1.15.2008

Missouri county gets new tool to protect schools

Securityinfowatch.com has another interesting article on how a Missouri county is using a new tool to protect their schools with virtual 'walk-through' tours in case of an emergency.

Missouri county gets new tool to protect schools

Flash drives contain virtual 'walk-through' tours of schools in case of emergency
Kansas City Star (MO) (KRT)
via NewsEdge Corporation

Jan. 14--The Clay County Sheriff's Department has a new tool in responding to bad situations in public school buildings -- one they hope they will never use -- a flash drive.

Through a grant, the department is providing fire and law enforcement agencies in the North Kansas City School District a USB flash drive that contains virtual tours of all 31 district school facilities.

The flash drives feature "walk-through" tours designed to increase the preparedness of first responders to a school threat.

Officials said school shootings at Columbine High School in Colorado and at Virginia Tech University highlight the need to make school safety an ongoing issue.

"It is a tool we hope we never have to use," said Capt. Ron Nicola, who leads the Sheriff's Department tactical response team.

The grant from the Mid-America Regional Council through the U.S. Department of Homeland Security allowed the sheriff's department to purchase a camera that records a 360-degree virtual image of all building interiors.

Clay County school resource officers assigned to the schools in the district used the cameras to capture the necessary footage of their schools.

"We now have a more fluid and higher-tech view of school hallways, classrooms and stairwells in each of our buildings," said Jon Brady, the district's safety and security coordinator.

Park Hill School District developed such a detailed database with its law enforcement agencies in 2005.

Marcus Harris, director of security for the Kansas City School District, said the district does not have the virtual images of their school facilities.

However, police have floor plans of all the schools in the department's computer system.

Representatives of the two largest districts in eastern Jackson County -- Lee's Summit and Blue Springs -- said they have not forged a partnership like the one between the Clay County Sheriff's Department and the North Kansas City School District.

Sgt. Brian Wessling, a supervisor responsible for school resource officers in Olathe, said several police agencies offer something similar but may not be as detailed as the Clay County effort.

Clay County officials said the flash drives contain aerial maps, satellite maps and the internal layout of each classroom. Also, they have maps of the buildings' utility lines.

"The obvious asset will be to our tactical response teams," said Deputy Gary Johnson, who works as a school resource officer at Maple Park Middle School and was part of the team that gathered the information.

"If someone barricades themselves in a classroom, we are now able to report where the windows and doors are located. We also can check for blind or hidden spots," he said.

The photos allow users to maneuver the computer mouse to sweep around the room, Johnson said.

The department would eventually photograph similar images for all of the schools in Clay County. They also plan to photograph the county courthouse and other facilities where shootings and hostage situations might occur, Johnson said.

Maj. Jan Zimmerman, commander of the Shoal Creek Patrol Division, said the technology would enable officers to better respond in emergencies.

"This is an outstanding piece of technology that will benefit our officers in the unlikely event of a rapid-response scenario," Zimmerman said. "They will know what every room looks like without actually having been inside the facility beforehand."

School officials are constantly reviewing and upgrading security measures, she said.

Dennis McCarthy, director of safety and security for the Blue Valley School District, said they do not offer a program like Clay County's, but the district has surveillance cameras at all of their facilities.

"But from a law enforcement standpoint, this is great," McCarthy said.

"I am all for cameras and communications, but my belief is we need to spend time preventing violence from occurring."

The Star's Mike Sherry and Joe Robertson contributed to this report. To reach Glenn E. Rice, call 816-234-5908 or send e-mail to grice@kcstar.com.

(Kansas City Star (MO) (KRT) -- 01/15/08)

- The Hackett Security Team

1.03.2008

Security Benchmarking - A guide to obtaining upper management financial support

Securityinfowatch.com has a good article on Security Benchmarking in regards to obtaining upper management financial support to advance your security program. It is an article by Sean Ahrens, CPP, CSC, full of some really good tips for all of you security professionals out there struggling to get the financial support for your new security initiatives that you realize are important but management won't write a blank check for.

Security Benchmarking
A guide to obtaining upper management financial support and to advancing your security program

As security professionals, we are continually being asked to do more with less. As a corporate security professional takes on these new responsibilities, their core organizational offering becomes strained. This article delves into security benchmarking, which can provide another viable means to obtain funding for important security projects, thereby assisting your organization in being “proactive about tomorrow's uncertainties.”

The most important thing that a security professional needs to realize is that the days of walking into an executive's office and getting a blank check are, for the most part, over. Security professionals need to become knowledgeable and proficient in the business etiquette of requesting funds. To do this, a security professional should become familiar with topics including value, cost, risk, and most importantly, their independent evaluation through the business proposal. A good business proposal will indicate the costs compared to risk; and the costs compared to the expected value of the implementation.

Security professionals should also be aware that security risks, from a corporate executive's standpoint, are generally classified as low-impact, low-risk with a high probability. As a result, many executives choose to absorb or transfer these risks, rather than mitigate them. There are few methods to motivate an executive to finance a business proposal for additional funds to support a security management program. Some examples include:

• Codes, Standards and Guidelines — For the most part, as it relates to security, this is not recognized by executives currently. However, this influx takes time and you can expect changes in executives' attitudes as these are continually developed and integrated into the business community.

• Legislative requirements such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), etc.

