ExAM: Putting security and safety first

One of the things that’s been incredibly exciting for me personally and for our company has been the development of the ExAM for Schools product. As somebody who has three kids that will all be in the school system soon and a partner who also has three kids in school, safety is something that we take pretty seriously. Your expectation when you drop your kids off at the front door at school is that they’re going to be safe. You’re more concerned with are they going to learn the things that they’re supposed to learn? Are they going to make friends? Are they going to have fun today? Unfortunately, if you look at the statistics around what’s happening in our schools, you probably would be a little more concerned than you are even if you don’t have kids. After all, everyone here is stuck here with the kids of everybody else; those are the people that are going to shape the next generation. If we want this place to be a better planet over the next 20-30 years, we need to get serious about what our kids are learning at school, what that learning environment looks like, and what are the lessons that they’re taking home every day.

Over the last two years we’ve taken the security expertise that we have and built out on top of Salesforce. We built a comprehensive school security operations platform with the flagship idea of it being security assessments.  This is something that we had a background in. We’ve done assessments for about 190 schools in terms of basic physical security infrastructure. This means we looked at things like how do they stand with regard to lighting? Lighting is an important part of being able to feel safe on a school campus because dark areas invite people to do bad things if they’re so inclined.  Bad lighting makes it so that CCTV is less functional which brings me to the importance of understanding how CCTV is deployed in your environment.  All of these pieces are kind of active monitoring things but just simple things like understanding whether or not the paperwork is up to date from a facility inspection standpoint or from a security officer certification standpoint are important too.

There are so many things that go into ensuring that you’ve done the appropriate amount of facilities and security planning. You need to know that you’ve done the right amount of work to secure the exterior of your facility with regard to fencing, parking, and visitor management and same thing goes for the interior.  How do we manage people within the facility?  What type of monitoring measures do we have in place?  There’s a huge amount of things that go into just the security assessment alone as we work to develop this more comprehensive security and operations package for schools.

As we’ve gone to look and gone into market, so many things have happened over the last two years including a lot of real tragedies. We had a lot of heated debate internally about how do we get this out into the market. We have spent a lot of time talking about it and we’d like to offer it out for free.  I think that as somebody who has a real stake in how we educate people this is something I don’t want to see people miss out on or understand how important this is. You don’t want price to be what keeps somebody from going there with this increasingly vital assessment. What I’m curious about and what I’d really appreciate feedback on from the people out there in the government community, is whether or not this is something that is going to be feasible?  Is free going to be ok given that it might have implications for how school systems leverage it?  Ideally what we’d like to see is everybody take the ExAM, go through and get their scores, and immediately begin addressing areas where they have deficiencies. Then we can come in and try to sell them on our larger approach to school security and operations but first and foremost, we want to start that process of gathering information and beginning to address security situations whether or not we end up with that school system as a client.  So I’m very curious what people think? Is free going to be a problem as a pricing model for us and do people have advice for how to best move forward in terms of trying to get something out there? How can we at least get people engaged around fixing some of the security issues while we work towards some larger set of objectives?

Thanks as always for reading my blog, I hope you will join the conversation by commenting on this post.

If you liked this post, please consider subscribing to this blog and following me on twitter @jmillsapps. I regularly give talks via webinar and speak at events and other engagements. If you are interested in finding out where to see me next please look at my events page on this blog. If you would be interested in having me speak at your event please contact me at events@joshmillsapps.com.

If you are interested in consulting services please go to MB&A Online to learn more.

Context: Looking beyond the obvious

One of the things that is pretty interesting as you spend some time talking to people about how they look at information to make decisions and what are the things that are really important is you hear about the power of context. So to give a great example we’re working with an organization to create comprehensive security assessments. We want a way for them to understand, across all of their facilities, what are the critical factors in ensuring they were as secure as they could be. This means what are all the things that were directly related to the security of the facilities themselves like:

  • Are the fences in good condition?
  • What kind of fences do you have?
  • Do you have closed circuit televisions and where do you have it?
  • What type of policies do you have for people entering the building, background checks, and security planning?

