Step one is knowing what it is we are securing against. You might be surprised how many security personnel are not familiar with the security mission of the place or people they are meant to protect. Understanding the threat begins with understanding the adversary. Think like the adversary and from there derive the likely targets, methods of operation, the related indicators for your protected environment. Among other things, adversarial thinking provides a context for not just understanding but fully assimilating the security mission.
MAKE IT PERSONAL
When the consequences of inadequate security are personal, we are much more apt to pay attention. If our own home or family is at stake, we engage fully and do whatever it takes to defend our territory. It’s natural human behavior. If a security vulnerability is identified in a way that is very real, like as the result of a red team or penetration testing, and the vulnerability is in our purview, again – it’s personal. That is a good thing. As employees, we understand that it’s up to us individually to act directly in support of the security of our workplace. For security officers, they too must act as though they are guarding their own homes, for the security to really be top notch.
LIABILITY CAN GO BOTH WAYS
The biggest liability is lack of common sense. This holds true whether we are talking about the home front or a corporation. Ask two lawyers if you should put a given security measure in place. The first will have an argument supporting the measure, the second would have an argument against. Both attorneys would cite legal liability as the issue. Let’s say for example, a thug is beating someone up in view of your security officer. Is observe and report really what we want the officer to do? Yet Observe and Report is supposed to help avoid liability. But in many cases, it just does not meet the common sense test. After all, the stated duty of the officer is to secure and protect. What would a jury of his peers conclude as to whether he should have made the decision to take action or, remain passive?
CRYSTAL CLEAR PROCEDURES
With good intentions, sometimes instructions given employees and security personnel alike are just too vague. The See Something, Say Something campaign while perhaps a step in the right direction, is so broad as to almost render it meaningless. What are we looking to see and when we do, who are we supposed to tell? Better that everyone knows to look for the suspicion indicators A, B and C that refer to methods of operation X, Y and Z. That instruction is concrete and, has context.
Another example are the directions often given for active shooter scenarios. We are supposed to duck and hide or go into lock down. Well, that may not be the best way to go. The primary objective should be to get the heck away from the threat and buy time. And if you can’t get away, then you had better fight.
As for dealing with internal threats, the best way by far is to maintain a strong community. What does that mean? In a good working human environment, there is less insider threat because employees are less prone to grievances. They have a feeling of belonging to a group and are responsible to it. If there is a bad apple, in a close knit group the apple is easier to detect and their actions reported. Consider that there are fewer active shooter incidents at private schools versus public ones. The distinction is that private schools (in part by virtue of being smaller) tend to emphasize and nurture a sense of community. Statistically speaking, the most successful way to identify insider threat is through tips, confidential information provided by insiders.
SECURITY LIKE SAFETY
We take Safety seriously and give it priority. Mechanical components are inspected. Measures are taken to prevent accidents. Response to safety incidents is immediate and serious. Signs read “Safety First”. Why not treat security the same way we treat safety? Too often instead, security is the poor relation – poorly funded and viewed as less important.
Security operations are not a profit center. Security is an overhead cost that operations managers are forever having to justify. Yet, effective security has many positive externalities. It can result in secondary benefits to third parties. For example, posting security at an office building during evening hours may result in female employees feeling more comfortable or secure working at the office later. Customers in times of heightened risk – a string of store robberies in their neighborhood – may well choose to frequent retailers with security in place, versus not.