• Current organizational security statistics, calls for assistance, losses through theft, damage, and litigation, etc.

• Benchmarking — Statistical evaluation of like programs within like organizations.

In the absence of internal incident reporting statistics, standards, codes or legislation, many executives are apt to provide funds for a business proposal if you can show a statistical correlation through benchmarking. Benchmarking compares what you want to do with what other organizations are currently doing or planning to do. In many instances, benchmarking your organization will have a greater benefit than statistical incident data.

Individual organizations and their senior management teams are continually comparing themselves to like organizations. From a process and liability standpoint, it is easy to convey that there is liability associated with security programs that are delinquent compared to other like organizations being benchmarked. Also, the data presented is more readily verifiable as opposed to security incident data.

The Process

No matter what you are trying to do, ideally, the benchmark process is preceded by an idea that leads into a business proposal. A well-articulated business proposal or white paper backed by reliable, verifiable and quantifiable benchmark statistics, will both assist in validating your opinion to senior management, and also aid in your plan's implementation. A business proposal, at the minimum, must include an executive summary, which will include subsets of the entire proposal, such as:

• The problem statement;

• Methodology;

• Proposed resolution;

• Implementation Plan;

• Impact on budget;

• Return on Investment;

• Return on Investment (ROI) over “x” amount of years;

• Statistical data; and

• Respondents' contact information.

The Benchmark

It is important to note that the benchmark is a tool, which substantiates the need for funding to support security management programs. Security professionals need to take into account the costs and the perceived ROI.

An important part of the benchmarking process is to validate and identify to senior management the need for security by comparing your organization to other like organizations. However, before you start your benchmarking process, you should be reasonably sure that the data you collect will validate your business proposal. I have worked with organizations that conducted benchmark analyses only to learn that there was no validation in what they wanted to prove, and that the data collected actually contradicted their assumptions. An unsubstantiated benchmark wastes a lot of time and the data cannot be released.

A benchmark, if correctly implemented, should clearly identify synergies and consistencies in the areas in which you wish to compare like organizations or business units of related companies. Typically, security professionals will know that they have a need for benchmarking, but are unsure what they want to learn. The best method for vetting this would be an open and collaborative staff white board session. During this white board process, a multitude of topics and ideas can be expressed.

The second part is to validate and score all available topics for inclusion into a potential question pool. One suggestion is to associate each question to a rating on a scale of 1-10. Only questions in the 7-10 range should be selected for final inclusion into the development of the benchmark.

Once the question pool has been scored, you may have to further vet this process and narrow the question pool. The benchmarking process must not be qualitative, that is, in the form of open-ended questions such as: describe your organizational structure; to whom do you report; and what types of security are in use. Questions, no matter how they are administered, must be quantitative and focused, which is easily achieved by providing multiple-choice answers. By implementing a quantitative process, there will be a clearer and more defined statistical correlation with the items that you wish to benchmark, validate and present to upper management.

Creating a Survey

Once you have the questions, you need to determine the depth of your benchmark. Clearly, whenever applicable, it is important to seek out like organizations, which are commensurate in staffing and geography. It is not necessary for you to obtain 50 or 60 respondents. Ideally, your respondents should be chosen using sources that identify competitors — which executives can relate to and will want to outpace. In a hypothetical scenario, showing an executive that 5 out of 6 competitors have selected digital video recorders will carry more weight than simply asking to deploy a DVR.

Consider how the survey will be administered — will it be on paper, online or via phone? In some instances, certain types of businesses, such as banks, may elect not to participate in a blind online survey. In these cases, allow plenty of time for a telephone interview. Typically, the most cost-effective route is to use a semi-free service such as SurveyMonkey.com. However, the best method to guarantee results for your benchmark will be through time-intensive phone calls and interviews.

A byproduct of the phone interviews is networking and relationship-building with organizations that are most likely dealing with the same issues. Timing is also critical to your survey, and should be considered throughout the administration of the benchmark. Avoid the holidays and the end of the fiscal year because, like you, your respondents will be busy and less likely to participate.

The quantity of questions is also very important — the fewer the questions, the more likely you will obtain responses. When faced with an extremely long questionnaire that cannot be reduced or vetted any further, identify leverage for the participant to take the survey, including free gifts, such as a gift card, or offering access to the final results of the benchmarking study.

Obviously, the number of respondents will determine the budget, but leverage can be found in networking and other avenues.

Consider Timing

Timing is critical — realize that even with the correct amount of leverage, organizations you wish to benchmark will be slow to respond. A benchmark process may take several months, which should be calculated when considering business budgeting cycles. Correlating your benchmark just before a budgeting cycle will allow enough time to present results and provide the best opportunity for obtaining additional funding.

As security professionals, we will continually be called upon to do more for our respective organizations; however, meeting those challenges does not mean that we have to do it with less. Use these concepts to validate to executive management the need for additional funding, and benchmark similar organizations to assist you in meeting your goals and assist your organization in being “proactive about tomorrow's uncertainties.”

Sean Ahrens, CPP, CSC, is a project manager for security consulting and design services with Schirmer Engineering and has more than 16 years' experience in the security industry, 11 of which have been as a practicing consultant. Mr. Ahrens volunteers his time on the ASIS International Commercial Real Estate Council (CREC). He can be reached at (847) 272-8340 or via e-mail at sean_ahrens@schirmereng.com.

- The Hackett Security Team