
Facilities and Public Spaces conference offers answers to improbable failure

Speakers at Conferenz’s Safe and Secure Facilities and Public Spaces conference in August presented various strategies aimed at protecting public places against ‘improbable’ security threats, writes chief editor Nicholas Dynon.

In the previous issue of NZSM, I wrote that the Christchurch mosque attacks had provided security managers with a new set of problems, with employers and customers now asking them: “How do we make our sitting-duck venue, which is easily accessible by large numbers of people on a predictable basis, secure against the extremely unlikely possibility of a terrorist attack? And how do we do it cheaply?”

It’s the classic Black Swan problem of how to prepare for – and invest in protecting against – an event as unknowable and unlikely as it is potentially catastrophic.

In their presentations, Dean Kidd (Manager Safety and Security at Auckland Live) and Stewart O’Reilly (Manager Behavioural Analysis at SecureFlight Ltd) both made reference to James Reason’s famous Swiss Cheese Model, a model of accident causation used in risk analysis and risk management.

In Reason’s model, an organisation’s defences against failure are represented as slices of cheese. The holes in the slices represent weaknesses in individual parts of the system and they vary randomly in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason’s words) “a trajectory of accident opportunity”.

At any given time, one might safely assume that the layers of cheese are enough to defend an organisation against failure. But in the off circumstance that Murphy’s Law wins out and the holes in the slices align, statistically improbable instances of failure can – and do – occur. Such is the nature of a black swan event, and thus Reason’s model is useful in not only conceptualising vulnerabilities to threats but also in identifying defences. It’s also a handy model for me to structure this article around in terms of describing how various speakers at the conference presented their examples of security defences and failures.

Cheese slices

The slices of cheese in the Swiss Cheese Model can be thought of as layers of security, and in Reason’s four-slice model these layers include the following:

1. Organisational influences

2. Supervision/management/training

3. Preconditions for unsafe acts

4. Execution, unsafe acts, failure to act

Organisational influences

In terms of the ‘organisational influences’ I identified three themes raised by speakers at the conference, including (i) guidelines/policies; (ii) procurement/recruitment; and (iii) standards/security-by-design. These are the holes in the ‘organisational influences’ cheese slice that present weaknesses if not adequately covered.

(i) Guidelines/policies

Andrew Moss of Optic Security Group gave us insights into the relationship of cyber security to good physical security, and how a logical – and increasingly necessary – extension to the government Protective Security Requirements (PSR) model is that of ‘converged security’, where information security, physical security and personnel security are considered as interdependent rather than distinct domains.

Dean Kidd and Lincoln Potter PSP (independent security consultant) focused on the usefulness of the Australia-New Zealand Counter Terrorism Committee’s Australia’s Strategy for Protecting Crowded Places from Terrorism and associated documents, including the Crowded places self-assessment tool, security audit, and supplementary guidelines: Hostile Vehicle Attack; Active Armed Offender; Improvised Explosive Device; Chemical Weapon Attack.

Both Dean and Dr Bridgette Sullivan-Taylor (Senior Lecturer, University of Auckland) stressed the importance of employing a ‘joined-up’ approach to security resilience. To what extent, for example, do your security policies take your neighbours and their security vulnerabilities and capabilities into account?

(ii) Procurement/recruitment

In terms of ‘procurement and recruitment’, several speakers focused on the importance of a risk-based view of security solutions. Willie Taylor MNZM (Associate Director Security and Emergency Management at AUT) highlighted the importance of assessing what security elements are required based on a facility’s risk profile and physical features.

Looking at procurement from an IT and cyber perspective, Steve Bell (Chief Technology Officer at Gallagher) observed that “local government tends to have a small budget for IT and may not have investment in good cyber protection and general patching.” Checking that a supplier has an active process of evaluating their products for weaknesses, therefore, becomes critical. “In the rush to get IoT devices to market,” commented Andrew Moss on a related point, “functionality and appearance tend to be prioritised over security.”

(iii) Standards/security by design

In terms of security by design, Andy Wray (Senior Technical Consultant) reminded delegates that “good security design has multiple layers (defence in depth) often with differing technologies.” These might include detection technologies as diverse as radar, biometrics, ANPR, concealed weapon technology, chemical detection, thermal imaging, and microwave and vibration detection.

Looking at security by design from a CPTED perspective, Anton Venter, General Manager Facilities, Engineering and Asset Management at Counties Manukau DHB, stressed the importance of designing the environment to highlight strange behaviour and create time to react, such as in the event of a lockdown.

Covering such standards as ISO 31000 Risk Management and HB167 2006 Security Risk Management, Chris Kumeroa (Director, Global Risk Consulting) demonstrated the value of data-driven risk analysis and risk management as the basis for a security solution.

Also on standards, David Horsburgh CPP PSP PCI (Director, Security Risk Management) focused on the range of CCTV-related standards, including: Privacy and CCTV – A Guide to the Privacy Act for Businesses, Agencies and Organisations; BS EN 50132 – CCTV Surveillance Systems for Use in Security Applications; CCTV Operational Requirements Manual (UK Home Office Scientific Development Branch); A/NZ Police – Recommendations for CCTV Systems; and Defining Video Quality Requirements (US Department of Homeland Security).

