Thinking Smarter About Security

If you work in any facet of public safety and you aren’t thinking about how you secure public and event spaces, you haven’t been paying attention.  Our complacency is the greatest gift we can give to terrorists and criminals.  I certainly acknowledge that the most difficult aspect of dealing with criminal intent versus natural hazards is their determination to circumvent our own protective measures and systems, but we often make it easy for them because it’s too difficult for us to change. Is that really the excuse you want to give to the board, the media, or the families of those killed in a criminal act?

While I will never claim to be a security expert, I try to look at things with a critical eye and take the advice of those who are experts in the field.  Here are a few examples of things I’ve encountered.

Several years ago I was part of a team supporting preparedness at a major sporting venue.  The organization who had exclusive rights to the venue requested support in planning, training, and exercise activities.  I provided incident management training and was the lead on exercises.  As preparation for a tabletop exercise, I coordinated with the organization to observe security procedures during a major event.  The security screeners at the entrances to the venue did a reasonable job with most patrons, although consistently faulted with one type of patron – persons in wheelchairs.  Anyone who came to the door in a wheelchair was waved through ALL security screening without so much as a bag check.  This became the gap that I exploited for the exercise, much to the objection of their head of security who insisted that personnel were trained in how to screen patrons in wheelchairs.  While they may have been trained, it is something they consistently failed in doing and I never observed a supervisor correct the behavior.  Perhaps they weren’t trained at all, or the training wasn’t effective, or it was too uncomfortable or inconvenient for them to do.  Regardless, this is a significant gap that I’ve continued to see at other locations through the years.

Earlier this year I attended a large convention that drew tens of thousands of patrons in a large convention center over a long weekend.  I was an attendee and not working in any official capacity.  Security at the venue was laughable.  Security personnel had three main activities – bag checks, credential checks, and metal detector operation.  Metal detector operation was only performed the first day, utilizing walk through detectors as well as wands.  The personnel clearly had no idea how to operate either (I was among dozens if not hundreds of people who were directed to go through a walk through detector – which I noticed was unplugged).  On the occasion that a walk through alerted (one that was plugged in…), I observed security personnel waiving the wand around people too quickly and too far away from their bodies.  For bag checks, we were asked to open all bags for security inspection.  The ‘inspection’ I observed on each day usually consisted of someone saying thank you and waving you through as they looked around the room or chatted with a co-worker, certainly not actually looking into the bags.  As for checking credentials, every patron was provided with a lanyard and a pass to be attached to said lanyard.  Security personnel were supposed to be checking passes as people entered doors to the main exhibit hall and other areas.  I noted some security personnel did this better than others – some of which didn’t check at all.  I actually managed to keep my pass in my pocket through the entire event, only being challenged by security once.  I was so alarmed by some of the practices that on separate occasions I introduced myself to a county sheriff’s deputy and a fire marshal to point out some of the more egregious issues.

My work has brought me to a number of secure facilities owned by various levels of government and private entities.  One federal facility I’ve frequently visited through the years usually screens vehicles.  As expected, this includes the opening of doors and the trunk of the car.  Not once, in the many years and visits to this facility has anyone ever moved a seat or checked a bag or package.

My last anecdote comes from a few years ago spending some down time in a small park in an area of DC where there a number of embassies.  One embassy seemed to have regular traffic in and out for visitors as well as some light construction work being performed on their grounds.  As one guard would check identification and presumably verify the need of the visitor to be there, another guard would walk around the vehicle with an inspection mirror (the type at the end of a pole with which to inspect the underside of a vehicle).  It was evident that the guard was either not trained in its proper use or the importance of this protocol, as every time he walked around a vehicle holding the mirror, but never actually putting it in position to view under the vehicle, much less ever looking down at the mirror.  He simply took a casual stroll around the vehicle.

