Response Time: The Key to Better Security Outcomes

Response Time: The Key to Better Security Outcomes WHITE PAPER


SUREVIEW | RESPONSE TIME

TABLE OF CONTENTS

Unlocking a More Efficient Security Command Center
Defining the Importance of Response Time
What Factors Impact Response Time?
    WHEN LOOKING AT OPERATIONAL BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
    WHEN LOOKING AT SYSTEMS BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
7 Tactics To Improve Response Time
    1. MEASURING AND ANALYZING DATA
    2. REDUCING FALSE ALARMS
    3. PRIORITIZE EVENTS AND AUTOMATE THE REST
    4. CREATE SIMPLE ACTION PLANS FOR COMMON EVENTS
    5. MAKE KEY INFORMATION EASILY ACCESSIBLE
    6. AUDIT OPERATOR ACTIONS
    7. DEVELOP A CULTURE WHERE RESPONSE TIME IS THE KEY METRIC
Improve Outcomes


UNLOCKING A MORE EFFICIENT SECURITY COMMAND CENTER

Every security command center is tasked with improving security outcomes. This can mean different things to different organizations depending on their industry, facilities, corporate mandates, and compliance requirements. Measuring these outcomes can be difficult: some performance requirements are almost impossible to measure, while other incidents happen so infrequently that tracking them for performance provides no valuable data.

Ultimately, there’s a single core metric to gauge security performance and outcomes: response time. In this paper we’ll explore the 7 essential steps to speed up response time so that you improve your overall security outcomes.


DEFINING THE IMPORTANCE OF RESPONSE TIME

Response time is “the elapsed time between an inquiry on a system and the response to that inquiry.” In the context of command center operations, response time is simply the lapse between when an event is raised and when an operator takes action.

Out of all the performance metrics your security team measures, why does response time have the greatest impact? Metrics such as dispatch time, assets lost, injuries, and others are critical for any successful monitoring operation, and are undoubtedly important. However, improving response time is proven to have a ripple effect on all critical metrics.

The closer you get to achieving a “real time” response, the better chance you have of a positive outcome. For example, let’s consider a simple unauthorized after-hours building access incident. If it takes the operator 4 minutes to respond to an alarm, it will take longer to identify where the intruder actually is, which in turn means it takes longer for a dispatched guard to find the intruder.

However, if the operator responds within 30 seconds, the dispatching officer is likely to find them quickly because the person has had less time to get far from the point of entry. In this example it can be the difference between intercepting the person in under 5 minutes versus taking 15-20 minutes to find them. A lot can happen in 15 minutes!


WHAT FACTORS IMPACT RESPONSE TIME?

Not every command center is the same, but in general the types of things that can impact response and create bottlenecks can be broken into two categories: operational bottlenecks and system bottlenecks. Operational bottlenecks take the form of processes, procedures, and HR, while system bottlenecks typically take the form of overwhelming amounts of data stored in multiple different systems.

WHEN LOOKING AT OPERATIONAL BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:

• Are there enough operators on shift to adequately respond to the number of events that occur?

• Can these operators handle the volume of this traffic?

• Are responses operationally consistent across the organization?

• Is the process operators follow the same every time, or do they rely on their knowledge and experience?

• Are operators effectively trained for all the scenarios they’re likely to encounter on shift?

WHEN LOOKING AT SYSTEMS BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:

• How many systems are creating events?

• Are events from all systems correlated into one central queue?

• How many of these events/alarms are false?

• Is the 80/20 rule in effect? (Are 80% of my alarms coming from 20% of locations?)

• How many alarms are presented to operators that don’t require an action?

• How are alarms prioritized, and is this prioritization consistent across systems?

• How many different systems contain data required to coordinate a response?

It’s time to begin looking critically at your systems. These questions can help guide your conversations with your teams.


7 TACTICS TO IMPROVE RESPONSE TIME

1. MEASURING AND ANALYZING DATA

Security professionals are faced with difficulties normalizing and processing complex data on operator response times, alarms, and dispatches captured in multiple systems and formats.

Systems like SureView centralize the response process in the command center and capture these key metrics as operators do their job. Using the interactive reporting module, Insights, managers and supervisors can quickly analyze performance across both operations and systems.

For Operations, Insights provides top-line metrics for both response and processing time by operator and regions. When looking at systems, Insights focuses on alarm event counts by location and point-over-time. Managers can use these reporting metrics to set performance baselines and SLAs, allowing them to easily measure the impact on overall security outcomes.

Management thinker Peter Drucker famously said: “If you can’t measure it, you can’t improve it.”


2. REDUCING FALSE ALARMS

Once you’ve effectively implemented a process for measurement and analysis, it’s time to take your captured data and drill down into one of the most common response time detractors: false alarms.

It’s a well-known story: operators have a long, scrolling list of alarms in their queue and see “another one of those alarms” pop up. They have seen this alert so many times they have become numb to the condition. Consequently, buried in this list of alerts is a real event that requires immediate action that doesn’t receive a quick response. Before developing a plan to reduce false alarms, it’s important to understand what causes them.

FALSE ALARM EVENTS TYPICALLY FALL INTO TWO CATEGORIES:

1. Alarms caused by faulty equipment

2. False positive alarms, which falsely identify an activity as a threat

Alarms caused by faulty equipment are relatively easy to resolve. Faulty systems and equipment can present as either sending large quantities of alarms (i.e. multiple alarms a second) or alarms for an unanticipated or nonexistent event (e.g. door-open alarm being triggered when the door is, in fact, closed). Security technology professionals can troubleshoot these systems to identify the source of the alarms. While this investigation is underway, security teams can mask these points from monitoring until the system is restored.

False positives are a far more difficult issue to resolve. The system or device is operating properly but triggering alarms that, while not true threats, still require operator action. One example of a false positive is an expired access control card. The system raises a valid alarm, albeit one that could have been avoided if the card had been updated prior to its expiry date.

Reducing false positives requires an understanding of the behaviors that are causing the alarm, then either changing the configuration of the device, updating the system, or changing operating procedures. There is no silver bullet for false alarms as each circumstance is different.

The reporting capabilities of SureView make capturing this data easy. It’s very common for alarm reports to show 80% of traffic coming from 20% of points. Dig into the data to work out if these alarms are being caused by faulty equipment or false positives. By reducing and ultimately eliminating these false alarms, operators’ response times will be greatly improved because they will be focusing entirely on processing genuine alarms.
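The 80/20 check and the faulty-equipment signature (multiple alarms a second) described in this section can be run against any exported alarm log. The following is an added example, not SureView code or part of the original paper; the log format, the point names and the one-second window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alarm log (timestamp, point id); not data from the paper.
SAMPLE_ALARMS = [
    ("2024-01-01T02:00:00.100", "door-12"),
    ("2024-01-01T02:00:00.400", "door-12"),
    ("2024-01-01T02:00:00.900", "door-12"),
    ("2024-01-01T02:00:05.000", "door-12"),
    ("2024-01-01T02:10:00.000", "door-12"),
    ("2024-01-01T02:20:00.000", "door-12"),
    ("2024-01-01T01:15:00.000", "pir-03"),
    ("2024-01-01T03:40:00.000", "pir-03"),
    ("2024-01-01T22:05:00.000", "door-07"),
    ("2024-01-01T23:30:00.000", "cam-21"),
]

def pareto_points(alarms, share=0.8):
    """Busiest points that together produce `share` of all alarms,
    plus the fraction of all points they represent."""
    counts = Counter(point for _, point in alarms)
    if not counts:
        return [], 0.0
    target = share * sum(counts.values())
    selected, running = [], 0
    for point, n in counts.most_common():
        if running >= target:
            break
        selected.append(point)
        running += n
    return selected, len(selected) / len(counts)

def burst_points(alarms, window=timedelta(seconds=1), limit=1):
    """Points that raised more than `limit` alarms inside any sliding `window`.
    These are candidates for a faulty-equipment investigation and masking."""
    by_point = defaultdict(list)
    for ts, point in alarms:
        by_point[point].append(datetime.fromisoformat(ts))
    flagged = {}
    for point, times in by_point.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[point] = peak
    return flagged

if __name__ == "__main__":
    print(pareto_points(SAMPLE_ALARMS))
    print(burst_points(SAMPLE_ALARMS))
```

Points that appear in the Pareto list but not in the burst list are the ones to review as possible false positives rather than equipment faults.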


3. PRIORITIZE EVENTS AND AUTOMATE THE REST

So far, you have metrics to understand the traffic in your environment and a plan to reduce false alarms. It’s also important to identify the events that operators are responding to, and if their responses are appropriate and necessary.

SureView can automate many common processes for an operator, such as recording cameras, sending notifications, and triggering actions. This automation can be used to eliminate the need for an operator to respond to repetitive events that are not an active threat and don’t require the operator to make decisions. Of course, you could just ignore these alarms. However, many operations require logging all events for compliance or management reporting. SureView allows these events to be auto-handled and logged, eliminating distraction for the operator.

When deciding which events require operator action, it’s important to be consistent. SureView uses a flexible model where alarms are given a numerical priority rating, with priority 1000 as a threshold. Alarms at this rating or higher override any masking and will still be presented to operators even if an area is disarmed.

Prioritizing events not only helps to rapidly order the alarm list, it can also help group similar events and route traffic to the appropriate operator groups. These workflows can be used to improve the performance of your team and can include internal SLAs that trigger additional actions or escalations based on response time.

For example: You decide that first-line operators are responsible for events with a low priority, while second-line operators respond to the higher priority events and escalations. As alarms are received, the priority level indicates how they are routed. You can add an SLA that automatically escalates a priority alarm if it doesn’t receive a response within 1 minute.
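The routing and SLA rule in the example above can be written down as a small model. This is an added illustration, not SureView code: the 1000 override threshold and the 1-minute SLA come from the text, while the 500 boundary between first-line and second-line queues, the field names and the sample alarms are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

OVERRIDE_PRIORITY = 1000    # from the paper: at or above this, masking is ignored
SECOND_LINE_PRIORITY = 500  # assumed boundary between first- and second-line queues
SLA_SECONDS = 60            # from the paper's example: escalate after 1 minute

@dataclass
class Alarm:
    alarm_id: str
    priority: int
    masked: bool                          # point masked or area disarmed
    raised_at: float                      # seconds since shift start (constructed)
    responded_at: Optional[float] = None  # None until an operator acts

def route(alarm: Alarm) -> str:
    """Return the queue for an alarm: 'masked', 'first-line' or 'second-line'."""
    if alarm.masked and alarm.priority < OVERRIDE_PRIORITY:
        return "masked"  # kept off the operators' alarm list
    if alarm.priority >= SECOND_LINE_PRIORITY:
        return "second-line"
    return "first-line"

def needs_escalation(alarm: Alarm, now: float) -> bool:
    """True when a presented alarm has waited past the SLA with no response."""
    if route(alarm) == "masked" or alarm.responded_at is not None:
        return False
    return now - alarm.raised_at > SLA_SECONDS

def dispatch(alarms, now):
    """Build priority-ordered queues and the list of alarm ids to escalate."""
    queues = {"masked": [], "first-line": [], "second-line": []}
    for alarm in sorted(alarms, key=lambda a: (-a.priority, a.raised_at)):
        queues[route(alarm)].append(alarm.alarm_id)
    escalate = [a.alarm_id for a in alarms if needs_escalation(a, now)]
    return queues, escalate

# Constructed sample alarms; ids, priorities and times are illustrative.
SAMPLE = [
    Alarm("A1", 200, masked=False, raised_at=0, responded_at=30),
    Alarm("A2", 700, masked=False, raised_at=10),
    Alarm("A3", 300, masked=True, raised_at=20),
    Alarm("A4", 1000, masked=True, raised_at=40),
    Alarm("A5", 100, masked=False, raised_at=80),
]

if __name__ == "__main__":
    print(dispatch(SAMPLE, now=90))
```

Alarm A4 shows the override: its area is masked, but at priority 1000 it is still queued for an operator.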


4. CREATE SIMPLE ACTION PLANS FOR COMMON EVENTS

Organizations typically have detailed Standard Operating Procedures (SOPs) to dictate how their team should respond to a given event. Too often, these SOPs are complex and inaccessible.

Chances are, your security response SOPs are in a thick binder collecting dust under a workstation. Consequently, your team can’t quickly access the information they need when an event occurs, making your SOPs all but impossible to enforce.

We encourage security teams to simplify these SOPs into on-screen, interactive checklists or action plans that provide operators with an easy way to consistently respond to events. SureView provides a straightforward way to create simple action plans and enforce them, ensuring that every time an operator processes an event the response is consistent.

SUREVIEW PROVIDES CLEAR OPTIONS FOR THE TYPE OF ACTIONS YOU WANT TO CREATE, INCLUDING:

1. The ability to create basic actions that tell the operator what to do

2. The ability to input actions that require the operator to add information to the event (e.g. What color shirt was the person wearing)

3. Yes/No questions that provoke an action or response

4. Steps that require the operator to dispatch a guard/officer

5. A URL that provides a link to a website (e.g. a link to your ticket system to raise a device issue that requires investigation by the Security Technologies team)

6. Dependency actions, which are especially useful with Yes/No questions

7. Action categories, such as medical, dispatch, or surveillance actions

8. The ability to quickly share actions with other operators, especially in a crisis, so that operators can collaborate closely on the response

Any of these simple actions can be set to be mandatory, ensuring that operators complete the most essential steps.


5. MAKE KEY INFORMATION EASILY ACCESSIBLE

It is critical to identify the key information operators need to respond to an event. Call lists, location maps, alarm and event details, area notes, and schedules are all essential to ensure a quick response. Putting all this information in one place gives the operator the situational awareness to coordinate a response without jumping between multiple systems to find the relevant information.

Take a call list as an example. Operators often need to access multiple systems to identify the key personnel to contact at various buildings. These systems were designed to support a single building or function, not to offer the security team easy access from a command center. With SureView, an operator simply clicks on the location to access the key contacts for that site.

Maps provide operators with critical information that helps in rapid response. Maps should always include the location of cameras, doors, and your organization’s physical assets. Equally important are locations of nearby police, fire stations, hospitals, and guard posts. SureView utilizes Google or ESRI mapping interfaces to put this key security information at the heart of the response rather than buried in another business system.

It’s rare that security teams have easy and immediate access to this sort of information without having to jump across various systems that were not designed with the unique needs of security in mind. These operators are often responding to remote events in locations they have likely never visited, making centralized access to this information even more important for rapid response.


6. AUDIT OPERATOR ACTIONS

As you begin to break down operational and system bottlenecks, it’s important to be able to constantly adapt to change. An audit trail makes this possible.

Keeping detailed audits of operator actions helps managers identify opportunities to improve response. Action plans, dispatch instructions, and escalation rules will need to be constantly adapted for new threats, changing service requests, or new compliance rules.

Auditing operator actions provides managers with the details they need to understand changes and how these changes might impact operations.

SureView tracks all of this information without any additional operator actions. Operators simply do their job as usual, responding to events following their action plans, and the system captures audit data in the background. Management can then focus their attention on improving operational response rather than trying to implement a process to consistently capture this critical data.

With SureView, everything the operator saw, said, and did is recorded in a time-stamped, multi-media audit trail, which empowers managers in several ways:

1. It retains a record of exactly what the operator did in their response: what cameras they looked at, what they saw, what actions they took

2. It tracks the timing of all these actions, providing baseline reporting metrics

3. It helps identify exactly when changes occur and how they affect the overall response


7. DEVELOP A CULTURE WHERE RESPONSE TIME IS THE KEY METRIC

Real progress in improving response requires a full team effort.

Managers and supervisors need to develop response SLAs and triggers for escalation when these are broken. Security technology teams need to focus on false alarm reduction. Operations staff need to focus on identifying any steps in their response that are consistently slowing them down.

Everyone on the team has a role to play in delivering a command center that is efficient and able to respond quickly in order to improve security outcomes for the organization. SureView provides the platform that enables everyone to deliver this goal.

IMPROVE OUTCOMES

Response time is the single most powerful indicator that your team is achieving the best possible security outcomes.

In order to effectively improve your security operations and maximize the capabilities of your technology, you need to effectively measure your performance. Leveraging a solution to centralize your security technology and streamline operations is the key way to improve response time, standardize security response, and improve event outcomes.


Florida Office: 400 N Tampa St Suite #1750 Tampa, FL 33602. Phone +1 (888) 387.2860

California Office: 101 Jefferson Drive Menlo Park CA, 94025. Phone +1 (888) 387.2860

UK Office: Hawthorne House, Tawe Business Village, Phoenix Way, Enterprise Park, Swansea, SA79LA, UK. Phone +44 (0) 1792 278 110

sureviewsystems.com
