One of the most crucial elements of mitigating risk, be it in the public or private sector, is how an organization handles the information that is available to it. For many years, however, both law enforcement and security managers were reactive in nature when it came to analyzing data that could be used to mitigate threats.
According to Chris Swecker, former assistant director of the FBI's Criminal Investigations Division and the former global security director at Bank of America, the 9/11 terror attacks would change that.
"We started to realize that wasn't the best model," said Swecker, who spoke at a seminar held by NICE Systems last week in Atlanta. "9/11 was a failure to connect up information. We had a system that did not facilitate information sharing."
After spending more than 20 years at the FBI, Swecker said that the concept of "prevention" was etched into his mind when he joined Bank of America in 2006 where information management was also an issue. When he first arrived at Bank of America, Swecker said he found more silos of information in the company than when he was with the FBI as each fraud prevention division functioned as its own individual unit.
To address the problem, Swecker said he consolidated these information silos to create one comprehensive source of information. He also integrated all of the company's security command centers into a single facility from which incidents could be managed.
In addition to consolidating security divisions within a company, Swecker recommends that organizations break down all of their information silos, which includes technology (surveillance cameras, access control systems, and alarms), organic information(security staff and employees), government information sharing programs, public data sources, subscription services, and even personal contacts into a streamlined source of information to analyze.
"It's all good information to put into the machine," he said.
Swecker said it's also a good idea to identify "crown jewels" within an organization or which assets within a company should receive more enhanced security measures than others. At Bank of America, for example, Swecker said that of the hundreds of buildings that the company utilized, there were five that they identified as being critical to the company's operations and that received special security treatment.
Swecker also encourages good communication between not only security staff and the organization, but also employees who can help in the information gathering process. Another way companies can be proactive in their approach to security is through the utilization of analysts that can determine threats that may be looming on the horizon.
"Even if you hire and train one analyst, they are worth their weight in gold," noted Swecker. "You want to create subject matter intelligence within the organization."
While no risk mitigation strategy can ever be full-proof, Swecker said that being proactive and improving the way information is handled can go a long way in helping organizations reduce their threat level.
"You can't prevent everything, but you can adopt proactive strategies to reduce incidents," he said.