How are organisations managing or going to manage the new and substantial demands placed on site security teams? Bruno Brunskill challenges whether these demands have been fully appreciated

It is no longer sufficient to refer to site security teams (SSTs) as corporate guard forces. They no longer focus purely on perimeter and building protection and on access control. They are now integral to incident handling (protests, angry customers, bomb threats), incident response (staff control) and business continuity processes.

SSTs are now integrated with organisations' corporate risk management processes. This brings new duties and responsibilities. Among their new requirements is the increased number and diversity of the liaison relationships that they need in order to function effectively.

An organisation's site is a high value enterprise asset. The site is the platform for the organisation's business, as well as the location of the workforce that is an organisation's most valuable asset. There is also the significant value of buildings, land and other fixed property.

SSTs are involved in the management of risk to all of these assets.

Controlling the perimeter of the site and the high value buildings, generator houses and data centres is routine day-to-day work. Traditionally this has meant protection against malicious damage, but protection now includes safety issues affecting people and equipment.

There are also numerous incidents that SSTs have to respond to. Incidents range from the trivial - a local planning protest for example - to the catastrophic, such as a terrorist attack. All, even the seemingly trivial, can cause serious damage to the business in terms of its brand, image, corporate social responsibility initiatives and, ultimately, market value.

A clumsy and aggressive response to a local protest, for example, would be damaging for corporate image and therefore to the business.

The SST is now a critical part of an organisation's business continuity plan (BCP) and disaster recovery (DR). In the event of a major incident, the front line work of managing an organisation's main site must continue, with the team probably having to cope with damage to the protection measures and systems on the site.

There also needs to be a safe and secure transfer of people and some materials to a secondary or DR site. Here again, the SST will have a critical role in providing a protection regime for the alternative (DR) site(s).

Even with good planning, the team will be challenged by an unfamiliar, under-resourced and fluid environment. It must be able to mobilise more people rapidly, and will need to have resilient and flexible communications and other system infrastructures to support its split role.

SSTs and systems

The SST's greater integration with corporate risk methodologies, BCPs, incident/crisis management and DR sites brings an entirely new use of, and dependency on, corporate electronic information systems. For financial and technical reasons, access control, closed circuit television, person identification and security communications systems are integrated with corporate system infrastructures. Corporate guard forces in the past used stand-alone and specialist systems; this is no longer the case. Figure 2 shows the place of the team in the corporate risk management process and the consequent high-level dependencies.

There is a new technology driver. The systems supporting site security businesses are becoming more inter-connected with other parts of their parent organisations and are being hosted by the corporate network. It is, for example, now common for a security access control system to be linked to HR systems for sickness, absenteeism, data protection and efficient inputting of personal data of employees. As well as conforming to the Data Protection Act, it saves time and resources to input personal details once only, and to rely on systems to select the data needed for each application.

It has also become cost effective to route digital command and control systems across the corporate Local/Wide Area Network (LAN/WAN) for doors, windows and gates as well as CCTV. This is now digitised information, passing over and through typical infrastructure components of routers, switches and firewalls, as well as being recorded for audit purposes on database servers. So SSTs must examine the impact that an electronic attack, perhaps associated with another type of damaging disruption, might have on the way they can respond to and manage an incident. The new challenge is to stop the local script kiddies hacking into a nearby corporate access control system and opening all the gates - a strategem which they feel beats climbing over the fences!

Increasingly, therefore, it is important for SSTs to have a good understanding of corporate systems and to be part of the corporate user community. It is essential that they appreciate the impact that an operating system upgrade to Windows 2003 or to a new Open Source product for example, will have on SST activities. SSTs must know whether activities taking place within the corporate infrastructure will affect their business and activities.

It is not just an IT problem; it is an SST business issue.

Challenges

SSTs must undertake the full range of risk-associated business activities.

They must complete risk assessments for their own capabilities, to ensure they are resilient business units. An SST business risk register is highly desirable.

BCP has jumped up the corporate board agenda since 9/11 and the coming into effect of the increasing regulatory and legislatory pressures of corporate governance. SSTs must have their own BCP, as well as being integral to the BCPs of other parts of the organisation. Resilient, versatile and highly flexible BCPs are necessary, so that a good response by team can be assured in a wide range of highly unpredictable situations.

SST managers must be sufficiently resourced and skilled to be involved in the risk and resilience issues associated with the systems and the electronic infrastructure on which their business is increasingly dependent.

It is desirable that at least the shift leaders as well as SST managers have an appreciation of the risks, vulnerabilities, limitations and resilience of the systems.

Overall, security businesses within organisations are being faced with the challenge to move with the times. They must recognise their new position within the corporate business model and be competent in dealing with their new system inter-connectivities and dependencies.

- Bruno Brunskill is an executive consultant, Anite Public Sector, Tel: 01753, www.aniteps.com BUSINESS CONTINUITY SURVEY

IMP Events, organisers of Business Continuity Expo 2005 and Technology for Compliance 2005, and the Business Continuity Institute (BCI) have joined forces to conduct the sixth annual business continuity awareness survey. They claim that the survey will be the most comprehensive research into business continuity planning ever undertaken in the UK.

This year's research will focus on questions which include:

- Do companies understand the difference between disaster recovery and business continuity?
- How does business continuity management differ between small medium and large companies?
- How important is IT and telecoms business continuity and who is in the decision making chain?
- How important is business continuity in investment decision making?


"The BCI have decided to commission more research this year to underline the fact that business continuity is growing as an essential management tool. This research will raise the profile of business continuity as a recognised business discipline," says Steve Mellish, new chairman of the BCI. "It's important for the BCI to provide a benchmark for business continuity practice in the UK."

THE ROAD TO INFORMATION AVAILABILITY

Recent events have placed the spotlight upon the business continuity industry, and a general sense of post-9/11 global unrest is persuading wider audiences of the need to make preparations to improve organisational resilience to - as well as enable recovery from - disaster and interruption.

Fortunately, the attention grabbing fires, floods and terrorist attacks are comparatively rare events, when compared to power outages, hardware and software failure. Indeed, for many years, technology has been the driver behind the increasing pace and sophistication of modern enterprises.

Today, with more people requiring more access to more information more of the time - in or out of the workplace - our definition of 'disaster' has become far broader and our tolerance to it much reduced. And when a business requires an instantaneous and transparent response, the goal moves from getting the business back up and running to keeping it running at all times.

Hence, the challenge goes beyond recovering critical information to keeping people in the organisation connected with it at all times - no matter what happens. We have progressed from IT-centric disaster recovery, through the process of business continuity planning to the age of Information Availability.

For organisations needing to be 'always prepared', 'always ready' and 'always on', Information Availability involves proactive, reactive and interactive measures which offer today's organisations a strategic response to issues of continuity and availability: issues such as responding to increased regulatory pressures or crafting preventative and continuous measures as a result of the technology strategies they adopt.

As leading provider and industry pioneer, SunGard recognises that information is the main competitive advantage for businesses today. To this end, SunGard will be showcasing Information Availability solutions for continuous access to information, with special emphasis upon SunGard Paragon(TM) - software to maximise Information Availability - and Email Availability Services (EAS) - for secure email continuity - at Business Continuity Expo on 16-17 March 2005, ExCel, London. Demonstrations available at Stand 604, pre-bookable at