Continuity Insights speaks with Ed Gleason, Regional Director with the Department of Homeland Security's Protective Security Advisor (PSA) program, about the security products and services available to private businesses, the "very real" cyber threat, critical infrastructure and the shift from "protection" to "resiliency."
Continuity Insights: What was the genesis of the PSA program? Was it a response to a need you saw or was there a groundswell of interest from the private sector?
Ed Gleason: Back in 2004, the U.S. Department of Homeland Security (DHS) wanted to set up a program that facilitates information sharing between the private sector and the DHS. There was also a need to better coordinate the delivery of homeland security training and access to the other services the department was offering after it was formed in 2003.
The other part of our work is to perform vulnerability and security assessments and/or surveys for local critical infrastructure when requested by owners and operators. A significant number of critical infrastructure assets are privately owned and are not subject to security regulations. The DHS recognized that our infrastructure protection mission could only be accomplished if we worked in partnership with the businesses that own these assets. We realized early on that we also had to work with the state and local governments where these assets are located.
So the PSA program was created to build these partnerships between the state and local governments, as well as the private sector, and to deliver the department’s infrastructure protection resources and capabilities in order to make our nation’s infrastructure safer.
CI: What is your role within the PSA Program?
EG: I am now a Regional Director but I did spend five years as the PSA for the state of Wisconsin. Then in 2010 I became the regional director for the Great Lakes region, so I now have 11 PSAs in the six states that comprise this region from Minnesota to Ohio.
CI: What kinds of experience or background do PSAs have?
EG: All PSAs are federal employees with experience related to risk reduction, physical security and counterterrorism. Some are from the military, law enforcement, emergency management or even the private sector. We undergo continuous training to enhance our vulnerability assessment skills and ability to work with all 18 critical infrastructure sectors.
CI: Two of the goals of the PSA program are to improve regional resilience and protect critical infrastructure. These are also the goals of regional groups such as ChicagoFIRST and the Lake Cook Regional Critical Infrastructure Protection (LCRCIP) group. Do PSAs work with these local/regional groups and, if so, how do they work together?
EG: We regularly work with federal, state, local, tribal and private-sector organizations such as ChicagoFIRST and the LCRCIP group. We perform security assessments, provide outreach and participate in tabletop exercises with these and other groups.
Over the last seven years we’ve created about 125,000 individual relationships with local, state, federal, tribal and private sector groups. A lot of PSAs are members of critical infrastructure groups as well as groups like InfraGard, ASIS and other business continuity organizations.
CI: There are also other government agencies working on regional resilience and critical infrastructure protection: the Secret Service through their Electronic Crimes Task Force, InfraGard and the FBI, and FEMA, for example. Are there any efforts to coordinate efforts across these groups?
EG: We recognize the importance of working together. We all have our mission range but there are so many places where those mission ranges intersect. We worked closely with the Secret Service during the recent NATO meeting in Chicago by plugging in and helping them with their critical infrastructure challenges.
We also work with our intelligence counterparts in federal government to prepare joint intelligence briefings and conduct outreach to stakeholders. The FBI, Secret Service and Coast Guard are great partners for us and we work closely with them in our locality to get the job done.
CI: Can private sector business continuity/disaster recovery managers expect to work directly with a PSA, either during normal operations or a crisis? If so, how can they best work together? If not, what do they need to know about the roles and activities of PSAs?
EG: One of the things we’re recognizing is the need to work with business continuity professionals. We often reach out to private-sector businesses to help them understand the DHS and the PSA program, and the products and capabilities that we have available to help them with their business continuity needs.
As a PSA in Wisconsin I worked closely with the Business Recovery Professionals of Southeastern Wisconsin and spoke at their engagements at least once a year. By doing so I think it helped them to connect some of the dots that they had not otherwise connected.
CI: Is there confusion as to whom the PSA should engage with in a private sector company? I would suspect risk management, business continuity, facilities and security are all logical touch points.
EG: It really depends on the company. We may work with all or one of those positions. Our normal plug-in point is the security director, but in some companies it’s the risk management or business continuity professional. It also depends on the particular protection issue that is being raised.
CI: A recent proposal suggested that the DHS should enforce cybersecurity at the nation's critical infrastructure. How real is the threat of a cyber attack against critical infrastructure and how will DHS help to mitigate these risks?
EG: With respect to critical infrastructure, the cyber threat is very real. We work with many of the 18 critical infrastructure sectors and private sector to ensure key systems are being reviewed. To do this we share threat information as it comes, help companies identify vulnerabilities before a cyber incident occurs, and provide forensic and remediation assistance to help response and recovery after we hear about a cyber incident.
Last year the United States Computer Emergency Readiness Team (US-CERT) conducted 78 assessments on control systems to help companies discover their security gaps and prioritize the mitigation steps they may need to take. We also developed a cybersecurity self-evaluation tool that was used by over 1000 companies last year.
We’ve realized that we can’t address the cyber threat on our own.
CI: How do you think the PSA program has progressed overall?
EG: Over the past seven years we’ve seen a very positive response to the PSA program. Many entities in the private sector have benefitted from the products and services we provide. When we do these assessments and/or surveys the owner/operator gets value because it’s a fresh look at their security practices and how they compare to others.
CI: What’s next for the PSA program?
EG: We will continue our efforts to promote business continuity and point people to helpful resources. There are many companies that are still probably not as well developed in this area as they would like. They are the ones that will be looking to us and we’ll try to help them connect the dots.
The direction we’re going is resiliency rather than protection alone, and business continuity is definitely a hallmark of any resilient company.