How Enterprise Situational Awareness Builds Metrics
It’s a common phrase in the security field: “There is no silver bullet to prevent incidents.” With risk landscapes expanding online and security executives taking on more responsibilities throughout the enterprise, however, the phrase doesn’t stop security leaders from looking for tools to help lessen the load of managing the enterprise’s risk. And, for many, this starts with enhancing enterprise awareness.
For Owen Key, the Chief Security Officer and Chief Information Security Officer for the City of Calgary in Alberta, Canada, managing the city’s mature security department (which includes information security, internal investigations, physical security and more) requires as much information as possible.
“We manage security for more than 350 sites and buildings,” says Key. “Most of our staff have not visited every one, so having a PSIM (physical security incident management) system gives our staff better insight into buildings and operations, so we can triage events more effectively.”
Their PSIM system includes an incident management program, Perspective by PPM, and more systems are being integrated every year. Key and his department have been working on this PSIM system for more than five years, and the next addition is a 3D mapping tool to help dispatchers in the city’s two fully integrated command centers better guide first responders through facilities. On the logical and information security side, Key has invested in a SIEM (security information and event management) system.
“Combined, these systems help us improve our security posture,” Key says.
“I’ve been in this role for 10 years, and we inherited PPM’s precursor system for incident management, IRIMS, but it was not being used to its fullest extent,” he says. “We were able to expand use of internal e-reporting for incidents, and in turn, glean more insight into our own operations, providing us with much needed metrics to sell security.” Key adds, “These metrics allowed us to obtain good capital to improve security as well as operations and expand our program.”
Now, Key continues to pull metrics with Perspective, complete with workflow and dispatching capabilities, allowing for the collection of even more security event data submitted by a variety of departments throughout the organization.
“Metrics help us drive where we want to put our scarce resources in play,” Key adds.
Similarly, Jessie Beaudoin, Director of Security and Surveillance for the Downtown Grand Casino and Hotel in Las Vegas, uses both internal and external metrics to prove security’s value to the C-Suite.
By using law enforcement crime statistics, Beaudoin can be alerted when there is a rise in car thefts, and thus he would increase parking garage security and patrols. Or, an increase in push-door burglaries (when a thief prowls hotel hallways checking which doors are ajar and can be simply pushed open) could lead to key-checks at elevators to prevent anyone who is not a guest from entering hotel guest floors. He can also use critical reach fliers, distributed by the Las Vegas Metropolitan Police, and network with other security and surveillance directors around town to stay one step ahead of criminals targeting casinos.
Beaudoin keeps in-house metrics as well; Key Business Indicators (KBIs) are a record of thefts, slip and falls, or other incidents on property, and he can disseminate this information to higher-level executives during daily security briefings.
“During these meetings, we want to explain crime trends and what we’re doing to curtail that activity,” says Beaudoin, who introduced the Downtown Grand’s surveillance program to Security magazine during a speech at the Security one2one Summer Summit by ISC. “It’s all about being aware of what your risks are, and having and sharing this knowledge helps to back up our budget requests, such as a request to boost staffing for more garage patrols or key-checks.”
For Key in Calgary, using metrics to show security’s value to enterprise leaders is an act of creativity. He works with a dedicated communications consultant to present security’s strategy and vision, often using two to three pages of infographics instead of lengthy written reports to show security’s current status.
“You can’t make the graphics without having all of the metrics and research to back them up, but this presents it in a way that’s easy to understand and fast to present,” Key says. “We want to avoid the ‘Fort Knox’ mentality and concentrate on protecting our critical assets. Having these metrics helps to better explain what those are to city executives.
“Be creative with it,” he suggests. “Within security, we have to sell the idea of our services and become a strategic business partner – enabling rather than just impacting.”
Beaudoin is working to better enable the Downtown Grand to succeed by making the most of surveillance assets and video analytics. By combining video surveillance and big data gathered throughout the enterprise, he and his team can look for red flags, such as one particular bartender who has low revenue, a high number of voids and no-sales. This could be a sign of theft or sweethearting (giving free product or services to friends). Checking employee card use throughout a shift could help lead the security investigations team to a case of time fraud.
“We’re using data to lead us to the crime,” Beaudoin says. “Analytics completely make our job of surveillance different than it was 10 years ago.”
Notifications are one of his first lines of defense when it comes to addressing the inevitable business risks of insider theft and loss prevention. Employees must call in to the central command center before they escort money around the casino, and table games have low notification thresholds so that surveillance employees can be aware of which games have large stockpiles of funds and monitor them more closely.
Another tool Beaudoin uses to keep aware of potential problems on the casino floor is auditing: “For two to three days, for 24 hours, on every shift, we will monitor one single area,” he says. “If we’re auditing the main cage, for example, we’ll review the procedure manual and watch every transaction, every count, every employee for cellphone use, proper conduct, uniforms, everything. The benefits to this are two-fold: we can identify anything suspicious in that department, and we can identify good behavior. In both cases, we send a report to the area manager.”
To minimize risks of collusion, surveillance employees are not allowed to socialize with any other casino or hotel staff, barring HR, without risking their job. They are only allowed to speak with executives when they are inside the surveillance room.
Beaudoin also works with the public relations department to investigate any negative statements posted to social media accounts about the casino and hotel, an area which has seen much more activity in the past five years.
John Slattery, Senior Vice President at investigations firm AOOC II, LLC, is working with social media monitoring as well, to provide as much information as possible to his high-profile sports franchise clients about potential draft picks or scholarship recipients.
“Most professional franchises do some form of due diligence, and they can tap local resources for basic investigations,” he says. “Risks can be mitigated further, however, if you go through the trouble to vet your individuals on a behavioral level. Social media is a person’s social life in public, and it can augment existing insight into a potential investment.”
Working with CES PRISM Social Media Investigation reports, Slattery investigates a subject’s entire Internet footprint, including public source information, public records, social media and the person’s network and connections to either confirm or refute issues.
For example, he says, in an investigation of a potential player for a pro-baseball franchise, the subject popped up in multiple arrests in multiple states while enrolled in college. A local investigation at one of the player’s colleges showed that he was asked to leave due to marijuana and alcohol abuse.
In another case, an investigation into a potential draft choice revealed that, while the player himself had no suspicious content on his record, his close associates on social media had posted content featuring guns, alcohol and drug innuendo involving this particular player. So, Slattery referred the case, with the new information, back to the franchise for further decision-making.
“While looking for anomalies or bad behaviors, you also find good behaviors, such as charity work, positive moments, and we report back to franchises on those notes as well,” he says.
There is a four-part approach to these due diligence investigations, he says, and it hinges on understanding all of the data that reports can uncover:
- Deploy your research tool
- Add analyses from trained experts
- Evaluate, vet and validate your information, adding context
- Ensure proper legal research has been added to address privacy and civil liberties
“There is still some reticence in investing in a front-end investigation,” says Slattery. “However, the cost of doing your due diligence and making the most of available data is decimal dust compared to what the enterprise would invest in the player.”
Similarly, the investment in enterprise situational awareness, whether from PSIM, video surveillance or analytics, is a valuable one both in terms of creating value and proving value to the C-Suite.