The things I’ve noted here are just a few that happened to come to mind as I crafted this article.  There are dozens more, and I’m sure each of you can come up with a list of poor practices as well.  Keep your eyes open when you go to a public space to see how security is handled.  Look at things through the lenses of potential adversaries.  How could someone gain entry?  Are there recognized security patterns they can circumvent?  What vulnerabilities exist?  If you are responsible for security for a facility, have a security audit performed.  While formal security audits are valuable, often the most meaningful ones are casual and unannounced, with someone the front-line security personnel don’t know trying to gain entrance to the facility.  Are they challenged appropriately? Are they screened effectively?

The mitigation, prevention, and protection against security threats is something that many take too lightly – clearly even those whose job it is to focus on those matters.  Highly effective training programs are available – but we need to ensure that people take these courses and implement what they’ve learned in accordance with documented organizational practices.  Supervisors must be present and constantly maintain quality control.  This is a good matter of practice, but even more important when most non-sworn security personnel have a high rate of turn over or may be part time or temporary employees, or even volunteers.  For large events, proper just-in-time training must be performed for supplemental security staff who are not certified or otherwise professionally qualified security personnel.

Security is a challenging environment to work in.  We must constantly be recognizing threats and trying to out-think potential adversaries.  We must strive to keep passive and active security practices up to par, meeting or exceeding standards without becoming predictable to an observer.  How do you assess security in your facility?  What best practices have you identified?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

NOAA Issues Updated 2017 Hurricane Season Outlook

<From FEMA>

On August 9, 2017, the National Oceanic and Atmospheric Administration (NOAA) issued the scheduled update for its 2017 hurricane season outlook. Forecasters are now predicting a higher likelihood of an above-normal season, and they increased the predicted number of named storms and major hurricanes. The season has the potential to be extremely active, and could be the most active since 2010.

Forecasters now say there is a 60 percent chance of an above-normal season (compared to the May prediction of 45 percent chance), with 14-19 named storms (increased from the May predicted range of 11-17) and 2-5 major hurricanes (increased from the May predicted range of 2-4). A prediction for 5-9 hurricanes remains unchanged from the initial May outlook. 

Is New Media Really Journalism?

This is a concept I’ve been struggling with for a while.  I see bloggers, podcasters, and YouTubers portray themselves as journalists quite often.  But are they?

The more traditional part of me wants to laugh at their pipe dream, considering that newspapers, TV and radio, and magazines fit into the definition of media and journalism that I’ve had most of my life.  But times, they are a changin’.  The term ‘new media’ isn’t new anymore.  Bloggers, podcasters, and YouTubers, as a whole, are mainstream and it appears they are here to stay.

While I’ve seen this on occasion in governmental and emergency management media relations, I see this most often in another facet of my life – pop culture.  Along with being a blogger on emergency management and homeland security matters, I’m also a co-host on several pop-culture and entertainment related podcasts.  Looking at things like fan conventions (think ComicCon and similar events), dozens and even hundreds of media badges are given to bloggers, podcasters, and YouTubers.  While some media credentials go to more traditional media outlets, the proportion is rather staggering.  In entertainment and pop culture this makes sense to a great extent.  Many who pay heed to pop culture also seem likely to consume blogs, podcasts, and YouTube content.  It’s also not necessarily location-bound (i.e. following a new media provider because they are local to you and report on local things – although some do).  The free media badges given out by convention organizers turns into free promotion of the goings-on of their events – so it makes sense, but what are the limits?  The sheer number of people applying for media badges for these events is staggering, and many are denied.

Why is new media so popular?  On the provider end, the barriers to entry are insanely low.  Generally, you need a computer, an internet connection, and an account to whatever portal you want to push your content through.  There are a few other resources needed depending on the actual medium, such as cameras and microphones, editing software, etc., but good quality in all of these can be found at very reasonable prices.  You can also go really lean and do it all from your smart phone.  Certainly there are the intangibles such as talent, good ideas, and persistence, which all tends to cull the herd.

On the consumer end, people crave new media content to read, hear, or see more about the things that entertain and interest them.  Despite things said about people’s attention spans, most blogs I read (as well as my own) have a reasonable length to them.  Most podcasts run 30-90 minutes.  YouTube videos tend to be shorter, but obviously tend to have a higher production value.  There is also a huge variety of new media available, with differing opinions and formats, and generally something for everyone.

