Chris Swecker, a 24-year veteran of the FBI and former head of corporate security for Bank of America (2006-2009), took the stage this week at Interactions 2012, a conference held in Nashville for users of NICE Systems. His presentation ranged from the impact of "big data" on security to the changes in the intelligence community since 9/11 and even the value of specialized analysts for corporate security, but one of his main messages was the value of a structured incident command approach.
Chris knows a thing or two about incident command, drawing on his tenure as Former Acting Executive Assistant Director for the FBI at the peak of his federal career. It was a career that included many notable incidents and events to manage, from suicide bombings in Iraq to the Salt Lake City Olympics and even the 9/11 attacks. Chris' message was about the unpredictability of security incidents. "The first thing you learn that will always happen in a crisis is that Murphy's Law will rear its head. The second thing you learn is that communication breaks down and that information will be going in every direction."
To deal with that incident communication issue, Chris said you have to set up a plan that directs the information toward the correct place so that the proper decision can be made. He said the intelligence community before 9/11 experienced this problem. "We had a big ear but a little brain," he said. "We were taking in that information but we were not effectively processing that information; it was a system failure, not a failure of an individual." The information, he said, wasn't getting to the right people to make those correct decisions.
To remedy that, he advocates a three-pronged approach to incident management communication. There are three people who need to be on point during an incident. First is you will need someone to gather and process the information you receive. Second, you need someone to manage the incident -- to decide how that "processed" information will be used in the field. And finally, he said, you need someone to manage the information flow.
Having someone to serve as lead on obtaining and processing the information is key -- especially when you're under duress managing a large-scale event. This person has to be able to provide what he calls "context" for the incident. They have to be able to realize the information sources they need (information which NICE hopes to help provide, through its "Situator" PSIM offering), but also what information they don't have. "Don't just take the information that you know," he said. "You need to constantly be looking at what you don't know. Don't assume you have the information you need."
It's a lesson that he says has been applied well from law enforcement leaders like former NYPD Commissioner Bill Bratton. For example, you can't measure your success based on arrests. Thought leaders like Bratton recognized the value of what is called CompStat -- a police data system approach that looked at measuring all crime, incident and resource allocation statistics -- not just arrest reports.
In addition, Chris advocates for structuring your command posts. By consolidating multiple command points to fit into this three-pronged incident command approach, you also gain value -- ensuring that information doesn't get "stuck" at a remote command post (e.g., field command). Instead that information is freed from the sometimes myopic view of a remote location, and put into context at central command.
It's a lesson that I believe is relevant in the corporate security world. That command structure approach that Chris advocates means feeding information from employees and on-site security officers via regional or local security managers up to the C-level for security and business operations -- since what your local officer or security manager may otherwise decide to do might not line up with the overall incident command picture and operational goals of your business. Take Chris' lesson to heart and you'll be better prepared when a real incident starts to complicate the management systems you have in place today.