Why Standards?

A Security Management interview with Dr. Marc Siegel, Commissioner, ASIS International Global Standards Initiative

Dr. Marc Siegel is the commissioner of the ASIS International Global Standards Initiative. In this role, he helps ASIS develop American National and ISO standards, as well as training and education programs on standards that address resilience, security, crisis management, preparedness, and continuity. In this interview, Marc talks about ASIS International's recent activities, turf wars within the industry, and the possible adoption of the ANSI/ASIS Organizational Resilience Standard by the Department of Homeland Security.

Why should security professionals get involved in standards development?
Like them or not, standards are a reality you must live with. The important thing for security professionals to realize is that since standards are here and since they will be playing an ever increasing role in the way you do business and provide services, it really behooves them to get very involved in this process. Standards should be useful tools to work with, not barriers to providing services and conducting business. The only way for our industry to ensure that standards are business-friendly and useful tools is to write them. If we don't develop them, somebody else will, and we run the risk of people from other disciplines (such as emergency management) developing standards that can negatively impact the way our members deliver their services.

What's the biggest concern about standards coming from other disciplines?
You have some disciplines that traditionally have worked on developing prescriptive standards. If you look at building codes and fire codes, they're very prescriptive. You must do this or that. Well, that doesn't really work when dealing with security risk. You have to be able to design systems and think about how you're putting together something based on the risk rather than "Here's a prescription and everybody builds the same size fence and everybody puts in the same number of CCTVs and spaces them a certain way." It's important that companies be able to design the systems based on their risk assessment and that they have the freedom to decide what kinds of systems they are going to use. Maybe it's not cost-effective to use some physical protection measures. It may be a better strategy to be prepared in case something does happen, so you can reduce the impact.

So you want members to voice their opinions as much as possible to ensure there's the maximum amount of flexibility possible to do their jobs?
Right. They're going to have to live with standards. It's better that they live with a standard that's a good one that they wrote rather than a bad standard somebody else wrote.

Just to clarify, standards don't carry any legal repercussions when you violate them?
Standards are voluntary. If standards become accepted and popular, they can protect you. If you follow the standards and something bad happens, you can point to the standard and say, "Look, to the best of my ability, I followed the best practices." You can't always be 100 percent. Bad things happen. Standards can provide you some level of protection.

The danger is that there are groups who see this as a market opportunity to develop security standards and promote certification as opposed to implementing best practices for performance enhancement. What they're doing is developing security standards from the perspective of one-size-fits-all, similar to building and fire codes. So it's just very prescriptive, and "surprise", someone is going to check to make sure you're following the code. ASIS members in the U.S. and other countries need to be on their guard that certain consultants, and product and service providers, have an interest in influencing the development of standards that will benefit their organizations while tying the hands of security managers and imposing costly solutions and certification schemes on end-users. The target should always be enhancing performance and not simply certifying to something for a piece of paper.

So you're afraid standard developers will come at it with a one-size-fits-all mentality?
Right. The danger of a one-size-fits-all approach is that you're not basing the decision-making process on the solid foundation of a risk assessment. On a very personal level, I view this one-size-fits-all prescriptive approach as very threatening. Some groups feel they are making my life easier if they prescribe a way to protect my house. They don't bother to ask if there has ever been a break-in in my neighborhood. The same system of protective measures with sophisticated equipment should suit my house the same as a house in a high-risk area. Now, with a prescriptive standard like this, if I have a break-in in my house, I run the risk of my insurance company saying, "You know what, there was a standard that is essentially a building code, and you didn't put in the bars on the windows and you didn't put in the closed-circuit monitoring system, so we're not going to pay your insurance for your loss because you're negligent."

That's the danger. The one-size-fits-all, prescriptive approach can really cause a nightmare. Here's another scenario: A member has done a risk assessment and he decides that there's no need for bars on the window and you don't need the closed-circuit monitoring, you just need an alarm system. So he installs an alarm system and something happens and the client goes back and says, "Wait a second, you were negligent in your services, because the prescriptive standard says I should have an alarm system and bars on the windows and machine gun nests on the roof." I laugh, but this really isn't funny: there are groups selling certain types of fences that are trying to influence standards developers so one type of fence, by coincidence theirs, is the prescribed solution to all problems.

