Tuesday, October 26, 2010

The Conundrum of Security

Here is a question for the ages: Why is it that – by and large – security has not been as widely accepted and embraced into corporate culture as virtually every other business operation discipline?

If this question could be answered, businesses would be much more secure, their assets would be better protected, and profits would necessarily grow commensurately. But we as individual practitioners and as an industry have failed to convince the C-Suite of this fundamental reality. Why?

While usually not analyzed as I will try to do, there is really very little difference between the security function and other operational disciplines. Consider:

· Security is generally considered a pure cost center. But isn’t protecting and retaining assets and profit (i.e., avoiding loss and liability) just as important to the bottom line as growing assets and profit?

· If money is spent ($ cost) to protect an asset and the asset is preserved, the full value of the asset is realized ($ retained + $ profit gained).

· If no money is spent ($ savings) to protect an asset and the asset is lost ($ value loss + $ profit loss) the asset needs to be replaced ($ cost), and then security will probably be added ($ cost) to protect the asset so it is not lost again.

So doesn’t providing proactive security actually save money in the long run and create the setting in which profit can be gained?

Security is generally considered (at best) a “necessary evil” because it serves to protect against problems that may never occur. But isn’t that also a function of many other operational components that are considered integral to business functioning:

· Doesn’t Environmental Services clean spills so that someone doesn’t slip and fall (which may never happen even if the floor remains wet)?

· Doesn’t Maintenance make sure that machines keep on running properly so that production isn’t halted (which may never happen even if the machine isn’t maintained)?

· Doesn’t Marketing develop ad campaigns so that products or services sell (even though products or services may sell even if the ads aren’t run)?

· Doesn’t Human Resources develop policies for issues like workplace violence and sexual harassment (even though workplace violence and sexual harassment may never occur)?

· Doesn’t Accounting have an outside auditor come in periodically to check the books (even though no mistakes or irregularities may be found)?

So why is security, which provides a secure environment so the business of the business can be conducted properly, not considered as important as those other functions? When – or if – this question is answered, the business world will be a better and safer place.

Thursday, September 09, 2010

Developing an Emergency Plan

There is unfortunately no magic template that will help an organization develop an emergency plan because there are so many variables, such as size and location of business, nature of business, types of employees and invitees, internal resources available, external resources available, etc.

That being said, here are a few thoughts that might be helpful:

· There is no such thing as AN emergency plan. Different plans must be developed to address a variety of potential emergencies (this should be obvious but is not always – for example, a weather-related emergency is totally different from an active shooter scenario).

· A team approach to plan development is good, bringing to the table not only the persons/functions responsible for crisis management but other representative stakeholders as well (both internal and external).

· Good emergency planning deals with issues related to emergency prevention/mitigation, response during the emergency, and aftermath response to include business continuity planning.

· A good emergency plan is as complex as needed yet as simple as possible.

· Having someone knowledgeable in emergency plan development is of paramount importance, to help the team focus on not only the major issues to be considered but the subtle nuances as well. This key resource person might be internal or external, might be an independent security consultant, or might be a local law enforcement or fire service representative. Public safety agencies need to be involved in planning and testing, but keep in mind that public safety agencies may not have the expertise and/or resources to serve as the key plan development resource (this is especially true in public safety agencies in smaller communities).

· Emergency plans, once formulated, need to be formalized via company policies, with appropriate sanctions for non-compliance.

· Emergency plans need to be tested on a regularly recurring basis, with both tabletop and practical drills, to include all entities that will be involved during an actual emergency. Things that look good on paper do not always translate equally to application. The purpose and ultimate value of drills is to not only look for the things that are right with the plan, but to actively seek out the things that are deficient so they can be modified/remedied.

· Emergency plans need to be reviewed on a regularly recurring basis. As organizations change (facilities, assets, resources, etc.), plans need to be modified accordingly.

Emergencies can and do occur – that is a basic fact of life. How well an organization copes with those emergencies is a function of sound planning and preparation.

Friday, July 16, 2010

The Security Return on Investment

If looked at solely from the perspective of immediate dollars-and-cents ROI, most security programs would be quickly eliminated, because they are almost always a “cost” center as opposed to a “profit” center – that is, they seldom generate enough revenue to at least pay for themselves. But this is a very narrow viewpoint that does not take into account the value of asset retention.

Since the primary foundation of a security program is to prevent or at least mitigate threats to assets, a successful program will be very difficult to “see.” It is hard to quantify that which does not occur. But the retention of assets (in other words, keeping the assets safely within the organization) is a concept that can be quantified and valued, at least in a general sense.

As a general rule, the failure to implement a sound security program until after a significant loss has occurred will be at least 3 times as expensive as implementing a security program from the outset: there will be the costs associated with the compromise/loss of the asset; there will be the costs associated with the replacement of the asset that was lost; and there will be the costs associated with then implementing the protective measures that could have prevented the loss in the first place.

The investment in a sound security program can be likened to the investment in a good insurance policy: premiums continue to be paid for coverage that may never be needed, but that coverage is found to be truly indispensable and cost-effective when it is needed.

Monday, March 15, 2010

Security's "Cycle for Failure"

Here in simplistic terms is my perspective of the basic cycle that causes many of the problems that are faced throughout the security industry – what I have termed the “cycle for failure”:

1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.

2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.

3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.

4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.

5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.

6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.

I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.

