Thursday, December 27, 2012

Sandy Hook Tragedy - Response, Part I


Once again a tragedy involving a firearm has struck the U.S. (Sandy Hook Elementary School in Connecticut); and the aftermath brings the usual spate of comments and solutions to avert such tragedies in the future, most of which deal with additional regulation of guns.  But let’s not forget that most of the rhetoric related to guns and gun laws is spouted by both individuals and media who have little if any true knowledge or experience with either.  Cases in point:
 
Many/most of the current diatribes make frequent use of the terms “assault rifle” and “semi-automatic” and paint them with the same negative brush. In reality, an “assault rifle” (as available to civilians) is nothing more than a cosmetically-different rifle (configured to resemble a military weapon), most of which are “semi-automatic” which simply means that 1 bullet is fired with each pull of the trigger and the next bullet is fed into the firing chamber without manual manipulation (strictly speaking, even a revolver operates in a “semi-automatic” manner!).
 
There are literally tens of thousands of gun-related laws in the U.S., ranging from Federal law to local/municipal law. Virtually every facet of owning, carrying, transporting and using a gun is either directly regulated in some way or is covered under the umbrella of some related law (e.g., a general law relating to disorderly conduct would encompass the act of unnecessarily brandishing a gun).
 
Deliberate gun violence (crime) and inadvertent gun harm (accidents) are not the “epidemic” that might be expected due to the civilian ownership of approx. 300 million guns in the U.S. – approx. 8% of all violent crimes are committed by a person known to have a gun, and approx. .5% (1/2 of 1 percent) of all fatal accidents involve guns.
 
Guns are used approx. twice as often for self-defense as they are to commit crimes; and crime and murder rates are generally lower in states with established concealed-carry laws.
 
Two of the cities with the strictest regulation of gun ownership and possession in the U.S., Washington, D.C. and Chicago, IL, have crime and murder rates involving handguns significantly higher than the national average for the same offenses; and both cities had significant increases in their crime and murder rates after the more stringent gun laws went into effect.
 
There is no way to predict anti-social or psychopathic behavior (the root causes of the vast majority of gun misuse); and there is no way to assure that a person unfit to own, possess or use a gun will never do so.
 
So…guns are not inherently evil, they are simply tools for a variety of purposes; there are sufficient gun laws on the books if they would be administered/enforced strictly and consistently (the vast majority of gun-related crimes are diminished or pled down during criminal proceedings); the vast and overwhelming majority of guns in the U.S. are owned and used lawfully and responsibly.
 
Here is a rhetorical question for the anti-gunners: If guns are so inherently bad, why do you immediately want a gun on scene (in the hands of a trained professional) to respond to and mitigate some evil action?   It would seem that that in itself is a tacit admission that it is not the gun itself that is inherently bad…

Tuesday, November 13, 2012

The "Environment Conducive to Criminality"


In most states in the U.S., landlords/proprietors have some basic obligation to provide a reasonably safe and secure environment for tenants, patrons and other invitees.  This obligation may arise from specific laws/statutes, or from general laws/statutes relating to negligence, or from case law. 
 
In any event, the obligation to provide a safe environment virtually always uses the concept of reasonable security based on foreseeability as the test for adequacy and sufficiency of security when some incident occurs.  In simple terms, this means that a landlord/proprietor must take the precautions that a reasonable person would take under the same/similar conditions and circumstances after giving due consideration to factors affecting the premises (namely:  the inherent nature of the premises; the history of problems at the premises; the history of problems in the area immediately surrounding the premises; and any industry standards that may exist relating to the premises).  This definition thus presupposes that some “one-size-fits-all” approach to security will usually not be adequate or sufficient since circumstances are different at every premises.  But the single factor which exists in the majority of times when some security incident occurs at some specific place is what I refer to as the “environment conducive to criminality.”
 
Let me here make a disclaimer:  There is no such thing as absolute security (meaning continuous, constant, total, complete and unqualified protection and safety of a given asset) – any security system or strategy can be compromised given sufficient motivation, opportunity and resources.  So, since security breaches can occur even when adequate and sufficient security exists, then the primary purpose of any security strategy is to control as many variables as possible to limit the opportunity for criminal acts to the extent reasonably possible, i.e., make it as difficult as possible for crime to occur successfully. 
 