But the question still remains, is new media actually journalism?  Obviously, I haven’t missed the irony in this.  Despite having and maintaining a blog for several years as well as my involvement in podcasts, I don’t consider myself a journalist.  At best, I’m an op-ed writer on the blogging side; and whatever the equivalent is on the podcasting side.  I appreciate that people value the content and opinions I put out there, but I’m no Walter Cronkite (really who is, but Walter himself?).

At the risk of taking heavy fire from my fellow bloggers and podcasters, I’m reluctant to broadly categorize much of new media as journalism.  It just seems there needs to be something that qualifies you to use the title.  I’m not saying a certification or anything bureaucratic like that, but honestly I don’t know what it should be.  When any person on any given day with little investment can suddenly announce that they are a journalist (or honestly anything), that tends to not sit well with me.  There needs to be a demonstration of commitment and professionalism.

There are some bloggers, podcasters, and YouTubers that I would consider journalists because of their longevity, their professionalism, and their following, but these are few.  I think most new media folks are entertainers.  Some are informers, yet still not journalists.  But there are some that are journalists, and they should be respected as such.

On the event management side of this (both in regard to pop culture as well as emergency management), where does the paradigm sit and does it need to change? How do you determine who you will give a media badge to?  In emergency management and government as a whole, it’s long been a best practice to maintain positive relationships with media outlets.  What kind of relationships, if any, are you maintaining with bloggers, podcasters, and YouTubers?  Do you need to?

I’m interested in thoughts and opinions on this – from everyone.  Are you a producer of new media – Do you consider yourself a journalist?  Are you a traditional journalist – what’s your take on this?  On the government and emergency management side – are you involved in media relations, and if so, what are your ideas?  Are you not involved in either, but have an opinion?  Please share it!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

 

Exercises: Simple is Usually Better

I find often that people want to run exercises they aren’t quite ready for.  Sometimes those exercises are too complex, or they simply aren’t the appropriate type.  Most often, we run exercises to test plans, policy, and procedures; but sometimes those plans, policies, and procedures aren’t quite ready to be tested.  Last year I advised a client to run a workshop instead of a tabletop exercise.  The initial goal of the tabletop was to validate a new plan, but this plan wasn’t ready to be validated.  The problem was that many stakeholders hadn’t yet seen the plan, and the review of that plan by our team in preparedness for the exercise wasn’t favorable.  The plan had much of the needed content, but it was disjointed and didn’t have any logical flow.  By conducting a scenario-based workshop, we were able to identify not only the ideal flow of the plan by flagging benchmark activities, but we were also able to discuss expectations of and for each stakeholder agency in the plan.  The client was then able to apply the results of the workshop to restructure their plan and make some needed substantive changes.

Similarly, I’ve encouraged a current client to conduct a workshop instead of a tabletop.  The initial goal of this tabletop was to identify how a new group of stakeholders could integrate into an existing plan.  In this situation, the tabletop would have been less than effective as the new stakeholder group isn’t yet identified in the plan.  The outcome of the workshop will be to identify how this integration can occur.

I think that sometimes people gravitate to certain exercises simply because they are more popular in a certain application.  That preconceived notion might be too complex or simply a poor choice for what you really need to accomplish.  When it comes to discussion-based exercises, most people default to a tabletop.  With operations-based exercises, it can vary.  Drills are often used for tactical applications, but we don’t see them as much in EOCs.  Drills certainly have a place in an EOC if you are looking to test a very specific function or activity.  While full-scale exercises are fun and sexy, I’ve been to the site of plenty that are total chaos because the fundamental premise of certain plans hasn’t been worked out (or some stakeholders aren’t familiar with them), which perhaps should have been done through a discussion-based exercise or a drill or functional exercise first.  Running a drill to test and familiarize the process of setting up key equipment prior to doing it for the first time in a full scale will pay a lot of benefits, and certainly prevent dozens or hundreds of other people being held up in a full scale.

