Strategic Security and the Facilities Manager

Mar 1, 2004 12:00 PM, By Jim Crumbley


         Subscribe in NewsGator Online   Subscribe in Bloglines

Corporate America has realized the strategic importance of the security function and has taken great pains to fully integrate risk mitigation into business operations. This has occurred because business realizes that reducing risk and controlling loss have a positive effect on the bottom line.

Additionally, the past decade has seen a tremendous flattening of the organizational structure with many facility managers taking on responsibility for security operations. Managers who were previously responsible for one area now have management oversight of two to three areas and more. While a manager might have previously overseen a department that fell within his or her core of expertise, he now has responsibility for areas about which he has little, if any, professional knowledge and experience. This lack of experience can create problems. To offer assistance, this article will define strategic security, explain the concept of layered security and trends analysis, outline the role of security focus teams, and review the benefits and strategies of working with consultants.

What is strategic security?

Security is often seen as a necessary evil. In many organizations, the security department acts as a gofer. Security is used to “go for this and go for that.” But is this an effective use of security manpower? If security officers are off campus on a run or delivering mail or supplies, security is not patrolling and otherwise fulfilling its basic roles.

These basic roles include, but are not limited to:

  • Service — Security is often the first face seen on campus. They provide directions, assistance and can create a lasting positive — or negative — impression;

  • Prevention of Incidents — The primary difference between security and law enforcement is the fact that security is proactive in nature while law enforcement is reactive. Many administrators make the unfortunate mistake of viewing security as “glorified cops.” If there is not an incident, many think that security has little do. As a result, security's time is filled so that they are at least perceived as being productive. However, through posting, patrols, education, and controlling access, security prevents many incidents from occurring. While difficult to quantify, the tested truth is that security can play a key role in reducing liability; and

  • Crisis Response — While security's primary role is proactive they still must maintain a readiness to respond to a crisis. Crisis response includes thefts, threats, assaults, and both man-made and natural disasters. Additionally, in this era of heightened terrorism concern, security should play a key role in preparing for acts of terror.

By combining three roles together, the security department evolves from a traditional security role to a strategic role. To be strategic implies a deliberate effort to integrate security into daily business operations. Security should be involved in risk management, supply control, emergency preparedness, workplace violence prevention and intervention, safety and investigations.

How much security is enough?

While strategic security provides an actual return on investment (ROI), the fact remains that a budget has to be set. To set the budget, a manager has to determine how much security is necessary to protect the facility. A manager needs to conduct a risk assessment and understand the concept of layered security and its components.

Layered security

Security is layered like an onion. Each layer peeled away reveals yet another layer. Risk constantly pushes against these layers looking for vulnerabilities. If risk, whether the criminal element or some type of crisis, makes it through one layer, the model places another roadblock in its path.

Layered security works from the outside in. The asset being protected is at the center of the layers. Typical layers include:

Perimeter — Perimeter protection should deter or prevent those with criminal intent from entering the campus;

Exterior — The exterior layer typically includes the parking area, walkways, and access points into a facility;

Interior — Interior security consists of compartmentalizing departments and areas according to their security sensitivity; and

Procedural — The procedural layer involves, as a whole, the security management plan and specific departmental policies.

Each layer has one of more components. Some of these components consist of:

People — Personnel should be the first and most important component of every layer. The people component includes security personnel as well as vigilant staff, volunteers, and even visitors.

Technology — To include CCTV, duress alarms, access control, communication and other devices.

Perimeter Barriers — Patrols, fencing, shrubbery, sidewalks, access control, and other physical and psychological barriers.

Exterior Barriers — Patrols, doors, windows, locks, lighting and reception stations.

Interior Barriers — Patrols, departmental compartmentalization, asset protection and office security.

Security Awareness — Focused security awareness programs modeled after crime prevention and community-based policing.

Management Oversight — Being involved and seeking feedback, and proactively checking for program implementation and effectiveness.

Every layer of security has associated costs. If looking to determine the suitability of a security program and develop a budget plan, the manager should first look at the layers of security beginning with the perimeter of the campus and working the way in. Asset or assets to be protected must be defined.

Assessing vulnerability

Conducting a risk assessment is a three-phased exercise that involves defining the criticality and vulnerability of the asset being protected and the probability of a loss. While most assets can be viewed as a whole, consideration within this exercise has to determine when an asset is best viewed independently of others. Some assets, such as people, proprietary information, and electronic equipment, are more critical and deserve a more thorough review of their individual vulnerability. Determining criticality and vulnerability are relatively straightforward missions. The concept of probability can be more difficult to determine.

