Executive Decision-Making
and Leadership for CSOs
Navigating Physical Security, Risk Management, and Operations
Topics Covered:
➔ CSO: Decision-Making
➔ Case Study: Applying Threat Assessment (Tunis Incident)
➔ Risk assessment methodologies (ASIS standard)
➔ Vulnerability assessments (Risk Identification)
➔ Scenario analysis (Risk Analysis)
➔ Conducting threat modeling exercises (Risk Evaluation)
➔ Assessing threat likelihood and impact (Risk Treatment)
➔ Prioritizing threats based on risk levels (Monitoring and Review)
The CSO's Evolving Role
➔ Era 1: The Guardian (1980s to Early 2000s)
Focused primarily on physical security, protecting assets
and personnel.
➔ Era 2: The Risk Manager (Early 2000s to Mid-2010s)
Expands to include risk management, assessing
and mitigating threats.
➔ Era 3: The Strategic Partner (Mid-2010s to 2020s)
Shifts towards strategic alignment with business
goals.
➔ Era 4: The Integrated Security Leader (2020s to
Present) Integrating physical security and
collaborating with the CISO.
Executive Decision-Making
➔ Organizational decision-making model
Leverages the established frameworks, policies, and
procedures within the organization to guide decisions.
➔ Industry decision-making
Taps into best practices, benchmarks, and regulatory
requirements specific to the industry.
➔ Collaborative decision-making
Involves gathering diverse perspectives from
stakeholders across the organization.
➔ Data-driven decision-making
Relies on platforms, analytics, and metrics to inform
decisions.
Organizational Decision-Making Example
Scenario: A natural disaster (e.g., hurricane) threatens the company's headquarters.
The CSO must decide whether to evacuate the building and activate the business
continuity plan.
Decision-Making: The CSO references the organization's emergency preparedness
and business continuity plans. They follow established protocols for assessing the
severity of the threat, communicating with employees, and coordinating evacuation
procedures, ensuring the safety of personnel and minimizing disruption to operations.
Industry Decision-Making
Scenario: A recent string of high-profile retail thefts has raised concerns about the
security of the company's stores.
Decision-Making: The CSO researches industry best practices for loss prevention and
retail security. They benchmark the company's current measures against those of
similar retailers and implement upgrades to deter theft and protect merchandise,
aligning with industry standards.
Collaborative Decision-Making
Scenario: The company is planning a large-scale public event, which poses significant
security risks.
Decision-Making: The CSO assembles a team comprising representatives from
security, event management, local law enforcement, and emergency services. They
collectively assess potential threats, vulnerabilities, and crowd management
challenges, developing a comprehensive security plan to ensure the safety of
attendees and staff.
Data-Driven Decision-Making
Scenario: An analysis of security camera footage reveals a pattern of unauthorized
access to a restricted area of the facility.
Decision-Making: The CSO reviews access control logs, employee records, and
incident reports to pinpoint potential vulnerabilities and identify individuals involved.
They use this data to implement stricter access controls, enhance security protocols,
and address any personnel issues, preventing future breaches.
Case Study:
Analyzing the September 14, 2012 incident…
Timeline: Tunis September 14th Incident
➔ September 11, 2012: Attack on U.S. consulate in Benghazi
sparks global protests.
➔ September 14, 2012 (Morning): Protests escalate outside
U.S. Embassy in Tunis.
➔ Early Afternoon: Protesters breach the embassy
compound.
➔ Afternoon: Protesters move towards and breach ACST
campus, causing extensive damage.
Risk Assessment Methodologies
In an ideal world this is how it should work!!
Even the most meticulously crafted security plans can be
disrupted by unforeseen events.
➔ Adaptability: The ability to adjust
security measures in response to
new threats or vulnerabilities.
➔ Resilience: The capacity to recover
quickly from security incidents and
minimize their impact.
➔ Continuous Improvement: A
commitment to learning from past
incidents and strengthening security
measures accordingly.
ASIS Security Risk Assessment Standard
➔ Risk Identification
➔ Risk Analysis
➔ Risk Evaluation
➔ Risk Treatment
➔ Monitoring and Review
➔ Risk Identification
This involves systematically identifying
and documenting assets, threats, and
vulnerabilities relevant to the
organization.
A thorough understanding of the
organization's operating environment,
including internal and external factors, is
REQUIRED.
➔ Risk Analysis
Qualitative Methods
- Interviews/Focus Groups: Gather expert
opinions and insights on risks.
- SWOT Analysis: Assess strengths,
weaknesses, opportunities, and threats.
- Scenario Planning: Explore potential
scenarios and their impact on the
organization.
Quantitative Methods
- Probability Analysis: Calculate the
probability of a risk occurring.
- Impact Analysis: Quantify the impact of
a risk on various factors.
- Statistical Modeling: Use data to model
risk patterns and trends.
➔ Risk Evaluation
This involves assessing the
significance of each
identified risk based on its
likelihood and impact. Risks
are then prioritized to
determine which ones
require the most immediate
attention and resources.
➔ Risk Treatment
This step outlines various
strategies for managing risks,
including risk avoidance, risk
reduction (mitigation), risk
transfer (insurance,
outsourcing), and risk
acceptance (when the cost of
mitigation outweighs the
potential impact).
➔ Monitoring and Review
Regularly updating the risk
assessment based on
changes in the
organization's operating
environment, new threats,
and evolving vulnerabilities.
Step / Description / Application in September 14th Attack

Risk Identification
Description: Identifying potential threats to security and assets.
Application:
- Identified Threats: Protests, unauthorized access, arson, vandalism.
- Critical Assets: Students, staff, buildings, data.

Risk Analysis
Description: Assessing the likelihood and impact of identified risks using
qualitative and quantitative methods.
Application:
- Likelihood: High probability of protest-related violence.
- Impact: Severe damage to property, potential harm to individuals.

Risk Evaluation
Description: Prioritizing risks based on their analysis to determine which
require immediate action.
Application:
- Prioritized Risks: Protest-related violence (High likelihood, High impact).
- Secondary Risks: Vandalism, arson (Medium likelihood, Medium impact).

Risk Treatment
Description: Implementing measures to mitigate, transfer, accept, or avoid risks.
Application:
- Mitigation Measures: Early dismissal of students, increased patrols,
collaboration with third-party security.
- Emergency Plan: Lockdown protocols.

Monitoring and Review
Description: Continuously monitoring risks and reviewing the effectiveness of
treatment measures.
Application:
- Ongoing Actions: Regular updates to threat assessments, continuous
monitoring of regional security climate, post-incident review and adjustment
of protocols.
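As an added example (not part of the original presentation), the following Python script carries the Risk Evaluation, Risk Treatment and Monitoring and Review steps through on a small risk register built from the threats, assets and likelihood/impact levels in the table above. The 1-3 ordinal scale, the product score, the treatment thresholds and the levels assigned to "Unauthorized access" (which the table lists but does not rate) are assumptions made for this example, not values from the ASIS standard or the slides.

```python
"""Score, prioritize and re-assess a small physical-security risk register.

Constructed example: the scale, thresholds and register contents are assumptions
for illustration, not values taken from the ASIS standard.
"""
from dataclasses import dataclass, replace

# Ordinal scale (assumption): Low=1, Medium=2, High=3
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # "Low" | "Medium" | "High"
    impact: str       # "Low" | "Medium" | "High"
    assets: tuple     # critical assets exposed to this risk

    @property
    def score(self) -> int:
        # Likelihood x impact on the ordinal scale: 1 (Low/Low) .. 9 (High/High)
        return LEVEL[self.likelihood] * LEVEL[self.impact]


def suggest_treatment(score: int) -> str:
    """Map a score to a treatment family (thresholds are an assumption)."""
    if score >= 6:
        return "reduce"              # mitigate now: immediate attention and resources
    if score >= 3:
        return "reduce or transfer"  # mitigate where affordable, otherwise insure/outsource
    return "accept"                  # cost of mitigation outweighs potential impact


def prioritize(register):
    """Risk Evaluation: highest score first, ties broken by name for stable output."""
    return sorted(register, key=lambda r: (-r.score, r.name))


def evaluate(register):
    """Return (name, likelihood, impact, score, treatment) rows in priority order."""
    return [(r.name, r.likelihood, r.impact, r.score, suggest_treatment(r.score))
            for r in prioritize(register)]


def assets_at_risk(register, min_score):
    """Critical assets exposed by any risk scoring at or above min_score."""
    exposed = {a for r in register if r.score >= min_score for a in r.assets}
    return tuple(sorted(exposed))


def reassess(register, name, likelihood=None, impact=None):
    """Monitoring and Review: return a new register with one risk's levels updated.

    The original register is left untouched so before/after can be compared.
    """
    updated = []
    for r in register:
        if r.name == name:
            r = replace(r, likelihood=likelihood or r.likelihood,
                        impact=impact or r.impact)
        updated.append(r)
    return updated


# Constructed register using the threats and assets named in the slide table.
# Levels for "Unauthorized access" are an assumption; the table does not rate it.
REGISTER = [
    Risk("Protest-related violence", "High", "High", ("students", "staff", "buildings")),
    Risk("Vandalism", "Medium", "Medium", ("buildings",)),
    Risk("Arson", "Medium", "Medium", ("buildings", "data")),
    Risk("Unauthorized access", "Medium", "Low", ("buildings", "data")),
]

if __name__ == "__main__":
    print("Priority  Risk                       L       I       Score  Treatment")
    for i, (name, lik, imp, score, treat) in enumerate(evaluate(REGISTER), 1):
        print(f"{i:<9} {name:<26} {lik:<7} {imp:<7} {score:<6} {treat}")
    print("Assets needing immediate treatment:", assets_at_risk(REGISTER, 6))

    # Review cycle: new intelligence raises the likelihood of unauthorized access.
    revised = reassess(REGISTER, "Unauthorized access", likelihood="High")
    print("After review:", [(n, s, t) for n, _, _, s, t in evaluate(revised)])
```

The register is re-scored rather than edited in place, so a review cycle produces a new prioritized list that can be diffed against the previous one; that is what lets the Monitoring and Review step show which treatments changed and why.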
Lessons Learned & Key Takeaways
➔ Proactive Security is Vital: Prior threat assessment and
collaboration with security partners enabled early action, preventing
harm.
➔ Information Sharing is Key: Open-source intelligence and
professional networks provided crucial situational awareness.
➔ Early Action Saves Lives: Decisive decision-making (early
dismissal) mitigated the potential impact of the attack.
➔ Continuous Vigilance is Necessary: Even with preparation,
unexpected events can occur. Threat assessment must be an
ongoing process.
American School continues to thrive in Tunis!
The American Cooperative School of Tunis (ACST) is a 600-student
international school serving students from pre-kindergarten through
12th grade.
End of Presentation.
Connect with @DavidSecurity on LinkedIn
https://www.linkedin.com/in/davidsecurity/
