Showing posts with label terrorism. Show all posts

02 May 2026

Critical Infrastructure Protection: Resolve to be Ready...

Terrorism Risk includes the risk from attackers both “Internal and External” to our organizations.


These attackers are still using conventional methods (incendiary explosive devices (IED) or Active Shooters) and unconventional methods (Digital Advanced Persistent Threat (APT)) to disrupt the operations and economic well-being of corporate organizations, the real estate finance industry and most of our Critical Infrastructures.


The process and systems for managing Terrorism Risk are rapidly changing as the commercial real estate finance and building owners strive to establish new standards.


Critical Infrastructure Protection (CIP) is now again a national priority. 


The key catalysts for change could further motivate infrastructure owners to implement new risk reduction programs and measures. 


Some of the key catalysts that remain for change are:

  • Insurance – those institutions that are sharing risks that a building owner faces.
  • Finance – banks, REITs (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.
  • Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.

Overall Terrorism Risk reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is a corporate office building, a hospital, a mall, a school, religious facility, subway, or a hotel.


These soft targets are where the risk management decision-making is again already taking new directions.


In order to introduce new changes in process or design that impact the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners and operators.


Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety.


Consistently, the conversations are not about “if” something is going to happen; they are about “where” or “when” it is going to happen.


Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future.


First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.


The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures.


The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure.


"In order for owners to benefit from the potential of reduced premiums from direct insurers they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce its vulnerability to certain threat profiles."


These need to be exercised on a continuous timetable with extensive documentation, training and reporting.


In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structure's physical vulnerabilities.


However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk.


If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions.


The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events. 


The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident.


As landlords and other interested real estate finance industry partners move towards updated standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount.


CxOs in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises.


Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism...

29 November 2025

LADDER: Protective Security Specialists…

How long does it take for a lethal attack to occur against an At-Risk person?

Just 2 Seconds is the best-selling book by Gavin de Becker. Along with his longtime colleagues Tom Taylor and Jeff Marquart, he documents how to use time and space to defeat adversaries.


There are some compelling insights gained from their research:

  • In the US, attacks are most likely to be undertaken by lone assailants (87%) vs. outside the US, where attacks are typically the work of multiple assailants (71%).
  • Attacks in the US are about as likely indoors (53%) vs. outdoors (47%).
  • However, 64% of attacks happen when the protected person is outside in or around the car and 77% of these attacks are successful.

Most of these happen within a distance of 25 feet or less using a handgun. Corporate executives and their Protective Security Detail (PSD) already know these statistics and have trained together for these increasing risks.


Many have adopted the LADDER model from the “Gavin de Becker & Associates” training academy:


> Logistics

> Advance

> Distance

> Deterrence

> Evacuation

> Response


The study of the motives and the psychology of why these actors pick their targets and choose the time and place has become a science. The methods and tools to assist corporate security in predictive analytics require a substantial baseline of historical data and real-world experience.


Over 30 years ago Gavin and his team developed the MOSAIC Threat Assessment system. It is now in use with dozens of police and government agencies to help authorities and “Protective Security Details” to be more proactive and preemptive.


Protective Security Specialists (PSS) today are certified professionals utilizing intelligence in combination with the attributes of Time, Mind and Space to provide safe and secure travel for their clients.


The Science and the Art have converged to provide a fusion of data, strategy and ad hoc tactics to ensure the mission is completed without incident.


The profession doesn't stop there. Some Operational Risk Management firms who have these certified individuals on staff go much further in their training and their vetting of employees.


We agree and recommend that you add these questions to your due diligence when obtaining Requests for Proposals (RFPs) from these firms:

  • Review all policy documents the firm has their personnel sign to become a PSS on staff.
  • Review the firm's hiring process and the prerequisites to join the firm.
  • Review the operational standards and operating procedures to ensure 24 x 7 x 365 capabilities.
  • Review the 3rd party agreements that encompass any transportation and private aviation suppliers.
  • Review the firm's technology and communications infrastructure including Internet, radios, information systems security controls and privacy countermeasures.

The profession has come a long way and people like Gavin de Becker & Associates have for decades established the baseline for others to compete. High net worth individuals, movie stars, public officials and corporate executives have much at stake and require comprehensive strategy execution.


Think of every assassination-like attack you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.


From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for the book, all of them combined, took place in less than a half-hour.

Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers...

24 May 2025

Memorial Day 2025: Remember Them...

