
School Security and Safety
May 14th, 2012
Do students and faculty have the right to feel safe and secure on campus? The answer is obvious. Over the last decade, schools and college campuses have suffered significant impacts from major disruptive events. Gone are the days when students, faculty, vendors and parents were allowed to walk onto a school campus without being screened, identified and checked against several databases. Security is bringing major changes to schools and college campuses around the world. In the next few years, we will see school security change in a way that we never would have imagined. While there will be dramatic improvements in security technologies, and these technologies are important, relying on them alone will not solve the problems currently faced.
A school or college needs to be organizationally resilient in the face of threats and disruptive events. According to the ANSI/ASIS Standard – “Organizational Resilience is the adaptive capacity of an organization, faced with complex and changing risks, threats and disruptive events, to be able to absorb impacts and continue operations with minimal disruption to its employees, stakeholders and the public.” The TRUSYS methodology for implementing Organizational Resilience is built on R-SEC, which begins with a Risk Assessment and identifies Teams of people, appropriate Techniques, effective Technologies, and regular Training. All of this, when done in a Plan, Do, Check, Act model, leads to resilient schools and colleges.
Effective implementation of Organizational Resilience with R-SEC is paramount to ensuring the best possible outcome when a disruptive event occurs. Key to implementing Organizational Resilience is first recognizing that the organization's entire ecosystem (employees, suppliers, external agencies & stakeholders, students, staff and parents) needs to be involved. This involvement is enhanced when it is issued as a written policy. When this has occurred, the process of creating schools and colleges that are resilient to any type of disruptive event will begin. The end result will be a safer, more productive and efficient education environment.
Crowdsourcing Security
April 13th, 2012
Resilient individuals taking security and fire safety into their own hands? This will be one of the biggest changes to security that will occur over the next five years. The security industry cannot rely on our technical innovation and expertise and assume that we will not be disrupted by consumer-led initiatives. Our roles will be transformed by disintermediation just as occurred in the travel industry, book publishing industry and product distribution.
We were easily able to dismiss the first consumer analog security cameras due to their poor quality and performance. At that point we were right, but this new technology is not so easy to dismiss. Consumer technology is rapidly changing in performance and quality, and now has an advantage over our traditional hierarchical security practices.
Crowdsourcing is not to be ignored; it deserves our full attention. The smartphone will soon be the security device of choice. While the smartphone may be lacking in certain areas, it makes up for this with its ubiquity, massive numbers and online reliability.
Two examples caught our attention this week. SOS-Response offers a free app that sends a burst round of 30 photos to first responders. This app is now available for iOS and Android phones. This technology allows a camera phone to turn into a mobile safety/security device that includes geo-location and time stamping. It provides first responders with real-time data as an incident is being observed by a consumer.
An even more impressive initiative is Galileo robo-cam, which provides a platform for safety and security applications. This device allows a user to remotely point an iPhone or camera in virtually any direction via a mobile device such as the iPad. The irony of this new device is that the funding for its manufacture is being accomplished via crowdfunding. This project has raised almost four times its original budget by using Kickstarter – no red tape, no angel investor and no venture capitalist required.
This new technology certainly poses a new challenge for our industry. We have operated in a Command and Control hierarchical culture as long as we can remember. A new type of “fog of war” is about to be unleashed. This will raise our stakeholders’ expectations, and demonstrate how we are able to respond to rapid industry change. The demand for accountability is about to rise significantly, and the stakeholders holding us accountable will have all the data they need to show we failed.
At first glance, it may seem that this consumer technology will be kept at bay because we feel we are the ones with the “right corporate technology”. Unfortunately, this will most likely not be the case.
How long before access control is challenged by the smartphone? The answer is not clear; however, it would be a safe bet that eventually apps will be available for a multitude of safety and security tasks that today we can’t imagine. If cash registers are being replaced by a small attachment that can be plugged into an iPhone, why would we think that we would be exempt from similar technology?
