Sometimes, when I propose red teaming as part of a security assessment or training program, I get an uneasy response. Or a flat-out rejection: we don’t do red teaming. It’s odd when you consider that no one would object to a drill for emergency responders. It is understood that realistic training is critical to being properly prepared in the event of a disaster. Should we not be similarly prepared for a security breach or threat? I would feel much safer knowing that a security officer is not facing a given issue or event for the first time. Better that he should already have faced it and handled it, even if via a drill or test.
The objective of red teaming is not to pass a given test. It’s not about getting a certain grade. The bigger objective is to create and maintain the best possible security system. Yet there have been well-publicized examples at the government level where security personnel were tipped off about an upcoming red team or penetration test. Some managers are apparently so fearful that they or their department would look bad if they failed a test that they are willing to foil it. I well understand the miserable effects of political pressure, to say nothing of negative media scrutiny. I feel their pain. But when the stakes are high, we can ill afford politically motivated mischief.
Other security managers express concerns that their officers will be offended by such testing, that it is a punishment or witch hunt. It is true that often the initial response on the part of a guard is to be nervous. He starts to worry: will he pass the test? Will the red team trick him? Is that customer over there a member of the red team? Well, if being nervous results in heightened awareness and higher standards, then even the potential for a red team occurring has already improved security.
No matter what the outcome of a red team, the results constitute an important learning experience. Information brought to light is constructive and can be shared across a security team. The lessons learned yesterday, when the red team successfully infiltrated a bomb at Post One, could surely be useful to the officers at Post Two tomorrow.
In every single instance where we have used red teaming to test security operations for a client, it has produced an excellent result. Recently, we tested a client’s security by deploying an agent who, among other things, was loitering near the client’s facility. Note that the security guards had been trained, were aware of potential threats to their given environment and could identify suspicious activity that related to the methods of operation (MO) associated with those threats. The security officers were not aware that a red team was in progress. They reacted in a timely fashion and adhered to procedures by the book. They communicated flawlessly amongst themselves and with other officers on their team as to what was going on. When it was disclosed as a test, they were justifiably proud of their effective response. The success was a boost for every member of the security team.
Mind you, they did not do nearly as well the first time they were red teamed for this MO. In fact, as I recall, they failed miserably. Which made their success all the sweeter.
Red teaming done correctly can have many positive effects. The security mission is clarified for officers. Awareness is increased, as is a sense of responsibility. Skills are rapidly improved upon. Red teaming is simply a great tool.