|
After 30+ years as a security practitioner and after having reviewed hundreds of security and loss prevention programs, I find a great deal of disparity in the quality of those programs from marginal to excellent. As both a security consultant and as a forensic security expert, I am often puzzled as to how the security program evolved to the point it is at when I find it. In some cases it is apparent that the evolution has been the result of a logical linear process. In other cases the process seems less clear and it often appears that the program has been generally crisis management driven.
When one begins the process of determining how the security program has evolved to the point that it has, the picture is not always clear. However it can be said that in a majority of the cases, we find that security programs are front-end driven.
What do we mean by "front-end driven?"
Let me give some examples of front-end driven decisions. As we undertake the security assessment of a hospital, for example, we note the use of closed circuit television cameras throughout the facility. When we try to determine the decision process behind the placement of each camera, we are told, "we want to watch the front door" or "we want to watch the loading dock" or "we want to watch the pharmacy." We also often find that these CCTV images are not actually being watched by anyone, live, 24 X 7. Cameras providing surveillance of common areas such as hallways, parking lots and walkways that are not being watched by a security officer may potentially increase liability.
Many of the facilities we consult with use access control cards to largely control ingress to certain doors. We are told that the security department wants to track who accesses any door as well as the date and time they gain entry. Yet, 80% to 90% of all employees can access 80% to 90% of all the access controlled doors. In about 98% of the cases there is no restriction for the time or day that access is granted. In hospitals access is more usually tightly controlled for doctor lounges, the C-Suite, the pharmacy, the business office and labor & delivery, including nurseries. With non medical facilities there are far fewer restrictions unless mandated by regulatory agencies such as DOD and NRC.
The rhetorical question I would like to pose, for consideration, is prior to deciding where to place a camera, a card reader, a cipher lock, a floodlight or a barrier is: What is the outcome this action is likely to produce? The best way to avoid the pitfalls of the law of unintended consequences is to consider the outcome you want produce before you make the decision to go forward. It is all too easy to get caught up, when applying technology, to make unsubstantiated decisions regarding the benefits of applying a particular technology or procedure. How often have we all heard the utterance, in the wake of a theft, "we need a camera." The comment implicitly assumes that a CCTV camera, in of itself, would have prevented the theft. Cameras that are not monitored have diminished deterrent value.
Let me give you an example that turns this assumption upside down: Several years ago when conducting a security assessment for a large healthcare facility. I noted an auto-pan camera mounted on the roof of the hospital that was ostensibly surveilling surface parking lots. Despite the use of this camera (remember it was an auto pan camera) theft from vehicles was not abated. I proceeded to determine where the camera was being monitored. I eventually found the monitor in a closet in the basement of the hospital. Obviously, this hospital did not have a control center. One of my recommendations in my final report was that a control center was justified and that an unwatched camera providing surveillance of common areas might be a liability.
Five years passed, when the hospital contacted me and told me it was time for another assessment. When I arrived to proceed with the consultation, I immediately noted the roof mounted auto pan camera was gone. When I met the security manger, I said "I see you didn't get the control center." The manager responded, "How did you know?" I related that the removal of the roof camera was a clue.
Here comes the rule of unintended consequences for the good: The security manager told me that when they took the unwatched camera down, the car break-ins ceased. The only logical explanation was that the bad guys probably thought we hid the camera. Sometimes unintended consequences are for the good.
It is important to remember that security programs, the use of security technology and/or the use of security officers are all about behavior modification. Security cameras and card access systems are intended to modify behaviors ultimately aimed at protecting people and property. The role of security is to anticipate and deter. The success or failure of any security program can be measured, in part, by how well that program changes behaviors. The effectiveness of security devices to positively affect behavior can be greatly enhanced by strong security management, workplace violence prevention programs and robust security awareness programs.
So next time you have a security problem to solve, ask yourself: What will be the intended outcome of my proposed solution? What are the metrics that will support your decision?
Submitted by:
William H. Nesbitt, CPP
President
Security Management Services International, Inc.
805-499-3800
|