All of these different factors and an immense number of other things go into securing a facility. While those things are all important and this particular organization had specific standards, policies, and all these different things it had to adhere to that went into how the organization was supposed to secure these facilities, it wasn’t taking into account some critical factors in how secure those facilities really were. So it was the contextual data that mattered as they looked to plan what they were going to do in terms of shoring up their security; it couldn’t just be did they meet all of the standards alone.

While the standards are good and they help you get an understanding of how prepared you might be in a bad situation or if your existence is in a perennial troublesome state, it didn’t really give you a complete picture. To get a complete picture you had to understand the contextual data. You had to understand crime statistics. So if a facility is in an area where, compared to the national average, there are an extraordinarily high number of homicides, violent crimes, assaults, thefts, and things like that, well all of a sudden those physical security assessment characteristics take on a whole new meaning. It becomes a much more critical thing to have fences when those fences are the only thing separating you from an outside world that is very scary. So as the organization looked to prioritize where it was going to spend its physical security resources, the most critical factor wasn’t just the status of the assessment itself but it was the context in which that status existed.

Similarly it’s not just about the facilities themselves but also about what the value of the things in those facilities is. It’s hard to say that a facility with four people requires less security infrastructure than one with a hundred because everybody is important. On the other hand I think that for most people if you look at a facility that’s got 300 people, a daycare facility, a bunch of other high value assets, or just a mass of people, those are places where you might want to look to secure them earlier. Other factors might be things like the age of the facilities themselves, the age and time of the last security assessment, or the last building upgrade. These are all factors that go into helping you understand just what the real status is as opposed to simply looking at do they meet the criteria or not. It just doesn’t give you enough information to make decisions.


Why we built ExAM (our Salesforce.com based Facilities Operations & Security application)

This is the story of how we got involved in developing the ExAM application for Salesforce and the problems it solves for facilities managers, security personnel and executives. Below is a transcription of the above video:

Yesterday’s Salesforce event at the Mandarin in DC got me excited to talk about Salesforce but I also wanted to talk a little bit about what got us engaged in working with Salesforce. A few years back we were faced with a really difficult problem to solve. We had a client that had facilities all over the United States that had to be maintained, managed, and assessed for security. Unfortunately, the cost to fly to all those places, put staff on the ground, and get it all done in the time that was allocated was just not going to be feasible in the long term. So we started working with them and the first thing that we did was help them do a better job of capturing the data. We then helped them standardize it, looked at best practices around facilities management and security assessments, looked at the various guidelines that were out there within federal and commercial best practice, and began to develop an assessment that would enable them to understand how each of those facilities was being protected and secured.

The next step was to figure out how to get the information to the right people. We had already figured out how we want to get the data in and we understand the information that we need to make decisions about physical security across these 200 facilities nationwide. Now we need to figure out how do we get it out to these people? How do we ensure that everyone has the access that they need, that they are able to do reporting across all of the facilities but yet still be able to understand their security posture on a facility by facility basis? So what we did was go out to the marketplace and we found Salesforce and salesforce.com. We realized this was really an incredible solution for the problem that we had. It enabled us, through a secure web interface, to deliver all over the United States. It allowed us to rapidly build value for the client because we were able to, in 90 days, develop an enterprise application. Something that previously with similar requirements had taken almost a year to develop. So it was just a very exciting discovery and we didn’t have to give up anything.

We were still able to provide it to them in the exact look and feel that they wanted. It looked like the rest of their organization’s user interface. There wasn’t anything that they really had sacrificed to get there. Now they had this really incredible ability to understand their facilities nationwide in a way that they never had before whether it was looking at a map and understanding scoring at any particular school or just being able to glance at a map and see regular green and ask how am I doing and focus in there. It’s just a very easy way to accomplish that.

We were also able to tie in all those best practices and manage all the documentation that goes into one of these types of engagements. There’s always the why and not just why but how do I work with other people, so collaboration and understanding what other people are doing was also important. This tool gave us the ability to have teams be able to follow each other and understand that even if they weren’t geographically connected, you could understand what somebody else was working on. If they made a change to their assessment of a facility, added pictures, documents, or anything changed in their report, we were able to know about it. It was really groundbreaking when you think about it.