On Memorial Day 2025, what do you think about and remember in memory of our fallen?

Those brave men and women in the USA who have defended our Flag and our Freedom for almost 250 years.

Walking through Arlington Cemetery anytime, or to a Funeral in Section 60 there, provides context on how much we value our country, our way of life and the people who call themselves true “Americans”.

“As we seek to shrink what remains of the Gap over the next several decades, we will rarely find societies adequately prepared—either intellectually or emotionally—for the travails that lie ahead. Instead, the elements most prepared will be the most willing to wage bloody resistance against this process: educated, worldly young men who are familiar with the future we offer and have already decided that it is corrupting beyond all reason. These revolutionaries and terrorists will wage wars of extreme perversity against both us and their own peoples, convinced as they are of their moral superiority in rooting out hypocrisy and heresy.”

The Pentagon’s New Map - BLUEPRINT For ACTION - A Future Worth Creating - Page 281- Thomas P.M. Barnett 2005

Over twenty years after reading this book, we are still at war. Memorial Day each year and many years ahead of us will be about our American citizens, who have served in our U.S. Military and lost their lives.

This Memorial Day weekend as you see the military ceremonies, or hear the fighter jets flying in formation over your city...now think about all those who have served behind the front lines, Visible and Invisible.

The “Quiet Professionals” in the United States who provide a spectrum of services, supplies and continuous information in support of securing our valuable freedom.

As you reread chapters of "BLUEPRINT FOR ACTION" while you watch our Flag waving in the wind, Remember Them…Never Forget, Always Be Ready!

15 March 2025

Security Governance: Corporate Emergency Response Team (CERT)...

You can be a proud CxO if you can confidently say that in the event of a "Crisis" your employees are trained and ready to handle it.

You can never predict human behavior in the face of a sudden and shocking incident.

If your company doesn't have "Corporate Emergency Response Teams" (CERT) exercising test scenarios monthly or quarterly, you face the consequences of poor Operational Risk Management (ORM); losses that could have been prevented.

We are still amazed at how many “Executive Rows” we visit that still don’t have an AED within arm's reach in the event of a heart attack.

Protecting corporate assets first begins with common sense and then expands exponentially from there.

How will you and your CxOs provide your employees with the privacy they are due as U.S. citizens and remain vigilant against all potential insider threats?

Programmatic Data Privacy and Integrity is the real issue at stake here.

“Enterprise Security Governance will provide the mechanisms and controls necessary for the Patriot Act to operate with the highest degree of assurance.”

Our civil liberties are still in force and will be there to protect everyone who is an American.

What we must not waver on is the need to modernize, to re-equip and to create more robust "Correlation Centers". Perhaps with AI and always with trained Intel Analysts.

The fact is, our intelligence analysts in enforcement are under attack every day by more savvy and increasingly powerful adversaries.

The establishment of a more robust, pervasive and technologically superior force to defend our Homeland today is still in the maturation stages.

What is paramount now, at this stage of growth, is the framework for your own organization's “Security Governance” to be injected into each stakeholder.

The policies, ethics and controls must be there to guide those who are protecting our privacy while simultaneously allowing us to accelerate our countermeasures to Deter, Detect and Defend against those who will continue to attack us.

The Patriot Act will remain a powerful asset to those who wake every morning to ensure the Confidentiality, Integrity and Availability of information in our country and to protect the American people…

08 February 2025

Private Sector: Proactive Continuity & Protection of Critical Infrastructure…

Before 9/11, who at your organization was responsible for the continuous “Continuity of Operations” for the business?

Last time your Board of Directors had their quarterly or annual meeting, was your compliance with the U.S. CII Act of 2002 on the agenda?

You know, the Critical Infrastructure Information Act of 2002 (CII Act):

“Under provisions of the Critical Infrastructure Information Act of 2002 (CII Act), information that is voluntarily submitted per those provisions will be protected from public disclosure until and unless a determination is made by the PCII Program Office that the information does not meet the requirements for PCII. If validated as PCII, the information will remain exempt from public disclosure.”

Critical Infrastructure Information (CII) is information not in the public domain and related to the security of CI or protected systems by either physical or computer-based attack that harms commerce in the United States or threatens public health or safety.

Today, who in your particular organization is responsible for the PCII Program? The entities that submit information are:

  • Private Sector companies
  • State, local, and territorial government entities
  • Working groups comprised of government and private sector representatives

"It is well known that over 85% of Critical Infrastructure is owned and operated by these organizations in the United States."

