Quality guarding contractors, and efficient in-house security management teams, will be measuring the day-to-day effectiveness of their guarding teams through a range of different professional processes. These will include, for example, SLA’s, daily occurrence reports, customer feedback questionnaires, regular meetings with operational personnel, and various other performance measurement tools, writes The Security Institute Chairman, Mike Bluestone. All of these combined measures will contribute to understanding just how effective a team really is. But there can be no doubt that another useful tool in highlighting any gaps in the operational procedures or guarding activities, is by carrying out what are frequently called, ‘Penetration Tests’. Physical Penetration Tests are a proven method of identifying weaknesses and/or vulnerabilities in site operational procedures and Assignment Instructions. Such tests can also be beneficial in pointing out physical security and safety deficiencies. This could include, for example, highlighting the increased safety risks to a security officer who is deployed in guarding an open entrance, without the benefit of a physical barrier in support.
The methodology for actually implementing such tests can vary, but the success of such tests will depend first and foremost, upon the care and professionalism in which they are carried out, and secondly, the imagination and innovation of those tasked to do the testing. One thing that should always be borne in mind, by both the testers and those being tested, is that such tests should never be about ‘finding fault’, or apportioning blame. Such tests (when carried out professionally) should be seen solely for what they are, namely an independent method of verifying the veracity of a system and the identification of any shortcomings. Indeed, it is not uncommon for the outcome of a test to show that there are no defects or shortcomings. Should such an outcome be termed a ‘failed test’? Not at all. A ‘failed’ penetration (which reveals no defects) is verification of both the effectiveness of the security team, as well as the robustness of the operational procedures. It’s a ‘win win’ all round. My contention is that even the ‘successful’ penetration of a secure environment, is also a ‘win win’ result. The reason being that it is surely far better to be made aware of a gap in security (which can then be corrected by the ‘good guys’) instead of allowing that gap to be exploited by an adversary.
The message is two-fold. Firstly, only use experienced professionals to carry out such tests, and secondly educate and inform security teams of the true objectives of such tests, namely to identify weaknesses and enable their correction. After all, the final outcome will lead to the prevention of loss of assets, as well as the potential saving of life. Penetration testing is indeed a serious business.
Mike Bluestone MA FSyI MCMI is Director of Security Consulting at CIA Excel Group and the current Chairman of the Security Institute