This week, Security Management interviewed James R. Black, CPP, PSP, CSC, a senior security consultant at TRC. During his presentation, Black will teach attendees how to stretch their security dollars in a sinking economy. He will also share which security technologies give consumers the best “bang for their buck” as well as discuss the five most costly security technology mistakes and how to avoid them.

What are you presenting on during the Seminar?

My session is titled, Survival in a Sinking Economy: A Guide to Stretching Your Security Dollars. I will be presenting along with some of the regions’ critical infrastructure stakeholders on not only what they’re doing to stretch their dollars but how to make the best use of finite resources. I’ll be including other experiences from our clients as well.

We’ve got dozens of clients going through similar economic pressures and conditions and they are all looking for ways to maximize the dollars they invest, whether it’s taking advantage of technologies to supplement or enhance the effectiveness of an increasingly limited personnel presence or if it’s leveraging the assets that you do have with other areas or other aspects of the organization. We’ll provide solutions attendees can use.

Who will be there with you Jim?

I’ll be joined by Mojgan Hashemi, CPP, PE, security program manager with the Metropolitan Water District of Southern California and Mike McMullen, lead security project manager at the Port of Long Beach. Now on the surface, one might think, well, geez, the Port of Long Beach, they get big cardboard checks from Homeland Security grants, so what can they add to the presentation. The reality is they’ve got so many things that they’ve got to accomplish. Plus, they aren’t getting the same amount of money that they have in years past, and in fact much less than anticipated. What they’re having to still do with less-than-planned resources and how they are leveraging what they’re doing amongst the regional stakeholders will be a good lesson for any security professional with budget responsibilities. The Metropolitan Water District faces similar challenges. They’ve got reduced budgets and they have to make more of less, and so what they’re doing on the security front is not just focusing on technology, but also cover some of the operational and physical stuff too. Overall we’ll stay focused on how to make the most out of dollars you have to spend. So we’ll be hearing right from the horse’s mouth and not just a consultant trying to say positive things.

What have you seen happen in your security consultancy because of the fiscal crisis? How are security departments rearranging themselves to meet their security needs?

Our clients are facing increasing pressures on all fronts. For some clients, they’re having to go to zero-based budgeting, meaning before they would have to justify increases in their budget year over year but their budget wasn’t necessarily entirely in jeopardy on a year-to-year basis. Now some of our clients are facing a complete rejustification for their budget every single year from dollar one. They have to justify every dollar that they’re spending, the pressure for return on investment is mounting and their budgets are being cut back significantly. Fortunately for us, we serve a number of diverse critical markets so there are certain industries where we have seen a big jump in activity.

When security managers are in such a crazily constrained budgetary environment, how do they go the CEO and say this security investment is mandatory?

This is the $64,000 question. It takes a good basis of knowledge in “what you’re doing? What you’re mission is? What your mandate is?”

Most organizations have an appropriate sense of security’s importance and are able to properly justify their security program. You know the threats not only haven’t changed much, the threats in this economic crisis have worsened.

Because of the pressures, there are more people taking stuff. There are more internal threats. There’s more fraud. There’s more embezzlement. More people are contemplating bad acts when financial pressures hit home. The threat landscape is not reducing in lockstep with the economic downturn so there’s more justification. It’s easier for security managers to justify because the threats are there and for the most part, obvious. And in some cases there are regulatory requirements that our clients must adhere to and so that provides some of the support, because there are consequences for failures in the security program. And the liability issue is still there. It makes sense for owners not to overly expose themselves from a liability standpoint. Significant reductions in security merely for economic reasons isn’t good enough because bad things can still happen and you could ultimately face a worse financial situation due to inaction or arbitrary reductions.

How often do security consultants draw on historical examples of things going wrong to justify your case?

Unfortunately, more times than not, our work as consultants is reactive to a problem. It’s the exception rather than the rule that we’re involved in or developing a security program or planning implementation around an undesired event.

Sometimes people consider having us design security upgrades, but it’s easy to say, “How long can we wait before something bad happens?” I very much wish it wasn’t true but sometimes the bad thing happening is the motivation.

You’re generally called in after something bad has already happened?

It’s often a fire drill for us, yes. Sometimes clients are motivated to address their security by good planning and appropriate awareness. More times than not however, a high-profile incident at or near a client’s facility drives the call to action. Even when such incidents don’t involve the client’s type of facility or industry the “standard of care” can still be applied to the point where improvements are appropriate. We would much prefer this not be the case to be honest.

How great is that pressure when a competitor makes a security upgrade? How much pressure is there to make that same upgrade?

We’re always keeping an eye on our client’s interests. That’s what people pay us to do. So of course, the perfect example is in downtown Los Angeles. We have a college campus here that’s proximate to the downtown area that’s had some high profile security incidents. And they’re making very appropriate security upgrades in various areas with mass notification, video, access control, and the like.

We also have another nearby community college client that was at the point of considering what to do about security on their campus. Because we had this client, we knew of what was being planned at the other college campus. We were able to say right down the street we’re doing X, so it would make sense for you to do X or something appropriate relative to that. That was all the justification they needed.

