Why Security Fails

The questions often arise after a serious loss or act of violence, "What more could we have done?" "Why did it happen to us?"  "We never thought it would happen here." 

I've worked with dozens of organizations following major acts of violence and other significant losses, including sixteen hospitals and clinics following deaths by shootings or stabbings, as well as served as expert witness in litigations where security and workplace violence programs are under question. 

The following are some of the reasons why I’ve seen security programs fall short:

The Boss Doesn't Get It   Management and the administration at varying levels, including the highest, may think of Security as a necessary evil or nonproductive expense. It may take an Act of Congress to get another security officer or camera. The Security program is among the least of priorities until the Big One happens and then it rises to the top for a short while.

In fact, more than half of my clients are competent and knowledgeable Security Directors and Managers who know what they need but can't always get the Executive Committee, or even Board, to listen or understand. You're not always seen as a prophet in your own village.

When I interview client CEO’s I use this argument to further justify the cost (and wages) of the security officers: Murphy’s Law states that the major Crisis won’t happen at 3 PM when all the decision makers are present, but at 3 AM when they’re asleep. Then who makes those essential decisions in those critical few minutes and who most directly takes action to protect people, assets and reputation? It often will fall to your night shift Supervisor and your security officers. Your reputation and ability to continue doing business will depend on their judgment, dedication and quick decisions.

The Mish Mosh     The physical and procedural Security program has existed for years and is mostly composed of measures and tasks added in response to incidents and losses over the years. Here's a camera installed when some computers were missing. There's a security officer post placed when an intruder tried to get in. The end result is a Mish Mosh of measures accumulated over the years which may not address the real and present risks and vulnerabilities.

The People Are Not Part of the Security and Safety Team  Often, when Security fails, it was not a failing of the Security program or staff but a failing of general employees to take personal responsibility and be protective of each other and their workplace. Doors get propped, strangers are allowed through restricted doors, badges are not worn or shown, suspicious or threatening behavior is not reported, confrontational behavior is escalated, etc., etc. Employees feel that Security is not part of their duties – it’s someone else's job. The most powerful, least costly and most neglected security measure of all is fostering a level of ownership, engagement, involvement, awareness and protectiveness by all employees. They should all know they are essential parts of the Safety and Security Team.

It Couldn't Happen Here  The first thing I almost always hear following active shooter incidents is, "We never thought it would happen here." The assumptions are often made, "It never happened before," "We don't have much crime around here," "None of our people would ever do that," etc., etc.  Violence and other significant losses can and do happen anywhere, even in the nicest neighborhoods and where it never happened before. Perhaps above all else, the most effective Security program is the Proactive and Anticipatory one, far above the Reactive one. See more on that below.

We Don't Really Know What Our True and Present Risks, Vulnerabilities and Threats Are     What harm is most likely to happen to your business or organization?  What can most impact your people, assets, reputation and ability to continue business? What do comparable facilities in your industry do?  How do your area crime rates and trends affect you? How does your history affect what you should be doing? Who or What is most at risk? How do you prevent, mitigate and respond to purposeful harm?  How does your Security program relate with your Human Resources, Risk Management/Legal, Safety, Facilities, Operational and Emergency Planning programs and processes? Is your Security program as cost effective and appropriate as it can be? It is best to periodically conduct comprehensive and objective security and workplace violence risk and vulnerability assessments to reasonably assure your Security and Workplace Violence plans and program are still on-track.

Security is Just Guards, Cameras and Card Readers   I sometimes encounter Security programs that are mostly limited to the traditional measures such as security officers, video, access control, alarms and lighting and little else. While these are usually essential components, they are only pieces of the Security Pie. Sometimes even security managers sell themselves short and focus almost exclusively on those traditional measures. Other measures may include employee training, background screening, fostering employee security awareness, visitor and contractor management, law enforcement liaison, violence mitigation and response processes and tools, threat management and assessment, crime analyses, internal and external communications systems and processes, security and violence vulnerability assessments and analyses, internal reporting channels, worn identification, environmental and facility design, drills and table-top exercises, support of smaller outlying facilities and staff, etc. 

Security should always be creative and innovative. There are few "cookie cutters" in Security. As I like to say, in Security planning there is always more than one way to "skin a cat" depending upon the many variables.