Probability is a matter of an experienced review of trends. To conduct a trend analysis requires collection of data from a variety of public and private sources. The key to assessing this data is to begin locally, at the facility, and proceed to national trends. It is important to note that there is no way to accurately predict an incident. The manager's goal should be to look for trends that might identify an increasing probability of a particular risk. By using focus teams, discussed below, the manager can identify risks more readily.

The following guide can be used to as a tool to determine the probability of a security incident.

  • Campus — Review incident report trends for at least 18 months. It is helpful to create a graph looking at incident types, days, times, and actual losses. It is also a good idea to question staff and physicians for information involving incidents that might not have been reported through official channels. An anonymous survey form can be an excellent means for obtaining previously unreported security information.

  • Area and City — Review crime data from local law enforcement for the surrounding neighborhood and city. If this data is not readily available, an alternative is to review crime data from private sources. CAP Index (www.capindex.com) can provide organizations with a detailed violent crime report for a particular address. The report includes a color-coded map and risk score.

  • Industry — Associations often provide information that can be used to quantify the probable risk associated with a particular facility by studying national trends.

  • Screening Procedures — How is hiring conducted? Are employees screened for criminal records and drug use? Are vendors controlled and contractors screened at the same level as employees? Each negative response to these and similar questions increases both the risk and probability of a security incident.

How can focus teams help?

Security, by its very nature, is intrusive and expensive. The best way to reduce the negative attributes of a security program is to involve staff in the process of developing and reviewing a security management plan. A focus team is also a key tool in identifying risks and their probability.

One only has to imagine the problems associated with implementing a comprehensive access control upgrade without carefully studying the impact on a department's operation. Through the development of a security focus team, management will better understand the security challenges faced by the institution, can more accurately gauge the impact of security upgrades, and, through creative brainstorming, look for alternatives.

Here are some rules for a successful focus team:

  1. Risk environments are fluid and the team must adapt to changing circumstances

  2. Include line staff as well as management

  3. Encourage free flowing creativity and a safe environment

  4. Comments and conversations should remain confidential

  5. Start by identifying and defining the assets to be protected

  6. Bring in outside experts

  7. Report to the safety committee

  8. Conduct walking tours of problem areas

  9. Meet at least quarterly

  10. Divide the campus into four zones and review a different zone each quarter

  11. Any attempt to reduce the risk must be ongoing

GOOD ADVICE

Choosing a Security Consultant

Security consultants are valuable assets that are often overlooked. An experienced security consultant can be an effective resource in reducing risk. Consultants bring the experience of other organizations to the door, are better suited to see the big picture, and often provide a variety of cost-effective options designed to reduce risk.

While the benefits of using a consultant are many, the questions remain of how to choose and work with a consultant.

Choosing and working with a consultant:

  • Look for someone with specific experience in an industry. A consultant with little or no experience in a specific environment, no matter their level of qualification and experience, will have a difficult time developing sound recommendations for enhancing security.

  • Look for someone who has managed a departmental budget. A consultant should understand that budgets are tight and that creativity, not just money, should be used as a tool to reduce risk.

  • Interview a consultant and check references thoroughly.

  • The consultant should work well with teams and have a philosophy of involving staff in the consultation project.

  • Look for a report that will outline not only findings and recommendations but also the rationale for these recommendations. These reports can be an effective tool when it comes to allocating security funding.

RISK ASSESSMENT

Criticality

  • Asset Protection
  • People Protection
  • Liability Protection
  • Reputation Protection

Vulnerability

  • Exposure Levels

Probability

  • Industry Trends
  • National Trends
  • Historical Trends

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

Today's New Product

Product 1 Image

B.I.G. Parking Control/Guard Booth

Manufactured for Louisiana State University, The Estate parking control/guard booth from B.I.G. Enterprises was built to strict hurricane codes due to Hurricane Katrina. The booth features a copper standing seam roof, gutters and downspouts. It comes factory-prepared for on-site installation of architectural brick and has extensive electrical, high-output HVAC, data and communication lines, shelves and cabinets.

To read more...


Govt Security

Cover

SUBSCRIBE

This month in Access Control

Popular Stories

Quick Links

Webinar

Mass Notification Systems

Join AC&SS and ADT as they discuss the crucial role of mass notification systems before, during, and after emergency situations.
March 26 at 2pm ET

Register Now!

Back to Top