144 ◾ Security Strategy: From Requirements to Reality
video surveillance to observe people’s actions and monitor safeguards. Observation in operations also includes alarm systems such as smoke and fire detectors. Information systems are equipped with antivirus, intrusion detection, and other controls that observe what comes into the system to see if it contains any malicious content or represents an attack pattern. All of these examples are based on observation because observation is what invokes response, and response is what is required to curb malicious activity. Preventative controls (locks on doors, chain-link fences, turnstile gates, and the like) are not designed to stop malicious activity; they are designed to retard the effectiveness of an attack so that it can be observed and responded to. The effectiveness of security is based on our ability to observe what is happening and invoke a response.
Observation Objectives
A large portion of strategy in general is based on observation—for example, observing what the competition is doing, observing what customers want, and observing our own capabilities. When we do strategic planning, we seek tools that improve our observation: business and competitive intelligence, surveys, focus groups, and the like. Why? Because observation is what gives us the ability to respond to changes in our business or technical environment and make good decisions on how to address those changes. The principle isn’t any different when it is applied to the realm of security; the only thing that changes is the scope. The essence of our strategic security objectives is to have unsurpassed observation capabilities. Ideally, we want no gaps in our observation; we want to be able to observe and detect every instance of malicious activity. Of course, the ideal isn’t obtainable, but keeping the ideal as the goal allows us to continuously close the gaps.
Observation is directly linked to the principles of timeliness and response. The better our monitoring, the quicker we will be able to detect that something is wrong and raise an alarm. Real-time observation invokes real-time responses, but not all observation is real time. For example, the periodic review of a log file or an audit trail will detect security events from the past; reviewing video surveillance tapes is a similar example. The timeliness of our response is based entirely on the timeliness of our observation.
Observation is also key to the principle of economy from two standpoints. The first is economy of response: the quicker the response, the less the potential damage from the malicious activity. The second is economy of force: superior observation provides the information required to make a reasoned response that pulls in only the resources required to effectively address the situation. Automation can also reduce the number of people required for observation tasks. For example, installing a continuously monitored camera may eliminate the need for a guard, or combining video feeds onto a single monitoring station can reduce the need for monitoring personnel. Superior observation also facilitates coverage because the information it provides helps the response commander make better decisions.
Observations frequently overlap. For example, when someone comes into work, the card reader observes the person’s entrance into the facility, video surveillance records the entry, and the authentication server observes the person’s log-on. This provides a level of redundancy, but it also improves the quality of the observation, because each source can be checked against the others.
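The overlap described above is what makes cross-source correlation possible: a log-on that has no matching badge entry, or a badge entry at an odd hour, is only visible when the two observations are compared. The following is an added example, not code from the book, showing one way to do that correlation over constructed badge-reader and authentication-server records. The event layouts, the 30-minute pairing window, the business-hours boundaries and the function names are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the book). Each physical entry is
# observed independently by the card reader and by the authentication
# server, so the two streams can be cross-checked.
BADGE_EVENTS = [
    # (timestamp, user, door)
    ("2024-03-04T08:02:11", "alice", "lobby-east"),
    ("2024-03-04T08:05:40", "bob", "lobby-east"),
    ("2024-03-04T21:14:03", "carol", "loading-dock"),
]

LOGON_EVENTS = [
    # (timestamp, user, workstation)
    ("2024-03-04T08:04:30", "alice", "ws-1021"),
    ("2024-03-04T08:06:05", "bob", "ws-1044"),
    ("2024-03-04T09:30:00", "dave", "ws-1099"),   # no badge entry recorded at all
    ("2024-03-04T21:15:10", "carol", "ws-1102"),  # badge entry exists, but after hours
]

# Assumed policy values for the example: a log-on should follow a badge
# entry by the same user within this window, during these hours.
BADGE_WINDOW = timedelta(minutes=30)
BUSINESS_HOURS = (7, 19)  # 07:00 inclusive to 19:00 exclusive


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_entries(badge_events, logon_events, window=BADGE_WINDOW,
                      hours=BUSINESS_HOURS):
    """Cross-check authentication log-ons against badge-reader entries.

    Returns one finding per log-on that either has no badge entry by the
    same user inside the window before it, or is paired with a badge entry
    that fell outside business hours. Log-ons corroborated by a normal
    badge entry produce no finding.
    """
    badges_by_user = {}
    for ts, user, door in badge_events:
        badges_by_user.setdefault(user, []).append((_parse(ts), door))

    findings = []
    for ts, user, host in logon_events:
        logon_at = _parse(ts)
        # Badge entries by this user at or before the log-on, within the window.
        recent = [(badge_at, door)
                  for badge_at, door in badges_by_user.get(user, [])
                  if timedelta(0) <= logon_at - badge_at <= window]
        if not recent:
            findings.append({"user": user, "host": host, "time": ts,
                             "reason": "logon without badge entry in window"})
            continue
        badge_at, door = max(recent)  # most recent badge entry before the log-on
        if not (hours[0] <= badge_at.hour < hours[1]):
            findings.append({"user": user, "host": host, "time": ts,
                             "reason": f"after-hours entry via {door}"})
    return findings


if __name__ == "__main__":
    for f in correlate_entries(BADGE_EVENTS, LOGON_EVENTS):
        print(f"{f['time']} {f['user']}@{f['host']}: {f['reason']}")
```

Running the block flags two of the four log-ons: dave's, because no badge entry corroborates it, and carol's, because the only badge entry that does corroborate it came through the loading dock after hours. alice and bob produce nothing because both observations agree, which is exactly the redundancy the passage describes doing useful work.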
Finally, observation supports the principle of preparedness by providing an early warning of an imminent attack or, in the case of reconnaissance, helping prepare for future attacks.
“Safes are not designed to keep people out, otherwise they wouldn’t have doors on them; they are designed to make it difficult for some people to open the door!” (Unknown)