So the funny thing I would guess is that you always have the frustration of competing standards then, right?
Yes and no. It is more frustrating that some standards development organizations (SDOs) feel they need to develop standards for the industry rather than having the standards developed by the industry. Competing standards are less of a problem than a lack of compatibility of standards. ASIS strongly supports international cooperation in standards development to assure compatibility and avoid competing standards.

At ASIS 2009, one of your sessions was focused on security management versus continuity management. What I don't understand is that aren't these two concepts complementary and not antagonistic to each other?
Well, they are, and one of the reasons they picked that title is to try to get people to recognize the absurdity of this debate and attend the session. Unfortunately, there is a serious battle going on right now. Over the past five years or so, you have a general movement within our membership, and generally within the security and risk management industry, where the security manager is now being told, "Thank you, you're the security manager, but you're also the crisis manager and you're also the business continuity manager." And that movement has run head on into a small, guild structure of some of the traditionalist business continuity professionals. Some business continuity professionals feel like their livelihood is being threatened because people they've always mistakenly viewed as the guards-and-guns types are now involved in business continuity management and crisis management.

So how do you overcome that tension then?
If you're a security manager, you just ignore them. The problem is trying to get the "old school mentality" to understand that most major companies, and organizations large and small, believe you can't do these things separately. It's all about managing risks. Those who hold a traditionalist perspective want to continue to silo risks, which has time and again proven to be costly and inefficient. You have to have a comprehensive strategy to manage risk. There's been a convergence of the disciplines in progressive and efficient companies to think in terms of how to cost-effectively prevent, protect, prepare, mitigate, respond, and recover from disruptive incidents. You don't think anymore in terms of there's security and there's crisis management and there's continuity management and there's recovery management. It's all one continuum. You have to decide on the best strategy for managing risk and how to deal with all the different phases of a disruption.

So professionals who are too specialized are a dying breed?
Yeah. I think ASIS members luckily discovered that early. I think it wasn't their choice but I think a lot of companies know that they have to look at the full picture. And since you can't prevent everything from happening, if something bad happens, "Do you have a plan?"

That brings up another question. There's a lot of confusion surrounding the concepts of resiliency as compared to continuity. Why is that?
Continuity, traditionally, looks at the consequences of something bad happening, "How do you respond and recover from the disruption? How do you get your critical functions back up and running as quickly as possible and get back to normal operations?" Whereas the resilience people, they're looking at things as a three-pronged strategy. You have adaptive, proactive, and reactive strategies. You don't silo the risks and wait for something to hit the fan so you can clean it up. So in addition to developing a strategy to minimize the consequences of a disruption, you look at the potential for disruption and you think about how to develop an adaptive and proactive strategy to minimize the likelihood of a disruption. So the resilience perspective is more coming from "Do you need to change what you're doing in some cases to minimize the chance of something bad happening? Or can you better prepare for something bad happening? Or how do you treat a risk after it materializes?"

So is resiliency considered the more intellectual, holistic approach to security management?
I don't know about more intellectual, but resilience is much more cost-effective, commonsensical, and holistic because it covers the whole spectrum of prevention, protection, preparedness, mitigation, response, and recovery.

So once again, this is a matter of diversifying your skills?
Yes. I just helped a group develop a resilience-in-the-supply-chain standard, and they were very much into this idea of resilience because it avoids siloing risks. And when you start siloing risks you start overlooking a lot of stuff. Companies really have to start thinking in terms of how they're going to use their resources effectively to minimize risk and to deal with the likelihood and consequences of disruptive events.

Where do you stand on the intellectual fight over prevention as opposed to resiliency?
The people who are in the resilience movement include protection as part of resilience.

