Wednesday, December 28, 2011

Difference Between A Security Assessment and A Risk Analysis

The security assessment process is a common method used to determine specific security needs for a specific business based on the issue of foreseeability – the standard that Courts will use to determine if security was adequate and sufficient when security is legally challenged as a result of some incident that has occurred (something bad happens, someone gets hurt, you get sued). Pretty basic.

The security assessment process takes into account 4 specific issues: The inherent nature of the business (every place has its own inbuilt problems and vulnerabilities); the history of problems at the business (while not an exact predictor, past problems at any given place demonstrate the potential for future problems, all else being equal); history of problems in the area surrounding the business (problems which occur in the neighborhood have a tendency to affect everything within the neighborhood; nothing is immune); and industry standards/guidelines/best practices (what has been determined to work in similar places under similar circumstances is at least a good starting point to identify potential security strategies and tactics as related to identified threats and risks). Pretty straightforward for determining foreseeability – that which may occur.

But the concern for being sued shouldn’t be the only reason why a good security program should be part of a sound business plan – it’s just plain good business to maintain a place where assets are protected and employees and customers are safe.

So before a strategy to prevent and mitigate problems is formulated, perhaps we should first remember why security is important in the first place. And that determination can be accomplished by a risk analysis.

Before we begin figuring out why security is important, there are two basic premises that must be clearly understood:

1. There is no such thing as absolute or perfect security: No security program can ever totally assure that bad things will not occur or that a legal challenge will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation and persistence of a bad guy; the inexplicable failure of a protective measure at a crucial time; or even the whims of a jury – the best security measures may sometimes fail. So the best that can be hoped for is to control as many facets of the security strategy as possible, and to monitor the strategies sufficiently to assure that unanticipated failures can be best and most expediently mitigated.

2. There are always alternatives to how security measures can be implemented: Because the practice of security is both science and art – the science being the body of knowledge used in protective efforts; the art being the most appropriate application of that knowledge to a given circumstance – there will always be alternate ways to blend the stuff and the applications into a sound, workable and efficient protective strategy.

So here’s what we know thus far:

· Every business and its stuff needs to be protected.

· Every business needs to be concerned about liability.

· Since every business and its stuff is different from everyone else’s business and stuff, efforts to protect anyone’s business and stuff will necessarily be different from the efforts to protect anyone else’s business and stuff.

If we accept these enumerated hypotheses, it becomes obvious that some formal or at least conscious consideration must be given to the development of a security program – if I want to adequately protect my stuff and my liability, I need to consider my situation and develop a security plan accordingly. So how do I do that?  Here’s the outline for our risk analysis:

· If I need to protect my business and my stuff and my liability, I need to know exactly what my business and my stuff and my liability are (these are my “assets” and they include not only my building and equipment but my employees and customers and vendors and my reputation and my business practices and anything else that is valuable to me).

· If I need to protect my business and my stuff and my liability, I need to know all of the potential problems and threats I might encounter (these are my “risks” and they include all the manmade and natural problems, both deliberate and inadvertent that pose a threat to my business).

· If I’ve identified all my potential problems and threats, I need to know how likely it is that each of those problems and threats might occur (all of the bad things that can potentially happen at my business do not all have the same potential for happening – an assault is more likely than a tornado, employee theft is more likely than an armed robbery, etc. – so we need to figure out what is most likely to occur so that we can determine which security measures will be most appropriate).

· If I’ve determined the likelihood of occurrence of each of my potential problems and threats, I need to know what the impact would be to my business, stuff and liability if any of those potential problems or threats occurred (even if/when something bad occurs the impact on business will be different – the loss from an employee caught stealing on his first day of work has less impact on the bottom line than the loss from an employee who has been stealing for the past 3 years, an attempted robbery in which an innocent bystander is seriously injured has greater impact on a business’s reputation than a loud disagreement about incorrect change – so we need to figure out which of the bad things most likely to occur will have the greatest negative impact if/when they do occur so that we can determine how best to allocate the limited resources for security measures).