Except for crimes of passion (which generally occur spontaneously), criminals usually seek 2 conditions when deciding how/when/where to commit a crime:  environment/circumstances which allow greatest probability of the criminal act succeeding; and environment/circumstances which allow greatest probability of committing the criminal act without being stopped, caught or identified.  This means that criminals generally choose the circumstances and places which provide the greatest opportunity for successful accomplishment of the crime – they choose a place which has an “environment conducive to criminality.”

As noted above, every place is different and has different conditions to consider when determining security needs.  But regardless of place or conditions, an “environment conducive to criminality” usually has some common traits:
  • no formal or careful consideration has been given to security needs (nothing has been done to assure that appropriate security measures have been implemented commensurate with foreseeable threats)
  • no formalized security plan exists (security measures, if any even exist, have been chosen and applied haphazardly with no formal strategy or objective)
  • area has easy access (a place which has a perimeter which cannot readily be secured or which has access controls which can be easily defeated)
  • area is unkempt (making it difficult to determine if something is missing or providing places to hide or move furtively)
  • area is dark (a place where crime can occur undetected and persons cannot be readily seen or identified)
  • area is not routinely surveilled either by technological means (such as cameras) or persons (a place where crime can occur undetected and persons cannot be readily seen or identified)
  • area has no regulatory or warning signage prominently displayed (information is not provided to advise patrons of proper or prohibited behaviors, to publicize security measures as a deterrent to inappropriate/criminal activity, and/or to warn of the penalties for engaging in inappropriate/criminal activity)
  • there is no ready security response when problems occur (no plan is in place or competent personnel available to deal with inappropriate persons or activities)
  • employees, even those ostensibly having security responsibilities, are not selected or trained properly (personnel are not competent to identify suspicious persons or respond to inappropriate/criminal activity)
  • records/documentation related to security are not maintained (history of security issues is not kept or reviewed to ascertain that security measures are adequate and sufficient)
  • security is not given adequate management attention (nothing is routinely done to assure that security measures are adequate and sufficient for current or changing security needs)
In summary and conclusion:  When a place fails to identify its security needs and fails to take reasonable steps to provide reasonable security, the result is usually a place where persons go to engage in inappropriate and criminal activities with little concern for being stopped, identified or caught  – a place with an “environment conducive to criminality”.

Thursday, October 11, 2012

The Lesson from Benghazi


The tragic – and apparently avoidable – death of an Ambassador and 3 other officials is another grim reminder of both an endemic and systemic problem:  the United States is a reactive country.  And this is a significant problem for both national security strategy and business security.  Loss of life is certainly far more important than the loss of physical or intellectual assets, but the underlying principle is basically the same:  we fail to provide adequate security.
 
As a nation and in the business sector, we tend to be more reactionary than proactive – we have a long history of “not closing the barn door until after the horse has run off.”  We believe that bad things can happen, but only somewhere else or to somebody else;  and even when we recognize that something bad may happen, we rarely expect the worst-case scenario to occur.  We tend to look only at the immediate past for the information with which we make our decisions regarding the immediate future.    So when there are few actual, everyday problems or incidents, security becomes an afterthought and again becomes relegated to the status of “necessary evil.”
 
We fail to recognize that the law of averages and the intent of our enemies will ultimately affect everybody. We rely on our God or Lady Luck or whatever to keep us safe from “the big one.” The security assessors and planners are always viewed as the naysayers,  the ones who bring negativism to the table because, while everybody else is talking about peace and détente and political correctness, the person charged with looking for the bad things will raise his hand and ask “...But what if...?”  And all the shaking heads will turn in that person's direction and his views will be looked on as the ramblings of someone who isn't really with the team or on the bandwagon because "...those things just won't happen to us." But they can...and they will...and they usually do happen.
 
