Thursday, November 14, 2013
There has been an effort over the past several years to change the titles of persons who perform security functions within an organization: I have seen such persons in various industries called “asset protection specialists,” “loss prevention associates,” “protection officers,” “doormen,” “ushers,” even “ambassadors.” But regardless of a company’s job title nomenclature, these persons all perform, to some degree, the function of security: namely, protecting the assets of that company. And the function is more important than the title.
Perhaps companies believe that the word “security” has somehow taken on a negative connotation, that the presence of “security” somehow implies an admission that problems exist (the PR department’s nightmare). But in reality – especially in our post-9-11 world – the very concept of “security” should be embraced as a comfort. So maybe the root problem is that there is a misperception and misunderstanding of what “security” really is.
I think that most people’s primary exposure to and perception of what “security” is comes from the uniformed guards that they see wherever they go (it’s getting to be the Holiday Season, so perhaps the armed guards at the front door of Toys-R-Us will be back!). And because the guards in uniform look like police officers in uniform – whose primary job (people think) is patrolling and responding to problems – they equate the two types of personnel to that similar job function. But just as there is so much more to law enforcement work than the visible patrol officer, so too is there much more to “security” than observe and respond (which is amazingly ironic, since a good percentage of security personnel are only supposed to observe-and-report as opposed to observe-and-respond). And to compound the confusion, since police officers are usually seen in the aftermath of a crime that has already been committed, that ascription of similar function makes people believe that “security = problems.” But those in our profession know that the opposite is really the truth – that the foundation and raison d’etre of security is finding ways to identify and prevent (or at least mitigate) problems before they occur. The underlying principle of security should be to create a safe, inviting environment for all the persons who visit a company and have dealings with it.
So for those companies that have tried to be politically correct by re-branding the persons who try to keep them safe and to try to convey the impression that problems do not exist, that is certainly your choice. But I for one am comforted whenever I visit a place that proudly announces that it has good and strong “security.”
Wednesday, August 28, 2013
From the first tower of a toddler to the most sophisticated building in the world, no structure can be put together properly without a firm foundation of building blocks. And if we equate the infrastructure of a business to a building and presume that part of that infrastructure is a sound security program to make sure that the business doesn’t collapse, the same holds true – we need a firm foundation of building blocks.
Here are the building blocks that will result in a sound security program:
· If I need to protect my business and my stuff and my liability, I need to know exactly what my business and my stuff and my liability are.
· If I need to protect my business and my stuff and my liability, I need to know all of the potential problems and threats I might encounter that might put them at risk.
· If I’ve identified all my potential problems and threats, I need to know how likely it is that each of those problems and threats might occur so that I can prioritize them.
· If I’ve determined the likelihood of occurrence of each of my potential problems and threats, I need to know what the impact would be to my business, stuff and liability if any of those potential problems or threats occurred so that I can prioritize them.
· If I’ve gathered all the information about my business and stuff and liability and prioritized them, and prioritized all the problems and threats that may occur, I need to determine if a security plan is needed.
· If I already have a plan to protect my business and stuff and liability, I need to know if any safeguards I currently have in place are adequate and sufficient.
· If I don’t already have plan to protect my business and stuff and liability, I need to develop one based on the information I’ve gathered, and I need to implement the appropriate safeguards.
· If I have a plan and safeguards to protect my business and stuff and liability, I have to assess and adjust them regularly to assure that they remain adequate and sufficient in relation to changing circumstances.
A firm foundation usually assures that what is on top of and around it is strong.
Tuesday, July 16, 2013
From the never-ending hunt for terrorists to the George Zimmerman/Trayvon Martin criminal case, the term “profiling” is much in everyday news and media. But do we fully understand the concept?
If memory serves me correctly, “profiling” was initially intended to connote an unwarranted singling out of a particular group for excessive or intense scrutiny. The term was primarily focused on law enforcement practices, and was usually translated to mean the surveillance of persons of color by white police officers for no particular or specific reason other than the color of their skin. The term was then expanded: “surveillance” was expanded to include practices such as stopping, questioning, detaining, and harassing; and “color of their skin” was expanded to include certain names, ethnic groups, religious affiliations and neighborhoods. Used in that narrow and straightforward context, “profiling” is not a good concept or effective law enforcement strategy.
HOWEVER: With the advent of sophisticated data collection practices and tools, information-gathering has become the norm rather than the exception, so the “simple” concept of profiling is no longer so simple and straightforward. Now there are empirical ways to gather and analyze data to single out and categorize specific groups for specific reasons – the perpetrators of every type of crime or terrorist act can be specifically identified and correlated to specific kinds of incidents. This categorization of individuals who are undeniably linked to particular kinds of crimes and incidents creates groups who need to be more intensely scrutinized than groups who have little if any relationship to those crimes.