Since the financial crisis struck, what are the concerns you’ve heard the most? What are people most worried about?

They’re most worried about not dropping the level of security to the point where they are unnecessarily exposed. They’re trying to trim excesses without materially impacting the security program in a negative way. It’s a big challenge.

What did you bring to the table for the Port of Long Beach Fusion Center?

Because we’re not affiliated with any particular product or manufacturer or installer, we are really the only outside, unbiased client advocate from the technical standpoint. There’s so much technology, and it’s moving so fast. At the Port of Long Beach, every single vendor of security technology equipment wants to literally give their stuff to our client and use their site for beta testing. We’re the sanity filter. We helped with the checking, vetting, testing, showdowns, and shootouts.

So you’re basically Consumer Reports for your clients?

I like that comparison, yes, that is a good way to categorize that aspect of our work. And we help develop the criteria to identify and prioritize their needs. We help clients craft their planning documents, design standards, guidelines, the things they should be making sure happen. We help with a lot of the ancillary issues, whether it’s regulatory compliance, codes, electrical issues, or a blizzard of other construction-related stuff that sometimes the security folks within organizations may not have the time or specific skills to deal with. I have to mention we also have some of the best systems engineers in the business.

What did you recommend for the Port of Long Beach Fusion Center?

Well, we were involved in the needs assessment and procurement process for their security management platform, essentially that’s the overall management software piece that concurrently handles every electronic security related system at the Port, whether it’s sonar, radar, or mass notification. We were heavily involved in the up-front planning and decision-making process.

When you’re consulting for someone like the Port of Long Beach, do civil liberties concerns ever factor into your processes or considerations?

Absolutely. Technologies are now so powerful, you can read license plates three miles away from where you are in any type of weather, day or night. With the advance of these and other technologies the privacy intrusion risk has increased. In the United States in particular, we’re a hypersensitive group in that regard and there are plenty of advocates who keep an eye on such things. And not only are we mindful of that, for a lot of our clients we’ll help with the community outreach to inform community members and put them at ease and answer their questions. We tell community groups ahead of time, “We’re putting cameras here and this is what they are there for, and this is what they can see and can’t see and why.” We help our clients’ neighbors understand what measures are being taken to ensure the technologies don’t intrude into private areas, for example. A lot of the video technologies have masking, blanking, or physical stops that can keep the cameras from looking in places that aren’t appropriate. So absolutely, that’s an issue quite often. In a port environment, there’s less of that concern because it’s a big facility and virtually everything is public access. There’s less expectation of privacy in that environment.

I saw that you were on Twitter. What’s your feeling on social media? What are the security concerns? What do you tell your clients?

It’s a double-edged sword. Historically, information sharing between similar industries or stakeholder groups was limited. It was harder to find out what your peers were doing, especially if something’s gone wrong. There was nowhere to go to get questions answered. You had to hire the right person to get any sort of information. And that, in some respects, held back the industry as a whole, because people just didn’t know what the state of the art was. For the most part, everyone would have to learn lessons the hard way, themselves.

The new networking medium helps raise the awareness and the collective knowledge base of security professionals. And there is great information to be had. The flip-side to that is occasionally there is too much information to be had. There is plenty of proprietary, important need-to-know information that is a little too available. Consider for example that there was some critical infrastructure information regarding nuclear plants that was recently posted. And once it was posted, even for just a few hours, everybody has it—even if it wasn’t supposed to be out in the open. So the more mediums there are, whether it’s LinkedIn or Twitter or blogs or other networking sites, the more potential there is for that information to accidentally get out. On balance, if folks pay a reasonable amount of attention to what they publish, I think the benefit outweighs the risk. I prefer to see more information sharing between stakeholders. And this helps breaks down the historic barriers, the legacy attitudes that security folks have had, regarding their information and the lack of desire to share that information with other peers in their groups. For example, a client might not want to be embarrassed about facts surrounding a big deployment of software or equipment that ended up a colossal flop. They don’t want people to know they failed and wasted a bunch of money. However, how much money could be saved if these lessons learned and the reasons behind them were shared with others in some form? Letting others know might spare repeating these mistakes or know what it takes to prevent them from recurring.

I’m reminded of when IP cameras were first introduced, people said “Oh, no, you can’t put any of the security stuff over IP, because then all the kids in Russia and Latvia can hack into the system and see the images and use that knowledge to attack our facility and steal.” And what’s happened over time is people become more comfortable and we understand okay, a kid in Russia can see your camera. So what? It’s not like he can do anything with it. People have figured out the sky really isn’t falling, even though there are some risks. But we have learned to be a little less sensitive about that.

So this is about putting public interest over private interest?

It is. It’s weighing them. If you ask Europeans, most will say, “We understand the city has to put cameras all over because they want to protect us.” And they say, “Sure some cop could look into someone’s window but they can also catch something really bad that was about to happen.” They’re a little more trusting in that regard. But I think on balance, we’re heading more into that direction and the benefits have over time been shown to outweigh the collective risks.

For full coverage of the ASIS International 55th Annual Seminar and Exhibits, click here [1].

Thumbnail: