Well, this seems to be the season for “major” security breaches. There never seems to be a week in the last few months when some retailer or government entity isn’t revealing how it’s been penetrated. Along with those revelations comes the torrent of critics who ask “How could this happen?” and proclaim “This is the worst thing ever!….Incompetence!….This is epic!” Please note the heavy amount of snark and sarcasm there. As one of a few people who sort of gets security, I often find myself getting increasingly frustrated about the growing number of amateur critics who have in some way implied “expertise” on a topic few professionals in the industry actually get. So in an effort to educate everyone and to vent (okay, mostly to vent), I’ve decided to do a piece on the myths surrounding security. Bear with me. If it feels like I’ve kicked you in your stomach, good – that’s why I’m doing it.
- Physical security is easy. Sigh. This is the most upsetting and doggone frustrating statement a security professional could hear. Contrary to popular belief, security is not easy. It’s pretty hard, actually. There’s a lot more that goes into security than just bag searches, menacing guards, cameras, and alarms. It encompasses multiple disciplines which contribute to the security mission. They range from information security to operations security to risk management to executive protection to physical security to personnel security to personal security. All of them bring something unique to the table. Each is an integral part of the total security package. It takes a professional versed in all of them to be able to deploy the package seamlessly.
- Anyone can do security. Ugh. Wait, no. Double – ugh!! Not everyone can “do” security. As I stated before, it’s hard. It’s not rocket science but if the only thing you’ve ever protected in your life was a bike in a bad neighborhood, you may not be as qualified as you think to speak expertly on matters such as the security surrounding rather complex and sensitive facilities as the White House or military bases. I know I just made a lot of folks in the DC press conglomerate very unhappy. So let me explain. You can have all of the facts on an issue but still not get the nuances behind how to properly execute an effective security plan or understand the stark realities those facilities face. As a matter of fact, there are people in the job who barely get some of these concepts which explains why so many security plans fail. I’ve been in this industry for 14 years and there are things I’m learning every day. I am no “expert” and I often eschew any effort to attribute me to that title. It is also my suggestion, given my background, if I admit to knowing far less than most “experts” with less experience are willing to, then maybe you should be questioning their “expertise” as well. Think you can “do” security? I’d happily place you in charge of physical security at the White House which receives MILLIONS of visitors every year and hosts the most targeted human being on the face of planet Earth. Good luck.
- There’s entirely too much security for this. Another sigh. Seriously, folks. Unless you’ve walked in the shoes of the person who designed the security apparatus for that facility or worked in a similar post, you may not understand the thought-process behind how security is set-up there. In order to better educate most folks who are not familiar on this topic, I’ll take a moment to digress and speak on the mission of security and how it is often set-up. Security’s primary mission, no matter the discipline, is pretty much the same minus some semantics. It is to detect, deter, delay, and destroy. There are professionals who will undoubtedly find issue with my choice of words here. My message to them is clear – I get it but let’s think more figuratively. While it is optimal in security to see the threat before he arrives, that may not always be the case. In fact, there is very little empirical data to suggest much of what is done in physical security actually deters the truly dangerous threat. However, what is quantifiable is delaying and subsequently disrupting or destroying the threat’s ability to continue their actions.
A great example of classic defense-in-depth
Finally, let’s examine what drives most security plans. Much earlier, in another post, I wrote extensively about risk management which is a process by which security professionals and their stakeholders ascertain the level of risk they’re able to maintain and the mitigators they plan to deploy to minimize the risk. As you can imagine, this process is what most security plans are derived from. Within those plans, therein lies the basic outline of how most modern security is implemented – defense-in-depth. This is best explained by asking you to imagine an onion. As you peel the skin on any onion, you’ll note the various layers contained. Security is much like that. Every protected resource has an outer layer of protection which supports the inner layers. The closer you get to the resource, the more intimate the security. Imagine the White House. The farthest outer layer of security there could be the scores of CCTV systems found all over the DC area. From there, the security mechanics become more intimate with their resource. Stop laughing. I hear the jokes. Serious. Stop it. The inner layers encompass a new level of protection closer to the resource than the next. See, I cleaned it up for you.