It wasn’t just us delivering a solution, it was us empowering those users to build reports for themselves and for them to be able to do their own mining of the data. You come in and you begin to understand this platform and yeah, there’s some effort that goes into getting the information in and understanding what information you want to look at, but there really is an opportunity to rapidly create value. You create this value not just at an enterprise level with analytics that mean something to the one group at the top that came in and helped work with us at the beginning of the project but for people to come in on their own. They can create their own analytics and make something that works for the way that they want to do their work. That’s the part that came out of the box with the Salesforce platform and we just leveraged it. So we were able to drop in all this expertise and subject matter expertise around facilities management, security, and BI but it was all enabled by the platform. So we were able to take what we knew and get there very rapidly and it’s an ongoing process.

The nice thing about this is it allows us to continue to tailor really rapidly. So when it becomes about more than just security assessments and you want to track visitors or you want to do something that is operational you can do that. You can have people come in, register through a kiosk, and then report out. You’re talking about something that was developed in three hours after a client conversation. Again it’s just a very simple way to get access to this so if you want to learn more about this go to exam4schools.com. That is exam, 4 the number, schools .com and take a look at some of the work we’re doing. This is specific in this case to the school environment but this is something that is applicable across all facilities. You could do this if you’re a large retail organization or a large federal organization. A lot of this is drawn directly on federal security standards. It’s all best practice so I hope you’ll get out and take a look at it and please share back what you think.


The Unification of IT and Physical Security


I think IT security and physical security are converging.  It’s a part of the overall trend towards the integration of technology with our everyday lives. It just shows how separated certain aspects of corporate business have been from the technology that could, or does, underpin them. You see there a separation from the mission, or from the types of activities that you would undertake, that’s emblematic of larger issues within an organization.

When you think about separating the securing of information assets and how you prevent cyber security issues from occurring and then make a distinction between that and how you protect the rest of your physical infrastructure, it highlights this sort of divide between technical skills and business or mission oriented skills that probably shouldn’t be there. Security is security whether you’re protecting information assets as a company or the physical assets of the company. Having a divide there because of the skills required to accomplish the objective doesn’t make a lot of sense. The value gained by intertwining those activities is immense. For example a lot of organizations own data centers and within those data centers there’s security, network firewalls, and information technology approaches that you’re going to use to safeguard that information. Unfortunately, all that is moot if somebody can get physical access to the keyboard or physical access to the facility. You’re going to be hard pressed to prevent them from being able to affect the processes and mission critical applications that your business needs to support its everyday activities. So there really is no reason to have those things split. It’s simply a function of the types of skills used to perform them and so I think it’s natural that the convergence is occurring. I think we’ll see more of that convergence over time in areas where technology and the business have previously been split. You’ll see more embedding of technical skills with mission skills to create the right combination to get the job done.  I’m curious to see what other areas people have noticed where they see an unnatural split between mission and technology.

-Photo by Sudhee


MB&A: Changing the world

I’ve had a few different people ask me about the types of work we do at MB&A so I thought I would put together a few posts that highlight what we are working on as a company. Of course we do many of the things that I consider to be the bread and butter such as management consulting activities like providing advisory services, enterprise architecture, business process reengineering, and business intelligence & analysis. What I think people may find more interesting, and one of the reasons I’m excited to get to the office most days is the innovative projects we have been able to take on where we are deeply involved in creating something new for the customer. Whether it is something that is completely custom or a unique implementation or integration that meets specific client requirements, we have been able to solve some pretty complex problems for clients based on our ability to bring together the best parts of the engineering, software development and management consulting disciplines. In this post I’ll be focused on a few of our most recent projects and also provide some insight into how we leverage our strategic partners to bring unique benefit to the end customer. For today’s post I’ll focus on solutions we have developed in coordination with Troux, Salesforce.com, and the SAAB Group.

