Security management covers all aspects of identifying your organization’s assets, followed by the development, documentation, and implementation of policies and procedures to protect those assets – be they people, facilities, machines, systems, information or digital assets.
However, even the best policies and procedures can't stop determined actors when those actors know more about their intended actions than you do and have the capability to carry those attacks off.
What then can organizations do to protect their people and assets? That’s where situational awareness comes in.
Situational awareness, as defined in NIST Special Publication (SP) 800-160v1r1, is the perception of elements in the system and/or environment and a comprehension of their meaning, which often includes a projection of the future status of perceived elements and the uncertainty associated with that status.
How exactly does enhanced situational awareness contribute to robust security management? This article explains the role of situational awareness in security management, tracing back the origins of situational awareness, how it’s been implemented in security management, and finally the policies and security management software capabilities designed to enhance situational awareness in the enterprise.
So, where does situational awareness come from? However naturally it fits, the term didn't originate in the field of security management.
In fact, the term predates modern protective security by some time.
Academic scholars trace situational awareness all the way back to Sun Tzu’s The Art of War.
There, it refers to the habit of being constantly alert and prepared: reading the surrounding environment accurately and deciphering signs of danger correctly, so as to act and react with a temporal and tactical advantage (Krassman and Hentschel).
From there, situational awareness was modernised to remain relevant to the volatile conditions of high-tech combat.
That setting required a rethinking of communication structures to achieve what is called shared situational awareness, i.e., situational awareness common to multiple actors.
That level of situational awareness can only be achieved by superior information, knowledge, and decision making.
Around the same time, situational awareness also became important to public safety and emergency management. As severe weather incidents increased, public actors had to anticipate hazardous events earlier in order to absorb shocks and recover faster.
This also required a higher level of information and advanced knowledge to improve the quality of decisions taken before, during, and after critical events.
Like severe weather events, security incidents have also increased rapidly, and situational awareness lent itself readily to the protective security management milieu.
This environment has been characterized by ever more complex types of security incidents – cyber, physical, and cyber-physical. As a result, key concerns for organizations now include:
The trend toward social networking, BYOD, and cloud computing technologies has specifically exacerbated enterprise information security risk.
However, physical security incidents remain common – from tailgating to insider threats to unaccounted-for visitors to workplace violence. Indeed, the evacuation of many workspaces during and after the pandemic has increased the security risk to lone workers and unattended facilities.
How does situational awareness fit in?
Well, best-practice measures, such as those prescribed in the international information security management standard ISO/IEC 27001, acknowledge that an organization's level of security risk exposure should guide its choice of risk controls.
Remember, security risk management entails:
This entire security risk management process, though, relies on high levels of situational awareness to determine the appropriate level of risk exposure.
An accurate assessment of overall security risk is, of course, crucial to the risk assessment phase.
What goes on during a security risk assessment?
That phase typically involves the collection of information about the organization’s security resources, including the following:
In all instances, enhanced situational awareness makes the practice of risk assessment more effective.
It also cuts down on the expense typically associated with undertaking the risk assessment. These expenses result from the following:
What’s more, enhanced situational awareness helps overcome common challenges to the practice of security risk assessment. Those challenges or deficiencies include:
How then can enhanced situational awareness help overcome these challenges?
By providing a more accurate understanding of the risks organizations face, enhanced situational awareness helps security managers make more effective decisions regarding the company’s security posture.
The risk management process, in particular, will benefit from comprehensive information collection, analysis, and reporting mechanisms, enabled by situational awareness, to support the decision-making process.
The remaining question is how.
In physical security management, guards tend to be the eyes and ears of the organization. These guards will have access to video footage and sensor data.
Of course, most acknowledge that this isn’t enough given the scale of the security threat.
Security management software, here, helps organizations proactively safeguard their people, assets, and reputation via enhanced situational awareness through actionable threat intelligence.
In the physical security realm, physical security information management systems (PSIM) stand out as software platforms that integrate multiple security applications and devices to maximize situational awareness.
How so?
PSIM works by integrating security devices and presenting all their relevant information in a single view. In doing so, physical security information management software improves detection efficiency and effectiveness, which contributes to greatly improved situational awareness and decision support.
For this to happen, though, physical security information management software requires a few basic components. According to IFSEC Global, a complete PSIM system will have the following capabilities.
Collection: device-management-independent software collects data from any number of disparate security devices or systems.
Analysis: the physical security information management system analyzes and correlates the data, events, and alarms to identify the real situations and their priority.
Verification: PSIM software presents the relevant situation information in a quick and easily-digestible format for an operator to verify the situation.
Resolution: the system provides Standard Operating Procedures (SOPs), step-by-step instructions based on best practices and the organization's policies, and tools to resolve the situation.
Reporting and audit: the PSIM software tracks all the information and steps taken for compliance reporting, training and, potentially, in-depth investigative analysis.
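To make the five capabilities concrete, here is an added, self-contained Python sketch of that pipeline. It is illustrative code written for this article, not IFSEC Global's or any PSIM vendor's software: the three feed formats, the door and zone identifiers, the correlation rules, the SOP texts and the sample events are all constructed for the example. It collects events from three differently-formatted subsystems, clusters them by location and time, classifies each cluster (a single uncorroborated alarm stays "unverified" and is routed to a human for verification), attaches the SOP steps, and keeps an audit trail of who did what.

```python
# Added illustration of the PSIM pipeline (collect, analyse, verify, resolve,
# report). Not vendor code; all formats, rules and sample data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    source: str      # which subsystem produced it
    kind: str        # normalised event type shared across subsystems
    location: str
    detail: Dict[str, str] = field(default_factory=dict)


# Collection: one adapter per subsystem turns its native format into an Event.
def from_access_control(line: str) -> Event:
    # constructed wire format: "<iso-time>|<EVENT_CODE>|<door-id>"
    ts, code, door = line.split("|")
    return Event(datetime.fromisoformat(ts), "access_control", code.lower(), door)


def from_video_analytics(rec: dict) -> Event:
    # constructed record as a video management system might emit it
    return Event(datetime.fromisoformat(rec["time"]), "vms", rec["event"],
                 rec["zone"], {"camera": rec["camera"]})


def from_intrusion_panel(line: str) -> Event:
    # constructed wire format: "<iso-time> zone=<zone> alarm=<type>"
    ts, zone, alarm = line.split()
    return Event(datetime.fromisoformat(ts), "intrusion",
                 alarm.split("=", 1)[1], zone.split("=", 1)[1])


# Analysis: a rule names a situation when its required event kinds all appear at
# one location inside the window and at least min_sources subsystems corroborate.
RULES = [  # (situation, priority, required kinds, min distinct sources)
    ("forced_entry", 1, {"door_forced"}, 2),
    ("tailgating", 2, {"badge_granted", "door_held_open", "two_persons"}, 2),
]
# Resolution: SOP steps the operator is walked through for each situation type.
SOPS = {
    "forced_entry": ["Dispatch guard", "Pull live video from nearest camera",
                     "Escalate to police if intruder confirmed"],
    "tailgating": ["Identify badge holder", "Confirm second person on video",
                   "Escort unbadged person to reception"],
    "unverified_alarm": ["Verify on camera before dispatch",
                         "Close as false alarm if nothing is seen"],
}


@dataclass
class Situation:
    name: str
    priority: int
    location: str
    events: List[Event]
    sop: List[str]
    audit: List[str] = field(default_factory=list)  # Reporting: what happened, who acted

    @property
    def start(self) -> datetime:
        return self.events[0].ts

    def acknowledge(self, operator: str, note: str) -> None:
        self.audit.append(f"{operator}: {note}")


def correlate(events: List[Event], window: timedelta) -> List[Situation]:
    """Cluster events per location by time gap, then classify each cluster."""
    clusters: List[List[Event]] = []
    open_by_loc: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        cur = open_by_loc.get(e.location)
        if cur and e.ts - cur[-1].ts <= window:
            cur.append(e)
        else:
            if cur:
                clusters.append(cur)
            open_by_loc[e.location] = [e]
    clusters.extend(open_by_loc.values())

    situations = []
    for group in clusters:
        kinds = {e.kind for e in group}
        sources = {e.source for e in group}
        name, prio = "unverified_alarm", 3   # Verification: single-source alarms wait for a human
        for rule, p, required, min_src in RULES:
            if required <= kinds and len(sources) >= min_src:
                name, prio = rule, p
                break
        s = Situation(name, prio, group[0].location, group, list(SOPS[name]))
        s.acknowledge("system", f"created from {len(group)} events / {len(sources)} sources")
        situations.append(s)
    return sorted(situations, key=lambda s: (s.priority, s.start))


def run_pipeline(access, video, intrusion, window_s: int = 60) -> List[Situation]:
    events = ([from_access_control(l) for l in access]
              + [from_video_analytics(r) for r in video]
              + [from_intrusion_panel(l) for l in intrusion])
    return correlate(events, timedelta(seconds=window_s))


# Constructed sample feeds (not real logs).
ACCESS = ["2024-05-01T22:14:03|DOOR_FORCED|DOOR-7",
          "2024-05-01T09:02:10|BADGE_GRANTED|DOOR-2",
          "2024-05-01T09:02:15|DOOR_HELD_OPEN|DOOR-2"]
VIDEO = [{"time": "2024-05-01T22:14:20", "event": "motion", "zone": "DOOR-7", "camera": "CAM-12"},
         {"time": "2024-05-01T09:02:14", "event": "two_persons", "zone": "DOOR-2", "camera": "CAM-3"}]
INTRUSION = ["2024-05-01T22:14:25 zone=DOOR-7 alarm=glass_break",
             "2024-05-01T03:40:00 zone=WAREHOUSE alarm=motion"]

if __name__ == "__main__":
    for s in run_pipeline(ACCESS, VIDEO, INTRUSION):
        print(f"P{s.priority} {s.name:<17} {s.location:<10} first SOP step: {s.sop[0]}")
```

Running it yields three situations ranked by priority: a forced entry at DOOR-7 corroborated by three subsystems, a tailgating case at DOOR-2, and a lone warehouse motion alarm that stays at priority 3 until an operator verifies it on camera. The design choice worth noting is the minimum-sources requirement: a single sensor firing is treated as something to verify, not something to dispatch on, which is exactly the reliability gain the text attributes to cross-subsystem correlation.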
That’s not all.
PSIM platforms collect and manage information from disparate security devices and information systems, collating that data into one common situation picture.
Per analysts in the field, these devices can be traditional security sensors like video cameras, access control, and intrusion detection sensors, or less conventional sources such as networks and building management systems, cyber security alerts, and even weather feeds (more on this later).
PSIM systems themselves are vendor- and hardware-agnostic, which lets users integrate legacy systems.
Indeed, integration is the primary function of PSIM. Users can connect existing and/or planned systems without being locked in.
PSIM is also intelligence-based, i.e., users have the ability to identify unfolding events, manage them effectively, and therefore mitigate risk.
By giving security personnel access to data from disparate systems, PSIM empowers staff to accurately identify and proactively resolve situations. Which systems, precisely? The following security systems have typically been integrated into a PSIM solution:
Why weren’t the individual systems enough to contribute to situational awareness?
The data sources and inputs used in PSIM themselves emerged due to the increase in different natural and malicious threat scenarios. Individually, however, the solutions didn’t provide adequate intelligence and reliability.
That’s where PSIM came in. PSIM overcomes technological limitations, synthesizing data from multiple alerting systems and physical sensors.
PSIM also draws on distributed and heterogeneous subsystems to provide advanced event detection capabilities and/or improve detection reliability.
The importance of PSIM comes into greater relief in the scenario where entities must protect open infrastructure spread out across broad spaces and therefore vulnerable to many threats.
In that scenario, cameras and sensors alone run up against the limitations of human-based surveillance – labor intensive, fatiguing work that’s also prone to human error.
In such a context, PSIM yields superior situation awareness and decision support.
PSIM underscores the importance of multiple data sources for situational awareness. Indeed, multi-source data points are needed to establish and heighten situational awareness, improve comprehension and perception, and support effective critical decision making.
And we’ve learned that properly integrated, these multiple data sources offer the following benefits:
Organizations, however, need the same kind of multi-source data for information and cyber security as well, and that is territory PSIM doesn't cover.
That's one reason cyber security alert volumes keep rising.
According to a 2020 report on the state of SecOps and automation, more than half (56 per cent) of large companies handled at least 1,000 alerts per day.
Serious challenges have emerged to impede the effectiveness of data alerts for situational awareness, though.
The most acute is alert fatigue.
So, what is alert fatigue? Alert fatigue happens when an overwhelming number of alerts desensitize responding individuals to individual alerts – even when those alerts carry valuable information.
Cybersecurity experts have picked up on this trend toward alert fatigue, catalyzed by COVID, which led to a sharp rise in alerts.
How bad has the issue become?
In 2021, the International Data Corporation (IDC) reported that over eight in every ten cyber security professionals said they were struggling to cope with the sheer volume of security alerts.
Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false positives than on actionable alerts.
As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations. Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.
Of course, alert fatigue will give security managers a flawed understanding of risk exposure by impeding situational awareness.
What then can be done?
Here, as with PSIM, the right security management solution can ensure actionable data gets through in a format that supports rapid triage and contributes to situational awareness.
To contribute to enhanced situational awareness, these solutions offer workflow automation that aggregates and visualizes alerts, thereby accelerating investigation and response times.
Flexible, digital solutions with such information-management capabilities work by capturing and consuming information from multiple sources to provide a real-time common operating picture of the task or operation at hand.
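What "aggregate alerts" means in practice is worth showing, because the fix for alert fatigue is not to drop alerts but to fold repeats together and rank what remains. The following is an added Python example written for this article, not code from any SOC product or from Noggin: the alert line format, the asset criticality table, the host names and the eleven sample alerts are all constructed. Repeats of the same rule on the same entity within a window collapse into one case that keeps the count and first/last-seen times (so no information is lost), each case is scored by severity times asset criticality with a bump when several distinct rules fire on the same entity, and the result is a ranked triage queue plus the achieved volume reduction.

```python
# Added example of alert aggregation and triage scoring. Not product code; the
# line format, asset register and sample alerts are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Alert:
    ts: datetime
    rule: str
    entity: str     # host or user the alert is about
    severity: int   # 1 (low) .. 4 (critical), as emitted by the detection tool


def parse_alert(line: str) -> Alert:
    # constructed format: "<iso-time> sev=<n> rule=<name> host=<entity>"
    ts, sev, rule, host = line.split()
    return Alert(datetime.fromisoformat(ts), rule.split("=", 1)[1],
                 host.split("=", 1)[1], int(sev.split("=", 1)[1]))


@dataclass
class Case:
    rule: str
    entity: str
    severity: int
    count: int          # how many raw alerts were folded into this case
    first_seen: datetime
    last_seen: datetime


def aggregate(alerts: List[Alert], window: timedelta) -> List[Case]:
    """Fold repeats of one (rule, entity) that arrive within `window` of the
    previous repeat into a single case; a gap larger than the window opens a
    new case so a re-occurrence hours later is not silently absorbed."""
    cases: List[Case] = []
    open_: Dict[Tuple[str, str], Case] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.entity)
        c = open_.get(key)
        if c and a.ts - c.last_seen <= window:
            c.count += 1
            c.last_seen = a.ts
            c.severity = max(c.severity, a.severity)
        else:
            if c:
                cases.append(c)
            open_[key] = Case(a.rule, a.entity, a.severity, 1, a.ts, a.ts)
    cases.extend(open_.values())
    return cases


# Constructed asset register; anything not listed defaults to criticality 1.
ASSET_CRITICALITY = {"dc01": 4, "web02": 2}


def score(case: Case, distinct_rules_on_entity: int) -> int:
    # severity x asset criticality, plus 2 per additional distinct rule that
    # fired on the same entity (several weak signals on one host add up)
    return (case.severity * ASSET_CRITICALITY.get(case.entity, 1)
            + 2 * (distinct_rules_on_entity - 1))


def triage(lines: List[str], window_s: int = 300) -> List[dict]:
    cases = aggregate([parse_alert(l) for l in lines], timedelta(seconds=window_s))
    rules_per_entity = defaultdict(set)
    for c in cases:
        rules_per_entity[c.entity].add(c.rule)
    queue = [{"entity": c.entity, "rule": c.rule, "count": c.count,
              "score": score(c, len(rules_per_entity[c.entity]))} for c in cases]
    return sorted(queue, key=lambda q: (-q["score"], q["entity"]))


def reduction(lines: List[str], window_s: int = 300) -> float:
    """Fraction of raw alerts removed from the analyst's queue by aggregation."""
    return 1 - len(triage(lines, window_s)) / len(lines)


# Constructed sample alerts (not real SIEM output).
ALERTS = [f"2024-05-01T10:00:{s:02d} sev=1 rule=port_scan host=web02" for s in range(0, 60, 10)] + [
    "2024-05-01T10:05:00 sev=3 rule=failed_logon_burst host=dc01",
    "2024-05-01T10:05:30 sev=3 rule=failed_logon_burst host=dc01",
    "2024-05-01T10:06:10 sev=4 rule=new_admin_account host=dc01",
    "2024-05-01T10:20:00 sev=2 rule=av_quarantine host=laptop17",
    "2024-05-01T11:30:00 sev=1 rule=port_scan host=web02",   # outside window: new case
]

if __name__ == "__main__":
    for q in triage(ALERTS):
        print(f"score={q['score']:>3} x{q['count']:<2} {q['entity']:<9} {q['rule']}")
    print(f"queue reduced by {reduction(ALERTS):.0%}")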
They also:
Further benefits include:
And there’s more. The genius of these solutions is that they offer a full range of integration options, making it easy to connect and synchronize data and plug in customer systems, to further enhance situational awareness in security management.
The Noggin platform, for example, integrates with ERPs and CRMs, as well as other service management and cyber security systems. When it comes to actionable data alerts, relevant Noggin integrations include:
Signal, which integrates with Noggin, is an open-source intelligence (OSINT) tool for security teams who deal with disruptive or unexpected events. Customers monitor multiple online data sources through a simple interface, with Signal providing relevant, actionable information in real time. With Signal, you can:
Dataminr, which integrates with Noggin, is an AI platform that detects the most relevant, high-impact events and emerging risks in real time, so customers can respond with speed and confidence. The platform enables a diverse customer base to manage crises more effectively:
PagerDuty, which integrates with Noggin, provides a source of truth and coordination for real-time operations and major IT disruptions, useful in the following business cases:
The security environment, whether cyber, physical, or cyber-physical, has never been more perilous. As a result, modern security managers need to know more and anticipate better to keep bad actors at bay.
That’s where enhanced situational awareness in security management comes in.
But just as there are practices that enhance situational awareness, there are also technology-induced challenges to it, such as alert fatigue.
Fortunately, technologies like Noggin contribute greatly to situational awareness in security management by making more relevant information actionable through powerful (yet configurable) workflows that can be tailored to your organization’s business processes.
Don’t take our word for it, though. Request a demo to check out Noggin Resilience for yourself!