People and plans: training's role in homeland and workplace security: is your business secure? Here's how some organizations and training functions are preparing for the unexpected

T+D, Sept, 2003 by Eva Kaplan-Leiserson

Crucial to the success of a CSO or other director of security is buy-in and commitment from the CEO, experts say, demonstrated by budget, personnel, and a consistent message to the entire organization about the importance of security. It's key for the head of security to have the cooperation of all workers, Bowen says, to do his or her job effectively. In return, security chiefs have the responsibility to create policies and procedures that are in line with the vision of the company.

Assess vulnerabilities, threats, and risks. Usually the first step for the security driver is to determine the organization's vulnerabilities. A list of those quickly becomes an action list determining direction, CEI says. Possible vulnerabilities include lack of standard policies or training, outdated facilities security, open networks, and old passwords. Conducting a vulnerability assessment provides a baseline to work from, says Lenny Hall, adjunct instructor at the University of Findlay Center for Terrorism Preparedness (http://seem.findlay.edu/terrorism). Then, assess threats and identify risks.

The threat assessment identifies potential adversaries and their capabilities and intentions. Hall points out that there's a significant difference between making a threat and posing a threat: "Many people make threats," he says, "but few pose a threat." Businesses can't respond to every threat that's made with all of their resources; that would be costly and ineffective.

A risk assessment, as defined by South Carolina's report on best practices in workplace security (www.llr.state.sc.us/workplace/workplacesecurity.htm), measures the probability that a threat will result in an incident and evaluates the severity of the consequences from that incident. If an organization hasn't done a separate threat assessment, the risk analysis will often assess threats as its first task. Hershman includes an assets assessment (listing and prioritizing assets) as part of the risk analysis.

For companies already involved with the ISO certification process, ISO registrar BVQI has developed a security management system standard that applies management tools and techniques to security, following the same plan-do-check-act format as other ISO standards. Like processes developed by company security departments or security consultants, it includes vulnerability and risk assessments and then goes on to apply such management tools as internal auditing, training, preventative action, controlling documents, keeping records, and so forth (email dchurch@bvqina.com for a copy of the standard).

Create a crisis-management plan. Although not every company will have the same degree of risk, every company should have a crisis-management plan--not only for potential terrorist attacks but also for natural disasters, fires, and workplace violence. The goal of such a plan is to protect employees and the business while an incident is occurring and minimize the damage to both. Jane's Workplace Security Handbook suggests a close tie between the threat assessment and crisis plan, saying that security policies and procedures should be "based on the priorities identified by the threat assessment team."


 


Content provided in partnership with Thomson Gale