So, as safety and security practitioners, we have a two-pronged transition to navigate. First, we will need to integrate consumer devices in our technology strategies and tactics. This is the easy part. It will require us to complement our traditional skill sets with IT expertise beyond networking, which most of us have mastered. Data mining will have to be done in real time to extract the most relevant information as incidents are being reported. Then, by mastering the use of data dissemination tools, stakeholders will become acutely aware of their risks. Each new shooting incident, natural disaster, or unexpected incident seems to highlight our inability to tap into the networks that link all our constituents and warn them of the danger they may face.
The real challenge we face in our industry is in our behaviors and responses. Our current hierarchical model requires that we put expertise in silos to accommodate our Command and Control practices. Silos are out. Organizational resilience, which is built on the strength of individuals and their resilience, is in. With a multitude of electronic eyes and ears, no action will be isolated from its intended or unintended consequences. Quicker and smarter responses will be demanded. Evidence of poor performance on our part will be immediately exposed.
Interview with John Gargett, TRUSYS Organizational Resilience Thought Leader
February 16th, 2011
John Gargett is a TRUSYS Principal. He recently authored a paper about the R-SEC methodology for the ASIS Organizational Resilience Maturity Model (ORMM) Standard Committee chaired by Dr. Marc H. Siegel.
Q: You recently delivered a TRUSYS Institute white paper on Organizational Resilience presenting the R-SEC methodology as a method to achieve Organizational resilience. What prompted this research?
Gargett: Over the last 30 years that I have been working in Security, Emergency and Crisis Management, I believe we as a community have to admit that many initiatives have failed, or at the very least we have not achieved the goal of disaster resistant communities, organizations or companies. Over this same time period a number of lessons were learned, which can be simply summarized as not viewing security, emergency and crisis management as an ecosystem. When this ecosystem approach is undertaken, a different approach is taken, and I define this as R-SEC.
R-SEC recognizes that the traditional safety & security, emergency and crisis management planning is not sufficient for the changing world in which we now live. The underlying premise of R-SEC is that silos of safety & security, emergency and crisis management, as well as these silos of organizational response do not ensure business continuity or organizational resilience. R-SEC cuts across silos and views risks, threats and the potential for harm across the enterprise with every person in the enterprise having a role, a responsibility and commitment to achieving Organizational Resilience.
The ANSI/ASIS Organizational Resilience Standard is the only preparedness standard that takes an enterprise-wide view of risk management, enabling an organization to develop a comprehensive strategy to prevent when possible, prepare for, mitigate, respond to, and recover from a disruptive incident. This allows seamless integration with the new ISO 31000 Risk Management standard for a comprehensive risk management program and is 100% compatible with existing ISO management system standards (such as ISO 9001, ISO 14001, ISO 27001 and ISO 28000), thus enabling a cost-saving integrated application. By implementing the ASIS Standard, organizations can satisfy both ISO 28000 and BS 25999 requirements.
Q: How do you define Organizational resilience?
Gargett: Organizational Resilience is defined as the adaptive capacity of an organization to respond to chaotic events.
Q: What are the key elements of the R-SEC methodology?
Gargett: R-SEC brings together all departments and stakeholders, both internal and external, to develop a strong, resilient, and sustainable organization able to continue forward in the face of any risk, threat and potential for harm. R-SEC is implemented using T4 NetCentric Operational Excellence that is simply defined:
- Four T’s: Teams, Techniques, Technology, and Training;
- NetCentric: Technical, Social and Human Networks; and
- Operational Excellence: Leadership, teamwork and problem solving resulting in continuous improvement.
The underlying strength of T4 NetCentric Operational Excellence is the role of the individual. The individual forms the cornerstone of responding to the impacts of events. Everyone has a role. Every organization needs to recognize that its ability to remain resilient and sustainable is based on the collective strength of the individuals that comprise it.
Q: How is R-SEC different from past approaches to Organizational Resilience?
Gargett: R-SEC is different from other approaches principally because it is cross-silo, cross-risk, threat and vulnerability and has specific steps to achieve resilience through T4 NetCentric Operational Excellence.
Q: You have worked in and observed our industry for over 30 years, and you are known for your passion. What prompted your interest in Organizational Resilience?
Gargett: Simple. Organizational Resilience is the first approach since the days of Civil Defence that takes a holistic ecological view of Security, Emergency and Crisis Management.
Q: What keeps your passion for Organizational resilience alive in 2011?