Saturday, January 16, 2010

Political Correctness and Security

Like it or not, political correctness – loosely defined as being consciously cautious of doing or saying anything to minimalize or denigrate any particular group – is here to stay. And like it or not, political correctness is an impediment to good security.

As a career security practitioner, I have had to deal with a great diversity of persons and ideas. And even if I do say so myself, I am one of the least biased persons I know – I believe I am tolerant of just about everyone and everything...until I have some reason to not be tolerant. And therein lies the problem with political correctness.

Perhaps – I hope – it’s just a matter of our not finding a more appropriate term in our American-English language. But I think that we sometimes confuse political correctness with a legitimate response to facts; and when we deal with facts, political correctness should take a back seat. Let me illustrate:

Retail establishments frequently utilize security personnel to guard against thievery. When a review of theft incidents over a lengthy period of time factually determines that 83% of apprehensions for theft were of black (or white or yellow or brown) females between the ages of 15 and 24, why should it be considered politically incorrect to focus surveillance activities on the persons of that particular demographic? In fact, wouldn’t a store security agent be remiss in his duties if he ignored such documented facts and trends?

The groups “offended” by acts of political incorrectness have become so outraged and vocal that some of us have become overly cautious in our interactions. We choose our words and our actions so carefully that we almost never say what is really on our minds or say what we really mean – even when it is the truth. In fact, it is almost impossible to say or do anything that will not “offend” someone’s sensitivities.

But even when that is the case, security practitioners should not – and cannot – let the quest for political correctness override their protective responsibilities. No, we should not target or accuse anyone needlessly; but neither should we look the other way when facts clearly demonstrate that someone or some group bears additional scrutiny. We cannot ignore the female customers in the store per the example above; we cannot ignore the black driver cruising the white neighborhood at 3:00 AM; we cannot ignore the young Middle Eastern man buying a one-way ticket with cash at the airline counter. When we have objectively gathered the facts and the facts reveal distinct patterns, we cannot ignore those patterns for the sake of being politically correct. We must continue to use the information available to us to be diligent in the performance of our duties, for to do otherwise is in itself a serious abrogation of our responsibility.

Come to think of it, I guess I’m not being politically correct just by questioning political correctness.

Monday, January 04, 2010

The Dichotomy of Security

We can’t have it both ways:

We want to be safe in our homes and in our everyday lives; but we don’t want to “waste” our free time by joining the neighborhood watch or by calling the police when we see something suspicious.

We want to feel safe in our workplaces, in our offices and parking areas, and we want our business visitors to feel safe and welcome; but we don’t want to have to use an access card or biometric reader to enter our workplaces or parking lots and we don’t want to be surveilled while we work and we don’t want to inconvenience our visitors by having them sign in.

We want to be safe on our streets; but we don’t want “Big Brother” watching us on surveillance cameras or to have police patrols randomly questioning us.

We want good service and low prices at the stores in which we shop; but we don’t want store security personnel watching us on surveillance cameras or following us while we shop.

We want banks to keep our money safe, and to make it available to us at a moment’s notice; but we don’t want to give our fingerprints to make a withdrawal or to have to remember and change our account passwords.

We want to move quickly and easily through airports and we want our flights to be safe; but we don’t want long security checkpoint lines or intrusive body searches or to have our bags poked and prodded and inspected by security personnel.

We want to feel safe in our nation and we don’t want terrorists on our shores; but we complain about our taxes and criticize the military for their actions and want to afford terrorist detainees the same rights and protections as we citizens enjoy.

And on and on and on...

In other words – we want to be free and safe, but we want none of the prices that have to be paid to remain that way.

Unfortunately, we can’t have it both ways.

Saturday, January 02, 2010

Security Challenges for 2010 (and beyond)

Based on history and experience, security challenges in 2010 will not diminish – in fact, they will probably grow. Here is my forecast:

1. The economy will continue to play a big part as related to security challenges. As (or if) the economy strengthens, business will focus on regaining that which was lost (sales, market share, profitability, etc.) and will tend to ignore (or at least overlook) maintaining what it still has. This means that security and loss prevention issues will probably remain overlooked until and unless specific and serious problems arise.

2. Strong security leadership will continue to erode. Security executives will be so busy focusing on keeping their jobs and covering their posteriors (the two go hand-in-hand) that they will continue to overlook doing what is really necessary to protect the organizations they serve. Political correctness will abound, usually at the expense of truly good security.

3. Because security is still viewed in many organizations as a necessary evil rather than as a necessary business partner, security functions will remain relegated to lower-level importance and responsibility. This, coupled with #2 above (the erosion of strong security leadership) will continue the seemingly-endless cycle.

4. Because of all of the above, it will be difficult to develop the next generation of competent security leadership. When employees see the difficulties and roadblocks faced by their executives, there is little incentive to aspire to those positions.

So is the future, beginning in 2010, totally bleak? No. These are predictions, not unchangeable destiny. We as both an industry and individual practitioners/professionals must continue to clearly demonstrate and promote the value of our service. We need the few remaining strong leaders to sound the trumpets and beat the drums to show corporate executives that security is part of the fabric that keeps organizations together, healthy and prosperous. We must continue to prove that protecting assets is as important as generating new sales. In short, we must convince our bosses that security is an important, vital and integral part of every business.

The fate of security rests in our own hands. If we practitioners fail in the primary task of the self-promotion of ourselves and our industry, we have no one but ourselves to blame when my predictions become self-fulfilling prophecy.