Conducting Emergency Preparedness Drills

There is increasing awareness and understanding of the need for adequate and proper planning for emergencies.  Preparedness for any type of emergency (natural or man-made, accidental or deliberate, criminal or terrorist) really requires not only the development of an appropriate strategy and plan with commensurate policies and procedures, but 2 additional, separate but equally important activities:  a desktop exercise, and a live/physical drill.

 

The desktop exercise will be of significantly longer duration than the live drill (because activities will be discussed consecutively rather than occurring concurrently) and should include all stakeholders, all of whom should participate in all aspects of the exercise.  The agenda should include verbalization and visualization (maps, charts, etc.) of all steps that would be taken during each phase of an actual emergency.  Key decision-makers and responders for each phase should take the lead in the discussions, but the discussions should also include immediate analysis, feedback and critique from all participants to assure that as many nuances and potential problems as possible are brought to light (the different perspectives from persons usually not directly involved in a particular aspect can be very helpful and insightful).

 

To be effective and a true learning and preparedness experience, a live/physical drill must include everyone that would normally be involved at the time of a live incident (and that includes random types of non-employees who would normally be present at the scheduled time of the drill) and should be conducted in real time – some organizations erroneously believe that only certain employees need to participate in an emergency drill and those only need to slowly act out or verbalize their motions during the drill.  But such is not productive, since it is important to learn/know what the scope of chaos and extent of time will be during an actual event, both of which are critical for successful mitigation of a real emergency.

 

As in any facet of real life, theoretical knowledge is important; but actual hands-on participation is a key component of assuring that emergency plans are truly workable.

What Is “Success” In Security?

There is one unequivocal certainty in the world of security:  There is no such thing as absolute security (defined as some strategy or system that will fully protect everything against everything all the time) – given sufficient resources, motivation and opportunity, any/every security strategy and system can eventually be breached.

 

So…since we know that even the best security may be breached, how do we measure success?

 

For purposes of this commentary, we have to re-define some terms that are usually pretty straightforward – “success” and “failure.”

 

Let’s begin with “failure.”  In the world of security, we can have occasional “failures” (independent, isolated incidents in which the security plan was not fully effective), without having “FAILURE” (a complete and continuing collapse of protection due to an ineffective security strategy). 

 

The same holds true for “success.”  We can have recurring “successes” (times during which protection efforts are adequate and sufficient to meet extant security needs), even while realizing that we can never achieve “SUCCESS” (the continuous state of everything being adequately and sufficiently protected against everything).

 

When trying to assess whether security has been a “success” or a “failure” based on these definitions, we must also add another component to the mix: "legal defensibility" (a security strategy that includes the elements that a reasonable person would utilize to provide reasonable security at a particular place and time under a given set of circumstances).  The addition of this concept raises another interesting conundrum:  Even when security efforts are occasionally “successful,” they may not be "legally defensible" (because the security strategy may not withstand legal scrutiny when an incident occurs).  

 

So back to the original question: What is success in security?   The answer is really not that difficult:  Success in security is the existence of a strategy which protects most things most of the time; and which will endure legal/forensic analysis during challenges which result from short-lived “failures.”

 

As always we should hope for the best, but we must plan for the worst.

Challenges To Effective Security

Here are some facts that I have found to be unequivocally true during my 30+ years of providing security service and counsel to a wide variety of organizations:

 

We ARE a reactive culture.  For a variety of reasons, primarily economic, we do not do the things proactively that would make us less attractive targets; and we naively believe that “it can’t happen to me.”

 

There ARE bad people in this world, bad for a variety of reasons, who do bad things; and many of those bad people are not recognized preemptively because we again naively believe in the inherent goodness of all people and tend to and want to overlook anything that deviates from that rosy perspective.

 

There is NO SUCH THING as absolute security – nothing can be done to assure that nothing bad ever happens.  The best that can be achieved is security that protects from most bad things most of the time – and even that level requires continuous attention.

 

People intent on doing bad things WILL find a way to achieve their objective – they WILL find the resources and opportunity to perpetrate bad things, regardless of what stumbling blocks – i.e., good security – are imposed.

 

Those are the downsides; here are the upsides:

 

Even being reactive is BETTER than ignoring security problems completely and continuously.

 

IF we stop always trying to be politically correct and IF we make informed, judicious, prudent use of tools like “profiling” we WILL be more able to proactively identify more bad people.  And after my lengthy experience in this business,  I totally despise the currently-in-vogue concept of “profiling” – if empirical data suggests that 95% of my problems are caused by xxx people, then watching for xxx people is NOT profiling, it is good, reasonable security practice which I would be remiss to ignore.

