Response Time: The Key to Better Security Outcomes
Post on 02-Mar-2022
WHITE PAPER
SUREVIEW | RESPONSE TIME
TABLE OF CONTENTS
Unlocking a More Efficient Security Command Center
Defining the Importance of Response Time
What Factors Impact Response Time?
WHEN LOOKING AT OPERATIONAL BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
WHEN LOOKING AT SYSTEMS BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
7 Tactics To Improve Response Time
1. MEASURING AND ANALYZING DATA
2. REDUCING FALSE ALARMS
3. PRIORITIZE EVENTS AND AUTOMATE THE REST
4. CREATE SIMPLE ACTION PLANS FOR COMMON EVENTS
5. MAKE KEY INFORMATION EASILY ACCESSIBLE
6. AUDIT OPERATOR ACTIONS
7. DEVELOP A CULTURE WHERE RESPONSE TIME IS THE KEY METRIC
Improve Outcomes
UNLOCKING A MORE EFFICIENT SECURITY COMMAND CENTER
Every security command center is tasked with improving security outcomes. This
can mean different things to different organizations depending on their industry,
facilities, corporate mandates, and compliance requirements. Measuring these
outcomes can be difficult: some performance requirements are almost impossible
to measure, while other incidents happen so infrequently that tracking them for
performance provides no valuable data.
Ultimately, there’s a single core metric to gauge security performance and
outcomes: response time. In this paper we’ll explore the 7 essential steps to
speed up response time so that you improve your overall security outcomes.
DEFINING THE IMPORTANCE OF RESPONSE TIME
Response time is “the elapsed time between an inquiry on a system and the response to that inquiry.” In the context of command center operations, response time is simply the lapse between when an event is raised and when an operator takes action.
Out of all the performance metrics your security team measures, why does
response time have the greatest impact? Metrics such as dispatch time, assets
lost, injuries, and others are critical for any successful monitoring operation, and
are undoubtedly important. However, improving response time is proven to have a
ripple effect on all critical metrics.
The closer you get to achieving a “real time” response, the better chance you
have of a positive outcome. For example, let’s consider a simple unauthorized
after-hours building access incident. If it takes the operator 4 minutes to respond
to an alarm, it will take longer to identify where the intruder actually is, which in
turn means it takes longer for a dispatched guard to find the intruder.
However, if the operator responds within 30 seconds, the dispatching officer is
likely to find them quickly because the person has had less time to get far from
the point of entry. In this example it can be the difference between intercepting
the person in under 5 minutes versus taking 15-20 minutes to find them. A lot can
happen in 15 minutes!
WHAT FACTORS IMPACT RESPONSE TIME?
Not every command center is the same, but in general the types of things that
can impact response and create bottlenecks can be broken into two categories—
operational bottlenecks and system bottlenecks. Operational bottlenecks take the
form of processes, procedures, and HR, while system bottlenecks typically take the
form of overwhelming amounts of data stored in multiple different systems.
WHEN LOOKING AT OPERATIONAL BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
• Are there enough operators on shift to adequately respond to the
number of events that occur?
• Can these operators handle the volume of this traffic?
• Are responses operationally consistent across the organization?
• Is the process operators follow the same every time, or do they
rely on their knowledge and experience?
• Are operators effectively trained for all the scenarios they’re
likely to encounter on shift?
WHEN LOOKING AT SYSTEMS BOTTLENECKS, HERE ARE A FEW QUESTIONS TO CONSIDER:
• How many systems are creating events?
• Are events from all systems correlated into one central queue?
• How many of these events/alarms are false?
• Is the 80/20 rule in effect? (Are 80% of my alarms coming from
20% of locations?)
• How many alarms are presented to operators that don’t
require an action?
• How are alarms prioritized, and is this prioritization consistent
across systems?
• How many different systems contain data required to
coordinate a response?
It’s time to begin looking critically at your systems. These questions can help guide your conversations with your teams.
7 TACTICS TO IMPROVE RESPONSE TIME
1. MEASURING AND ANALYZING DATA
Security professionals are faced with difficulties normalizing and processing complex data on operator response times, alarms, and dispatches captured in multiple systems and formats.
Systems like SureView centralize the response process in the command center and
capture these key metrics as operators do their job. Using the interactive reporting
module, Insights, managers and supervisors can quickly analyze performance
across both operations and systems.
For Operations, Insights provides top-line metrics for both response and
processing time by operator and regions. When looking at systems, Insights
focuses on alarm event counts by location and point-over-time. Managers can use
these reporting metrics to set performance baselines and SLAs, allowing them to
easily measure the impact on overall security outcomes.
Management thinker Peter Drucker famously said: “If you can’t measure it, you can’t improve it.”
2. REDUCING FALSE ALARMS
Once you’ve effectively implemented a process for measurement and analysis, it’s time to take your captured data and drill down into one of the most common response time detractors: false alarms.
It’s a well-known story: operators have a long, scrolling list of alarms in their queue
and see “another one of those alarms” pop up. They have seen this alert so many
times they have become numb to the condition. Consequently, buried in this
list of alerts is a real event that requires immediate action that doesn’t receive a
quick response. Before developing a plan to reduce false alarms, it’s important to
understand what causes them.
FALSE ALARM EVENTS TYPICALLY FALL INTO TWO CATEGORIES:
1. Alarms caused by faulty equipment
2. False positive alarms, which falsely identify an activity as a threat
Alarms caused by faulty equipment are relatively easy to resolve. Faulty systems
and equipment can present as either sending large quantities of alarms
(i.e. multiple alarms a second) or alarms for an unanticipated or nonexistent event
(e.g. door-open alarm being triggered when the door is, in fact, closed). Security
technology professionals can troubleshoot these systems to identify the source
of the alarms. While this investigation is underway, security teams can mask these
points from monitoring until the system is restored.
False positives are a far more
difficult issue to resolve. The system or device is operating properly but triggering
alarms that, while not true threats, still require operator action. One example of
a false positive is an expired access control card. The system raises a valid alarm,
albeit one that could have been avoided if the card had been updated prior to its
expiry date.
Reducing false positives requires an understanding of the behaviors that are
causing the alarm, then either changing the configuration of the device, updating
the system, or changing operating procedures. There is no silver bullet for false
alarms as each circumstance is different.
The reporting capabilities of SureView make capturing this data easy. It’s very
common for alarm reports to show 80% of traffic coming from 20% of points. Dig
into the data to work out if these alarms are being caused by faulty equipment
or false positives. By reducing and ultimately eliminating these false alarms,
operators’ response times will be greatly improved because they will be focusing
entirely on processing genuine alarms.
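The 80/20 check and the faulty-equipment signature described in this section can be run against any exported alarm list. The following is an added example, not SureView's code or part of the original paper; the point names, the constructed sample data and the threshold of three alarms within one second are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def pareto_points(alarms, share=0.8):
    """Smallest set of points (busiest first) producing `share` of all alarms."""
    counts = Counter(point for point, _ in alarms)
    target, running, chosen = share * len(alarms), 0, []
    for point, n in counts.most_common():
        if running >= target:
            break
        chosen.append(point)
        running += n
    return chosen, len(chosen) / len(counts)

def chattering_points(alarms, burst=3, window=timedelta(seconds=1)):
    """Points that raised `burst` or more alarms inside any one `window`."""
    by_point = defaultdict(list)
    for point, raised in alarms:
        by_point[point].append(raised)
    flagged = set()
    for point, times in by_point.items():
        times.sort()
        # Sliding window: compare each alarm with the one burst-1 places later.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                flagged.add(point)
                break
    return flagged

def sample_alarms():
    """Constructed data: 100 alarms from 10 points on one day."""
    start = datetime(2022, 3, 1, 0, 0, 0)
    alarms = [("lobby-door", start + timedelta(minutes=5 * i)) for i in range(50)]
    alarms += [("dock-pir", start + timedelta(milliseconds=200 * i)) for i in range(30)]
    for p in range(8):
        n = 3 if p < 4 else 2
        alarms += [(f"point-{p}", start + timedelta(hours=p, minutes=20 * i))
                   for i in range(n)]
    return alarms

if __name__ == "__main__":
    data = sample_alarms()
    points, fraction = pareto_points(data)
    print(f"{points} ({fraction:.0%} of points) raise 80% of alarms")
    print("chattering, candidate faulty equipment:", sorted(chattering_points(data)))
```

A busy point that is not chattering (here `lobby-door`) is a candidate false positive to investigate as a behavior or procedure issue, while a chattering point is a candidate for masking until the device is repaired.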
3. PRIORITIZE EVENTS AND AUTOMATE THE REST
So far, you have metrics to understand the traffic in your environment and a plan to reduce false alarms. It’s also important to identify the events that operators are responding to, and if their responses are appropriate and necessary.
SureView can automate many common processes for an operator, such as
recording cameras, sending notifications, and triggering actions. This automation
can be used to eliminate the need for an operator to respond to repetitive events
that are not an active threat and don’t require the operator to make decisions.
Of course, you could just ignore these alarms. However, many operations require
logging all events for compliance or management reporting. SureView allows these
events to be auto-handled and logged, eliminating distraction for the operator.
When deciding which events require operator action, it’s important to be
consistent. SureView uses a flexible model where alarms are given a numerical
priority rating, with priority 1000 as a threshold. Alarms at this rating or higher
override any masking and will still be presented to operators even if an area is
disarmed.
Prioritizing events not only helps to rapidly order the alarm list, it can also help
group similar events and route traffic to the appropriate operator groups. These
workflows can be used to improve the performance of your team and can include
internal SLAs that trigger additional actions or escalations based on response time.
For example: You decide that first-line operators are responsible for events with a low priority, while second-line operators respond to the higher priority events and escalations. As alarms are received, the priority level indicates how they are routed. You can add an SLA that automatically escalates a priority alarm if it doesn’t receive a response within 1 minute.
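The routing rules in this section, sketched as an added example (not SureView's code or API). The 1000 override threshold and the 1-minute SLA come from the text; the `Alarm` fields, the queue names, the second-line cut-off of 500 and applying the SLA to every presented alarm are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

OVERRIDE_PRIORITY = 1000     # from the paper: at or above this, masking is ignored
SECOND_LINE_PRIORITY = 500   # assumption: split between first- and second-line queues
SLA_SECONDS = 60             # from the paper's example: escalate after 1 minute

@dataclass
class Alarm:
    point: str
    priority: int
    raised_at: float                  # seconds on any monotonic clock
    area_armed: bool = True
    masked: bool = False
    acked_at: Optional[float] = None  # when an operator first acted, if ever

def route(alarm: Alarm) -> str:
    """Initial queue for an alarm: 'auto-log', 'first-line' or 'second-line'."""
    suppressed = alarm.masked or not alarm.area_armed
    if suppressed and alarm.priority < OVERRIDE_PRIORITY:
        return "auto-log"    # handled and logged for reporting, no operator shown
    if alarm.priority >= SECOND_LINE_PRIORITY:
        return "second-line"
    return "first-line"

def queue_at(alarm: Alarm, now: float) -> str:
    """Queue the alarm belongs in at time `now`, after applying the SLA."""
    queue = route(alarm)
    if queue == "auto-log":
        return queue
    # Response time so far: stops counting once an operator has acted.
    end = alarm.acked_at if alarm.acked_at is not None else now
    if end - alarm.raised_at > SLA_SECONDS:
        return "second-line"          # SLA broken: escalate
    return queue

if __name__ == "__main__":
    # Constructed alarms covering each rule.
    cases = [
        (Alarm("door-3", 200, 0.0, area_armed=False), 10),  # disarmed, low priority
        (Alarm("panic-1", 1000, 0.0, area_armed=False), 10),  # override threshold
        (Alarm("vault", 1200, 0.0, masked=True), 10),       # masked, still shown
        (Alarm("door-7", 200, 0.0), 30),                    # within SLA
        (Alarm("door-7", 200, 0.0), 61),                    # SLA broken
    ]
    for alarm, now in cases:
        print(f"{alarm.point:8} p={alarm.priority:<5} t={now:>3}s -> {queue_at(alarm, now)}")
```

Because a rating of 1000 or higher overrides masking, a faulty point configured in that range cannot be silenced by masking it, so that range is best reserved for alarms that must always reach an operator.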
4. CREATE SIMPLE ACTION PLANS FOR COMMON EVENTS
Organizations typically have detailed Standard Operating Procedures (SOPs) to dictate how their team should respond to a given event. Too often, these SOPs are complex and inaccessible.
Chances are, your security response SOPs are in a thick binder collecting dust
under a workstation. Consequently, your team can’t quickly access the information
they need when an event occurs, making your SOPs all but impossible to enforce.
We encourage security teams to simplify these SOPs into on-screen, interactive
checklists or action plans that provide operators with an easy way to consistently
respond to events. SureView provides a straightforward way to create simple
action plans and enforce them, ensuring that every time an operator processes an
event the response is consistent.
SUREVIEW PROVIDES CLEAR OPTIONS FOR THE TYPE OF ACTIONS YOU WANT TO CREATE, INCLUDING:
1. The ability to create basic actions that tell the operator what to do
2. The ability to input actions that require the operator to add information to the
event (e.g. What color shirt was the person wearing)
3. Yes/No questions that provoke an action or response
4. Steps that require the operator to dispatch a guard/officer
5. A URL that provides a link to a website (e.g. a link to your ticket system to raise
a device issue that requires investigation by the Security Technologies team)
6. Dependency actions, which are especially useful with Yes/No questions
7. Action categories, such as medical, dispatch, or surveillance actions
8. The ability to quickly share actions with other operators, especially in a crisis,
so that operators can collaborate closely on the response
Any of these simple actions can be set to be mandatory,
ensuring that operators complete the most essential steps.
5. MAKE KEY INFORMATION EASILY ACCESSIBLE
It is critical to identify the key information operators need to respond to an event.
Call lists, location maps, alarm and event details, area notes, and schedules are all
essential to ensure a quick response. Putting all this information in one place gives
the operator the situational awareness to coordinate a response without jumping
between multiple systems to find the relevant information.
Take a call list as an example. Operators often need to access multiple systems
to identify the key personnel to contact at various buildings. These systems were
designed to support a single building or function, not to offer the security team
easy access from a command center. With SureView, an operator simply clicks on
the location to access the key contacts for that site.
Maps provide operators with critical information that helps in rapid response.
Maps should always include the location of cameras, doors, and your organization’s
physical assets. Equally important are locations of nearby police, fire stations,
hospitals, and guard posts. SureView utilizes Google or ESRI mapping interfaces to
put this key security information at the heart of the response rather than buried in
another business system.
It’s rare that security teams have easy and immediate access to this sort of
information without having to jump across various systems that were not designed
with the unique needs of security in mind. These operators are often responding to
remote events in locations they have likely never visited, making centralized access
to this information even more important for rapid response.
6. AUDIT OPERATOR ACTIONS
As you begin to break down operational and system bottlenecks, it’s important to be able to constantly adapt to change. An audit trail makes this possible.
Keeping detailed audits of operator actions helps managers identify opportunities
to improve response. Action plans, dispatch instructions, and escalation rules will
need to be constantly adapted for new threats, changing service requests, or new
compliance rules.
Auditing operator actions provides managers with the details they need to
understand changes and how these changes might impact operations.
SureView tracks all of this information without any additional operator actions.
Operators simply do their job as usual—responding to events following
their action plans—and the system captures audit data in the background.
Management can then focus their attention on improving operational response
rather than trying to implement a process to consistently capture this critical data.
With SureView, everything the operator saw, said, and did is recorded in a time-stamped, multi-media audit trail, which empowers managers in several ways:
1. It retains a record of exactly what the operator did in their response–what cameras they looked at, what they saw, what actions they took
2. It tracks the timing of all these actions, providing baseline reporting metrics
3. It helps identify exactly when changes occur and how they affect the overall response
7. DEVELOP A CULTURE WHERE RESPONSE TIME IS THE KEY METRIC
Real progress in improving response requires a full team effort.
Managers and supervisors need to develop response SLAs and triggers for
escalation when these are broken. Security technology teams need to focus on
false alarm reduction. Operations staff need to focus on identifying any steps in
their response that are consistently slowing them down.
Everyone on the team has a role to play in delivering a command center that
is efficient and able to respond quickly in order to improve security outcomes
for the organization. SureView provides the platform that enables everyone to
deliver this goal.
IMPROVE OUTCOMES
Response time is the single most powerful indicator that your team is achieving the best possible security outcomes.
In order to effectively improve your security operations and maximize the
capabilities of your technology, you need to effectively measure your performance.
Leveraging a solution to centralize your security technology and streamline
operations is the key way to improve response time, standardize security response,
and improve event outcomes.
Florida Office: 400 N Tampa St Suite #1750 Tampa, FL 33602, Phone +1 (888) 387.2860
California Office: 101 Jefferson Drive Menlo Park CA, 94025, Phone +1 (888) 387.2860
UK Office: Hawthorne House, Tawe Business Village, Phoenix Way, Enterprise Park, Swansea, SA79LA, UK, Phone +44 (0) 1792 278 110
sureviewsystems.com