Mark Wylie - SECURECorp - Security Management System


Mark Wylie delivered the presentation at the 2014 Campus & Student Security Conference. The 2014 Campus & Student Security Conference emphasised the importance of engagement and communication by bringing together a broad range of stakeholders who actively exchanged ideas, initiatives and opinions around optimising student security. For more information about the event, please visit: http://www.informa.com.au/campussecurityconference14

Transcript of Mark Wylie - SECURECorp - Security Management System

Campus & Student Security Conference

Security Management System

Mark Wylie, Principal, SECUREcorp Risk Management Services

Campus & Student Security

• Learning the lessons of aviation safety
• Minimal security redundancy systems
• Security latent conditions and causal analysis
• Integrating a Security Management System

Security Threat

Commercial organisations are always victims of criminal activity, both organised and opportunistic.

Criminals using sophisticated methods and tools are forever seeking to exploit weaknesses in an organisation’s defence systems.

Terrorist organisations are constantly evolving, planning, unpredictable, financed and well equipped, generally driven by geo-political and religious factors, but now fuelled by a widening set of causal factors – poverty, government corruption, oppressive regimes, social upheaval, and the radicalisation of individuals and groups.

People in non-security roles have a limited understanding of what security does and can do.

The Challenge

Contemporary threats of terrorism and organised crime provide asymmetric and networked challenges that are more difficult to respond to.

Organisations suffer from an incapacitating event, or are vulnerable to errors and violations and to unknown threats and risks that disrupt normal business.

Coupled with organisational latent conditions and the limitations of people, this only increases the opaque weaknesses.

We need to overcome the lure of technology as the panacea.

People can be your greatest asset and your greatest risk.

Current Response …

The current security response is generally the application of industrial age responses to current information age problems.

The traditional response of applying ever-increasing levels of reactive security counter-measures, such as people and technology, does not maximise risk reduction.

Perceptions of Security - 1997

Security Opportunities

Ansett Aviation experience – SMS (Safety Management System)

Easily applied to security – SeMS (Security Management System)

A proactive system of security that integrates key elements and all stakeholders, balancing competing perspectives and issues.

• Safety errors and security violations: both lead to loss and harm

Prof James Reason’s accident causation models (engineering, person, and organisational) demonstrate how organisational decisions & systems are vulnerable and lower resilience.

REASON’S MODEL (diagram)

Professor James Reason’s Model of Systemic Failure can be applied: latent conditions combine with people frailty.

Defensive layers shown in the diagram: Open Communication; Defence in Depth; Ethical Culture; Good Management; Audit Controls; Policies & Procedures; Proactive Approach.

The gaps (holes in the layers): Poor Work Practices & IT Systems; Non Compliance – Lack of Awareness; No Reporting & Follow Up; Operational Pressures & No Accountability; Abrogation of Responsibility.

Result when the gaps line up: Loss & Harm.

Safety v Security: Parallel, Independent Redundancies Ensure Safety (diagram)

Redundant layers shown: Flight plans; Mutual Monitoring; Procedures; Checklists; Crosscheck; Training; CRM; Back-up systems; Alerts & warnings; Readbacks; SOPs; Automation; Redundant hardware; Redundant software; Manual reversion modes; Pre-flight Wx forecast; Inflight Wx/PiReps; Wx radar, Pilots’ eyes; GPWS, MSAW, TCAS; Instrument scan.

… against threats to safety that are neither deliberate nor the result of intelligence and planning.

Source: Sandra Hart, NASA – Ames Research Center

Safety vs Security: The security “net” is vulnerable because it lacks redundancy (diagram)

Diagram labels: Threat Vectors; Nodes in the Security Net.

… against threats to security that are ill-defined, evolving, covert, and the result of deliberate and intentional actions.

Source: Sandra Hart, NASA – Ames Research Center

Latent Conditions

SMS identifies latent conditions – recurring nightmares:

They arise from decisions made years earlier by senior management, regulators and designers – people (limitations).

They float around the ether, like pathogens in a body looking to infect clean cells, and become unknown causal factors.

A decision is made to implement a risk treatment to control an assessed risk event, but with no foreseeability of the impact of the treatment = increased risk.

They combine with front line error – Longford Gas Plant explosion 1998.

Need causal analysis.

Causal Analysis

SMS demands identification of underlying causal factors, not symptoms – there are many methods.

An important context and approach that could assist is:

Hindsight – ‘knew-it-all-along effect’ = the inclination, after the event, to see it as having been predictable, despite no objective basis for predicting it before the event.

Insight – understanding the causes and effects in a specific context.

Foresight – prescience, knowledge or insight of the future.

• Scenario analysis: considering alternative possible outcomes
• Don’t replace one risk with a risk of another kind

Security Management System

How do we mitigate people limitations, unknown causal factors and unforeseen catastrophic events?

One way is to implement SeMS.

Key Features:

An explicit element of the corporate management framework – to establish a security posture and strategic intent.

A structured and systematic means for an organisation to achieve and maintain high standards of security.

• Strategy, Structure, Systems, Resources, Capabilities

A business-like approach – alignment with commercial objectives, governance and regulatory compliance.

Security Management System

Key Features …

Security managers are business managers with security expertise.

Shared accountability – multiple stakeholders contributing cross-functionally.

Nudges security culture.

Can reduce the negative impact of:

• Departmental silos
• Disconnect between senior management, middle management and employees

(Diagram of organisational functions: Business Planning; Sales & Distribution; Operations; Support)

… Can be addressed across an organisation in different areas, at different levels and with a different focus …

DESIGN & BUILD – IMPLEMENT – PREVENT

• Executive support
• Strategic intent
• Structure & roles
• Product & services
• Policy, communications & training
• Change management model
• Cross-functional links
• Risk management
• QA – audit
• Policy, procedures & work practices
• Reporting & trend analysis
• Investigation, causal analysis & reporting
• Reviews
• Projects
• Education & awareness
• Stakeholder relations
• Evaluate performance & modify

Security Management System

SECURITY MANAGEMENT SYSTEM (framework diagram)

Four pillars: Strategy & Alignment; Structure & Accountability; Management Systems; Resources & Capabilities.

Elements shown under the pillars:

• Programs & Activities Implementation
• Confidential Reporting
• Training & Awareness Program
• Security Data Analysis
• Operational Reviews & SeMS Audits
• Risk, Quality, Tech, HR, Audit, HF
• Security Promotion
• Strategic Intent
• Cross-Functional Implementation
• Management Security Committees
• Security Organisation Structure
• Line Management Roles & Accountability
• Emergency Response & BCM
• Technology & Labour Performance
• Change Management Methodology
• Investigations & Causal Analysis
• Policy, Procedures & Work Processes
• Knowledge, skills & experience
• Exec Management Commitment & Promotion
• Security Culture
• Corporate Security Governance
• Planning, Goals & Objectives
• Programs, Activities & Tools Design
• Chief Security Officer
• Regulatory Compliance
• Information Dissemination
• Document & data control

Security Maturity? (diagram)

Axis labels: Technology – Discipline – Science?

Labels shown on the diagram:

• Causal analysis – future scenario analysis
• Reactive linear focus: responding to single incidents & no analysis
• Trend analysis of security breaches
• Human Factors – Error Management
• Automation – lure of technology panacea
• Security Management System
• Causal analysis of security breaches

Perceptions of Security - 2014 (diagram)

Labels shown: Acceptance; Marketing; Product & service development; Security sign-off.

Questions

Contact:

Mark Wylie, Principal, SECUREcorp Risk Management Services

M: 0431 646 762

E: [email protected]