The major cause for having inadequate security is readily apparent:  the people who do the security assessments and create the security plans (in other words, the people who are the most likely to know what to expect) are never the ones in complete control of security. Responsible and accountable and scapegoat-able, yes. In control, no. Why? Because someone else always controls the decision to implement the plans and policies, the money and the resources. Some bureaucrat or executive always has to look at what the security readiness plan will entail and cost and determine – usually in a completely uninformed way – if the imposition of inconvenience and expenditure is really worthwhile, and if the funds and other resources are really most wisely spent on something that may never happen.  So with this fiscal attitude, bolstered by our naïve and erroneous belief that it can't happen to us, the will and the money and the resources we need for truly adequate security are never in place when we need them most – preferably before, but at least at the beginning of some disaster.  And we suffer again.  Needlessly.
 
Both our nation and the business world need to recognize the importance and value of security.  Our post-9/11 world,  coupled with the realities of today’s economy, makes the practice and implementation of adequate security a virtual necessity.  No longer can the protection of our people and our assets be relegated to good fortune and happenchance.  Rather, a systematic approach to assure that everything reasonable is being done to guarantee our nation’s and our business organizations’ safety and financial well-being is of vital and strategic importance.  And the marketing and selling of the concept of adequate protective efforts is a job that must be continually and relentlessly pursued by security professionals, since bureaucrats and executives are most often concerned only with the things that undermine the ability to provide good security.

Wednesday, September 05, 2012

A Lesson from the Past


I think the adage “If no order, chaos” is truly applicable in the security world – not necessarily to the security function per se, but to the overall concept of security, loss prevention and asset protection within business organizations.

I am old enough to remember the days when order and discipline was the rule of thumb in the business world:  Executives set goals and broad strategies; management made policies and rules to support and implement the strategies; and employees were expected – nay, REQUIRED – to follow and implement the rules and procedures and policies.  Each of those three tiers had its inherent authority, responsibility and accountability.  If a particular person in a particular tier did not properly exercise his role, he would be disciplined – formal discipline on his record, or demotion, or termination.  Everybody clearly understood his particular defined role in the organization, its concomitant responsibilities, and the penalties for failure.  Supervisors and managers were responsible for assuring compliance – they actually supervised and managed.  This was the very concept and essence of ORDER.

In those days, there was far less opportunity for internal security problems within a business organization because there was a defined system of checks and balances, and there were people in place to assure that the system functioned properly and successfully.  The thought and belief was “Even if Big Brother (i.e., Security) was not watching, my boss was.”  I had to perform and behave, or I’d be gone.

Today, that scenario does not exist.  Everybody does everything, so nothing really gets done thoroughly or correctly (another true adage:  “When everyone is responsible, no one is responsible”).  Executives don’t have time to formulate sound goals and strategies because they’re too busy and worried about what is now the end-all and be-all of business: next week’s profits.  So management muddles along, trying to support the executives’ “goal” of next week’s profits.  And the employees do whatever their job-of-the-day happens to be.  EVERYONE gets frustrated.  There is NO sound management or supervision.  So there is lots of time and opportunity to devise devious schemes for “getting my fair share” and doing things in the easiest, simplest way possible, which results in errors and mistakes and an I-don’t-care attitude.   This is the very concept and essence of CHAOS.

Some organizations still focus primarily on “old” security ideas like preventing, mitigating and managing external problems.  But that is because there was a time when focusing on external problems (like theft, trespassing, vandalism, bad checks and credit cards, etc.) was pretty much the sole extent and focus of the security function because there just weren’t that many other issues for Security to be concerned about, because when there was ORDER the internal systems worked and resulted in efficiency, correctness…and low levels of loss.

But now in the land of CHAOS there are many more things to be concerned about in terms of protecting an organization, many (most?) of which are internal, because Security has been charged with cleaning up the mess created by the broken systems that were broken by someone else.  And in order to fix this pervasive problem, we have to first repair the broken windows before we can make sure that they don’t get broken again.

Oh for the simple life of the past……

Friday, July 13, 2012

Value of a Diverse Background

When selecting an organizational security executive, an independent security consultant or a security expert witness, the nature and diversity of the individual’s background should be given thoughtful and careful consideration.

In general, security professionals should have practical rather than (or at least in addition to) theoretical experience. While a knowledge of security concepts and theories is helpful and necessary, it is generally more valuable for a person who will manage or review security operations to have “…been there, done that.” In other words, a professional who has actually worked with the principles he is expected to administer or review (a practitioner) generally brings a more comprehensive perspective than someone who has only studied the principles in theory (a researcher or academician).