· If I need to develop a plan to protect my business and stuff from liability, I need to know if any adequate safeguards are currently in place (we need to determine if existing security measures are adequate to protect all identified assets and meet all identified risks, and to determine what additional security measures might need to be implemented).

So there you have it – we’ve come full circle: We know how to implement appropriate security strategies that will protect our businesses and do so in a manner that is legally defensible (by determining foreseeability via a security assessment); and we now know how to determine why we need a security program (as identified via a risk analysis).

Thursday, October 06, 2011

Private Security / Law Enforcement Partnerships

There are probably a few readers who are wondering why this issue is even being discussed, since there are still a few security practitioners who do not (or cannot) see the importance and value of developing good working relationships and partnerships with our law enforcement counterparts. While it may not be the most current trendy management philosophy, I can state categorically after more than 30 years in private security that having good relationships with public law enforcement is not only desirable, but it is absolutely necessary to the success of a security or loss prevention program. Without belaboring the issue, let me illustrate just a few salient points:

· There will undoubtedly come a time when some type of criminal act occurs at the organization for which you have security responsibility; and there will undoubtedly be a time when that criminal act requires, for whatever reason, some form of law enforcement involvement. That type of incident should not be the first time that you have had communication with the appropriate law enforcement agency. Knowing each other beforehand will go a long way towards a satisfactory, timely and successful resolution to your problem. (And this relationship will prove even more important if the problem becomes complicated or difficult.)

· There will undoubtedly come a time when some form of emergency situation occurs at the organization for which you have security responsibility (a fire; a bomb threat; a power outage; a lost child; a domestic dispute involving an employee; etc. etc. etc.). Knowing who to contact and what to expect from the appropriate law enforcement agency will prove essential to successful problem resolution.

· There will undoubtedly come a time when a company investigation in which you are involved requires more information or resources than you have internally. Having a good working relationship with the appropriate law enforcement agency will provide at the very least a sounding board for discussing your situation and getting an informed second opinion; and may even provide the information and/or resources that you are lacking to continue or complete your investigation.

These are only a few obvious examples of the practical need for sound working relationships between the private security sector and public law enforcement. But the benefits of such relationships go beyond the boundaries of an individual security practitioner’s needs for his own organization. As far back as the 1970’s, there has been a realization that public law enforcement cannot do its job alone: increases in criminal activity and public outcry against continually-rising taxes have created a situation in which public law enforcement is spread dangerously thin. It is unrealistic and unreasonable to expect that law enforcement can immediately respond to every citizen’s – or every business’s – wants and needs. So, along with the increased necessity for a business organization to be more self-reliant with regard to its own security needs, there is also a need for a sound partnership with involved law enforcement agencies so that both sides know what to expect from the other, to ensure proper strategic and operational planning. And this concept was dramatized and heightened even more after the tragic events of 9/11.

And then there is the altruistic reason. We in the security and LP industries frequently don’t give ourselves enough credit for the importance of our role (perhaps because we are all too often held in relatively low esteem by our employers – but that is another topic for discussion). Maybe it’s time to view ourselves from a different perspective. Since business and industry is the backbone of the American economy and culture, doesn’t it seem crucial for business and industry to be protected? Isn’t the protection of our business places (corporate citizens) as important as the protection of our individual citizens? So...from this viewpoint, maybe our role is a little more important than we have heretofore realized or given ourselves credit for. Perhaps there is not significant importance individually, but certainly collectively. And our role is becoming ever more important because of the myriad of threats that the American businessplace is experiencing in today’s social and economic reality – the stability of the American economy is unquestionably a target; and the economy goes as its individual components (i.e., our organizations) go. Whether we admit to it or not, and whether we like it or not, we are part of the overall criminal justice system. And, as such, we play a vital part in the protection of our society via the protection of our companies; and we must learn to work with other protective agencies to assure that we can successfully do our jobs.

I hope I have at least provided some sound arguments for the need for good working relationships and partnerships with public law enforcement.

