Use your imagination and picture two shopping malls across the street from one another, one on the left and one on the right. Or if you prefer, picture two apartment complexes across the street for one another, one on the left and one on the right.

Let’s assume that the property on the left side of the street is not well kept. There are a few broken windows, there is trash blowing about the parking lot some of the exterior lights are burned out. Let’s also assume that the property on the right side of the street is clean, it is well lit and burned out lights and broken windows are immediately repaired. The property is well landscapes and bushes are regularly trimmed.

Security is not just about guards, CCTV and alarm systems. It is also about behavior modification, security awareness programs and good housekeeping. If a warehouse or property looks unkempt and is poorly maintained, the odds are that crime will increase, both internally and externally. The disheveled storeroom sends the message that: “If you steal something from here it will go undetected.” Good housekeeping as a security device may also be applied to landscaping, lighting and graffiti eradication programs.

At Security Management Services International (SMSI) we often suggest to our clients that these CPTED (Crime Prevention through Environmental Design) principals should be applied early in the security program enhancement process, in part, because many of these remedies do not come with a big price tag. The application of CPTED principals will positively enhance the deterrent impact of more traditional approaches such as surveillance systems, access control systems and uniform security officers. In fact, in the absence of the techniques, the application of more traditional security methodologies will actually be diminished.

William H. Nesbitt, CPP

President

Security Management Services International, Inc.

When security challenges turn up, how do you decide what mitigation strategy to apply? How do you decide how much of one remedy to apply as opposed to an alternative remedy? When you uncover threats, how do you know how serious the threat is on a scale of one to ten? What is the predicate on which your security budget is based upon and what is the targeted return on investment for that budget commitment?

The answers are that security decisions must be data driven. This means that risks and threats must be quantified in a manner that expresses the probability of occurrence. Proposed mitigation strategies must be framed in quantitative terms that define risk reduction. Back in the old days, one of the measures retailers applied to measuring the effectiveness of their theft abatement program was to compute the total dollar value of recovered merchandise through the shoplifter apprehension program. I remember hearing a retail security director proudly telling me that he had increased his recoverables by more than 15% over the previous year. However, it is very likely that this number was an expression of increased thefts and a reflection of a failed theft prevention program.

The point is, with a little creative thinking, those charged with making security decisions must do so predicated on factual data, and more importantly, a combination of data. Going forward, it is important to track the effectiveness of your program and to have the capacity to apply analytics to that data.

This process should be embodied in as many decisions as possible. If your company is contemplating hiring a contract guard service, will you be looking for the lowest bidder? That may or may not be an acceptable criterion. If the guard company you hired performs in a negligent manner and your company is on the losing end of a multi-million dollar lawsuit, maybe the low bid decision isn’t the best way to go.

When doing business with any security vendor, you should be trying to determine which vendor with provide your organization with the best value, not necessarily the best price. This means that you must develop a multidimensional matrix that allows you to score each vendor on a set of common criteria. Consider this: It may be that the vendor with the highest price provides the highest return on investment.

At some point in time, an objective baseline security/risk assessment is a must. This is one way to avoid compounding the mistakes of the past. Risk assessment will utilize incident history, police data and data from organizations such as the CAP Index. Moving forward all security activity must be tracked in a manner that facilitates statistical analysis and trend project. The usage of products such as Perspective from PPM 2000 is well advised.

The suggestions mentioned herein are rapidly becoming normative.

 

 

 

 

 

 

 

When one begins the process of determining how the security program has evolved to the point that it has, the picture is not always clear. However it can be said that in a majority of the cases, we find that security programs are front-end driven.

Let me give some examples of front-end driven decisions. Consider the use of CCTV. As we undertake the security assessment of a Shopping Mall for example, we note the use of closed circuit television cameras throughout the facility. When we try to determine the decision process behind the placement of each camera, we are told, “we want to watch exterior doors” or we want to watch the loading dock & parking structures” or “we want to watch fire exits.” First, we often find that these CCTV images are not actually being watched by anyone on a live basis. Consider this; Cameras providing surveillance of common areas such as hallways, parking lots and walkways that are not being watched by a security officer may potentially increase liability.