Gargett: Chaos happens, it will continue to happen, and organizations continue to find they are not resilient. Resiliency means that there are fewer human losses, property damage and that a state of normality can be achieved in less time and at less cost.
IP Communications for Commercial Fire Alarm Systems
July 5th, 2010
I have recently been asked by clients and Authorities Having Jurisdiction (AHJs) my opinion on the use of Internet Protocol (IP) communicators in lieu of the Digital Alarm Communicator Transmitters (DACTs) which have traditionally been used to communicate from a premises to a supervising station.
It appears that Section 8.6.4 in National Fire Protection Association (NFPA) 72 – 2007 allows for “Other Transmission Technologies”. Many of the fire alarm manufacturers are now beginning to offer an IP communicator that is listed to the requirements found in 8.6.4.
My concern about an IP communicator with no other alternative communication path is that, while it will be designed to have a battery backup for 24 hours or more, how do we ensure that the data equipment upstream, i.e. switches, routers, and gateways, has the same sort of emergency backup? I have calculated a UPS (uninterruptible power supply) for my home’s IP equipment, and it is not inexpensive. List price for the UPS was over $10,000 as I recall.
So, in a long power outage, if we don’t have 24-hours or longer of emergency power to the IT equipment, how do we ensure that a fire signal gets to the Central Station? The answer is that we cannot, but if correctly installed, the system will notify the end user at the site with a trouble signal.
There are some steps that I would suggest to help minimize this issue:
- First, you have to minimize the number of data connection points in the circuit. If possible, I would connect directly to the router/gateway.
- I would ensure that the IT components are secured in a locked room, cabinet, or enclosure to ensure that someone trying to obtain a spare data port doesn’t simply unplug the connection.
- I would put wording into your monitoring contract that states effectively that if the client doesn’t have emergency power for those data components, that you, the monitoring provider, are indemnified against loss of signal due to the power loss. (You should consult your attorney for specific language.)
An alternative is to use an IP/GSM (Global System for Mobile Communications) dialer, which uses the IP communicator as the primary path and GSM as the alternative path when IP communication is not available. This would be more like a traditional slave communicator that would monitor alarm, supervisory & trouble conditions. To obtain a UL Commercial Fire Listing you must use all of the required components.
Prior to implementing this solution, you will need to make sure that your central station can receive both the IP and GSM signals, and that it is affiliated with the GSM network.
It would be great to hear from other members of the fire alarm industry on how the issue of IP communicators is being addressed in their area.
This post is contributed by Mr. David Miller, Principal at TRUSYS.
BIM and IPD gaining acceptance
June 12th, 2010
Two years ago we changed our design practices to make Building Information Modeling (BIM) and Integrated Project Delivery (IPD) a central piece of our processes. We invested time to learn Autodesk and Revit and to investigate how these new 3D tools could enhance our designs and how we communicate better with our clients through the inevitable revision cycles.
BIM and IPD are now gaining traction with architects, engineers and building owners and operators. TRUSYS pioneered using BIM and IPD for physical security systems design and we have been rewarded by growing revenue coming from leading BIM and IPD users.
For those of you not familiar with BIM and IPD, follow this link to a brief article published by ITBusiness.ca that illustrates the great benefits of BIM and IPD with a real business case. Retrofitting a 61,000-square-foot building in Massachusetts to LEED Platinum standard took 8 months from zero design to occupancy permit, a significant gain from the 12 to 15 months it would have taken without BIM and IPD.
Contact us if you’d like to know more about applying BIM and IPD to physical security systems design.
World Economic Forum’s Risk Interconnection Map
February 12th, 2010
Courtesy of our friend Ray Bernard of RBCS, see a fascinating map of current geo-political and economic risks. Ray shared this comment with us: “This map was passed along to me by George Campbell, author of Measures and Metrics in Corporate Security and Faculty Emeritus member of the Security Executive Council. George said, ‘This one page offers an incredibly powerful overview of one source’s assessment of risk in 2010. It shows how a very complex map can be made to provide a mind boggling level of detail for a huge range of global risks.’”
Warning… You may end up spending a few hours testing the various risk interconnections.