Supervision/management/training

In terms of the ‘management and training’ slice, I identified three themes raised by speakers at the conference, including (i) oversight/performance tracking; (ii) training and awareness; and (iii) culture.

(i) Oversight/performance tracking

In an excellent presentation focusing on the guarding sector within security, Ben Wooding (General Manager at Red Badge Group) talked about the idea of ‘suppliers as partners’. He made the important point that collaboration starts even before contracts are signed, and stressed the criticality of clear performance measures and KPIs, regular contract management meetings (face-to-face), traffic light systems for monitoring performance, and ongoing communication between suppliers and customers.

Approaching the issue of oversight from an incident response management perspective, Dave Greenberg (Emergency Management Consultant) stated that plans go out of date (particularly in terms of contact information) quickly, and that regular checking and updating prevents the wrong information ending up on the plan at crisis time. In other words, says Dave, “Open the damn plan!”

Barry Brailey (Principal Security Consultant at Quantum Security Services) and Ellen King (Emergency Response Consultant at Air New Zealand) gave us valuable insights into collaborating with emergency services, incident response, and the importance of “planning, planning, planning” and “people, people, people.”

(ii) Training and awareness

Bruce Couper (Director, RISQ New Zealand) reminded delegates of the value of providing security awareness training to staff and developing an effective security culture. “Who needs training within the security circles?” asks Dean Kidd. “Everybody.”

According to Sir Ken McKenzie (Head of Security, Health and Safety at Auckland War Memorial Museum) there’s a difference between a person who has achieved competency and one who has merely been trained. Competency, he stated, is made up of the following five elements:

1. Skills

2. Knowledge (education, training or professional development)

3. Experience (application of knowledge and skills)

4. Behaviours (approach to safety, motivation, compliance, attitudes, communication, management, leadership or teamwork)

5. Fitness (physical fitness to perform the task/s)

Dave Greenberg described the ‘crawl, walk, run’ approach to putting people through their incident response paces:

1. Crawl = talk through the plan with all the players

2. Walk = table-top exercise

3. Run = full scale test of all or part of the plan – stress test the plan as much as possible.

But he also pointed out that despite the existence of solid standard operating procedures (SOPs), you can’t train for everything – a black swan event will be unprecedented in one way or another.

(iii) Culture

In a vivid presentation that detailed the security challenges of a large public institution housing priceless objects and handling massive visitor numbers and the occasional Royal Family member, Sir Ken McKenzie made the point that people operating in crowded places that embrace cultural significance must take cultural security seriously.

Cultural security starts with an understanding of and respect for the significance of culture and place, and it encompasses more than just the museum and gallery context. How many stadiums, for example, are home to well-known sporting teams commanding large numbers of diehard supporters who may be prone to ‘passionate’ behaviour that in any other context might be deemed to be aggressive or antisocial?

According to Anton Venter, a security safety culture should be embedded at leadership levels, with leaders responsible for branding, promoting, and visibly demonstrating security. Dean Kidd emphasised the importance of creating a ‘challenge culture’, which at its most fundamental level involves the wearing and checking of ID cards.

Preconditions for unsafe acts

In terms of the ‘preconditions’ slice, I identified three themes raised by speakers at the conference, including (i) neighbourhood; (ii) task saturation/fatigue; and (iii) the state of systems.

(i) Task saturation

Security personnel often work excessive hours per week, and with a heightened threat level requiring a higher operational tempo, just how many more hours can a security guard take until he/she becomes ineffective? Dave Greenberg asks the related question “can business-as-usual continue while we deal with an incident” – or does something have to give?

(ii) Neighbourhood

In his wide-ranging presentation, Dr Paul Buchanan (Director of 36th Parallel Assessments) set the scene with an excellent geopolitical overview focussing on the security implications for New Zealand of great power competition and contending value systems. Whether we understand it or not, our domestic security context is influenced heavily by international dynamics.

As conference chair, I expressed the concern that security has not been a high priority for most New Zealanders because they have, in the past, taken their security largely for granted. This has given rise to a level of complacency that means that people just don’t have the conversations with each other on security matters that they probably should.

According to Anton Venter, security “needs staff and community involvement to be a success”. In advocating for the establishment of networks of people responsible for security in neighbouring businesses, Dean Kidd suggested a ‘precinct’ approach that accords with Dr Bridgette Sullivan-Taylor’s idea of a joined-up approach to security resilience.

(iii) State of systems

“It has not been traditional in the facilities management arena to expect to get cyber security upgrades for building management, process control and security systems, including Video Management and Access control,” commented Steve Bell. “Any of these systems that has software that is several years old will have cyber security weaknesses that should be mitigated through patches or upgrades.”

This is a concern, says Andy Wray, particularly where legacy architecture meets the brave new world of analytics and artificial intelligence.

But in the incident response and emergency management context, argues Brad Law (New Zealand Country Manager at RiskLogic), new, smart technologies will ultimately make all the difference, delivering:

• Improved communication

• Increased accessibility and mobility

• Savings in time and effort

• Better informed decisions

• Empowered and decentralised decision-making

• More effective response and recovery

With a jam-packed schedule of 26 presentations over the course of two days, the conference covered far more than this article can do justice to. If there is a 2020 instalment of Safe and Secure Facilities and Public Spaces, I recommend attending it in order to benefit from the full range of speakers and their insights.