The rhetorical question I would like to pose, for consideration, is prior to deciding where to place a camera, a card reader, a cipher lock, a floodlight or a barrier is: What is the outcome this action is likely to produce? The best way to avoid the pitfalls of the “law of unintended consequences” is to consider the outcome you wish produce before you make the decision to go forward. When applying security technology, It is all too easy to get caught up in making decisions regarding the assumed benefits of applying a particular technology or procedure. How often have we all heard the utterance, in the wake of a theft, “we need a camera.” This comment implicitly assumes that a CCTV camera, in of itself, would have prevented the theft. Cameras that are not monitored have diminished deterrent value and may actually encourage theft.

It is important to remember big picture. Security programs are all about behavior modification. The use of security technology and/or the use of security officers are all intended to modify behavior by way of deterrence. Security cameras and card access systems are intended to modify behaviors with ultimate intended result of protecting people and property. The role of security is to anticipate and deter. The success or failure of any security program can be measured, in part, by how well that program changes behaviors. The effectiveness of security devices to positively affect behavior can be greatly enhanced by strong security management, workplace violence prevention programs and robust security awareness programs. Whether considering security technology or security officers, the decision making process should remain constant.

Effective mall security programs must reinforce Security Awareness as a positive value system. This program must foster a partnership between mall employees, security officers, tenant and the local police jurisdiction. These actions will increase the benefits to be derived from the application of security technology several times over.

So next time you have a security problem to solve, ask yourself: What will be the intended outcome of my proposed solution? What are the metrics that will support your decision?

 

 

 

 

 

When one begins the process of determining how the security program has evolved to the point that it has, the picture is not always clear. However it can be said that in a majority of the cases, we find that security programs are front-end driven.

Let me give some examples of front-end driven decisions. As we undertake the security assessment of a hospital, for example, we note the use of closed circuit television cameras throughout the facility. When we try to determine the decision process behind the placement of each camera, we are told, “we want to watch the front door” or we want to watch the loading dock” or “we want to watch the pharmacy.” We also often find that these CCTV images are not actually being watched by anyone, live, 24 X 7. Cameras providing surveillance of common areas such as hallways, parking lots and walkways that are not being watched by a security officer may potentially increase liability.

Many of the facilities we consult with use access control cards to largely control ingress to certain doors. We are told that the security department wants to track who accesses any door as well as the date and time they gain entry. Yet, 80% to 90% of all employees can access 80% to 90% of all the access controlled doors. In about 98% of the cases there is no restriction for the time or day that access is granted. In hospitals access is more usually tightly controlled for doctor lounges, the C-Suite, the pharmacy, the business office and labor & delivery, including nurseries. With non medical facilities there are far fewer restrictions unless mandated by regulatory agencies such as DOD and NRC.

The rhetorical question I would like to pose, for consideration, is prior to deciding where to place a camera, a card reader, a cipher lock, a floodlight or a barrier is: What is the outcome this action is likely to produce? The best way to avoid the pitfalls of the law of unintended consequences is to consider the outcome you want produce before you make the decision to go forward. It is all too easy to get caught up, when applying technology, to make unsubstantiated decisions regarding the benefits of applying a particular technology or procedure. How often have we all heard the utterance, in the wake of a theft, “we need a camera.” The comment implicitly assumes that a CCTV camera, in of itself, would have prevented the theft. Cameras that are not monitored have diminished deterrent value.

Let me give you an example that turns this assumption upside down: Several years ago when conducting a security assessment for a large healthcare facility. I noted an auto-pan camera mounted on the roof of the hospital that was ostensibly surveilling surface parking lots. Despite the use of this camera (remember it was an auto pan camera) theft from vehicles was not abated. I proceeded to determine where the camera was being monitored. I eventually found the monitor in a closet in the basement of the hospital. Obviously, this hospital did not have a control center. One of my recommendations in my final report was that a control center was justified and that an unwatched camera providing surveillance of common areas might be a liability.  

Here comes the rule of unintended consequences for the good: The security manager told me that when they took the unwatched camera down, the car break-ins ceased. The only logical explanation was that the bad guys probably thought we hid the camera. Sometimes unintended consequences are for the good.