Thursday, August 18, 2011

Security Standards and the Question of Liability

There has recently been much rhetoric over the issue of security standards. Organizations such as UL (Underwriters Laboratories), NFPA (National Fire Protection Association) and ASIS International have undertaken projects to develop standards. And the process and even advisability of developing standards have both supporters and detractors. But with all the discussion and debate that has taken place, little has been said – at least publicly – about the issue that will have significant impact on the implementation of security standards: liability.

The reason that liability will be such a significant factor is because liability in and of itself is a controversial topic. While in theory there could probably be almost universal consensus that liability exposure should be avoided at all cost, the reality is that since virtually nothing can be done to guarantee the elimination of all liability (at least not until we cease to be such a litigious society), there has to be a recognition of the difference between trying to eliminate all risk and liability, and accepting or at least managing reasonable risk and liability.

As a quick reminder of Liability 101, “getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about total liability avoidance in the business world – the bean counters and corporate attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability. And the addition of security standards will be another factor in muddying the liability waters.

Security is not an exact science, and thus is not readily adaptable to the “cookie-cutter” or “one-size-fits-all” mold. And that is why developing security standards will be a formidable task, especially as related to the issue of liability. Once the factor of liability is brought into the security standards equation, the forensic interpretation of adequacy and sufficiency of security as determined by the Courts must be considered. And it will be in this legal arena that the full impact and importance of security standards will ultimately be determined.

From a practical perspective, the implementation of any security standards that may be developed will have mixed results. While some may see such standards as a “no-brainer” way to implement a security program, others will be more cautious. And both will be correct in their own limited ways: If developed properly, a set of standards will be a guide for building a basic security program; but since adequacy and sufficiency of any given security program is related to reasonableness vis-à-vis the risks at a given place, standards may not be appropriate in certain situations.

Moving forward to Security Liability 101, Courts across the country have long and consistently held that security measures must be commensurate with reasonably foreseeable threats and risks at a given place – the operative words being “foreseeable” and “given place.” This means that security programs will necessarily be different at different places (perhaps even at different places within the same organization) because the threats and risks might be different. So trying to find a set of standards that will be applicable to the myriad of potential scenarios will be difficult (at best) if not impossible to achieve.

The main value that I see to security standards is a compilation of strategies and best practices from which any organization can choose those which best suit its particular needs. And again, since security is not an exact science and there are almost always multiple ways to solve any given problem, such a compilation will allow any organization to pick and choose from a variety of strategies from which a sound security plan can be developed. This will meet the needs of organizations looking to maximize their security posture while also providing a framework for liability avoidance.

Wednesday, July 06, 2011

The Real Essence of Trials

The variety and disparity of feelings and opinions on the Casey Anthony verdict offers a timely opportunity to review the real purpose and conduct of trials.

As I state in the lectures on courtroom testimony and demeanor that I present to security officers,  a courtroom is not necessarily or unequivocally a place where justice is served; rather, it is a stage where situations and words are manipulated and where attorneys use the tools of credibility and persuasion to attain a desired result (hopefully with justice as a product).  A trial is basically and primarily a process of credibility vs. non-credibility – the side that is most believable usually wins, because every word uttered in court is subject to interpretation, analysis and impeachment.  A somewhat cynical description, but accurate.

As has been demonstrated in mock trials and moot courts, cases tried with the same basic sets of facts and evidence but presented by different litigators using different strategies and techniques can produce completely opposite verdicts.  And in the real world, we all know that the “quality” and/or intensity of prosecution and/or defense representation can have a profound effect on trials.

The moral:  While the facts of a case are undoubtedly important, the manner and style of case strategy and presentation is also of great importance.  This is a crucial concept to remember for security professionals who become involved and/or testify in legal matters as case principals, consultants and/or experts.

Sunday, June 26, 2011

Living In “Relaxed Alertness”

Prevention of inappropriate acts, both criminal and terroristic, surely depends on good intelligence which includes (in overly simplistic terms): identifying the bad guys, learning about their plans, stopping the bad guys. But let’s not forget that bad acts are also thwarted by the hardening of potential targets.

