Often when we think of quality assurance or control, it’s in terms of customer service or manufacturing. You bought a coffee maker; it was missing a part – poor quality control. And while that is a hassle, think of how much more critical quality assurance is vis-a-vis security. The consequences of poor security are far more grave than a dissatisfied coffee maker customer.
The measures against which one evaluates manufacturing quality are throughput, customer satisfaction, costs and overall efficiency. In security, the main and most important factor against which one measures quality is the adversary. What is the adversary planning and what is their capacity? The main objective of security, after all, is preventing the adversary from accomplishing its goals.
To fully ensure the security of an organization or environment, it is absolutely essential to test its security procedures, the skills of its security personnel and its framework. When we consider that threats are ever changing, being up to date also becomes important. Lastly, we need to be able to evaluate one’s vulnerabilities through the eyes of the adversary, from the outside in. The mission of a quality assurance program is to ensure that the system can detect a threat, deter it and prevent it. A major component of Q/A is testing. You don’t want the first time a security officer deals with a threat to be when it’s happening in real time, with a real perpetrator.
By implementing a Q/A program that hinges on red team, security officers can experience prevention through a detect, determine and deploy process multiple times, and well in advance of an occurrence.
Red Team is defined as the process of simulating the methods by which a potential adversary would go about attacking a particular, protected environment. A red team exercise can simulate an entire attack cycle including marking a target, intelligence gathering, surveillance, planning an attack, etc. Red team exercises are used not only as a quality assurance tool, but also to train personnel and to identify and articulate adversarial methods of operation and security system vulnerabilities.
Unfortunately, red team practices are not common in either private or governmental security systems. The reluctance to conduct red team is often out of a fear of exposure. Management is sometimes more concerned that red team reports may be leaked to the public than they are with assuring the very best security system possible.
On the other hand, companies that use red team and that quality-control their security program against threat cannot imagine ever doing it differently. Chameleon provides red team and security quality assurance services. For more information, contact us: http://www.chameleonassociates.com/contact.php










Red team is a great idea; unfortunately, few organizations will utilize it for the reasons you have stated, as well as the cost factor as it relates to ROI. Property Management for high rises can’t even supply an adequate CCTV system in most cases.
Can’t companies utilize red teaming in a fun way that does not increase costs or impact ROI? For example, at a DHS Threat Assessment course, “we” red teamed a specific University building. It was fun and cost nothing. Seems like the softer benefits of red teaming are overlooked: improves employee morale, motivation, and job satisfaction. Imagine Joe X piddled on during a cross-departmental meeting – get permission from Joe X’s boss to red team his department. Finish up with a good laugh.