Hypothetical case in point: I am the Security Manager for a store with a significant theft problem. I have competently performed my due diligence and gathered and analyzed information from 5 years worth of theft statistics including surveillance video and apprehensions and investigations and interviews, and the resulting empirical data shows that 95% of my theft problems have been caused by well-dressed white women over the age of 50. Is it not then good practice to pay special surveillance attention to well-dressed white women over the age of 50 who come into my store? And if so, then watching for those women is NOT “profiling” in the bad sense, it is good, reasonable and appropriate security practice which I would be remiss to ignore. But have I singled out (“profiled”) a particular group for enhanced observation? Certainly.
Profiling is not inherently a bad practice. It is bad only when used in a haphazard, uneducated, unsubstantiated manner. So the intensified scrutiny of young Middle Eastern men by those concerned with terrorism detection and prevention, or the focused scrutiny of an unrecognized young black man by a neighborhood watch volunteer are not intrinsically bad things.
Friday, June 28, 2013
You can probably read and understand the title of this post, but that doesn’t make it right…
I currently belong to a number of online professional forum groups; and I’m active in the groups, so I see many posts from persons with lots of letters after their names including those denoting professional certifications and Masters Degrees and Doctorates. Yet I continue to be amazed at the quality of communication from many persons who share their thoughts in these posts because, with all due respect, the quality of the written words frequently is not commensurate with what I expect from professionals. Spelling errors (which can largely be avoided with Spell Check), grammatical usage errors, use of incorrect words and terms (“then” for “than,” “there” for “their” or “they’re,” etc.), poor (if any) punctuation, etc. etc. seem to be the norm rather than the exception.
So why is this important, you ask? This is only going to be seen by others on the forum, you say? Maybe!! But I have a hard time believing that the same people who cannot write a coherent sentence to fellow practitioners and professionals take the time and make the effort to do any better when they’re writing “official” documents, reports and memos. And how do we know that the very people who we should be trying to impress – like bosses, clients, professional adversaries, etc. – aren’t also reading what we write?
Habits are difficult to break, especially when it comes to speaking and writing. If someone is used to using colorful, vulgar language in everyday speech, sooner or later one of those colorful terms is going to slip out at exactly the wrong moment – like when having a conversation with a corporate executive or a client. If someone is used to writing careless and sloppy postings on a forum (like texting “shorthand”), sooner or later that same level and quality of writing is going to be used in a document being read by a company president or local District Attorney or Judge. Based on some of the posts on these forums, it’s sometimes difficult to get to and appreciate the content of a post because of all the distractions from poor format. And yes, I realize that many professionals have someone else to do their formal writing. But professionals do – or should – proofread any work done on their behalf, which is hard to do if the professional himself is lax in writing skills (it’s hard to find errors when reading if you can’t write any better yourself). And even those professionals with assistants to do most of their writing occasionally write for themselves (like in these forums) and the deficiencies become glaring.
And one other reason why this is important: Professionals are frequently judged on first impressions, and first impressions are frequently made based on what we say or on something we’ve written. If we communicate well, our actions may not be scrutinized as closely because we will be perceived as intelligent, knowledgeable people. But if we communicate poorly, our actions – even the good ones – can be diminished because of what we have said or written. The quality of communication – either verbal or written – is just as important as the content. And with the proliferation of online forums where everything everyone writes is preserved for posterity, it becomes a simple matter for anyone – like an opposing attorney – to dig up a file full of posted faux pas in an attempt to disparage professionalism and credibility (an avoidable problem, thus inexcusable).
One of the best compliments I have ever received during my tenure as a Director of Security was being told by a District Attorney that the reports written by my security personnel were far superior to those written by the local police. I have seen cases lost because of poor communication (documentation). But in 30+ years, neither I nor my staff have ever lost a case for that reason.
Meant as constructive criticism, and to generate thought…
Tuesday, April 23, 2013
There is increasing awareness and understanding of the need for adequate and proper planning for emergencies. Preparedness for any type of emergency (natural or man-made, accidental or deliberate, criminal or terrorist) really requires not only the development of an appropriate strategy and plan with commensurate policies and procedures, but 2 additional, separate but equally important activities: a desktop exercise, and a live/physical drill.
The desktop exercise will be of significantly longer duration than the live drill (because activities will be discussed consecutively rather than occurring concurrently) and should include all stakeholders, all of whom should participate in all aspects of the exercise. The agenda should include verbalization and visualization (maps, charts, etc.) of all steps that would be taken during each phase of an actual emergency. Key decision-makers and responders for each phase should take the lead in the discussions, but the discussions should also include immediate analysis, feedback and critique from all participants to assure that as many nuances and potential problems as possible are brought to light (the different perspectives from persons usually not directly involved in a particular aspect can be very helpful and insightful).