We have heard the term “soft targets” used quite a bit lately. “Soft targets” generally refers to those places which traditionally attract little evil intent and which consequently do not prepare very well security-wise for the worst-case scenario. (Examples of soft targets include churches, shopping malls, hospitals, daycare centers, sports/entertainment venues, ground transportation systems and the like – places which attract large numbers of persons who are not immediately or primarily focused on security issues.) So “soft targets” become attractive to the bad guys because of the potential for a high-yield event with relatively little effort.

I certainly do not advocate making our society even more of an armed fortress than it currently is – the terrorists have already accomplished part of their goal by disrupting and changing our everyday way of life. But on the other hand, we have to stop being a reactive culture – we have to realize that bad people do bad things, and that we have some personal/corporate responsibility to do what we can to prevent and mitigate those bad people and things. All individuals and businesses should do some self-assessment of their particular security needs: determine what is important (their “assets”); determine what bad things can reasonably be anticipated to happen to those important things; and initiate an appropriate and commensurate security strategy. In other words, everybody should pretty much always be in a state of “relaxed alertness,” aware of surroundings, understanding that something bad could possibly happen, understanding that reasonable efforts have been taken to avoid those bad things, and being prepared to deal with the bad things if our proactive measures have not been totally adequate. This is not paranoia, it is simply being conscious of what could happen and being reasonably prepared for it.

(In fact, isn’t this a realistic and pretty good way to look at life in general??)

Friday, May 13, 2011

“Old School” vs. “New School” Security

There is definitely a distinct difference between “old school” and “new school” security philosophy.

While I understand and (sometimes) even appreciate and (sometimes) even utilize facets of “new school” thinking, I am basically an “old school” kind of security professional – maybe even a dinosaur. But my “old school” philosophy has been honed from over 40 years in this profession, in a great variety of activities and circumstances and situations. And my “old school” philosophy has resulted in significant successes at the 3 organizations for which I was Director of Security: no significant losses, no significant incidents, no significant problem trends, and NO successful lawsuits against my organizations. (In fact, the losses and incidents and trends and lawsuits increased substantially at those 3 organizations after I left them and was replaced by “new school” devotees.)

While there are many major differences between “old school” and “new school” security philosophy, here is what I see as perhaps the most significant: I have always spent more time planning security strategies than researching the metrics (see – “metrics” – a “new school” term). After I had built credibility in my organizations with those who counted – senior executive management, corporate attorneys and bean-counters – I was able to convince them of the efficacy of my strategies/programs without the need for the pretty charts and the myriad of footnotes and references and the 6 numbers after the decimal point. I had been there and done that and gotten the T-shirts so successfully that my word was sufficient. And then you can’t much argue with success. So I basically used my personal experience and knowledge, added a little intelligence-gathering (kept abreast of the news and the trade publications and watched and listened and observed), and then spent the majority of my time developing and refining my already-successful strategies and actually doing the things that protected my organizations.

Yes, it was a different time. Managers were selected for their abilities and were actually allowed to manage. As an experienced and credentialed security professional, I was expected to provide quality security services, and I didn’t have to reinvent the wheel every time I wanted to do something because it was presumed – in fact demanded – that that was my function as the responsible executive. Today is different, and today’s security executives rarely have the authority and responsibility (which just may equate to credibility?) to do the things that really should be done to adequately protect their organizations.

Yes, there is a big difference between vulnerabilities and threats. But until I have been convinced otherwise, every vulnerability is at least a potential threat that I have to assess and prioritize and act on. With the vast majority of my business now being involved in litigation as a Court-recognized expert witness, I continually observe organizations whose security programs are of the “it-can’t-happen-to-me” or “it-didn’t-happen-to-me-yesterday-so-it-won’t-happen-to-me-tomorrow” schools of thought; and those organizations almost always lose more in the lawsuits which transpire after it does happen to them and they didn’t plan accordingly than if they had been proactive. In security, the adage of “an ounce of prevention is worth more than a pound of cure” is almost always spot-on.