 

IF we harden targets appropriately, having adequate and sufficient security will not stop all bad things from happening, but it WILL stop most of the worst things most of the time.

 

Even bad persons usually hope to achieve 2 things: accomplishment of their bad deeds, and concluding the accomplishment of their bad deeds in the way they desire (usually either anonymous escape, or suicide). Good security WILL reduce the“environment conducive to criminality” at a given place so that the bad person might choose to do his bad things elsewhere.

 

A whole other facet of this issue may divert into a discussion of who is best able to provide security guidance and assistance to the places that most need it.  Once again – as usually is the case – economics dictates to many organizations that security planning assistance comes from a little- or no-cost resource, which is frequently the local law enforcement agency.  But with all due respect to my law enforcement colleagues who provide heroic and loyal service on a daily basis,   they are usually not the best source of advice on security matters, if for no other reason than that is not their primary job focus.

 

Better security can be achieved anywhere…but it comes at a cost and requires a commitment.

Sandy Hook Tragedy - Response, Part II

The tragedy at Sandy Hook Elementary School seems to have offended our sensibilities more than other such tragedies because of the ages of the victims.  But in reality, this tragedy was not significantly different or worse than other such events – innocent lives should never be lost at the hands of a crazed or deranged person.  The term “gun violence” is always a prominent part of stories about these events, and the anti-gunners capitalize on that fact to put their emphasis on the wrong word:  the crux of the problem is violence, not guns.

 

While not the warm and fuzzy, politically correct philosophical ideal, it is nonetheless an absolute fact that it is simply and literally impossible to identify all the people who will do bad things and/or to accurately predict what bad things they will do and/or when and where they will do them.  Period.

 

Since bad things will undoubtedly happen regardless of our wishes, intentions and preventive efforts (because there is no such thing as absolute security, meaning some system/strategy that will protect against any conceivable or possible threat at all times), it behooves us to have the best mitigation, response and recovery strategies in place to protect everything important (meaning people, physical things and information).

 

Security must be considered at least as important and necessary as our attitudes and endeavors related to fire, which we have embraced and incorporated wholeheartedly:  While it is nice to idealize that people and things won’t burn and hope that “…it can’t happen here,”  yet we still design and implement (and pay for) reasonable and sometimes mandated fire protection precautions into our buildings; and install fire control systems and have fire response equipment in our buildings; and have regular fire system inspections; and have extensive fire plans that are reviewed and updated regularly; and have regular fire drills; and have internal personnel properly trained to deal with fires; and have Fire Departments to come and put out fires when they occur; and have plans to maintain and/or resume operations after a fire event. Why is the same not so for security?

 

Why are places with adequate and sufficient fire control systems and procedures not considered “fire traps,” but places with adequate security systems and procedures are considered “armed fortresses?” When I walk into a building and see sprinklers on the ceiling and fire extinguishers at key places and evacuation route maps and “No Smoking” signs on the walls and a fire truck parked outside, I get a feeling of comfort – the thought never crosses my mind that this building must pose some grave fire danger.  Why do we not put commensurate emphasis on security?   Why do we not see alarm systems and CCTV cameras and monitors and uniformed – perhaps armed – security personnel as an indication of concern for our safety and security?

 

Logic and consistency do not seem to be traits held in esteem by anti-gun proponents, because in virtually no other situation do they condemn the tool used in a bad consequence as the cause or culprit:  When a porch pulls away and falls from a house killing/injuring partygoers, the hammer is not blamed.  When a pedestrian is killed by a drunk driver, the car is not blamed.  When an editorial or cartoon is written that enflames and angers the masses, the typewriter/computer is not blamed Only when it comes to guns is the tool rather than the actor condemned.

 

We learned (or should have learned) from Benghazi that diplomatic and bureaucratic and philosophic options are meaningless at the time of an attack, because without proper response capability good people die.  When my family is being threatened with grave harm and I am not present to intervene, I do not want a philosopher or psychologist or social worker or a book of social ills analysis there – I want “…rough men (who) stand ready in the night to visit violence on those who would do us harm.”

