Quality guarding contractors, and efficient in-house security management teams, will be measuring the day-to-day effectiveness of their guarding teams through a range of different professional processes. These will include, for example, SLA’s, daily occurrence reports, customer feedback questionnaires, regular meetings with operational personnel, and various other performance measurement tools, writes The Security Institute Chairman, Mike Bluestone. All of these combined measures will contribute to understanding just how effective a team really is. But there can be no doubt that another useful tool in highlighting any gaps in the operational procedures or guarding activities, is by carrying out what are frequently called, ‘Penetration Tests’. Physical Penetration Tests are a proven method of identifying weaknesses and/or vulnerabilities in site operational procedures and Assignment Instructions. Such tests can also be beneficial in pointing out physical security and safety deficiencies. This could include, for example, highlighting the increased safety risks to a security officer who is deployed in guarding an open entrance, without the benefit of a physical barrier in support.
The methodology
for actually implementing such tests can vary, but the success of such tests
will depend first and foremost, upon the care and professionalism in which they
are carried out, and secondly, the imagination and innovation of those tasked to
do the testing. One thing that should always be borne in mind, by both the
testers and those being tested, is that such tests should never be about
‘finding fault’, or apportioning blame. Such tests (when carried out
professionally) should be seen solely for what they are, namely an independent
method of verifying the veracity of a system and the identification of any
shortcomings. Indeed, it is not uncommon for the outcome of a test to show that
there are no defects or shortcomings. Should such an outcome be termed a ‘failed
test’? Not at all. A ‘failed’ penetration (which reveals no defects) is
verification of both the effectiveness of the security team, as well as the
robustness of the operational procedures. It’s a ‘win win’ all round. My
contention is that even the ‘successful’ penetration of a secure environment, is
also a ‘win win’ result. The reason being that it is surely far better to be
made aware of a gap in security (which can then be corrected by the ‘good guys’)
instead of allowing that gap to be exploited by an adversary.
The message is
two-fold. Firstly, only use experienced professionals to carry out such tests,
and secondly educate and inform security teams of the true objectives of such
tests, namely to identify weaknesses and enable their correction. After all, the
final outcome will lead to the prevention of loss of assets, as well as the
potential saving of life. Penetration testing is indeed a serious business.
Mike Bluestone MA FSyI MCMI is Director of Security Consulting at CIA Excel
Group and
the current Chairman of the Security Institute
CIA EXCEL WEBSITE
|
