What do you do as a profession?

What do you doNow there’s a question I get asked a lot.  Reasonable question.  Honestly asked.  Pure curiosity.  Not always the easiest to answer.

So how have I answered that question in the past?  I’ve tried the formal route: “I’m a consultant that specializes in Security Management, Risk Management and Emergency Management”  Usually followed by the next question of, so what really is all that?  Then I of course would dive in to explain each segment of my statement.

So I changed it up.  “I save companies time, money, liability, I inconvenience some but hopefully help to save lives”  Well that peaked the interest of many.  The money and liability statement peaked the interest of the business crowd whilst the saving lives peaked everyone’s interest.

DefencemanI was at a personal engagement and amongst the various conversations about this and that, that were totally unrelated to anyone’s work, I made a slightly humorous comment about doing one thing so that we can accomplish another and the gentleman said “…and that from a security guy…trying to figure out all the angles…” and then he said this “…it’s like knowing where the puck is going to be”  A wow went off in my head.

You see, as a much younger person I was quite heavily into organized sports, especially hockey and I played defence.  In fact I played right defence but shot left.  Another story for another time.  But to be a good hockey player you need to anticipate where the puck is going to be.  So either you can intercept it from an opponent or accept a pass from a teammate, or block the shot, or be able to take that winning goal shot.

Much of what I do is trying to figure out what is going to happen, how best to get it done, how people are going to react and what is the best way to get them to do what they need to do.  Anticipating where the puck is going is a skill set that I discovered and honed whilst playing hockey.  Bobby Orr was one of my childhood idles and in my opinion was one of the greatest hockey players that did just that.  That made him a great defenceman.

broomBut I had another recent related experience while at Spanish class.  Yes I took a conversation Spanish class in hopes to learn another language a little better than I know it now.   Anyways, it was a conversation with my Spanish instructor in how she delivers her lessons.  She hopes not to blow through content and would rather her students learn and understand the structure of the language rather than just learning how to say words, whilst not understanding the basics and having a base to build from  Which of course, you guessed it, reminded me of when I was again a younger man learning weightlifting.  For the first month my weightlifting coach (Charlie Arnett – great guy, huge, but the kindness and  one of the most gentle hearted men I know) only allowed me to lift a broom stick for the first month of training.  What! The basics and techniques needed to be learned first before he would let me move on to anything else

So what does Spanish and weightlifting have to do with this?  Back to what I do as a profession…I review what your company, organization have in place and I take the basics (known best practices and standards) and I apply them to what your company, organization has ( or even create new), overlaying the knowledge of where the company, organization is, what your business does, and what your needs are.  Put that all into either your Security procedures, your Emergency preparedness training or your Emergency Response Plans.

standards

I assist your company, organization in figuring out what it’s broom stick is, what will be it’s foundation.  All the while listening, writing, reviewing, coaching, and delivering the company, organization a product that will then allow your company, organization to work with it and begin to see where the puck is going to be.

Plan the Work (creating the broom stick foundation). Work the Plan (learning and honing the skills to see where the puck is going to be)

You know what you just did, right?

You know what you did, right?

So I’m going to do a lot in this post to “protect the innocent” or is the uninformed, but if I get to descriptive, you’re intelligent people you might just figure out where I was.

So I have an appointment at what could be, well it is considered a government infrastructure location.  So this location was pretty centralized within the city.  To add to it, it had nothing on the perimeter that would greatly attract attention to it.  I mean no armed guards patrolling the facility, turrets with with spot lights or a multi-tracking surveillance system with bio-metric analysis for access.

So that you get the picture…pretty plain.

So I have a scheduled appointment.  So as I’m waiting outside of the facility when what I can only assume was an employee of the facility, not my contact, approached me, a brief conversation determining the reason why I was there and boom…I’m in.  No call to verify, no reach out to their colleague, no text, no email not even a yell down the hall.  You get the picture.

So I’m passed the perimeter access, in through a few interior access doors and now I’m meters away from the heart of this building, the reason for it’s existence.  The reason for it’s existence, I’ll leave out.  So I’m placed in what can only be described really as an employee hang out or break area…not even in a monitored waiting area or lobby.

Oh I forgot to add that I was 15 minutes early for my appointment.  Was actually going to take the time to study the outside of the facility a little more but that really didn’t happen.

So there I sit and wait.  Five minutes before the appointment happens I receive an email:

I’m really sorry but something has come up and I won’t be able to make it to our appointment.  I’ve been pulled away to another facility.  I hope you haven’t been waiting outside the building too long.  I apologize.  Can we reschedule?

So a couple things.  Here I was in this building, not being monitored in any way from where I’m sitting only meters away from the belly of the beast.  My contact had not been informed that I was there.  The other employee took my word on face value.  Better yet I was given access without any verification, scrutiny, identification verification…I mean nothing.

So wow.  I don’t let anyone in my house unless I’ve come to some satisfaction I know who they are, why they’re there and what the intent of their visit is…family excluded.  Well most of them.

So where’s the failure.  Pretty obvious.  There is no security culture engrained into this facility.  There’s no belief that security is everyone’s job.  There may not be any access control policies…well l know there is, it’s not that enforced as I learned.

A simple risk assessment on the situation really held no weight.  So if i was on the on side of the team I would have just figured out how to get in again, but even better I was in already.  I might have just been able to go and do enough damage to hurt or even cripple this facility.  And walk away.  As far as my contact was concerned I was still outside or on my way.  The individual who let me in knew who I was to see, and the reason for it but never asked my name.

So lesson.  Make sure everyone knows what the policy is.  If you have appointments and can’t make it, contact someone on your team to make sure that this person is either not in or if they are in they get out.  Oh yeah…I let myself out.

Work on fostering a security culture, it is a  mind shift but it is beneficial and you don’t even need to be an infrastructure site to foster this type of environment.

As I always say, Plan the Work, Work the Plan.

 

Risk Management – Identifying your Loss Exposure

A loss exposure is a possibility of loss, it is more specifically, the possibility of financial loss that a particular entity or organization faces as a result of a particular peril striking a particular thing that you have assigned value to. Probably the most important step in the risk management process is the identification or finding of risks that need to be treated. If you are not aware of the existence of a risk, you certainly cannot make plans for handling it or mitigating its potential loss.

Continue reading “Risk Management – Identifying your Loss Exposure”