Consider this thought.

AI is increasingly being powered now by the Private Sector. Crypto mining is powered by the Private Sector. There are 16 more key CI Sectors.

The companies that are in your city, county or state that are directly tied to your Critical Infrastructure to provide Water, Electricity and Natural Gas, Emergency Services, Healthcare, Information Technology and Transportation are all components of the on-going safety and security of your community.

Who in your organization is responsible for the key relationships of all of the CI entities that you rely on to operate and serve your community each day?

Is it your CISO? Is it your CSO? Is it your CFO? Is it your CIO? Is it your COO?

If you don’t know that answer in your Board of Directors Meeting then add this to your To-Do list with your CEO.

Here are four key areas of focused leadership in your role to build resilience of Critical Infrastructure Protection in your organization:

> Recruiting

> Education

> Networking

> Sharing Information

After you and your RENS team have prioritized "Critical Infrastructure Protection" and the safety of the American people at your organization, how will your own leadership be visible and proactive?

Never forget!

24 November 2024

Future Risk: What is True...

On the dawn before the next large public gathering across the world, Operational Risk Management (ORM) professionals are on edge.  Readiness and contingencies are at their highest level in anticipation of any globally televised event.


The same crisis management environment exists four or more times a year within the confines of the Board Room and Executive suite.


Operating at the "Speed of Business" and effectively managing daily, weekly, and quarterly risk management tasks requires an adaptive and resilient culture.  A culture that has been born and evolved from its Genesis to a daily run rate based upon two main components.


  • Trust is the first one and to many a given in any high performing environment.  To be able to trust the person to your left and to your right requires many tests.  It builds over time yet it must start with the right elements and be nurtured for it to flourish.
  • The second component is far more complex.  It requires you to embark on a continuous discipline with yourself and the people to your left and right, to know "What is True."


"What is True" means one set of reality for you and perhaps something different for those around you.  Your mission is to get to a single version and reality of what is true faster than your competition, your adversary or your partner.  Survival will be a factor of your speed to understanding as a team, "What is True" and then your adaptive nature to the consequences of your actions.


Are you accountable for your outcomes?  Have you accepted the consequences of your behavior?  So what does all of this have to do with Operational Risk Management?  It has everything to do with it. The highest-consequence event in any risk matrix is the fact that people do not see themselves or others in a "True" perspective.  They are not operating in reality.


What is your willingness to bring current problems to everyone to dissect, understand and solve?  Those who continue to operate without a proactive problem-solving environment are headed towards disaster.  Surprises.  Being blind-sided.  Never saw it coming.


When you hear people saying these things, you have someone who has not been proactive in the continuous identification of problems and communicating those problems to the team to be solved.


You see, leadership is about continuously testing, designing and improving the process or the product.  The thinkers and the doers, the blueprint and the construction, the designers and the operators must be in a synchronous harmony together.


Ask yourself: how is this movie unfolding compared to the script that was written?  How has the change and the rate of change had consequences?  What have I and my team done to adapt, by changing the design or the people to achieve the mission?


The "Speed of Business" is the environment and the successful outcome we all seek and is captured in three words.  "What is True."


17 August 2024

Remember: Imagine Our Resilient Future...

Where were you on the morning of September 11, 2001?

In the middle of our mutual “Information Security” and data privacy dialogue over breakfast on the ground floor restaurant of the Reston Hyatt, we both suddenly overheard people's commotion and muddled cries.

In the adjacent bar area others were watching the morning television news and were witnessing the continuous replay of an airliner crashing itself into one of the New York City World Trade Center Twin Towers.

We jumped up to walk around the corner into the room and saw the growing shock on people's faces, as they hurried out the door to pick up or go check on their loved ones.

Then we saw the 2nd plane hit.

Walking back in to pay our bill a few minutes later, both of us looked at each other and realized what this meant. Or did we?

Like some other days across your life, this particular morning in America was full of confusion, emotion, tears and fears.

Soon thereafter, driving away from the Reston Town Center near Dulles (IAD), in the distance to the East as the morning sun was rising, you could now see the billowing black smoke rising from the Pentagon burning.

Over the next decade, much of our thinking on our true vulnerabilities as a nation would come before us to solve.

Before 9/11, there were few aviation engineers thinking about reinforced and secure cockpit doors on commercial airliners.

The evolution of “Homeland Security” over the next decade included new buildings and technologies up and down Chain Bridge Road in Northern Virginia.