 

Sandy Hook Tragedy - Response, Part I

Once again a tragedy involving a firearm has struck the U.S. (Sandy Hook Elementary School in Connecticut); and the aftermath brings the usual spate of comments and solutions to avert such tragedies in the future, most of which deal with additional regulation of guns.  But let’s not forget that most of the rhetoric related to guns and gun laws is spouted by both individuals and media who have little if any true knowledge or experience with either.  Cases in point:

 

Many/most of the current diatribes make frequent use of the terms “assault rifle” and “semi-automatic” and paint them with the same negative brush. In reality, an “assault rifle” (as available to civilians) is nothing more than a cosmetically-different rifle (configured to resemble a military weapon), most of which are “semi-automatic” which simply means that 1 bullet is fired with each pull of the trigger and the next bullet is fed into the firing chamber without manual manipulation (strictly speaking, even a revolver operates in a “semi-automatic” manner!).

 

There are literally tens of thousands of gun-related laws in the U.S., ranging from Federal law to local/municipal law. Virtually every facet of owning, carrying, transporting and using a gun is either directly regulated in some way or is covered under the umbrella of some related law (e.g., a general law relating to disorderly conduct would encompass the act of unnecessarily brandishing a gun).

 

Deliberate gun violence (crime) and inadvertent gun harm (accidents) are not the “epidemic” that might be expected due to the civilian ownership of approx. 300 million guns in the U.S. – approx. 8% of all violent crimes are committed by a person known to have a gun, and approx. .5% (1/2 of 1 percent) of all fatal accidents involve guns.

 

Guns are used approx. twice as often for self-defense as they are to commit crimes; and crime and murder rates are generally lower in states with established concealed-carry laws.

 

Two of the cities with the strictest regulation of gun ownership and possession in the U.S., Washington, D.C. and Chicago, IL, have crime and murder rates involving handguns significantly higher than the national average for the same offenses; and both cities had significant increases in their crime and murder rates after the more stringent gun laws went into effect.

 

There is no way to predict anti-social or psychopathic behavior (the root causes of the vast majority of gun misuse); and there is no way to assure that a person unfit to own, possess or use a gun will never do so.

 

So…guns are not inherently evil, they are simply tools for a variety of purposes; there are sufficient gun laws on the books if they would be administered/enforced strictly and consistently (the vast majority of gun-related crimes are diminished or pled down during criminal proceedings); the vast and overwhelming majority of guns in the U.S. are owned and used lawfully and responsibly.

 

Here is a rhetorical question for the anti-gunners: If guns are so inherently bad, why do you immediately want a gun on scene (in the hands of a trained professional) to respond to and mitigate some evil action?   It would seem that that in itself is a tacit admission that it is not the gun itself that is inherently bad…

The "Environment Conducive to Criminality"

In most states in the U.S., landlords/proprietors have some basic obligation to provide a reasonably safe and secure environment for tenants, patrons and other invitees.  This obligation may arise from specific laws/statutes, or from general laws/statutes relating to negligence, or from case law. 

 

In any event, the obligation to provide a safe environment virtually always uses the concept of reasonable security based on foreseeability as the test for adequacy and sufficiency of security when some incident occurs.  In simple terms, this means that a landlord/proprietor must take the precautions that a reasonable person would take under the same/similar conditions and circumstances after giving due consideration to factors affecting the premises (namely:  the inherent nature of the premises; the history of problems at the premises; the history of problems in the area immediately surrounding the premises; and any industry standards that may exist relating to the premises).  This definition thus presupposes that some “one-size-fits-all” approach to security will usually not be adequate or sufficient since circumstances are different at every premises.  But the single factor which exists in the majority of times when some security incident occurs at some specific place is what I refer to as the “environment conducive to criminality.”

 

Let me here make a disclaimer:  There is no such thing as absolute security (meaning continuous, constant, total, complete and unqualified protection and safety of a given asset) – any security system or strategy can be compromised given sufficient motivation, opportunity and resources.  So, since security breaches can occur even when adequate and sufficient security exists, then the primary purpose of any security strategy is to control as many variables as possible to limit the opportunity for criminal acts to the extent reasonably possible, i.e., make it as difficult as possible for crime to occur successfully. 

 

Except for crimes of passion (which generally occur spontaneously), criminals usually seek 2 conditions when deciding how/when/where to commit a crime:  environment/circumstances which allow greatest probability of the criminal act succeeding; and environment/circumstances which allow greatest probability of committing the criminal act without being stopped, caught or identified.  This means that criminals generally choose the circumstances and places which provide the greatest opportunity for successful accomplishment of the crime – they choose a place which has an “environment conducive to criminality.”

