The Art of Planning for an Attack

Today, we’ll be discussing planning for risks, then I’ll step into the controversy of planning for active shooter situations - but before we do, I’d like to talk about my dog.

Big Fluff and I spend a lot of time alone on the trails together. While we run and walk, he likes to greet people, kiss babies and loves to play with toddlers; and I spend the time thinking about the next article to write for you. We have a system, Fluff, and I – even when we are alone, we understand our surroundings and potential threats. We plan for risk, and we train for situations that we hope never happens.

There are no other words to describe Fluff, except big. For the most part, he’s laid back and easy going; but on the rare occasion that we have encountered an abnormal situation (deer, coyote, or weirdo on the trail), he’s learned to assess the situation and if needed, can become unhinged. He looks for me to give him a sign that the situation isn’t right and he’s the perfect dog to walk alone with. When the threat is not real, he listens well to commands and backs down accordingly.

When I run, I have a plan that has several components in the event of a situation. These components won’t be disclosed, though I can assure you, the plan is often thought of and modified as needed. Out on the trail, a perpetrator may assess me as a small-framed women with a very large dog. If they are thinking beyond an intended behavior, they would also need to assess my ability to defend myself against an attack, which is a judgement call on their part. The perpetrator has no idea if I’m prepared for a threat or if I plan and train for different scenarios. They don’t know that my career is to protect companies from unwanted and unwarranted bad situations. As a runner, why wouldn’t I plan for my own personal needs? As a team, Big Fluff and I have a better chance of defending ourselves than individually. We’re also smart, we don’t take uncalculated risks and always know our surroundings, but sometimes in real-life the inevitable happens.

My personal rant regarding the latest school shooting in Nashville that did not need to occur if the school had a better plan in place. Like it or not, planning to defend against attacks is unfortunately an uncomfortable need and a part of life. It is time to stop active shooters in our school systems, personal lives, and workplaces.

While our government continues to dispute the topic, I advise parents to find out how your school system prepares and trains to respond to an active shooter scenario, then make sure that they are running practice tests before a scenario occurs. These tests should include teachers, administrators, law enforcement and children. Questions to be asked of the school administrators include:

• Are doors and entryways locked at all times (including stairways and loading docks)?
• Are there any other types of entranceways that need to be locked and protected?
• Is the protection of windows a part of the plan?
• Is anyone responsible throughout the day to check and ensure that doors and entryways stay locked?
• Is the checking of the doors logged and audited, and would anyone know if any of the doors were missed in the checkpoint?
• Are there cameras on each door and entryway (pointing in and out)?
• Is there someone watching or sitting at the doors and entryways?
• Are these individuals armed?
• If they are not armed, what would they do to stop someone from entering the building?
• Is there only one way into the building for employees and students?
• Are employees and students trained on how to enter the building (tailgating not allowed)?
• Is there a stop gap measure in the event the person entering the building shouldn’t be there?
• Who is the person responsible for stopping someone from entering the building?
• Is this individual physically able to stop someone from entering the building?
• Are individuals logged in/out of the building?
• Are there plans created if anyone compromises the building?
• What is the scenario if the threat starts internally vs externally?
• Can classrooms be shut off from the main corridors?
• Are there safe rooms/places where students can go in the event of a breach?
• Is there a place to meet outside of the building and who is accountable to collect and count students?
• How is law enforcement contacted?
• Is there a backup plan if communication lines are down or if individuals are not able to contact authorities?
• How are parents informed during the incident?
• Has anyone been brought in to assess the building and to make recommendations to reduce the risks?
• What is the frequency to test the plan?
• Who is responsible to maintain the plan after tests are run and modifications are made?

There shouldn’t be any excuses to avoid planning and training for an active shooter situation. Our children need to be protected by the preparation of plans that include different types of scenarios and how to resolve them. Law enforcement can be engaged to help in testing scenarios, as they are a part of an effective resolution. Parents should demand answers and not relent until there is a satisfactory plan in place. Please get involved and stay informed.

Let's go back to planning. Most businesses have a CIRT (or SIRT) to follow. The cyber or security incident response plan is a large part of having a security program and ensures that the staff is testing for different types of situations and has the answers figured out before a situation occurs. If your company is audited by a firm, the CIRT is one of the first items of evidence requested. Ask your security team if they have a CIRT plan in place and if they understand what to do when the unexpected happens. As mentioned above, CIRTs are frequently tested and modified as needed.

Testing the plan is called a tabletop exercise and there are three ways to run one: (1) the actual situation is documented, along with how the situation was resolved (2) new scenarios are created, and the group works together to resolve each one (3) automated software solutions can be purchased for the team to participate in.

Tabletop exercises should also include the departments within the organization that are a part of the CIRT and include technical and business representatives. One component of the CIRT is a communications workflow, which describes who is on point to communicate a disruption of business operations, from the department impacted all the way up to the Executive, Board, shareholders and to the public. Each scenario is discussed, and role played amongst the participants. For added value, when I run a tabletop, my management team is requested to stay silent during the exercise and the direction is given upfront that the team will need to come up with the answers on their own. After the test, we’ll revisit the scenarios as a group and critique how we’ve done. Modifications to each plan are made in response to the exercise.

The point of the test is to ensure that each representative has stepped through the actions for the scenario and knows what to do while the situation unfolds - instead of making it up in the heat of the moment.

As I like to say, the best time to plan for a situation is before it happens and make sure that the element of surprise doesn’t overwhelm you.

As always, your feedback on these articles is encouraged.

? 2023. All Rights Reserved

Sue Bergamo is a CISO and CIO and is an executive advisor to C-Suite executives. She can be reached at [email protected].The content within this article are the sole opinions of the author.