It’s not enough to conduct a security assessment of your facility without acting on the results. Having the data about security gaps, equipment needs, and policy updates is only half the battle; you’ll often need to convince senior management as to the validity of your report and the need to implement the most critical priorities.
Site assessment reports should serve as a description of a “moment in time,” meaning that changes may have taken place to the security posture since the review, and they will certainly take place as other future building improvements or policy changes occur.
A site security survey report is not a predictor of future crimes, threats, or violence; it should serve as a current and future road map for the safety of the stakeholders and occupants of the facilities. Too often, we trade security for convenience and cost containment over peace of mind. We are either driven by events that force us into action or when nothing bad has happened over a substantial period of time, we create the false sense that there are no security problems. This concept, called the “Myth of No Past Problems” by Hollywood security consultant and author Gavin de Becker, is flawed because we aren’t predicting what will happen today based on whether or not anything bad happened yesterday. A balance between under-reaction and over-reaction, as discussed in the report, for all issues related to safety and security is prudent and possible.
Based on an assessment of the current level of security, the report should suggest both general, specific, and site-focused improvements as potential options. Note that these are not listed in any specific order; we shouldn’t create a higher need for one security option over another; each is worthy of discussion and possible implementation, but each must be weighed with these four factors: the agreed need, the feasibility, the cost, and the fit into the current organizational culture. If the employees won’t wear ID badges and it’s not stressed by management as an important part of the culture, that suggested change will not go forward. Not every single security option must be put into place or practice in order to improve the overall sense of security and safety at the location. But that also doesn’t mean that just because an event has not happened before, the security idea is not valid for the future.
One obstacle to implementing the suggestions found in a security assessment report may come from the company’s legal advisors. There is a perception that the contents of the report somehow “puts us on notice” for any security gaps, recommended new equipment, or missing policies or procedures. Every organization with employees, visitors, vendors, customer, clients, students, patients, and taxpayers is already at a high liability position, each day it opens its doors. As an example, on average, Disneyland in Anaheim, CA, and Disneyworld in Orlando, FL, have a serious-injury accident involving paramedics taking a park visitor to the hospital, every day. Those theme parks don’t close down; they recognize their risks and manage them through vigilance, employee training, insurance, and risk management protocols. Better to be forewarned about potential security problems and demonstrate due diligence toward fixing them, than to wait for a breach or event.
Most site security assessments created by outside security vendors tend to be long on capital equipment improvements and short on the reasons for those often expensive purchases. “Put in more cameras and alarm systems” is the usual response from security vendors who provide these reports. Not surprisingly, since their goal is to sell and install more equipment, their reports tend to suggest physical improvements almost exclusively.
However, physical security equipment installations and suggested improvements can create an economic model that senior management will not approve or fund. The report should focus on solving the obvious and more covert security problems from both a physical equipment and a “psychological self-defense” perspective. What can we fix by creating new policies (“Always keep these doors locked.”) or more employee awareness training (“Pay attention to any strangers who photograph or videotape our properties, buildings, or perimeters.”) instead of just buying equipment? Since security is a human–driven issue, the solutions often come from training employees to pay attention to their intuition, helping them know when to notify the facility stakeholders, and having the courage to tell the security professionals when there are safety and security issues that need addressing.