Article author: Miky Weinberg – Owner of Tarantula Technologies Ltd and Octagon Security Ltd.
If you had told me two months ago that I should include a deadly virus among the possible threats in a security portfolio, I would have said that it makes no sense and provided a professional explanation. But life, by its nature, is full of surprises, and these surprises repeatedly prove to us that anything can happen. Even if I had seriously considered whether to incorporate a deadly virus that could cause a cessation of activity into the pertinent threats to the secured object, the reasonable estimate for this threat materializing would have been once in a decade, a hundred or two years, and this would have made me think that there is no chance that such a scenario could actually materialize on my shift.
I would have asked: where did this threat come from? I do not remember learning about this in the security management course or in the security concept and/or guidelines, or hearing of anything similar in my life, so how was I supposed to take such a deadly threat into account? How should I have guessed that such a threat would be realized and would attack after 100 years? Someone reminded me that in 1918 the world was dealing with a similar epidemic. And again, even if I had been reminded, probably the last thing I would have done in my crazy work routine is bring the virus threat to the top of the list of potential threats, if at all.
A security manager derives the security-related threats he or she is responsible for from the attributed threats. These include tangible attack threats that can be seen, heard and felt, and can therefore be tackled with a number of security measures, with results achieved immediately.
We as security administrators and personnel have become accustomed to a flesh-and-blood opponent who attacks physically (shooting, sabotage, violence, ramming attacks, etc.) or remotely (cyber). We did not take into consideration a deadly virus threat that simultaneously paralyzes the organization, company, business or facility where we work.
The coronavirus has caught most of us unprepared for its arrival and its devastating, very devastating consequences.
A virus that, on the one hand, requires us to respond quickly, resolutely and sharply, and on the other, gives us the time to do some personal and professional thinking on some key issues:
The security manager’s role:
In a unique and unpredictable emergency event that lasts for a long time, the importance or unimportance of the security manager is exposed to the managers and employees in the workplace. A security manager who found him or herself surprised and unprepared until the moment when it was clear that the coronavirus had reached Israel as well now needs to examine him or herself boldly and responsibly. It is clear that, like the executives, the security manager could have been surprised at first by the appearance of the virus in China, but should not have been surprised that the virus was also active in other countries, including Israel. He or she therefore had to initiate a situation assessment with his or her managers, or be a full partner to those who initiated the situation assessment, in order to prepare and organize for the arrival of the threat and its effects. This is one of the situations where the security manager can really understand whether or not he or she is important to the management, and if not, why this is so. I think that the coronavirus situation clearly emphasizes the importance of the role of the security manager, and in the same breath, I believe that the security manager, and only the security manager, can design and create that importance.
Any security manager must take his or her job seriously and professionally over a long duration while meeting 100% of all the definitions and requirements associated with the job. Security managers who did not prepare themselves to do their jobs seriously before the coronavirus came found themselves with their pants down and with a sense of uncertainty, lack of confidence and inability to function effectively, and worst of all, they did not look good to the management and employees.
Although this is a clearly unexpected threat for which one can’t really prepare, from the point in time when the attack began the security manager is required to use all his or her personal abilities and professional experience to succeed and provide solutions quickly and efficiently, in full cooperation with the management and employees and with the proper operation of the security array at his or her disposal. A security manager who failed to create these conditions, which suit both routine and emergency situations, will not be able to create them once the emergency has already started and is making a fatal impact.
Those who say that this is the wisdom of hindsight are correct, and yet it is not possible to argue with the fact that a well-prepared security manager with a well-trained and fluidly working array will function much better, even in a scenario that was just conceptual a moment ago.
I am sure that, on the one hand, no security manager wants a rival in the form of a deadly virus to attack precisely on his or her watch. On the other hand, the fact that it did happen on his or her watch gives him or her the opportunity (probably a once-in-a-lifetime opportunity) to understand how an attack can undermine the functional sequence of the secured object and even eliminate it completely.
I think that the security manager who experienced and/or is currently dealing with the coronavirus attack will not be the same security manager as he or she was before the attack:
If you didn’t take your job seriously – you were wrong!
