Discussion Questions: What are the various components of knowledge management, and provide a brief description of each and the impact they have upon overall security efforts? Describe the overall process of business continuity management and the important considerations that must be emphasized in such a plan and why.

Overview

As the overall title of this course entails, our primary focus has been centered upon the administration of security-related functions as they relate to a given environment or to meet a particular need. Yet interjected within our discussions have been a number of words and phrases that are quite similar, yet have some fundamental differences as well. One of those concerns the word “management;” something we will discuss at length in this particular lesson. At first glance, administration and management might appear to be one and the same, and there are certainly some similarities. Yet where administration alludes to the process used to effectively direct, run, and operate an entire organization or subcomponent of it (i.e. security), management can be understood as the skills needed to get work or efforts accomplished through individuals or other facets of an organization. So this week, we will look at two broad topics related to management, and they will deal with the broad issues of knowledge, as well as that related to business continuity.

Knowledge Management

An overall security plan that seeks to identify probable areas of risk and formulate strategies in which to manage them is dependent upon a number of resources; not the least of which is credible and relevant information. Such information related to risk and threat assessments is carried out in large part through knowledge management. Yet here again, attention must be directed towards various terms being discussed that on the surface might seem to be interchangeable, but a thorough understanding of their differences must be maintained.

Information concerns various facts that are provided or learned about something or someone.

Knowledge concerns information that has been acquired through various experiences, education, the environment, or the theoretical or practical understanding of a particular topic.

Intelligence is information that has been evaluated, interpreted, and processed in a way that provides accurate, timely, and relevant insight for a particular purpose.

So as to be seen, overall knowledge management can be somewhat broad in nature, as it is made of various subcomponents that deal directly with the location and storage of relevant information and intelligence, as well as supporting systems that aid in the decision-making process. The dimensions associated with knowledge management include overall strategy, the processes needed to carry it out, as well as ways in which output is measured. A range of methodologies have been developed, as no single “one-size-fits-all” approach can be expected to be effective in any organization or environment. Smith and Brooks share three such approaches that have been developed through both theory and actual practice, and include:

• Technocentric knowledge management approach has an emphasis on technology, which enhances knowledge dissemination and creation.
• Organizational knowledge management approach is concerned with the design of an organization to best facilitate the knowledge processes.
• Ecological knowledge management approach is concerned with the interaction of people, identity, knowledge, and environmental aspects as a complex adaptive system. (2012, p. 180).

So as can be seen, that knowledge is to be managed as needed, there are a host of factors that must be considered related to the role that technology can play, the manner in which the organization itself is structured, as well as the overall environmental “make-up” as it relates to the people involved and the manner in which they interrelate. So let us look at some of the strategies that have been employed.

Strategies

Given the fact that knowledge can be accessed before, during, and after a particular step or phase in the overall security management process, there are a variety of options available to the security practitioner in order to both generate and obtain requisite knowledge. For instance, there is what is known as the push strategy, which involves individuals purposely adding knowledge into a defined database or repository, where it is available for others to access on a defined needs basis. Conversely, there is the pull strategy, where requests are made for particular bits of knowledge that are produced by those possessing expertise regarding that particular issue, field, etc. Others that have been identified and are noted within the reading Security Science: The Theory and Practice of Security include, but not limited to providing incentives for sharing knowledge, formulating systems that allow the transference of best practices, methodically evaluating particular competencies of employees, as well as measuring and reporting intellectual capacity found within an organization.

Motivating Factors

So given the different approaches available to produce effective knowledge for an entity, what might these motivations for its application? From an economic perspective and desire to maintain relevance in the corporate world, there are a host of reasons. These include the fact that increase knowledge will aid in the development of future products and services demanded by customers and clients, shortening the time related to research and development, benefiting from the expertise found within the organization, as well as taking full advantage of both internal and external networking opportunities. Yet from the perspective of the security administrator, a comprehensive knowledge management system can take full advantage and integrate the various elements related to information and intelligence that aid in furthering their roles and responsibilities. For instance, the various policies, procedures, and guidelines that must be formulated and adhered to could be controlled to a greater degree. When incidents must be reported related to the health and safety of employees and other such individuals found on premises, as well as those related to the environment, such a system would prove to be advantageous. Also, whether approaching threats and hazards internally or in conjunction with recognized external partners, maintaining records related to such areas of risk in an organized and easily accessible manner cannot be underestimated. These are just a few examples of how such a system can aid in the coordination and integration of security-related information.

Knowledge Management Systems

As far as the system itself is concerned, it must carry out a number of functions that must support actions related to the acquisition of information, how it is stored, as well as how it is disseminated in an appropriate manner. It must meet the particular needs of the organization in order to justify the time and resources needed to formulate and maintain it. A basic knowledge management framework is offered in Security Science: The Theory and Practice of Security and as seen here, illustrates the various processes related to both the input and output of knowledge generation.

