I have found that Security is defined in many ways, and often misunderstood. Most will agree that Security is about the protection of people and assets. Many will see Security as primarily a proactive discipline dedicated to the effective prevention of losses, threats and other compromises; with a response component to properly react to and mitigate the short and long-term harm of actual loss incidents.
Furthermore, Security is often considered that which:
- Provides a reasonably safe place to those who enter and use the facilities, including customers, employees, vendors, students, patients, visitors, tenants, etc.
- Reasonably minimizes risks of security-related litigations and negative publicity
- Adequately deters and monitors those who may wish to do harm
- Prudently and effectively responds to the actions of intruders, thieves and other wrongdoers
- Fosters a feeling of safety and security among those who legitimately use the facility
- Maintains a level of awareness, ownership and integrity among employees
- Reduces shrinkage and increases profitability by reducing losses
- Addresses governmental and/or industry-specific security procedures and systems
- Provides a degree of protection without excessive cost or disruption
While there can never be a guarantee that there will be no losses or attacks, good security planning, implementation and management can substantially reduce the likelihood that a particular firm or organization will be a victim. Likewise, good security can go far toward mitigating or minimizing the harm caused by a loss incident. Loss incidents can include thefts, violence and threats, sabotage, intrusion/trespassing, terrorist attack, bomb threats, contamination, counterfeiting, activist actions, labor disruption, abduction, loss or compromise of information, arson, etc.
It is important to understand the concept of Deterrence. Deterrence essentially involves making your facility, people and assets less attractive as targets. Adding even a small chance of being seen, apprehended or otherwise interfered with will go far toward deterring most would-be wrongdoers. The example I use is, if your house has a dog that barks, lights in the yard and deadbolt locks on the doors, and your neighbor's home has none of those measures, and I am a burglar, which home will I attack? Your particular types and degrees of deterrence measures will depend upon your own risks, vulnerabilities, threats, location and history.
On the reactive/response side, I often see organizations that had fairly robust and comprehensive emergency and crisis response plans and procedures for the accidental sort of emergencies such as natural disasters, fires, spills, floods, etc., but did relatively little for the purposeful or man-made emergencies and crises such as workplace violence, bomb threats, terrorist attack, civil or labor disruption, sabotage, contamination, abduction, etc.
Security, then, is ideally about:
Balance: In most facilities there is a fine balance between, on one side, an appropriate level of control and protection and, on the other, a reasonable degree of accessibility, convenience, and flow. The challenge is to achieve a workable and effective balance between apparently conflicting priorities and needs.
Another aspect of balance is that a good security program should be a balance of physical and procedural countermeasures. If your program is composed mostly of physical measures such as cameras, card readers, security officers, locks, etc.; and procedural measures such as security policies and procedures, awareness training/communications, workplace violence process, background screening, etc. are weak or lacking; then your program is not balanced.
Perception: No matter how extensive and comprehensive your security program is, if people perceive they are not safe or secure then something may need to be adjusted. See "Ownership" below. Cost Effectiveness There can be a point where physical security can become prohibitively costly and disruptive. Firms and organizations should determine what their most significant risks are and focus upon those.
Rationalization and Justification: We, as humans, rationalize readily, and that must be considered in your security planning. The good people, for example, will fail to speak up or act by thinking, "It's not my job," "I'll get in trouble by speaking up," or "Maybe I'm overreacting." Potential wrongdoers may think, "Everybody does it," "He/they have it coming," "The company won't miss it," or "My cause outweighs the safety and lives of others."
Synergy: Many security programs are fairly random blends of physical and procedural measures that were implemented in response to incidents and losses. Often the result is a program that doesn't address the true risks, vulnerabilities and threats. Ideally, a security program should be a synergistic and strategically planned whole in which all measures, both physical and procedural, logically complement and support each other in protecting people, assets, value and reputation.
Risk: Risk is essentially vulnerability as a function of criticality, or, how probable or likely is a loss or compromise incident to happen, against how serious to the organization will be the incident if it occurs. The more serious and likely the incident is, the more focus should be placed upon its prevention and response. On the other hand, potential incidents that, while highly unlikely to happen, could be catastrophic if they did occur (e.g. terrorist attack, infant or child abduction, major sabotage or contamination, etc.) may deserve some level of planning and preventive and response measures.
Escalation: Most wrongdoers don't start out committing the major crime or violation, but tend to start small and, facing little deterrence or consequence, move to more impactful actions. This especially applies to internal theft and workplace/school violence.
Layers: It is usually ideal to design a physical security program by which those who are attempting to do harm must cross at least two layers of protection. Typically, the outer layer is the property perimeter with related countermeasures such as fencing, lights, signs, etc. The middle layer is often the perimeters of the buildings and measures such as doors, windows, locks, card readers, etc. The inner layer is typically internal controls around the particular target or asset such as card readers, cages, etc. Addressing all layers would be CCTV cameras and procedural measures.
Opportunity: Most criminals and those who wish to do harm, and even terrorists, are opportunists. They typically look for the opportunity that will afford them the best chance to get in and do their harm. They look for the easiest, most approachable and vulnerable target. That reinforces the importance of deterrence and hardening the target.
Ownership: I have found that, in most businesses and organizations, employees, and even entire departments, make the assumption that security is the responsibility of others. There is little sense of ownership, of duty to be protective of one's workplace and fellow employees. I believe that the most powerful, least costly and most neglected security measure is security awareness, or each employee's sense of protectiveness for and ownership of his or her work area, fellow employees and other people legitimately in the workplace.
The bottom line is that security, if well planned and implemented, does work and can be much more than the "necessary evil" or "non-productive expense." A well conceived and managed security program can add substantially to an organization's reputation, value, morale and productivity.