As noted above, every place is different and has different conditions to consider when determining security needs.  But regardless of place or conditions, an “environment conducive to criminality” usually has some common traits:

• no formal or careful consideration has been given to security needs (nothing has been done to assure that appropriate security measures have been implemented commensurate with foreseeable threats)
• no formalized security plan exists (security measures, if any even exist, have been chosen and applied haphazardly with no formal strategy or objective)
• area has easy access (a place which has a perimeter which cannot readily be secured or which has access controls which can be easily defeated)
• area is unkempt (making it difficult to determine if something is missing or providing places to hide or move furtively)
• area is dark (a place where crime can occur undetected and persons cannot be readily seen or identified)
• area is not routinely surveilled either by technological means (such as cameras) or persons (a place where crime can occur undetected and persons cannot be readily seen or identified)
• area has no regulatory or warning signage prominently displayed (information is not provided to advise patrons of proper or prohibited behaviors, to publicize security measures as a deterrent to inappropriate/criminal activity, and/or to warn of the penalties for engaging in inappropriate/criminal activity)
• there is no ready security response when problems occur (no plan is in place or competent personnel available to deal with inappropriate persons or activities)
• employees, even those ostensibly having security responsibilities, are not selected or trained properly (personnel are not competent to identify suspicious persons or respond to inappropriate/criminal activity)
• records/documentation related to security are not maintained (history of security issues is not kept or reviewed to ascertain that security measures are adequate and sufficient)
• security is not given adequate management attention (nothing is routinely done to assure that security measures are adequate and sufficient for current or changing security needs)

In summary and conclusion:  When a place fails to identify its security needs and fails to take reasonable steps to provide reasonable security, the result is usually a place where persons go to engage in inappropriate and criminal activities with little concern for being stopped, identified or caught  – a place with an “environment conducive to criminality”.

The Lesson from Benghazi

The tragic – and apparently avoidable – death of an Ambassador and 3 other officials is another grim reminder of both an endemic and systemic problem:  the United States is a reactive country.  And this is a significant problem for both national security strategy and business security.  Loss of life is certainly far more important than the loss of physical or intellectual assets, but the underlying principle is basically the same:  we fail to provide adequate security.

 

As a nation and in the business sector, we tend to be more reactionary than proactive – we have a long history of “not closing the barn door until after the horse has run off.”  We believe that bad things can happen, but only somewhere else or to somebody else;  and even when we recognize that something bad may happen, we rarely expect the worst-case scenario to occur.  We tend to look only at the immediate past for the information with which we make our decisions regarding the immediate future.    So when there are few actual, everyday problems or incidents, security becomes an afterthought and again becomes relegated to the status of “necessary evil.”

 

We fail to recognize that the law of averages and the intent of our enemies will ultimately affect everybody. We rely on our God or Lady Luck or whatever to keep us safe from “the big one.” The security assessors and planners are always viewed as the naysayers,  the ones who bring negativism to the table because, while everybody else is talking about peace and détente and political correctness, the person charged with looking for the bad things will raise his hand and ask “...But what if...?”  And all the shaking heads will turn in that person's direction and his views will be looked on as the ramblings of someone who isn't really with the team or on the bandwagon because "...those things just won't happen to us." But they can...and they will...and they usually do happen.

 

The major cause for having inadequate security is readily apparent:  the people who do the security assessments and create the security plans (in other words, the people who are the most likely to know what to expect) are never the ones in complete control of security. Responsible and accountable and scapegoat-able, yes. In control, no. Why? Because someone else always controls the decision to implement the plans and policies, the money and the resources. Some bureaucrat or executive always has to look at what the security readiness plan will entail and cost and determine – usually in a completely uninformed way – if the imposition of inconvenience and expenditure is really worthwhile, and if the funds and other resources are really most wisely spent on something that may never happen.  So with this fiscal attitude, bolstered by our naïve and erroneous belief that it can't happen to us, the will and the money and the resources we need for truly adequate security are never in place when we need them most – preferably before, but at least at the beginning of some disaster.  And we suffer again.  Needlessly.

 

Both our nation and the business world need to recognize the importance and value of security.  Our post-9/11 world,  coupled with the realities of today’s economy, makes the practice and implementation of adequate security a virtual necessity.  No longer can the protection of our people and our assets be relegated to good fortune and happenchance.  Rather, a systematic approach to assure that everything reasonable is being done to guarantee our nation’s and our business organizations’ safety and financial well-being is of vital and strategic importance.  And the marketing and selling of the concept of adequate protective efforts is a job that must be continually and relentlessly pursued by security professionals, since bureaucrats and executives are most often concerned only with the things that undermine the ability to provide good security.