It should be noted that existing systems can be tailored to carry out these knowledge management functions, where efforts that have already been carried out to validate their reliability has already been accomplished. Yet, what distinguishes a knowledge management system from those that might already exist within an organization must be recognized. They must possess the defined purpose of managing knowledge related to an organization, do so in the proper context, take advantage of needed processes that create, capture, transfer, and retrieve information as needed, as well as other issues related to those who participate in the program and various instruments that allow management efforts to proceed as needed. Such a system can prove to be a great asset to the security administrator, but there are issues that must be recognized when contemplating the type and approach that should be pursued. All facets of an organization should be solicited in regards to what they may require and expect; those that include both executive and those involved in direct operations. In addition, issues related to the integration of technology, coordinating various vendors, as well as how proprietary applications may work those that are not branded in like manner.

Intelligence

Based upon earlier comments, intelligence goes beyond the acquisition of knowledge and information, but collects evaluates analyzes and synthesizes it in a manner that aids policymakers and security administrators to make effective decisions. Such intelligence will greatly aid in protecting assets of an organization and can provide the foundation that a security manager needs to counter those threats and hazards that are discovered and exposed by intelligence. There are a number of defined steps that take role and basic information and turning it into actionable intelligence. Known as the “intelligence cycle,” its individual components and the manner in which they are interrelated in a cyclical nature allows the process to be repeated as needed; incorporating needed feedback and adjustments in order to address specific issues at hand. Although they are placed in a defined manner within the cycle, it must be understood that these are not required to be carried out in a sequential manner, but are in fact carried out concurrently. A brief overview of each, as well as a graphic depicting the intelligence cycle can be seen below. The student is encouraged to review Security Science: The Theory and Practice of Security for additional details regarding these individual components, as well as insight obtained from conducting their own research.

• Direction or requirements will be decided jointly by upper management decision makers, and security managers that will be based upon policy and security issues.
• Collection of pertinent information and data can be accessed from various sources internal to the organization, as well as from a host of external groups and agencies.
• Processing of information requires transforming large volumes of data retrieved into a form that is manageable and appropriate for the task at hand.
• Analysis is the stage in which information is reviewed and evaluated by subject matter experts in order to place it into its proper context for the protection of the organization.
• Dissemination is the point at which the intelligence product is actually passed on to those who have requested it and/or use it for defined, appropriate applications.
• Feedback is an optional phase where the recipient or security manager can make needed revisions in the overall process or a particular facet of it.

Obviously, there is a great deal that goes on “behind-the-scenes” regarding each of these individual steps of the cycle. A great deal of time and effort must be devoted to determining the various sources in which information might be collected, where professional analysts must then make complex judgments at the most basic of levels in order to enhance decision-making for intended consumers based upon various situations or within a specific setting.

Thus far, the topic of intelligence has been approach from a rather global, generic perspective; one that can be applied to a host of settings in order to carry out a variety of objectives. Yet, regarding its application to security management, there is a subset known as security intelligence (SYINT) that represents a process that collects and examines information specific to defined overall goal of lessening impact a threat might have upon an organization. As it relates to internal and external threats, a primary capability of SYINT is to augment current knowledge regarding each and every aspect of a probable threat. In other words, where might it present itself? What might be the threat’s intentions? In what ways might it take advantage of current security measures? A basic expectation of such intelligence would be to decrease the level of uncertainty regarding such capabilities and intent, and by doing so, valuations carried out by security administrators will be more factual in nature rather than subjective.

As noted in the introductory remarks, management activities in which the security administrator might be expected to be intimately involved in can take on many forms. So in addition to what has been discussed thus far related to the broad issue of knowledge, attention will now be directed towards that related to business continuity.

Business Continuity Management

Let’s face it; sooner or later a disaster will take place that will negatively impact an organization in some form or fashion. Granted, how a “disaster” is defined and its magnitude will differ, but generally speaking, it will overwhelm those impacted by it for a certain period of time. However, with proper planning and related supporting actions, these disruption-related events can be properly managed. This serves as the essence of business continuity management (BCM); a broad effort that allows an organization to not only fully understand what must be achieved and maintained during such occurrences, but how they articulate and carry out critical objectives as well. As noted in the Guide to Business Continuity Management (2013), BCM actually consists of three core elements:

• Crisis management and communication – this is focused upon providing the capabilities for an effective response to an emergency situation; dependent upon effective planning, strong leadership, and effective communications.
• Business resumption planning – this involves the retrieval of identified business functions deemed critical in nature that have a direct impact upon the provision of essential services.
• IT disaster recovery – as would be expected, this component is focused specifically upon those issues (i.e. networks, databases, storage, etc.) related to information technology.