Predictive Intelligence and Color-Coded warning levels were now focused more on people's thinking and behavior, not just about flying objects over a country border.

Asymmetric Warfare would become a National focus.

Certain kinds of fertilizers such as "Ammonium Nitrate" would soon be taken off the shelf of local gardening centers and wholesalers in our farming communities and locked up.

Information Technology was now to become a force multiplier. Business Continuity Planning (BCP) was now a mandate. What if?

Operational Risk Management (ORM) was the new normal.

After 9/11, there were new travel innovations like TSA PreCheck, where even to this day only one photo ID is required to apply in pre-enrollment, as they take your fingerprints and your photo to match up with vast government databases.

In using another ID travel service years before, CLEAR, even a retina scan was taken in order to back up fingerprinting and two photo IDs.

As we approach our next 9/11 ceremonies around the United States this September 2024, take a few minutes yourself to “Never Forget”.

Acknowledge the vital missions of all those serving who are in uniforms, all those in semi-formal suits, ties and dresses sitting around the conference table and the tireless shifts of analysts and tech people behind the screens who are on continuous watch.

24x7.

Now just 23 years after that historic morning in New York, NY, Arlington, VA and Shanksville, PA, we shall all continue our next year of Citizen Vigilance, our National Resilience and our continuous Freedom as true Americans.

And on this Wednesday September 11, 2024, sitting outside on your own back deck or patio watching another sun set or the moon rise, think about how you too will achieve a more resilient journey into the Future…with those you love.

Godspeed!

28 June 2024

Preface: Growing Up in the USA...

As we approach our 248th year celebration of the country named the “United States of America”, think about it with open eyes as you look at our flag waving in the wind on the morning of July 4th.

One of 193 countries in the United Nations on our globe today, our country has become a sought after destination for so many others in the world to see and to actually experience.

Why?

Being born in the USA, our school Principal at our “Riverside Elementary” would get on the speaker system at 8:30AM sharp. Our “Pledge of Allegiance” each morning was sacred as we all would stand in our classrooms:

“I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all.”

Little did any of us truly know at that point in our lives, how precious these words would eventually become to us. Some before we were all grown adults.

It would dawn upon us all decades later, as our team was sitting around our tables with other fellow INSA members in a 2nd Floor conference room on North Stuart Street in Arlington, Virginia. Our local professionals had a new important project before us.

Our Homeland Security Intelligence Council (HSIC) had started to tackle the definition of “Homeland Security Intelligence” and we would later develop 16 key recommendations in our 20 page White Paper.

It was finally published in September 2011, ten years after so many Americans had died on 9/11 and so many others would fight in the wars, international and thereafter domestic.

“Homeland Security Intelligence is information that upon examination is determined to have value in assisting federal, state, local, tribal and private sector decision makers in identifying or mitigating threats residing principally within U.S. borders.”

Intelligence to Protect the Homeland...taking stock ten years later and looking ahead...

Now after returning to our USA once again with your own overseas travel behind you, reach into your pocket for that dark blue "US Passport" with the Eagle emblazoned on the front in Gold and read these words once again on page one:

“The Secretary of State of the United States of America hereby requests all whom it may concern to permit the citizen/national of the United States named herein to pass without delay or hindrance and in case of need to give all lawful aid and protection.”

In 2024, this Independence Day, reflect on all that you have learned and now earned, as a US Citizen protecting our country and as a true proud American.

“Never Forget”…

10 February 2024

Analytic Priorities: Crossing the Digital RubiCON...

The governance of information within the government enterprise or the private sector enterprise remains very much the same. Both are subjected to a myriad of laws to help protect the civil liberties and privacy of U.S. citizens. Yet the data leaks, breaches and lost laptops keep both private sector and government organizations scrambling to cover their mistakes and to keep their adversaries from getting the upper hand. Again, the governance of information is the core capability that must be addressed if we are to have effective homeland security intelligence sharing to defeat the threats to the homeland 100% of the time.

The stakeholders in the information sharing environments will say that they have all the laws they need not only to protect information but also to protect the privacy and liberties of U.S. citizens. What they may not admit is that they do not have the assets within the context of their own organizations to deter, detect, defend and document the threats related to too much information being shared or not enough. These assets are a combination of new technologies, new education and situational awareness training and the people to staff these respective duties within the enterprise architecture.

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents have everyone on full alert. As the government has outsourced the jobs that will take too long to execute or in which the private sector is already an expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.