I guess the reason that I will remain “old school” is because after 40 years I have the metrics to prove that my “old school” way works, while “new school” advocates can only watch and wait and hope that their way is equally as effective – I hope it is, but I do have my doubts.

Monday, January 24, 2011

What Is An "Expert?"

When a technical or specialized issue (like medicine, or ballistics, or security) is raised through a legal proceeding (criminal trial, civil lawsuit/tort, etc.), attorneys for either or both sides will frequently retain/hire an "expert witness" to provide detailed, in-depth information about that technical/specialized issue and/or to render an "expert opinion" with regard to the technical/specialized issue as it relates to a particular case at hand.

There is no magic “standard” by which one is considered an expert. Attorneys generally try to select an individual with extensive experience in the technical/specialized field and who has some “reputation” for his knowledge and experience – in other words, someone who is generally regarded as a “go-to guy” in his field. Then, after being selected by an attorney, appointed as the “expert” for the case, and formally rendering an “expert opinion” in the case, the expert is scrutinized by opposing counsel who usually tries to question and refute the expert’s qualifications. Opposing counsel tries to present evidence to discredit the expert’s qualifications and/or credibility (I have actually been in depositions in which my background qualifications have been questioned for more than 4 hours – and no, I have never been disqualified as an expert). And if and/or when a case finally appears before a Judge, the expert may be formally recognized by the Court as an “expert”. This means that a Court has formally accepted the credentials of the expert and formally acknowledged his status as an “expert in his field.”

The opinions rendered by an expert during a legal proceeding may be presented/used in several ways: They may be used solely as advice/consultation by an attorney to help understand the issue and prepare his case; they may be used as the basis for a written "opinion report" which becomes part of the formal legal proceedings and case record; and/or they may be used as the basis for the expert’s testimony at deposition and/or trial. When an expert formally renders an opinion (via written report or testimony), that opinion is routinely scrutinized by the opposing side in the case; and opposing counsel may very well retain his own expert to review or refute.

Now comes the tricky part, and the part where the issue of “standards” comes into play. When an expert renders his opinion, he is really being asked to opine based on what in his own knowledge and experience is the most appropriate way of handling a particular situation under a given set of circumstances; and then to be able to convince the trier of fact (Judge or jury) that his way is better than the way being promulgated by the opposing side.

Let me digress for a moment to make a statement that I make immediately at the start of the class I teach on courtroom demeanor and testimony: Contrary to popular opinion, a trial is NOT a proceeding in which truth and justice are determined (although that may happen, albeit accidentally); a trial IS a proceeding in which one side’s opinion and testimony is more convincing than the other side’s, to one particular trier of fact, at one particular moment in time. The “winner” is not always truth and righteousness, and the “loser” is not always guilty. PERIOD. THE END.

So back to the issue of “experts.” For the sake of example, let’s say that the issue at hand is the appropriateness of actions taken by a security officer during an apprehension. The attorney for the “victim” (the plaintiff, the person who is complaining about the way that the apprehension was made) will probably have an expert who will testify that the procedure was totally wrong for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). And the attorney for the security officer and his company (the defendant) will probably have an expert who will testify that the actions were entirely appropriate and proper for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). SEE THE CONUNDRUM??????? Because there are no universal “standards” – an across-the-board, common way of doing things – who is to say who is right or who is wrong?? Sure, there are occasionally examples of actions so egregious that they are clearly wrong. But by and large, because there are no standards, it will boil down to whose expert and testimony was most credible and compelling. And this is why almost any attorney can almost always find an “expert” who will find some way to defend almost any action or position.

So…almost anyone in a given field can hold themselves out as an “expert” in that field. But being regarded as an expert in a court of law is a painstaking process that subjects the expert to widespread scrutiny of his qualifications, credentials and prior opinions. Most successful experts do little actual marketing, because their services are usually sought via word of mouth by attorneys or via reputation gained in similar and/or important cases.

I hope this sheds a little light…..