So is this a public relations argument? What I mean is that too many security professionals are afraid to say they can't prevent everything.
No, I think it turns out to be just turf wars. You have a group of people who have always worked on, "How do you come back?" when bad things happen. And then you have a group of people who are focused more on "How do you prevent things from happening?" I think resilience is a challenge to both of them. I think in terms of the end user, the organizations that have to deal with disruptions, they really have to start shifting their view of "Yes, the ideal thing is to prevent something from happening," but you can't always anticipate everything and you can't always protect against everything. Bad things are going to happen, and when something bad happens, you have to have a plan for how you're going to bounce back from it.

How will the ANSI/ASIS Organizational Resilience Standard help private organizations achieve resiliency?

The resilience standard, first of all, takes a management systems approach. A systems approach looks at how everything you do fits together. It also looks at how you develop a strategy where all the different pieces fit together and you understand how the different things you are doing link together rather than a more conventional program approach that says have a plan for this and a plan for that. That doesn't necessarily connect the pieces together, so you could have an excellent plan for something, but because you didn't think of linking it with your training and human resources, nobody really understands what their role is in the game. Another thing that is different about the organizational resilience standard is it takes this holistic view that you're looking at how you're going to manage risk. And you're thinking about managing risk from the perspective of preventing, protecting, preparing, mitigating, responding, and recovering. So it really is an umbrella standard. It takes the broad approach that you analyze your risk and then you develop a strategy based on how you're going to treat and control the risks before, during, and after the disruption.

How does the ANSI/ASIS Organizational Standard meet all of the DHS preparedness criteria?
The Organizational Resilience standard meets all the preparedness criteria published by the DHS, not surprisingly since the standard was developed to provide organizations a business-friendly tool to enhance their resilience. The significance is that the ASIS standard is the only standard of the three selected by DHS that is 100 percent compatible with existing ISO standards that address other sorts of risks and issues companies manage. It's 100 percent compatible with the existing quality, environment, occupational health and safety, information security, and supply chain standards. Companies can develop one holistic management approach that can deal with all of these issues rather than develop separate approaches for all of them. Cost-wise, it's a very effective approach.

The other thing is that the ASIS standard is 100 percent compatible with the way ISO standards are made, written, and executed. People who have already worked within their companies with ISO-management-style systems have no problem looking at this and saying, "Ah, it's clear and very simple how I apply this, because I know how to apply this from the work I did for quality, environment, and occupational health and safety."

Did you fear DHS was going to hand down standards that didn't take into account private sector needs?
Yes, initially some parties with a vested interest in certain standards seemed to be trying to make this a stimulus plan to create a marketplace solely for their services and training programs. From the beginning, ASIS International maintained that DHS support of awareness and education programs would be helpful, but the decision to implement and certify to standards should remain a business decision in the private sector. ASIS has steadfastly argued that the private sector should be given the flexibility to choose from various standards, guidelines, and best practices that best meet their organizations' needs for preparedness, with a focus on performance improvement and not a piece of paper. For the private sector to improve preparedness performance, it needs the tools and knowledge on how to address preparedness in a business-sensible fashion, not a stick to encourage them to seek "voluntary" external certification.

We are glad that DHS took the wise path and gave the private sector a choice of standards. Right now the private sector has three very different standards to choose from. Organizations should make their choice based on their business model and circumstances. The Organizational Resilience standard is the most robust and internationally compatible.

How did ASIS get a seat at the table then?
In the end it was an open process where the law said that DHS would designate one or more standards. The ASIS standard was evaluated against a set of criteria published by the DHS. Anyone interested can map the Organizational Resilience Standard against those criteria and see it fits perfectly. So that made our standard one of the candidates for consideration.

Since we're ending on the topic of the Title IX PS-Prep program, I'd like to end by stepping up on the soap box. Regrettably, the law actually takes the focus off the important element, improved preparedness performance, and instead diverts attention to external certification. Organizations should focus on how you can use any, or all, of these standards to cost-effectively improve your organization's preparedness. Review all three standards; they're available for free download, so now's the time to do it. After you've succeeded in improving your preparedness performance, and you're not introducing undue risk by sharing your risk assessment and business impact analysis with an external entity, then consider if you have a compelling business case to pay for the ongoing costs of certification by an external body. But always keep your eye on the target, which is continually enhanced performance.