Metrics For Success: Working with Customers for Better Access Control

March 23, 2009

If you have been reading this column each month, you know of my passion for testing and reporting on the effectiveness of the safeguards we have installed to protect our people and assets. You will not influence anyone with metrics that just count things, but you will with ones that really measure how well you and your customers are meeting your responsibilities to protect the company.

Objective: Our intent is behavior modification — not just from our customers, but from ourselves. We may find that we need to take a look at our own ideas about what works and what does not in our protection strategy.

Strategy: If we are serious about our mission, we test safeguards on a regular basis. But we also test them to measure how well they are working and to find soft spots in our strategy. There is no security manager reading this that has not had to deal with a business unit that pushes back and demands “an inviting space and convenience”— translation: unrestricted access involving disablement of electronic or staffed entry controls. Let’s think about this for a minute.

How well have we considered the business culture as we have dealt with this “difficult” client? You can bet that for every person openly complaining about security controls, there are more out there who are simply looking the other way when those controls are purposefully bypassed to make life easier for the employees or residents. Any good patrol plan and a cadre of engaged security officers would have already told you which business functions would be targets of opportunity because of such bypasses. In the example above, Security went a step further and conducted 10 unannounced access attempts for each business unit.

If we look at the results of these penetration tests, what might we speculate are the biases of the three bad guys here: marketing, human resources and sales? I do not think I’m generalizing when I state that these functions are typically hard sells for the kind of controls we tend to like. They want convenience and freedom, and we either post someone who challenges entry or install things that impose restrictions.

What should we do with these results? First, let’s understand that the findings of these tests revealed access to customer lists, an unsecured CFO Laptop, desktop access via posted password and piggybacking into the computer room by unknown individuals, so it is clear that we have to find ways to improve. We could run to the CEO and drop a dime on the top guys of the Freedom Three, or we could approach each of these managers, discuss what we found, and then find solutions that serve a common ground of enterprise risk management.

At the end of the day, these senior managers cannot excuse the potential exposures presented by these findings, nor can we in security escape finding more creative and business-compatible asset protection solutions. The security approach we see here is a one-size-fits-all: You have our solution to access control and that’s that! Working with each business unit to direct greater protection around tighter, more internal and focused areas where convenience can agreeably give way to expedience is the middle ground found here. I would add that in this case, HR did agree that their exposure to disgruntled and potentially hostile individuals did demand greater access management and control. The model they adopted reflected the lessons from “gatekeeper” risk assessment training for receptionists and assistants coupled with duress-related technology.

Summary: Access management is a core safeguard, but there are a variety of ways to achieve that goal and a variety of user perspectives on how it could best work. Understand the range of risks driving this set of safeguards and work with your customers to tailor the protection strategy for results.

George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the Security Executive Council Web site. The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing tools that help lower the cost of members’ programs, making program development more efficient and establishing security as a recognized value center. For more information and inquiries on membership requirements, visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.