It is important to remember that security programs, the use of security technology and/or the use of security officers are all about behavior modification. Security cameras and card access systems are intended to modify behaviors ultimately aimed at protecting people and property. The role of security is to anticipate and deter. The success or failure of any security program can be measured, in part, by how well that program changes behaviors. The effectiveness of security devices to positively affect behavior can be greatly enhanced by strong security management, workplace violence prevention programs and robust security awareness programs.

So next time you have a security problem to solve, ask yourself: What will be the intended outcome of my proposed solution? What are the metrics that will support your decision?

 

 

 

 

 

 

 

 

 

 

It is difficult to impose a security program on an apartment complex and/or a condo complex. The point we are trying to make is that no matter how many cameras are installed, no matter how sophisticated the access control system is and no matter how many security personnel are on duty, the security program may still be mediocre. The missing ingredient is the full participation of the residents. Without something akin to a Neighborhood Watch Program with involved residents, the security program could be rendered impotent. This means that security needs to be sold as a positive value and one of the prerequisites of just being a good neighbor.

The security programs for residential complexes must be multidimensional and need driven. Apartment complexes and condominium properties should be aware of how to best apply CPTED (Crime Prevention Through Environmental Design) Principles. When the security design is not predicated on a sound risk and vulnerability assessment, lawsuits loom on the horizon. Residential complexes represent a significant portion of all premises liability litigation where the adequacy of security is called into question. We have even seen swimming pool accidents credited to the lack of sufficient security. A little mitigation in the short-run can save major financial hits in the log-run.

We have testified in hundreds of these kinds of lawsuits over the past 30+ years. We think prevention is the way to go.

If the hospital has a good computer-based system that tracks daily security activities and security incidents, some answers to the previous question may be forthcoming. If the computer-based security management system has sophisticated analytical capability and is able to predict trends, even more answers may be forthcoming.

However, there is one area that many hospital security programs fail to properly leverage: asset protection.  Unlike the security programs of most enterprises, healthcare facilities tend to ignore, or at the very least, deemphasize the protection of property, including, but not limited to: patient property, employee property, hospital property and even cash.

Think about this; hospitals are loaded with thousand of goods and equipment anyone could use around the home or even in the operation of a business. Hospitals are loaded with food products, cleaning supplies, office supplies and equipment, linens and yes, even medical equipment, supplies and drugs.

Think of the hospital as your neighborhood department store, except for one minor difference, there is no checkout counter. One of the reasons for a checkout counter, excepting the obvious (a place for customers to pay) is to track everything going out the door through the use of scanning so there is some basis for inventory control and a means for measuring shrinkage. Hospitals tend to use less precise measurements such as cost-per-patient-day ratios as means to identify red-flags. The problem with this measure is that it is imprecise and it is not sensitive enough to identify shrinkage problems when they are still in the incipient stage.

Here is one example to make the point. When doing a total hospital security assessment a few years ago, we were anonymously tipped off that there was a cashier in the cafeteria that was “suspected” of till-tapping. This tip did not come from the food service manager who detected declining revenues and/or inconsistent over/under reports from the cash register. It came from another cafeteria worker. With the help of the security manager it was decided to go into the cafeteria at night and install a pinhole camera over the register in question. After several days of observation it was determined that our cahier was knocking the hospital down to the tune of about $150.00 to $175.00 per day. This amounted to between $700.00 to $800.00 per week and $36K or more per year, tax free. By the way, she admitted as much.

The point this: There tremendous opportunities for security program to affect the bottom-line in a positive way. There is an often missed opportunity here. Asset protection programs, often referred to as “loss preventions programs,” can be set in motion with very little additional expenditures, if any at all. There just needs to be an adjustment of focus and mission. There also needs to be proactive focus and less reactive. There is no single strategy for beginning such a program. The first task is to do a vulnerability-risk assessment. Whatever is being spent on security programs today, why did get some more bang for the buck?

Going back to our department store analogy; can you imagine a department store with no universal cash handling protocol? How, many hospitals have a universal cash handling protocol?