Securing critical infrastructure: portfolio-based approach

are you referring to? Can you elaborate on that a bit more?

BW: When I say tools, I think of ways that businesses can manage all of their critical infrastructure, the information about threats to that critical infrastructure, how prepared they are, and where the gaps in their preparedness are. When I think of that, I think of software tools. This has to go from an ad hoc, meeting-driven and speech-driven discipline into part of day-to-day operations. Think of enterprise resource planning (ERP): every business and critical infrastructure operator has core systems for managing the enterprise. We need to make this critical infrastructure protection a part of that in its own way. It is like having ERP for risk management and ERP for homeland security.

There has certainly been a lot of investment that has been made at DHS with this system as a tool, but they are very much internal and they are kind of fractured. I think exposing them, trying to figure out how to leverage industry practices, and tie DHS and industry together more closely would be a very exciting development.

HSNW: At the Government Security conference in March, you outlined a very interesting approach to risk management and infrastructure protection, likening it to managing a shifting portfolio of risks. Can you elaborate on that?

BW: When you think about a big piece of critical infrastructure, it is easy to imagine sending some guys out, doing a security assessment, and having a plan for that particular asset that says what you are going to do in the case of a particular event. What is challenging, though, is when you have a lot of assets that you are supposed to protect. Take, for instance, the chemical sector or the financial services sector as a whole or a particular business if their assets are distributed around the country or the world – that is a lot of assets and when you think about all the threats that could yield some kind of catastrophic event. These threats range from natural hazards like hurricanes, earthquakes, and tornadoes – and we are seeing plenty of those in the Midwest – to terrorism scenarios.

When you look at all of those different threats and hazards against all those different types of assets and you look at the combinations and scenarios – which ones are more likely to happen, which assets are more vulnerable to different