Know yourself, know your enemy. A hundred battles, a hundred victories.

Sun Tzu, the famous ancient Chinese warrior and philosopher, wrote “The Art of War” about 2,500 years ago, and his work has been greatly admired by many politicians, businessmen, military personnel and others in modern times. His masterpiece outlined warfare strategies that apply not only to the military but also to business and security. One of his famous quotes is “Know yourself, know your enemy. A hundred battles, a hundred victories.” It means that generals who know themselves and their adversaries will triumph in all their battles. A general who knows only himself, or only the adversary, will face failures (Scott A Watson, 2007).

When applied to the modern security environment, this means institutions must know their own security measures well, including both strengths and weaknesses. On top of that, institutions should also understand their adversaries. They should identify them and know their motives and possible modus operandi.

There are many different ways to “know yourself and your enemy”. These methods include security risk assessments, security audits, training, exercises, tests and intelligence gathering.

One effective way to know oneself and the enemy is to think like the enemy. Using this critical thinking approach, one can “wear the hat” of the enemy and look at the institution from an outsider's perspective. This may require detachment from emotions and associations with the institution, and may be better achieved by a party external to the institution. The thinking process is then translated into an action plan. This method is known as “Red Teaming” (Zenko, 2015).

What is Red Teaming?

In layman's terms, a red team can sometimes be referred to as a devil's advocate. When someone says he is playing devil's advocate during a discussion, he acts the role of the “bad guy” or sceptic who takes the opposing view to the rest. He challenges assumptions and throws “spanners” in the works. Such actions stir up the emotions, thinking and assumptions of the team and seek to draw out perspectives different from the norm, with the aim of making better-informed decisions.

Red Teaming was popularized by the US military around the 1950s, during the Cold War (Zenko, 2015). It is now adopted by military, commercial and industrial entities around the world.

The Federal Aviation Authority (FAA) is one prominent organisation that leverages a red teaming program to enhance airport security. The FAA was directed by a 1990 Presidential Commission to develop “measures to improve testing of security systems” after the bombing of Pan Am 103 in 1988. This led to the implementation of Red Teaming by the FAA.

In Singapore, Red Teaming was gradually implemented at various government entities after the 9/11 terror attack. Other non-government organisations with critical functions or facing high terrorist threats also followed suit and implemented red teaming.

In 2018, the application of red teaming gained further traction when the Singapore Police Force (SPF) included red teaming as a criterion in the annual grading of all security agencies in Singapore. TODAY reported that “Operational procedures will be validated through red-teaming exercises, which use different scenarios to assess the effectiveness of security measures” (Ng, 2018). This strategic move by the SPF would lead to more institutions benefiting from the Red Teaming program.

PS: This is an extract of my upcoming new book “Red Teaming 101”. Look out for more posts and articles on the red teaming concepts, applications and stories.

References

Ng, K. (2018, February 13). Grading for security agencies tightened to improve industry standards. Retrieved from Today: https://www.todayonline.com/singapore/grading-security-agencies-tightened-improve-industry-standards

Scott A Watson. (2007). The Art of War for Security Managers. Elsevier.

Zenko, M. (2015). Red Team – How to succeed by thinking like an enemy.

BIG DATA: The Next Frontier for Physical Security

According to McKinsey (1), Big Data refers to “datasets whose size is beyond the ability of typical database software tools to capture, store, manage and analyse.” It does not define big data in terms of being larger than a certain byte size, since technology advances over time and the size of datasets that qualify as big data will also change.

There are three main characteristics of Big Data: Volume, Velocity and Variety. Volume refers to the size of the data. Velocity is the speed and frequency at which data is generated. Data is flowing at a faster speed, making it challenging for traditional systems to handle. With the advancement of technologies and the proliferation of the Internet of Things, sources of data have become increasingly varied, and this constitutes the characteristic of Variety.

What are Big Data Applications?

In the Infocomm Technology Roadmap 2012 (2), Big Data was identified as one of the nine key technology themes. The roadmap also identified several areas of opportunity that both the public and private sectors can leverage for business improvement. Of particular interest to the Security and Law Enforcement communities are Predictive Analysis, Complex Event Processing and Video Content Analytics (VCA). The value of Big Data lies in turning the 3 “V”s (i.e. Volume, Velocity and Variety) into 3 “I”s (i.e. Intuition, Intelligence and Insight).

There are many suppliers providing these 3 systems in the market. Each of these applications can be leveraged in many different ways to enhance physical security protection. For example, VCA could be used to monitor a perimeter fence line to detect intrusion. It can also be used to detect suspicious vehicles or persons outside the fence line. Such applications can greatly enhance security and possibly reduce manpower costs. In the long run, only a lean security manpower team is required to protect a large property. This will definitely address many of the current challenges faced by security professionals.

Where are you now?

Bob Banerjee (3) developed a Big Data Maturity Model that describes the progression of physical security solutions on a big data continuum. At the bottom (layer 1) of the pyramid is “datafication”. The first step towards Big Data is to convert data into digital format. This can mean migrating from an analogue CCTV system to a digital CCTV system. You have already started the big data journey if you have digitised your processes and systems.

With digital data, you can move on to the next step (layer 2): big data collection. At this layer, various sources of data are fed into one common platform (e.g. a Physical Security Information Management System, or PSIM). Depending on the advancement and sophistication of the PSIM, the system would be able to produce intelligence and insight that enable the security operators to take further action. The higher levels of the pyramid involve the ability to predict the future. This sort of capability can be easily imagined by recalling the scenes in the movie “Minority Report” where criminals are apprehended moments before they commit a crime.

Conclusion

Big Data will be the next frontier for Physical Security. Now is the right time to take small steps toward the “big future”. Start by “datafication” and gradually move towards more sophisticated analytic solutions. Think Big.

References

1) James Manyika, et al. Big Data: The next frontier for innovation, competition, and productivity [online]. McKinsey Global Institute, May 2011 [viewed 24 Oct 2015]. Available from: http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_for_innovation

2) IDA. Infocomm Technology Roadmap 2012 [online]. Singapore: IDA, 2012 [viewed 24 Oct 2015]. Available from: http://www.ida.gov.sg/Tech-Scene-News/Technology/Technology-Roadmap

3) Bob Banerjee. Demystifying Big Data’s Next Conquest: Physical Security [online]. USA: Homeland Security Today, 2014 [viewed 24 Oct 2015]. Available from: http://www.nxtbook.com/nxtbooks/kmd/hst_201402/#/14

 

This article was originally published in the Dec 2015 Security Professional newsletter.  http://www.asis-singapore.org.sg/p/chapter-newsletter.html