Operational Security: Reflections from an all-hazards perspective
Bob Fields, CEM
Emergency Services Manager
Santa Clara Valley Water District
San Jose, California
Perceptions can be and often are very volatile. For instance, from an organizational point of view, many people today believe that we are never going back to Homeland Security Level GREEN (low). Although technically present at Level YELLOW (elevated), security operations at this threat level condition are rapidly becoming routine. It is inconceivable to many individuals that we will ever resume casual business practices.
Awareness and perception of the inherent dangers and complex threats facing public service organizations today and the potential consequences they could have on our existence have changed significantly since September 11, 2001. These threats cross a broad range of contingencies from malevolent (criminal or terrorist) acts to natural or technological disasters and they all carry a potential for an organizational mission disruption. For example, it is conceivable that a terrorist disruption of a large area electric power grid could indirectly put you out of business even though your facilities were not directly attacked.
A fresh all-hazards paradigm for operational security and emergency management is needed. One way to look at it is to compare mission capability disruption to potential adverse consequences. For example, in Figure 1 (Simplified Event Consequence Table - August 2001) the author's employer depicts how progressively adverse consequences on organizational mission are met with a corresponding rise in the intensity of response countermeasures. When the national Homeland Security Advisory System color-coded threat level chart appeared in February 2002, the author's organization in turn developed the Simplified Homeland Security Table (March 2002) depicted in Figure 2.
The reality is that operational security of any organization is threatened by two fundamental vulnerabilities:
Both vulnerabilities may arise from an exposure to earthquakes, hazardous materials incidents, hurricanes, winter storms, fires, floods, tornados, financial distress, accidents, loss of public confidence, evil acts, and in some cases, potential fear of the events or acts themselves.
Examples of how operational security vulnerability mitigation can be accomplished:
All-hazards vulnerability mitigation tools may include:
Soon after that fateful September date, many critical infrastructure and/or public service organizations conducted assessments to assess evil act threat exposure. The assessments often performed valuable pair-wise comparisons to prioritize critical facilities and yielded site characterizations to evaluate the loss of these sites. However, many vulnerability assessments were perceived to provide the right answers to the wrong questions in that they may have:
The bottom line
Security and emergency management cannot be simply event driven! The new paradigm must be approached through increased awareness, preventive measures, and robust preparedness. Preventing an incident from ever occurring reaps far more benefits than simply reducing the costs of post-incident response and recovery. To make the response and recovery aspects of the organization's readiness as efficient and effective as possible, a collaborative and comprehensive effort is essential, one with a unified approach to all-hazards event management, and with the ultimate goal of a significant reduction in the organization's vulnerability to disruption over time. In many parts of the world this has evolved into significantly restricting the public's access to government officials and/or facilities. Are we ready or willing to embrace such Draconian measures by enforcing their application in our open society at home?
Of paramount importance for successful implementation of this new paradigm is developing an organizational culture that fosters and believes successful operational security implementation is critically dependant on information sharing; consistent, timely, and open communication between all affected parties; and a common planning framework that captures and implements valuable best practices across the spectrum of contingencies. This consistency must reach from all levels of the organization, from the highest echelons to individual field-level staff, in an open and collaborative partnership.
Bob Fields can be reached at firstname.lastname@example.org.