reThink Security

So we attended the GSX show this year in Chicago to discover what is new (no to much), what is cool (Chicago is very cool) and catch up with colleagues scattered all over the world.

In the topic of what is new, for sure the industry is understanding the the mobile phone is the credential of the future. There are a few different models for implementing the mobile credential from annual subscription to one time fees. Lots of Bluetooth … some NFC . STiD, a company from France, had some cool innovation.

There seemed to be less overall hype about analytics this year and a bit more realism … likely due to folks like me who bought into the hype hook line and sinker in the past and were very let down. I would still love to see Boolean “and” to the rules engine in order to reduce false alarms.

The floor seemed a bit quieter this year … maybe just a perception. Some amazing networking done and some amazing music heard in the bars!

In my previous career, I used to joke that a Consultant is a person who writes great big reports that nobody reads. Now that I am a consultant …. its not so funny! The question is, however, is if it is true?

More is usually better. An extra ice cream scoop or a third encore from an awesome band is readily enjoyed. But what about a consultant’s report. Does an executive want to have to read and digest 100 pages of material in order to take action on my recommendations? I am guessing NOT. And if they do read all 100 pages of material is it because they are is passionate about the material or is it because they are not blindly ready to go ahead with the recommendations. In most cases it is the latter.

So building that perfect report is a science of giving recommendations that are uniquely suited to the problem at hand in the most concise manner possible. There has to be enough content to support the recommendations and there has to be enough content to satisfy the client that I know what I am talking about; meaning the recommendations are based on solid principles and analysis.

The test for the report is asking myself after every paragraph, why my client should be reading this. If it is so they gain knowledge to understand the recommendations then it stays. If it is just to make them a bit smarter about security in general, or for me to feel better about how much I charged them, it will probably go deep into an appendix somewhere.

rbl

start rant …

Apologies in advance for the verbose !! Apologies also for a bit of SCREAMING. “This one is serious”, says the guy who’s loved one has spent 3 decades in health care facilities.

Just back from the GSX show which was amazing by the way. There were an abundance of health care security providers with some significant improvements to existing technologies (battery life, size, integration). All good. My perception, however, is that what is drastically under-represented in healthcare security are solutions to keep health care providers safe in the critical first few seconds of an incident. The conversations at GSX go like this. “Well in the event of an incident, the person activates this super cool device and security is alerted and promptly responds.”

So …. note to architects, electrical engineers, fellow consultants, health care authorities ….. In the vast majority of health care facilities in Canada …. THERE ARE NO SECURITY PERSONNEL! NONE! Health care providers have themselves for the first 5 seconds, each other for the next 5 minutes and only then the police. Even where there is security (large hospitals), they are extremely over-tasked and expecting a response in less than 1 minute is unreasonable.

The FACT is this: The only objective for a health care provider in the first 5 seconds of a security incident is to survive that first 5 seconds. No panic buttons, blue tooth RTLS, video analytics, nurse call …. none of it will do anything in what I submit is the most critical part of a security incident.

Following the first 5 seconds, the ONLY objective of a health care provider will be to survive and make it to 15 seconds without serious injury. Anyone having spent 15 seconds in a critical incident will agree that 15 seconds seems like a long long time. The only objective in the 5 to 15 second interval is to be able to survive for a minute. Some thought may go out to fellow worker and patient safety however for their safety, they need to be 100 percent focused on the threat.

I submit that it is only after this period that the fruit of all the advances in Healthcare Security I saw at GSX will begin to help … and to be fair, they will help greatly if implemented with sufficient staff and resources (subject of a later rant).

So as always it is easy to “raise issues” and I don’t believe in complaining unless there are solutions.

I am going to put that first 5 seconds of survival largely on the backs of the hospital designers (and us security consultants who work with them). Having a hospital room where a health care professional can work effectively while be in a tactically advantageous position is the single best step in allowing an effective escape. A lower bed is harder for a violent person to get out of than a higher bed. Having a site-line to the patient while viewing instruments or providing service is crucial. DON’T PUT THE PATIENT BETWEEN THE SERVICE PROVIDER AND THE DOOR … EVER.

The next time period is also going onto the backs of designers and security consultants. After the first 5 seconds, it is reasonable that fellow workers may be available to assist. THEY ARE NOT TRAINED TO PHYSICALLY HANDLE A VIOLENT PATIENT. What needs to happen is an effective “shelter in place” option.

A typical 1200 page request for tender document for a large healthcare facility “may” have less than 2 paragraphs that address this and I would submit that that is poor. There are dozens of pages describing the electronic systems that are required. Everything is neatly partitioned into a “Division”. The fact is that teams making submissions for health care facilities do not have a realistic understanding of what happens to those camera feeds, access control logs, alarm signals. Security is poorly represented in the existing divisions.

To let the architects and engineers off the hook a bit, their job is to win the project, build the project and then go onto the next project. Health authorities and the teams that prepare statements of requirements need to spend more time (read cost) on this aspect.  And to let the health authorities off the hook a bit, they are under crushing financial constraint.

It is my submission however that money spent on a CPTED front end (with the caveat of proper training) will pay dividends over the life of a facility.

… end rant.

rbl

So I submit that pretty much everyone on the web is either trying get as much exposure as possible …. or as little exposure as possible.

I spent the bulk of my career in the quieter side of police work where if I never had a twitter follow or facebook friend I was happy. Sadly I am old enough to have lived in the age where an unlisted phone number would make me virtually undetectable. I was a turtle … head down and undetected.

So entering private industry, I soon became a Peacock. Peacocks are  wanting to look bigger than they are. I find myself in this camp often when describing my company as “we do this and we do that”. Truth is there is very little “we” and a lot of “me”.

Feeling guilty, I started to look around at my peers …. turns out we are mostly all Peacocks!  I am not convinced this is great for anyone. Potential customers are wise to do a bit of digging … is that downtown address a postal box. Are those dudes on the “team” page still around ? And the Peacocks should be careful in taking on more than they can chew. There is no value for anyone in taking on a job that cannot be completed in the required deadline and budget.

So you will see a lot of “we” on my site (our site haha). Frankly I think it sounds nicer than “me” so I will leave it as such. Truth is these days it is a lot easier to be a peacock than a turtle 😉

Apparently Einstein has been attributed with a saying that goes something like “If you have 100 days to solve a problem …. spend the first 99 understanding the problem.”

While I might not agree on the 99 to 1 ration ratio, I certainly agree that too often not enough time is spent on understanding what the problem is.

Quick Case in Point. Potential Client tells me he needs a video security system. Yikes its a big parking lot …. tell me more?

Well one of my guys came out after work and his window was smashed.

That sucks … has this ever happened before?

Once about 7 years ago.

So we can spend 50K on a video system that would let you have a movie of the next incident … or you could buy your guy a windshield for $500.

So clearly the problem is not the cost of the window. It is way cheaper to replace the window than install a new video system. The problem is the safety and vulnerability faced by his staff.

Thing is, how much safer do his staff feel with video surveillance … 50K safer???  That’s not for the consultant to answer … the building owner can now make an informed decision.

On this occasion, they re-worked a safe walk policy and spent some of the savings on a BBQ.  Poor me … lost a potential consulting gig but maintained a great future client … and I enjoyed a free hot dog !!

So here we are …. not afraid to challenge the status quo. There will be ideas about security … that’s what mostly pays our bills and we love it. But innovations in other industries are super interesting and will have applications both for security and beyond.