SECURITY PERCEIVED

Security Perceived Is Security Achieved Lets change hats for a bit. If we are not able to draw upon experience by finding the right category to file our situation in, we must think of things in different terms. Instead of drawing on what has been, we consider what might be. In other words we think like the aggressor instead of the defender. Be the bad guy, think of what he might do or can do. How might the area I protect be probed for weakness and those found, be exploited? Where are the soft spots? How can I take advantage of what is known? Just what is known? Lets start with that question, seeing as I think it is most important. Knowledge is a very powerful thing, a little goes a long way, the more you have the better you'll fare. The less the other guy has is even better. We as security professionals must take great steps to protect the secrecy of our patron's/client's business, the systems in place to protect it and the recovery plan after the fact. This is paramount.

Perception of what systems are in place and the capabilities of your response should be carefully tailored to send the right message. One message to the casual observer might be that doors are locked after hours and an alarm system is used. In certain circumstances this might be adequate and cost effective. Another stronger signal might be uniformed or armed Officers patrolling a perimeter. Marked vehicles, canine units, Overt CCTV all speak volumes as to what you are willing to invest to protect assets.

These indicators may slow some and stop others.

We can never truly know how effective they will be. Only history will tell the tale. If the sign on the door says beware of dog and it works, great but some day someone who wants in badly enough will pay attention long enough to know there is no dog. I'd rather have the dog and no sign then the sign and no dog. Let them learn the hard way and guess whats behind the door after they hear the barking but I surely wouldn't educate them.

Procedure in communication, tactics or even policy must be guarded and shared on a need to know basis. Security levels should be maintained so that crucial information such as passwords, call signs and codes only be given to those that must posses such information. This goes up as well as down. Being the president of the company does not automatically mean you are in the loop. If the CEO needs this info then by all means, if not then never share for the sake of "giving the Boss his due". Today the Boss, tomorrow who knows. This has happened to me more then once, administrators being shown the door. Now my work begins. What information did they have? What must I change in the security program so I can sleep nights without fear of disgruntled reprisal? Could I have kept such information to the need to know team and still steam forward secure and with all systems in place?

We play our cards very close to the vest and that's how it should be. It's a special thing when we can trust our assets but do not share for the sake of the old boy/one of the gang /he's with us reasons. Things change.

I have seen procedures casually discussed in meetings where only three of the twenty five people at the table had any real need for the information. Never do it.

Changing critical security measures after a administrative change can be fast and easy if only a few are involved, a nightmare if lips have been loose.

The sign out front is the starting point of your perceived security deterrent. Keeping security information well guarded is just as important.

In the business it's about what we allow others to know.

Posted by RJ MOSCA at 15:07