Another issue I often see with exercises is very long and complex Master Scenario Events Lists (MSELs).  The MSEL is essentially the timeline or script of the exercise.  Along with listing all injects, it also identifies all benchmarks in the management of the exercise, such as StartEx and EndEx, and the introduction of new elements or transition to a different segment.  While there is no particular rule of thumb for how many injects are needed for different exercise types, everything needs to associate back to the objectives of the exercise.  I hate injects that are crafted simply for ‘noise’ (unless it’s an intel exercise), or injects intended to just give someone something to do.  Arguably, if the participants take an exercise seriously, such as a functional exercise, and play out the situation as they would in real life, you can engage an entire EOC for a few hours with even ten well-crafted injects.  While some functions are very focused, consider that the vast majority of what we do in emergency management requires coordination among a variety of elements and functions.  Capitalize on that.  One inject may engage multiple agencies or functions because of the need to coordinate and problem solve.  It’s not enough to identify a solution to the problem, but work through where the resources will come from, how they will get to where they need to go, and what support is needed for them and how long.  That’s a lot of problems to solve and will often transcend every function within the incident command system.  Exercises don’t need to be complex to be effective.  Create a handful of objectives and make sure everything relates back to them.  Simplicity can work.

My last recommendation is to keep your exercise planning team a manageable size.  I’ve been the lead planner for some very large exercises.  These exercises, largely due to their sponsors, ended up involving massive exercise planning teams – and by massive I mean over five or six dozen people – or more.  These are just sheer insanity.  Not every agency or organization involved in the exercise needs to be directly represented, nor does each organization need to send a small army of people.  What you do need is consensus from those organizations on the objectives and their scope of play.  That doesn’t mean they have to be involved in every aspect of planning the exercise.  Just like any other meeting or group project, a large exercise planning team can be cumbersome and management by committee is never efficient.  If need be, stakeholder groups can be developed based upon function.  For example, a fire service exercise planning team would develop their contributions to the exercise.  Just make sure that these groups are well coordinated and the overall exercise planning effort is unified, otherwise you’ll end with a disjointed exercise effort.

In the end, simplicity rules.  As you begin planning your exercise, consider, in every step if it can or should be simplified.  Always refer back to your intent and your objectives.  Chances are you can create a simpler exercise that is just as impactful, or perhaps more impactful.  When our inclination is to make things overly complicated, we often miss the point entirely.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

 

 

NIMS is Worthless, Unless You Put it into Action

It’s so often that I hear people proclaim in response to a problem that NIMS will fix it.  I’ve written in the past that many organizations reference the National Incident Management System (NIMS) and the Incident Command System (ICS) in their plans, as they should, but it’s often a reference with no substance.  The devil is in the details, as the saying goes; and the details of implementation are necessary to ensure that difficulties can be overcome.

The premise is simple… NIMS is a doctrine, only as valuable as the paper you print it on.  So fundamentally, NIMS has no value – unless it is implemented.  This human factor is the biggest hurdle organizations and jurisdictions must face, yet so many are lulled into a false sense of security because they cite it in their plans and they’ve taken some ICS courses.  I encourage every organization to review the NIMS doctrine and give your organization an honest assessment of how you are actually following it.  It’s bound to be pretty eye opening for many.

nims_document

We also have to keep in mind that NIMS isn’t just for your own organization.  While there are plenty of great practices in NIMS for your own organization, the greatest value in it is for multi-agency responses.  These don’t have to be to the extent of Hurricane Katrina or a massive wildfire, either.  Multi-agency responses occur in most jurisdictions every day – even what we regard as some of the most simple or routine incidents require multiple agencies to respond.  While the actions and responsibilities of these agencies are fairly rote and well-practiced, a slight increase in complexity can cause significant changes.