The Horse is Out of the Barn Syndrome  While many law enforcement professionals have moved into Security Management and embraced the concepts of good Security and business essentials, some organizations mistake the primarily reactive nature of law enforcement with the primarily proactive and preventive nature of Security. A Security program focused primarily upon investigations or reacting to incidents is not a true Security program.  While there needs to be a responsive component to a Security program, it is always better to prevent the bad stuff from happening than dealing with the painful and costly after-effects. And key components of that preventive nature is deterrence, or making yourself less attractive as a target and threat management.   

The Shoe Bomber Theorem  Governmental agencies sometimes plan their security measures as reactions to the most recent attack.  We take our shoes off in the airports in reaction to the Shoe Bomber. Again, Security is ideally anticipatory. For example, in security vulnerability assessments we determine what, in addition to people, are our most critical assets. What of those could be the most likely or vulnerable targets?  How might someone most likely compromise those assets, including our reputation and ability to continue doing business? And do our current and planned physical and procedural security measures truly prevent and mitigate those risks and threats?

Security Does Not Reflect or Support our Special Culture and Values  When I interview CEO's and presidents I sometimes hear the perception and concern that Security measures interfere with the customer centric, welcoming and family friendly culture. "We don't need a Police State/Fort Knox here."  But the truth is that a well-planned and implemented Security program will support and reflect that welcoming, customer and family satisfaction and service oriented and respectful culture and values. In fact, where I see a high level of civil and respectful management and leadership as well as a strong culture of customer service and satisfaction I usually see a safe and secure facility.  The most powerful five words in Security are, "How may I help you?" This is especially important nowadays with the increase, magnified by the pandemic, in disrespectful, confrontational, threatening and even violent behavior by much of the public. How can we create a culture and environment in which such behavior is clearly unsuitable?

Dilution   When I perform security and workplace violence assessments I look carefully at the range of tasks assigned to the security managers and officers. I often find that many ancillary, often non-security, tasks have been “dumped” on the officers over the years including, in the case of healthcare, off-site errands, morgue duty, patient observations, shoveling snow, parking enforcement, shuttling, etc. One medical center had six officers on duty at any time, but I found and reported that they only had two true security officers because of the diluting effect of the ancillary tasks. Over the years I’ve learned that most employees expect four things from their security officers: Competence, Visibility, Engagement and Responsiveness. Visibility and responsiveness often suffer with the non-security tasks, and ultimately there is less security than administrators may believe.

Security Misunderstood    Too often the security program and staff are seriously misperceived by management and employees. “Why don’t they have guns? – They’re useless without guns.” “Do we really need security? Nothing really happens here.” “We don’t need guards, we need police officers.” “Their police look scares away customers.” Frequently this reflects a need for better education of stakeholders and a more collaborative approach by security leadership. The average employee and manager will confuse security with law enforcement and need to understand the differing roles and values. On a related note, it can be problematic if the security department reports to a manager who does not understand or appreciate the program and its concepts.

Metrics    Security, like any business process and department, should be measured to objectively determine performance and value. Without such measurements, decisions on the program are little more than guesswork and budgets are far more difficult to justify. Such measures can include tracking of related incidents and responses, training, retention, staff reporting, etc., etc.

Siloism  Every organization has its politics, but sometimes things are so siloed that little gets done. If Security falls within a silo that’s not on the upswing, there may be suffering. The security department, being in one silo, may face challenges supporting and influencing other silos. I’ve seen separate siloes within a security department which weakened the overall program. Because Workplace Violence Programs touch various functions, it is not unusual for other departments to create their own WPV policies and plans. Therefore I often recommend that the healthcare system fall under centralized security leadership and that the workplace violence program development and management fall under a multi-disciplinary committee that could include at least Human Resources/Employee Relations, Operations, Security, Safety, Risk/Legal and Corporate Communications.   

____________________________________________________________

Dick Sem, CPP is President of Sem Security Management based in Wisconsin. He provides workplace violence and healthcare security consulting services to organizations across North America. He has fifty years’ security management and workplace violence leadership experience and served thirty organizations following shootings and stabbings and derived lessons learned. 

Dick Sem, CPP

President

Sem Security Management

Burlington, WI

262-862-6786

[email protected]

www.Semsecurity.com