Securing a Security Budget: Probable Threats vs. Describable Threats

One of the greatest challenges for any security professional is to convince management to provide an adequate budget to protect corporate assets. One of the more recent trends in the industry is to provide management with a calculated return on...

We went back to our Disney resort hotel room to see what would happen next. We watched the news and could see the progress of the storm as it moved closer to Orlando. The weatherman was predicting when the storm was going to reach particular communities. The storm hit Orlando at approximately 9:00 pm. As it moved close to the hotel, we moved away from the windows and spent about 30 minutes in the bathroom. We survived the hurricane, but what about Disney? Saturday morning three of the four parks announced they would be open all day. We headed back to Epcot Center, where it was business as usual. There were only a few signs that a hurricane had passed through; the monorail was not running, and a handful of trees had been uprooted. But the vendor carts were in use, the ticket booths were in use with no damaged glass. Did Disney management make the right decisions regarding the hurricane? Absolutely. Why? Because they focused their energies on protecting their facilities, their employees and their guests from a probable threat.

Local Threat Tracking Resources
A hurricane is a clear example, but what about other, less obvious threats? Can they be tracked in a similar fashion? Absolutely. Current trends and threats are tracked, monitored and reported by numerous groups and organizations. Local groups can often be the best source of information because they can address the most immediate concerns.

In the Kansas City metropolitan area there is a group called ASAP, the Association of Security and Police, which meets monthly to discuss current crime and security problems that local law enforcement and private security professionals are encountering. For example, if vehicle break- ins are on the rise in a particular part of town, businesses in that area of town can direct additional resources at protecting company parking lots. They can dedicate these resources because they are aware of probable threats in their area. Other information that is passed along includes descriptions of individuals that are wanted by the police for various crimes. All of the information that is shared by this organization allows security professionals to be aware of the most current threats in the metropolitan area.

A security director can present this information to management when requesting resources for the security department, and management is more likely to listen because the threats are credible and identifiable. Approaching management with a generic list of threats is counterproductive, and can make any security professional appear to have a Chicken Little approach to security. Yes, there are numerous threats to any business, but practical businesspeople will only release funds for security if they recognize that the expenditure will directly and immediately protect the business from a loss.

Local organizations are helpful in disseminating information regarding local threats, but where can security professionals learn of national and international threats? One valuable source is the FBI-sponsored InfraGard organization, which began in 1996 to facilitate local and national information sharing. According to the InfraGard Web site, its objectives are as follows.

  • Increase the level of information and reporting between InfraGard members and the FBI on matters related to counterterrorism, cyber crime and other major crime programs.
  • Increase interaction and information sharing among InfraGard members and the FBI regarding threats to critical infrastructures, vulnerabilities, and interdependencies.
  • Provide members value-added threat advisories, alerts, and warnings.
  • Promote effective liaison with local, state and federal agencies, to include the Department of Homeland Security.
  • Provide members a forum for education and training on counterterrorism, counterintelligence, cyber crime and other matters relevant to informed reporting of potential crimes and attacks on the nation and U.S. interests.

InfraGard provides its members with daily reports regarding current threats. In addition, members are encouraged to share information with each other regarding security issues or breaches they have encountered. To provide a secure environment where members feel comfortable exchanging information, InfraGard conducts background checks on all members. Since this organization provides information on threats in a timely fashion, it seems odd that in eight years it has amassed only 13,512 members. It would appear that this resource is significantly underused by the security industry. It seems logical that more security practitioners would become members, because what better way to demonstrate credible threats than to pass along information to management that has been disseminated by the FBI? To learn more about InfraGard visit