If you told yourself “it won’t happen to me” – you were wrong!
If you did not build the security system under your responsibility in accordance with the instructions – you were wrong!
If you didn’t make sure all your security products were professional – you were wrong!
If you found yourself led and not leading – you were wrong!
If you didn’t understand what to do – you were wrong!
If you were unable to provide the management with the answers and solutions on time – you were wrong!
But if despite the tremendous difficulty of getting employees to take unpaid leave, layoffs, the pressure on the management, slowing down and even stopping the activity, you felt ready, you felt safe and you succeeded in adapting yourself and the security array to the new situation – you succeeded!
Anyone familiar with the risk survey knows that it is the first and most powerful element in building a security concept and a security system and therefore it must not be waived under any circumstances. The coronavirus puts the risk survey on the table for us to relearn and better understand its importance in our professional lives. The risk survey helps us to analyze and understand the threats that are relevant to the secured object and the extent of the damage each threat can do, all with the help of the following table that determines the level of risk which is an international common language:
The coronavirus threat emphasizes why not just anyone knows how to write a risk assessment, and why it is important that professionals whose routine profession is writing assessments are the ones who do the task. If we analyze the risk level of each threat without deep thinking and professional analysis, it is likely that when we look at a contagious virus threat we will tell ourselves, based on history, that such a threat is realized once in decades, and we will therefore mark the likelihood that the risk is realized as 1 (negligible). But if the threat materializes, the damage is marked as 5 (catastrophic), meaning that it can cause things to come to a complete halt. By multiplying the likelihood of realization of the risk (1) by the severity of the damage (5), we get a numerical result that signifies only a low risk, one that does not require special organization or preparation.
Anyone who is not capable of writing a risk survey will stop here and ignore a contagious virus threat, while a professional will analyze the numerical result together with articles published on the topic (“After the SARS in 2002 everyone knew it was only a matter of time before a new epidemic develops in China”) and with the operational and business logic, which require us to understand that a low numerical risk must be treated differently. Now let’s translate this situation into contemporary reality: I believe I will not be mistaken if I state that most executives and security managers did not even think of a contagious virus threat and concentrated on the common list of reports that included cyber and criminal assaults, including cyberattacks. Whoever did think about the virus probably placed it at the end of the list of priorities for handling and organizing against it. Today we all realize that its severity is catastrophic, leading up to a cessation of activity that totally outweighs all other threats and requires a full response that will probably affect the financial conduct over the years, the increase and readiness for the time of attack. On the day after, will you advise your management to buy masks, thermometers, and disinfectant gloves for emergencies, although there is a greater chance that you will not have to use them during your shift?
Certainly, the coronavirus requires us all to better understand that there are unique threats that need dedicated and unique analysis, and to re-run a risk survey or refresh the existing one so that management can better manage the risks.
The coronavirus is also doing a great job on this issue, and it may even lead the parade of threats that redefine the concept of emergency preparedness. The coronavirus draws our attention to the fact that the security manager must be an integral part of the management of the secured object when it comes to the level of emergency preparedness and the level of involvement in any subject and/or decision that impacts it.
Security managers who found the coronavirus happening on their watch found themselves dealing with several issues simultaneously, in a short amount of time and under pressure: becoming acquainted with the local authority’s guidelines and implementing them in the field, dismissing workers or having them take unpaid leave, closing entrances, checking entering persons for morbidity, purchasing products, bringing in teams to disinfect areas, reducing or increasing the security array, engaging with the security company that is itself engaged in survival, and more. If the manager has not prepared in time an emergency plan that includes him or herself, the system at his or her disposal and under his or her responsibility, the employees and the management (and has not checked that the plan is correct and realizable), the manager will probably end up in embarrassing situations, and the response will be based on improvisation and dependence on others. History shows that those who have prepared themselves better for emergencies are more likely to survive than those who have not prepared themselves and rely on improvisation and much luck.
I believe today there is no security manager that does not understand that they must not function without an emergency plan that takes into account all relevant threats set by the governing agency or approved by management.