Security Culture needs a Change. Now, More Than Ever
You may not be an expert in noticing this, but in my ‘professional preaching’ I reiterate that classic security and risk management programs and solutions do not work. A hybrid and proactive approach works. Working in the Middle East and Africa I have seen private security officers – perhaps out of habit or lack of innovation -- follow the same threat-based methodology. Customers resist to accept change. It is as if the logic that: ‘It has worked for decades; why would it not work now?’ is cemented in stone.
Our teams actively seek engagement. And the notion of engagement isn’t only about responding to an event, but also about being engaged against potential threats with the goal of deterring them. Security personnel should not be hanging around waiting for something to happen, but rather actively hunting for threat indicators.
It is expected that even a security officer makes assessments and decisions in the field, on the fly. They are expected to act autonomously. There is no request for authorization. They understand the job can be dangerous. There is no hierarchy that requires the officer to work up a chain of command. The officer is in command in the field.
This freedom allows them to engage versus being constrained by a policy of observe and report. When situations demand response, security officers trained not to pause but to pounce, run at full speed toward the problem.
Six Changes Needed to Be Done in Security Culture
1. THINK LIKE YOUR ENEMY
Step one is knowing what it is we are securing against. You might be surprised how many security personnel are not familiar with the security mission of the place or people they are meant to protect. Understanding the threat begins with understanding the adversary. Think like the adversary and from there derive the likely targets, methods of operation, the related indicators for your protected environment. Among other things, adversarial thinking provides a context for not just understanding but fully assimilating the security mission.
2. ACT AS IF YOUR FAMILY WAS INVOLVED
When the consequences of inadequate security are personal, we are much more apt to pay attention. If our own home or family is at stake, we engage fully and do whatever it takes to defend our territory. It’s natural human behavior. As employees, we understand that it’s up to us individually to act directly in support of the security of our workplace. For security officers, they too must act as though they are guarding their own homes, for the security to really be top-notch.
3. MAKE A COMMON-SENSE TEST
The biggest liability is lack of common sense. This holds true whether we are talking about the home front or a corporation. Ask two lawyers if you should put a given security measure in place. The first will have an argument supporting the measure, the second would have an argument against. Both attorneys would cite legal liability as the issue. Let’s say for example, a thug is beating someone up in view of your security officer. Is observe and report really what we want the officer to do? Yet Observe and Report is supposed to help avoid liability. But in many cases, it just does not meet the common-sense test. After all, the stated duty of the officer is to secure and protect. What would a jury of his peers conclude as to whether he should have made the decision to take action or, remain passive?
4. BE CLEAR AND ACTIONABLE
Despite good intentions, sometimes instructions given to employees and security personnel, alike, are just too vague. The See Something, Say Something campaign, while is perhaps a step in the right direction, is so broad as to almost render it meaningless. What are we looking to see and when we do, who are we supposed to tell? Better that everyone knows to look for the suspicion indicators A, B and C that refer to methods of operation X, Y and Z. That instruction is concrete and, has context.
Another example are the directions often given for active shooter scenarios. We are supposed to duck and hide or go into lock down. Well, that may not be the best way to go. The primary objective should be to get the heck away from the threat and buy time. And if you can’t get away, then you better fight.
5. COMMUNITY IS YOUR BEST INTEL
As for dealing with internal threats, the best way by far is to maintain a strong community. What does that mean? In a good working human environment, there is less insider threat because employees are less prone to grievances. They have a feeling of belonging to a group and are responsible to it. If there is a bad apple, in a close-knit group the apple is easier to detect and their actions reported. Consider that there are fewer active shooter incidents at private schools versus public ones. The distinction is that private schools (in part by virtue of being smaller) tend to emphasize and nurture a sense of community. Statistically speaking, the most successful way to identify insider threat is through tips, confidential information provided by insiders.
6. MAKE SAFETY FIRST ONLY IF SECURITY IS PRIMARY
We take safety seriously and give it priority; the mechanical components to ensure safety are inspected and measures are taken to prevent accidents, and our response to safety incidents is immediate and serious. In this case, most signs read “Safety First”. Why not treat security the same way that we treat safety? Too often instead, security is the poor relation – poorly funded and viewed as less important.
CONCLUSION
Once you change your security provider, and thus a security culture, you may feel like changing a doctor. Instead of prescriptions being the only solution – and let’s prescribe more just to cover our back – you get a different approach: someone who does not look at symptoms, but roots of problems; someone who does not see you from his specialization only, but accepts you as a complex human being; someone who looks at the family anamnesis; someone who knows that prevention is better than firefighting the most painful troubles. Now you are facing the basic question to ask yourself: Do you only want to have your back covered against lawyers, insurers and bad PR, or do you want to stay secured?