SAAB Group – Mobile Situation Awareness for Enhanced Security (MSAFE)

MB&A has developed a mobile situational awareness capability that enables organizations to bring advanced command, control, and security capabilities with them into the field to events, as well as to buildings where advanced security capabilities are needed on short notice. At the core of this system is the open architecture SAFE (Situation Awareness for Enhanced Security) software. SAAB is a leader in the Physical Security Information Management (PSIM) space and its SAFE software is a flexible, scalable and robust Security Management system designed to provide enhanced situation awareness capabilities for Critical Infrastructure Protection and Emergency Response. Based on a Command & Control system and a highly advanced Integration Platform, SAFE provides advanced capabilities managing security and efficiency needs in daily operations.

MB&A has used this software as the brain behind its mobile units and combined it with other hardware and software to develop a platform from which sensors, alarms, devices, access control, radar, CCTV, network devices, etc. can be controlled from a single or multiple operator stations.


Salesforce.com – Security Assessment and Management

Our Salesforce.com app, Fedblueprint: Security Assessment and Management (SAM), was created specifically to meet the unique security needs facing our school systems today. Our app was developed for school physical security inspectors so they can conduct physical security assessments on measures such as effective use of architecture, landscaping, perimeter, parking, facility access control/interior, physical barriers, access control, and lighting to achieve improved security by deterring, disrupting, or mitigating potential threats. This assessment is built to meet federal requirements for facilities safety and the first version of Fedblueprint: SAM was used to assess 189 schools and reduced the total cost to perform security assessments by more than $25,000 on a per facility basis. This cost savings was possible because the Office of Homeland Security and Emergency Management did not require an investment into hardware, software and complex systems. They simply bought the assessment service the same way people use Gmail, iTunes, social media or iPhone apps. This complex requirement can be met by SAM because Salesforce.com, one of the world’s fastest growing Fortune 500 companies, is also one of the most secure, built to handle federal security requirements.

The app facilitates the assessment of security requirements. The following briefly highlights SAM’s major capabilities:

  • Includes relevant data regarding physical security standards and governance.
  • Tailored to provide an easy to use interface that is comfortable to the user community.
  • Mobile ready
  • Includes an extensible library enabling the development of comprehensive information relevant to the security.
  • Fully developed manual which can be accessed via print or online and includes coverage of every question asked on the survey as well as all of the tool’s survey related features.
  • Standard set of dashboards and analysis that enables management to understand survey progress and to ensure compliance with requirements.
  • Core set of dashboards to facilitate understanding and analysis of the data that is being gathered.
  • Core set of reports to facilitate understanding and analysis of the data that is being gathered.

The cost is incredibly low for an application that can be accessed by you and your personnel securely on a mobile device or via a web browser. With more than 100 out of the box security questions covering everything from key personnel contacts to CCTV, SAM is able to help you immediately begin to better understand the physical security posture of your organization. Since it sits on top of the Salesforce platform you also get access to the power of Salesforce.com’s inherent capabilities around document management, messaging, task management, and other capabilities that have made Salesforce.com a staple of Fortune 500 companies like Dell, Wells Fargo, and Comcast as well as the number one CRM tool in the world.


FedBlueprint: Investment Portfolio Manager (IPM)

Our team developed a custom report and data collector on top of the Troux transformation platform to help federal customers ingest IT investment data and understand their portfolio in the context of risk, cost, and capability. One of the hardest things to do when thinking about developing analytic components is to develop the statement encapsulating the purpose of the analytic component. Our first analytic component for Federal investment portfolio managers (IPMs) is focused on helping guide the IPM’s eye to the investments that most require attention. One of the hardest things I find in developing high-level dashboards is to resist the temptation to overcomplicate or try to service a broader audience than is really intended. Our dashboard is intended for the person in charge of managing the entire IT investment portfolio.

As such, some detail that is available from more analyst-oriented dashboards is abstracted or otherwise wrapped into the presentation layer. The design tension here – between giving enough detail to support decision making and presenting a very complex information set in a manner that is accessible – was difficult. Throughout the development we focused on identifying measures and views that were very relevant to other stakeholders. In the case of this example, we are going to find a great deal of information and views that will resonate with individual investment managers, project portfolio managers, project managers, and analysts. Keeping laser-focused on the objective of our high-level stakeholder was critical to ensuring the eventual success of the dashboard. In fact, we ended up building many of the lower level analytics required by other stakeholders in order to understand the various components of the high level analytic well enough to understand the interplay and relationships of the various components.