Consider that different agencies, even those within the same discipline have some different ways of doing things.  These can be simply in the mechanics of what they do, or they can be driven by procedures, equipment, or personality.  Some of this may be in writing, some may not.  Where this matters is in tactics.  NIMS won’t solve differences in tactical application or ensuring interoperability.  Only preparedness can accomplish that.  Before an incident occurs, we need to be having regular conversations with other agencies within our jurisdiction and outside of it.  How often do you exercise with your mutual aid partners?  I mean really exercise with them…  It’s great that you all arrive to the exercise site and set up your own stuff, but how about mixing and matching equipment?  What will work?  What won’t?  How will it impact tactical application?  These are some of the most meaningful lessons learned.

Bottom line – don’t try to pencil-whip NIMS as the solution to your problems.  It’s meaningless unless it’s actually put into action – and the way to proactively do that is through preparedness efforts.   Work together through POETE activities – Planning, Organizing, Equipping, Training, and Exercises.  Once you put the concepts of NIMS into action, then it will work for you!

How has your organization implemented NIMS concepts?

© 2017 –  Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Management and Organization of EOCs

I’ve always been fascinated by emergency operations centers (EOCs).  Through my career I’ve worked in many of them across the nation as a responder, trainer, and exerciser (is that a word?).  I’ve seen EOCs large and small, dedicated facilities and multi-use rooms.  I’ve been in EOCs on the top floor of buildings, so as to have a bird’s-eye view; and those underground, originally designed to withstand a Soviet nuclear attack.  I’ve seen technology that rivals NASA’s Mission Control, and EOCs that drop phone and internet lines from the ceiling when needed.  While the size, layout, and technology can all support an EOC’s mission, it’s really all about the people.

IMG_3226Over the past several months I’ve seen an even greater variety of EOCs due to a broad range of consulting projects I’ve led for my company.  These projects have brought me to EOCs in states, cities, and airports across the nation.  While coordination is the commonality, there are a great deal of differences between and among these EOCs, not only in their physical space, but also in how they operate.  While all pay heed to the National Incident Management System (NIMS) in some fashion, some lean more heavily on the Incident Command System (ICS) than others, while some prefer the emergency support function (ESF) model, and others yet seem to be in limbo, searching for the best model.

It’s been over a year since the National Integration Center (NIC), charged with maintaining NIMS, released a draft for public comment of the NIMS Refresh, which included the Center Management System (CMS) concept.  CMS is/was intended as a model for organizing EOCs and other such incident support functions.  Despite promises, we have yet to see any of that come to fruition.  That said, there are certain expectations and activities that must still exist for an EOC to be successful and productive.

With tactics being managed by the Operations Section in the Incident Command Post (ICP), planning is really the focal point of an EOC.  The perspective of an EOC is generally much bigger picture than that of an ICP.  Assuming a traditional coordination and support role of an EOC, the Operations Section of an EOC is really geared toward pulling agencies together and facilitating strategic-level problem solving through proper coordination.  For an EOC to function properly, current information is just as important as the ability to anticipate future needs so that problems can be solved and resources obtained.  This information management and forecasting is the responsibility of the Planning Section in an ICS-centered model, or of a planning function in any other model.

Every agency that contributes to the EOC, regardless of the model, should be prepared to contribute time and potentially even staff to this planning function.  Often, the incident is ‘routine’ enough that the planning staff are familiar with the various facets of the incident to do proper information collection, analysis, and forecasting; but on occasion subject matter experts are needed to support each of these critical activities.  Those subject matter experts often come from the agencies or emergency support functions represented in the EOC.  As forecasting is performed, opportunities are identified for needs that may need to be supported.  This is where the forecasting loops back to Operations to coordinate the agencies/emergency support functions to solve these problems.

None of this actually means that an EOC doesn’t oversee tactics, even indirectly.  While an ICP, for most incidents, doesn’t report to the EOC, there may be ancillary organizations developed to address other matters which the ICP isn’t overseeing.  While the ICP is focused on immediate life-safety issues, the EOC may be coordinating evacuation, sheltering, or public health matters.  In each of these examples, or numerous others which could be contrived, someone has to be in charge of them.  If the incident commander’s attention is focused on the highest priorities, these other matters are likely to be run by the EOC.  Typically, these would be within the chain of command of the EOC’s Operations Section or through an ESF.