To be effective and a true learning and preparedness experience, a live/physical drill must include everyone that would normally be involved at the time of a live incident (and that includes random types of non-employees who would normally be present at the scheduled time of the drill) and should be conducted in real time – some organizations erroneously believe that only certain employees need to participate in an emergency drill and those only need to slowly act out or verbalize their motions during the drill. But such is not productive, since it is important to learn/know what the scope of chaos and extent of time will be during an actual event, both of which are critical for successful mitigation of a real emergency.
As in any facet of real life, theoretical knowledge is important; but actual hands-on participation is a key component of assuring that emergency plans are truly workable.
Wednesday, March 20, 2013
There is one unequivocal certainty in the world of security: There is no such thing as absolute security (defined as some strategy or system that will fully protect everything against everything all the time) – given sufficient resources, motivation and opportunity, any/every security strategy and system can eventually be breached.
So…since we know that even the best security may be breached, how do we measure success?
For purposes of this commentary, we have to re-define some terms that are usually pretty straightforward – “success” and “failure.”
Let’s begin with “failure.” In the world of security, we can have occasional “failures” (independent, isolated incidents in which the security plan was not fully effective), without having “FAILURE” (a complete and continuing collapse of protection due to an ineffective security strategy).
The same holds true for “success.” We can have recurring “successes” (times during which protection efforts are adequate and sufficient to meet extant security needs), even while realizing that we can never achieve “SUCCESS” (the continuous state of everything being adequately and sufficiently protected against everything).
When trying to assess whether security has been a “success” or a “failure” based on these definitions, we must also add another component to the mix: "legal defensibility" (a security strategy that includes the elements that a reasonable person would utilize to provide reasonable security at a particular place and time under a given set of circumstances). The addition of this concept raises another interesting conundrum: Even when security efforts are occasionally “successful,” they may not be "legally defensible" (because the security strategy may not withstand legal scrutiny when an incident occurs).
So back to the original question: What is success in security? The answer is really not that difficult: Success in security is the existence of a strategy which protects most things most of the time; and which will endure legal/forensic analysis during challenges which result from short-lived “failures.”
As always we should hope for the best, but we must plan for the worst.
Monday, February 18, 2013
Here are some facts that I have found to be unequivocally true during my 30+ years of providing security service and counsel to a wide variety of organizations:
We ARE a reactive culture. For a variety of reasons, primarily economic, we do not do the things proactively that would make us less attractive targets; and we naively believe that “it can’t happen to me.”
There ARE bad people in this world, bad for a variety of reasons, who do bad things; and many of those bad people are not recognized preemptively because we again naively believe in the inherent goodness of all people and tend to and want to overlook anything that deviates from that rosy perspective.
There is NO SUCH THING as absolute security – nothing can be done to assure that nothing bad ever happens. The best that can be achieved is security that protects from most bad things most of the time – and even that level requires continuous attention.
People intent on doing bad things WILL find a way to achieve their objective – they WILL find the resources and opportunity to perpetrate bad things, regardless of what stumbling blocks – i.e., good security – are imposed.
Those are the downsides; here are the upsides:
Even being reactive is BETTER than ignoring security problems completely and continuously.
IF we stop always trying to be politically correct and IF we make informed, judicious, prudent use of tools like “profiling” we WILL be more able to proactively identify more bad people. And after my lengthy experience in this business, I totally despise the currently-in-vogue concept of “profiling” – if empirical data suggests that 95% of my problems are caused by xxx people, then watching for xxx people is NOT profiling, it is good, reasonable security practice which I would be remiss to ignore.
IF we harden targets appropriately, having adequate and sufficient security will not stop all bad things from happening, but it WILL stop most of the worst things most of the time.
Even bad persons usually hope to achieve 2 things: accomplishment of their bad deeds, and concluding the accomplishment of their bad deeds in the way they desire (usually either anonymous escape, or suicide). Good security WILL reduce the“environment conducive to criminality” at a given place so that the bad person might choose to do his bad things elsewhere.
A whole other facet of this issue may divert into a discussion of who is best able to provide security guidance and assistance to the places that most need it. Once again – as usually is the case – economics dictates to many organizations that security planning assistance comes from a little- or no-cost resource, which is frequently the local law enforcement agency. But with all due respect to my law enforcement colleagues who provide heroic and loyal service on a daily basis, they are usually not the best source of advice on security matters, if for no other reason than that is not their primary job focus.
Better security can be achieved anywhere…but it comes at a cost and requires a commitment.