This work was an outgrowth of the work we did to develop our whitepaper “From Compliance to Transformation,” where we looked at specific federal requirements including Shared First, Cloud First, PortfolioStat among others and attempted to pull together a comprehensive approach to managing these various mandates in a manner that fosters transformation and organizational improvement.


5 skill areas needed to transform your organization

Don’t miss the mark, develop the right skills

Change happens every day both inside the organization and outside the organization. I’ve talked quite a bit about the fact that I believe this change is happening at a faster pace than we have ever seen and that this is driving high performing organizations to look for ways to develop organizational transformation capabilities. As someone who has spent a lot of time talking to the stakeholders within organizations, I have seen a lot of soul searching around what it really takes to pull off organizational transformation. Enabling an organization to regularly be able to move from a current state to some future state that is better suited to meet evolving stakeholder requirements, changing compliance criteria, disruptive technologies and other forces that drive the need for organizational change is tough stuff.

I believe that there are really five key areas that organizations should be focused on developing in order to deliver a truly world class ability to enable change:

Leadership: I fall firmly in the camp of folks that believe leadership skills can be developed and that focusing on this area of development can pay real dividends for organizations that are willing to invest in it. I also do not believe that leadership skills are something that an organization should only focus on at the executive level. The fact is that as organizations become flatter and more agile leadership skills have become more important than ever even at much lower levels of the organization than have previously been focused on. This also ensures that people who are thrust into leadership roles have some skills when that occurs and aren’t learning on the fly (and failing) until they figure it out.

Transformational methodology: If you buy into the fact that understanding and executing on change within the organization should be a primary capability, then you will need to find something that can function as a repeatable process focused on helping you identify areas that require change and then execute that change. Properly executed enterprise architecture should fulfill this role. Focused on understanding the strategic direction, resources, processes, assets and operating environment of the organization this function should rightly be the focus of managing the information driving change and providing real input into both planning for change and executing on it.

Risk: More change means more risk. Organizations are almost always focused on the simple execution of change and not on the implications with regard to risk for the business. Rapidly implementing an online application may help you shave costs, meet customer requirements, or improve productivity. It may also introduce risks that need to be mitigated. Risk management skills need to be embedded within your transformation team in order to ensure that someone is thinking about the dark side of transformation.

Security: See risk. Change always has security implications. The downside of your newfound agility means having more discussions around the security implications of that change and so having skills in this area is critical for transformation teams. Leaving security out as an afterthought means inviting last minute changes of the worst kind. Find out up front what the implications of your actions are for security and you may be able to tailor your solution more easily in the early stages or even alter the scope to ensure your solution is viable.

Personal Productivity: You may be surprised to see this on the list, but I think it is a major oversight to think that everyone is functioning at the same high level with regard to organizational, presentation, speaking, writing, negotiation and other critical core skills. None of the rest of your transformation team’s domain expertise matters if their insights cannot be communicated to the outside world. I have often heard the counter argument that “we” don’t hire people without those core skills. I’m sure that is the intent but usually when someone is being recruited as a java developer, accountant, or other functional area specialist at the beginning of their career the focus is on their domain expertise. This stays the same through much of an individual’s career with advancement mostly tied to domain expertise – not these skills. When thrust into senior roles where these skills are required because getting the job done requires the ability to get others to see their point of view, etc. they fail. Do not make this mistake when you begin working to develop your transformation team.

Conclusion

In this I have tried to lay out some core areas of focus as you work to develop your transformational capabilities. I’ve tried to stay at a fairly high level, while still providing some insight into the types of backgrounds you may want for folks on your team as well as areas where you may want to focus on as you pursue your organizational development objectives. The above is not meant to be an all-inclusive list and in fact I invite your feedback. What have you done to prepare your organization for change?