I love seeing how different EOCs address problems and manage their own functions.  I’m all for creativity, but there fundamentally should be some standardization to the organization and management structure.  What’s unfortunate, however, is that so many EOCs don’t have proper plans which identify these functions or how they will be managed.  Some simply insert the phrase ‘NIMS/ICS’ into their plan, and assume that’s enough (it’s not).  Others have no plan at all.  The enemy of coordination is chaos, and if you don’t have quality plans in place, which have been trained to and exercised, the EOC stands to add even more chaos to the incident at hand.

Put some thought into your EOC management structure and plans.    How would the EOC run if you or someone else who usually runs it weren’t there?  Are plans and procedures detailed enough for it to operate smoothly?  Are personnel from all agencies trained properly in their roles and responsibilities?  Have you exercised these plans recently?  If so, what lessons learned do you usually see and have you worked to address them?

Feedback is always welcome!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

New Release: Core Capability Development Sheets

Today’s FEMA Daily Digest Bulletin announced the release of Core Capability Development Sheets which are intended to help jurisdictions build or sustain each capability by integrating:

  • Available training courses
  • Capability targets for the THIRA
  • Nationally typed resources
  • Partners to support development of capabilities
  • Exercise support and guidance to validate capabilities
  • Assistance from the FEMA National Preparedness Directorate

In all, there are 48 Core Capability Development Sheets.  This made me raise an eyebrow when I first read it, as there are 32 Core Capabilities.  The 48 sheets account for the common Core Capabilities (Planning, Public Information and Warning, and Operational Coordination) being carried across each of the five mission areas, as well as other Core Capabilities that are carried across more than one mission area, such as Infrastructure Systems.  This is smart, since, for example, Operational Coordination has some different applications between mission areas, such as Prevention and Recovery.

The sheets themselves offer some good information and make a nice quick reference, particularly for those who aren’t hip-deep in the Core Capabilities on a regular basis.  Matching the National Preparedness Goal, each Core Capability starts off identification of the applicable mission area and a description.  The sheets also identify some training programs across DHS training consortium entities, such as EMI and CDP, which can support the capability.

I like the inclusion of example capability targets, which compliments THIRA development, but also helps users wrap their heads a bit more around the concept of each Core Capability, how progress can be measured, and what can be strived for.  They also offer some identification of resource types that fall in line with the national Resource Typing Library Tool.  I’m a bit ambivalent about this, as the resources identified are response-oriented resources.  For example, the Planning Core Capability identifies two resources – Planning Section Chief (Type 3) and an EOC Planning Section Chief.  Yes, there is obviously a strong case for operational planning in an incident (i.e. the ICS Planning Process), but there is no acknowledgment in this area of resources needed for pre-planning, even though the recommended training does focus on pre-planning.

Each sheet also provides summaries of information on potential partners to help support capability development as well as resources to assist in validating capabilities, the latter being largely exercise focused.  Every sheet has a number of links and even email addresses to DHS program areas which can provide additional information, which may be one of the best aspects of these sheets.

While it’s not indicated that the Core Capability Development Sheets are in any kind of draft form, FEMA’s Technical Assistance program does ask that feedback and comments are emailed to them at FEMA-TARequest@fema.dhs.gov.

I like the concept of these sheets and most of the information contained within.  They are a good quick reference for those that don’t work with the Core Capabilities all the time, and I envision these being circulated for study ahead of meetings, such training and exercise planning workshops (TEPWs) and THIRA/SPR meetings to make sure there is a foundational understanding of each Core Capability and some ideas on how they can be further developed for a jurisdiction.  Kudos to FEMA’s Technical Assistance program on these!  I hope they continue to develop as we all gain a better understanding of how to grow our capabilities.

I’m always interested in the thoughts of readers.  Please look these over and share what you think about them.

© 2017 – Timothy M. Riecker, CEDP

Emergency Preparedness Solutions, LLC