In addition, many organizations feel that a person with public law enforcement experience will necessarily make a good security executive, but then do not take into account the nature of the law enforcement experience. With the inherent difference between law enforcement and security – a reactive mindset vs. a proactive mindset – it is important to assure that the law enforcement candidate being considered has some practical experience with the kinds of activities most likely to be encountered in the business setting. This concept holds true in the selection of an independent consultant or expert witness.

As an example, my professional background is unique because it brings a practical knowledge of my field from 3 distinct perspectives: I have served as a Director of Security for 3 organizations, assessing security needs from a subjective standpoint, developing, implementing and managing security programs; I have served as an independent Security Consultant to a wide variety of private and public sector organizations assessing security needs from an objective standpoint, recommending strategies for risk mitigation; and I regularly serve as a court-recognized Security Expert, evaluating adequacy and sufficiency of security programs and operations from a forensic standpoint.

Diverse experience guarantees both broad knowledge and analytical insight.

Friday, June 15, 2012

Process for Conducting Security Assessments

I don’t believe in using anyone else’s form or template for conducting security assessments – each consultant or manager who conducts such assessments has a unique style coupled with his own knowledge and experience; so, as with many things related to security, a “one-size-fits-all” approach usually doesn’t work. But other groups (such as ASIS International and the Federal protective Service) do have some great ideas, so I have incorporated some of those ideas into the forms and procedures that I personally developed for my own use.

In general, I use several background/ “inventory” forms to generate basic information about the grounds/campus, physical facilities, administrative/operational business components, and policies/procedures of the organization for which I am doing the assessment. I have these filled out to the extent possible by organizational representatives prior to my physical inspections/interviews. I then personally conduct a site inspection (to verify all information developed via the background/ “inventory” forms and to assure that nothing important was overlooked), conduct personal and focus group interviews, and review all relevant policies/procedures for adequacy and sufficiency. Finally, I compile all information along with my analyses and recommendations into a narrative report which is the final work product.

During my career this process, along with my experience in serving as a Court-recognized Expert Witness, has confirmed by belief that every place has to be assessed and analyzed separately and independently to fulfill the legal standard for adequate and sufficient security – namely, reasonable security at a particular place and time, under a particular set of circumstances, based on reasonable foreseeability; and thus my process which combines self-developed tools for gathering information along with objective analysis according to the needs and culture of each particular project assures that my assessments are personalized for each client.

I have been using this process for the past 25+ years, and it has served me well.

Sunday, April 22, 2012

Preparing for Testimony

Practitioners in the security industry may occasionally be called on to provide testimony in some legal proceeding (either a criminal or civil case; during a deposition or at trial; as a fact witness or an expert). While those practitioners who have served as case consultants and/or expert witnesses will probably have had testimony experience, other security personnel may be faced with giving testimony for the first time. Regardless of the inherent knowledge or expertise of a witness, he/she still needs to be credible, effective and persuasive to the Judge and/or jury. To this end, preparation of the witness is very important.

Each attorney has a unique style and strategy and will undoubtedly have an established procedure for prepping witnesses. But here are a few issues that should be considered by anyone preparing to testify:

(1)  One issue that is sometimes overlooked in the preparation of a witness is the fact that he can only respond to the questions asked (a good witness can sometimes find a way to include additional information, but not always). So close collaboration with counsel is very important, not only to prepare for testimony expected during direct examination at trial, but for anticipated cross-examination. There needs to be a clear understanding and agreement of what information needs to be conveyed, the best manner to convey it, and the best manner to counteract aggressive cross examination, including attacks on both personal credibility and the credibility of testimony.

(2)  Even if not specifically demanded in the deposition or trial subpoena, availability of any relevant case materials/files is a good idea. Specific information such as dates, times and/or other technical information is likely to be a subject at issue, so it is better to refer to notes than to give erroneous information which may later be challenged or used to impeach the witness.