Therefore, some primary objectives related to such management efforts include bringing stability to the affected environment in as short as time period as possible, as well as allowing a quick resumption of normal operations; both of which lead to overall organizational resilience. So whether these types of events are labeled as a disaster, crisis, critical incident, or given something else, the point is that BCM is a strategy used to properly manage an event that would be considered unlikely, yet be deemed a significant disruption if it did. Above and beyond the fact that it is simply a good, prudent, and responsible step to take, there may be situations where an organization is required to adopt a BCM program, whether that is through insurers or industry regulations. Yet whether mandated to do so or recognize that it is simply a good business practice, it has a direct impact upon security efforts as well. Traditionally, security officials have embraced an emergency and crisis approach within their own practices, seen in efforts such as fire evacuation plans. Yet even though the security administrator may not be the “lead” as far as a BCM program is concerned (although they certainly could be), the actions carried out when implemented during a critical incident can have a direct impact upon security measures in place. Therefore, the administrator must recognize their responsibilities that will focus upon issues related to life safety and protection of property and assets, utilize security personnel to ensure access points are controlled, provide needed a and resources to support overall BCM efforts, and play and integral role in communicating with and supporting both internal and external resources.

Framework and Elements

Regarding an overall BCM program, there are those that might ask if there a single, “best” method to carry this out. As with all things, there simply is no “one size fits all,” as there are so many factors at play that must be considered regarding the requirements and expectations of the organization under consideration, areas of risk it is exposed to, resource available, and other matters at play. However, there are some characteristics that will be common in any BCM effort. What follows is a brief description of some of the more widespread.

Program design, initiation and management: This would include defining applicable policies that will provide guidance throughout the process, as well as determining critical elements of the overall initiative. For each of these, responsibility and accountability clearly defined and assigned. Yet one of the most crucial features here at the outset is to obtain needed support from the decision makers and others in key leadership roles.

Risk assessment and business impact analysis (BIA):  Although a number of approaches can be taken to identify and assess risk, generally speaking, employing a combination of the likelihood or probability of an event occurring, coupled with its severity or impact is used. In regards to the process to be carried out to the BIA, here again, a number of factors must be considered that include the dynamics of the industry in which the organization operates, how complex business operations might be, as well as management style involved. The primary components of the BIA itself include identification of business functions, collecting relevant data and information regarding them, arriving at some conclusions related the types of impacts a work stoppage might have, as well as reporting the findings in an understandable and actionable manner.

Strategy design and implementation: In the design stage, some basic issues must be discussed that determine objectives related to recovery, the order in which recovery is to take place, how various interdependencies can impact the overall process, as well making assumptions regarding what could transpire based upon resources available in relation to risks encountered. Some of the overarching issues that will be addressed concern alternate facilities, recovery solutions that can be conducted “in house” versus those provided by a third party, considering whether a mobile recovery site is feasible, the role an Emergency Operations Center might play, as well as the role and impact technology might play. Once these and other issues have been addressed, attention can then be turned to actually developing and implementing the plan. Here some of the most vital issues to be confirmed include the identification of essential services and key personnel. Concerning the latter, clearly defining order of succession and delegation of authority is paramount. Also, the great importance of communications must be recognized, as it takes place, before, during, and after an incident takes place; both from an internal perspective. Obviously, clear and consistent communications must be maintained between upper management, employees, marketing, human relations, and those overseeing the BCM project throughout the process. Yet there are countless outside agencies that also be included, whether that includes emergency response agencies, the media, or a host of other entities that might be impacted or involved in some form or fashion.

Training and awareness: Although some may consider these as a single overarching effort, they represent two varying levels of attention and involvement. For instance, awareness may include those steps to ensure employees and appropriate members of the community are cognizant of the BCM plan itself through a company newsletter, social media, or other appropriate avenues. Yet for those who have been assigned specific roles, targeted training must be conducted. It would be unfair to ask anyone to fulfill these duties before providing them with the appropriate education, training, and support. This should include the provision of needed resources, as well as the opportunity to exercise skills in an environment that seeks to replicate the critical incident under consideration; whether that is through the use of a “table top” drill or within the setting of a notification, callout, or live scenario exercise. The overall BCM should be tested on a regular basis; where needed revisions are made as appropriate. Lastly, this initiative must be audited and monitored in a way to ensure that it complies with industry standards and other appropriate guidelines.

This particular section has served as an overview of some of the components found to be most common in a BCM program. It cannot be overstated the important role that security personnel can and must play in these initiatives. Whether that is through serving as a consultant in regards to those matters related to safety and protection, or in taking on the overall or other leadership role, the security administrator should take full advantage of these opportunities.

Conclusion

This week, we have looked at a couple of defined ways in which the security professional can fulfill roles related to management. As has been seen, working with the energy and commitment exhibited by others can serve as a great force multiplier. So as we turn our attention to the final lesson in this study, our focus will be directed towards what awaits us on the horizon. This will not only entail the future demands and expectations of the security profession itself, but how current processes of security can have an impact on predictive strategies for future planning, as well as the integral role technology will play in these efforts.

References

Guide to Business Continuity Management. (2013). Frequently asked questions. Protiviti. Retrieved from https://www.protiviti.com/sites/default/files/united_states/insights/guide-to-bcm-third-edition-protiviti.pdf

Smith, C., & Brooks, D. J. (2012). Security Science: The Theory and Practice of Security. Burlington: Butterworth-Heinemann.