(3)  Answering questions “yes” or “no,” or at least as briefly as possible, is always a good idea. But when such a brief answer is not sufficient – such as when additional clarification or expansion is necessary – it is often best not to begin the answer with “yes” or “no” (such as “Yes, but…”) because an experienced attorney may not allow the “but” portion. Rather, it is sometimes better to begin a longer answer with a qualifying statement such as “Unfortunately, that question cannot be answered with a simple ‘yes’ or ‘no’, ” then go on with the full answer.

(4)  It is usually helpful for a witness to be advised of the personality and usual strategies/tactics of the opposing attorney. This helps the witness to better prepare for the demeanor and “personality” of the anticipated proceeding (for example, knowing that a particular attorney focuses just as much on the witness’s background as he does on specific case issues). Knowing what to expect from a particular attorney is a great asset for testimony preparation.

(5)  A witnesses should pause briefly before giving any answer, to allow his attorney the opportunity to object before potentially damaging or unnecessary information is inadvertently given.

Testifying in any legal proceeding is often a stressful and challenging ordeal. So having as much information as possible about what to expect, and being as prepared as possible, goes a long way towards doing a thorough, competent and professional job.

Tuesday, March 06, 2012

"Absolute" vs. "Perfect" Security

“Absolute security” and “perfect security” are not one and the same – the terms are not synonymous. And let’s be clear from the outset: There is no absolute security; and while perfect security may be hypothetically possible at any given moment in time, long-term perfect security is also not possible.

First, some working definitions: Absolute security is the theoretical state of total, complete and unqualified protection and safety of a given asset (some specific person, place or thing, including intellectual “things”). Perfect security is the practical state of utilizing the most appropriate security measures and strategies for a given asset at a given moment in time to protect against immediate, specific threats. A subtle but important difference.

From another perspective: Absolute security would protect against any conceivable or possible threat at all times. This condition simply cannot exist: No security program or strategy can ever totally assure that assets will not be lost or that a legal challenge to security efficacy will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation, resources and persistence of an attacker; the inexplicable failure of a protective measure at a crucial moment; or even the whims of a jury – the best security measures may sometimes fail or be deemed to be inadequate. Nothing can be done to assure that nothing will ever happen.

On the other hand, perfect security keeps whoever/whatever is being protected safe right now, from whatever threat is occurring right now. This is attainable, albeit for limited periods of time because situations and conditions change constantly and continuously, and that which is adequate and sufficient right now may not be adequate and sufficient in a few minutes or hours or days. The best that can be hoped for – and what those responsible for security should strive for – is to control as many facets of the security strategy as possible for the longest time possible, and to monitor the strategy continually to assure that emerging threats and unanticipated failures can be best and most expediently mitigated.

As with most issues related to security, one should hope for the best while planning for the worst.

Tuesday, January 17, 2012

The Value Of A Security Consultant

Many organizations – even, or perhaps especially those with in-house security operations – frequently fail to recognize the benefits of an occasional security assessment conducted by an outside, independent security consultant.

A security assessment of a business is conducted to identify factors which create potential risk to employees, customers, guests and facilities; to analyze and prioritize those potential risks; to analyze current security countermeasures in relation to the identified risks; and to offer recommendations, ranging from physical security measures to security personnel to security policies and procedures, to prevent and/or mitigate as many potential risks as possible. Many organizations have come to realize the value of an outside, independent, objective security audit process – such a review assures that all issues of potential concern have been identified and addressed.

Smaller businesses which do not have a proprietary security operation rightly utilize their local law enforcement agencies to provide basic protective efforts and believe that such involvement is sufficient for their security planning needs, but that is not necessarily the case – law enforcement agencies focus primarily on problem response and resolution, and rarely have the knowledge or experience to conduct thorough assessments of a business’s total security program which should focus primarily on development of prevention and mitigation strategies. While both components – prevention/mitigation and response/resolution – are essential for a thorough security plan, it is obviously much more beneficial to prevent problems whenever possible. So inclusion of the expertise of a security professional is something that should be considered. And in organizations that already have a proprietary security program, an occasional independent security assessment provides a fresh perspective to processes routinely managed by persons who may be too close to the situation to see it clearly and completely.

A security review of any business or security program by a totally independent security consultant, with no affiliations with equipment or personnel providers, can be invaluable in assuring that all security concerns have been identified and addressed in an objective manner, with recommendations geared to the particular needs and circumstances of a specific business.