- The security guys just need to do a better job. Really? Like seriously. What qualifies you to make statements like that? Have you examined the actual, no-kidding threat intelligence or data to understand the nature of the adversaries those “security guys” may face or the countless attacks which get thwarted? A great example of this is a conversation I had recently with a political website editor regarding how the United States Secret Service would be better served by doing a “better job of managing its fence” rather than deploying checkpoints further from the ones already at the gates closest to the White House. I strongly disagreed not because I love checkpoints (I don’t – see my thoughts on crowds) but because I understand (because I’ve actually done executive protection and physical security versus offering critiques about something I only read about) what drove the US Secret Service to acknowledge they were considering checkpoints. You would be remiss as a professional not to consider them as an option. I think we would all do a lot better to understand the difference between a consideration and an implementation.
- I have a PhD so I have the magic ability to know all things related to security, though my PhD is in an unrelated field, or I’ve written books non-security professionals think are dope. I won’t waste a lot of time and space on this but this is a growing issue throughout social media. Stop it. There are few things more irritating than to be dismissed by an academic or author who thinks their degree or books written provide them with omnipotent ability to know everything they need in order to criticize security. As I’ve stated before, you’re probably extremely smart in your area of expertise. This does not lend itself to transference into what I’ve done for 14 years. Sorry. But that’s the truth. Again, I don’t know a whole lot and there are guys in my field who are far more impressive than me. That being said, read this and #2.
- You say tomato and I say TOH-MAH-TO. Same difference. No, it’s not the same. In security, certain terms do matter. They really do. For example, I had a very good conversation with a national security pundit I follow on Twitter, Joshua Foust. Joshua is smart when it comes to matters of national security and almost ties John Schindler in trolls except Joshua doesn’t have a parody account yet and his and John’s tweets are thought-provoking. That being said, our discussion this morning was about the efficacy of passport revocations. Joshua intimated revocations made jihadi terrorists stateless people. I find that most people confuse revocation of passports with revocation of citizenship. The two sound the same but are vastly different both in mechanics and impact. However, because they sound the same they are often confused. We saw this when Snowden’s passport was revoked. People claimed he had been stripped of his citizenship, although he never formally renounced his citizenship nor did Congress or the President revoke it. In fact, the passport revocation is nothing more than a travel restriction. You’re allowed to travel to other countries as long as your country provides you with a valid passport. If your country revokes your passport, you’re no longer able to travel and can only come back to your home country. Joshua would later admit the semantics were different and we both agreed there were mechanisms already in place with respect to fugitive warrants and the Foreign Terrorist Organization designation. Neither, from my limited knowledge, has been integrated when it comes to jihadi foreign fighters. Something I’m sure the President and other leaders are seeking to change because the inherent value of Western foreign fighters for groups like the Islamic State is their passports. Western travel documents can gain you access to a variety of countries, if they’re not revoked or cancelled.
- I could take down security anywhere and I could break in there if I wanted to. Okay, that sounds very cool. I’m sure you could. However, taking down an unarmed security guard because he’s 75 years old with a bad limp is vastly different than being faster than his radio and being tougher than the eight burly deputies who will respond. You might also be able to break into a facility. That’s also great and amazing. However, keep this in mind – sometimes breaking into a facility has more to do with luck rather than skill or technical acumen – remember one of the latest White House fence-jumpers was a toddler. In other words, the sun shines on a dog’s rear every now and then. You also may not be as lucky as you think.
- OMG, this breach was the worst breach EVER!! Stop. Full-stop. Don’t move. Breaches happen all over physical security for a variety of reasons. Some are preventable, sure. Some are not. Some occur in ways professionals never thought of. Some occur because the security manager and his/her stakeholders accepted too much risk. All I ask is that before you roll up a physical security breach as the worst ever, analyze not only the breach but the totality of circumstances. Some people are making a big deal about the recent White House fence-jumper who made his way “into the White House”. I’ll take a moment and explain why this is wrong. Yes, the White House fence-jumper recently made his way to an inner layer of the mansion. Keep in mind what I said about layers. Here’s something most critics won’t acknowledge mostly out of ignorance. The doors, which I have pictured below, are actually an entrapment area. Wait. What? Yes, the North Portico doors are indeed an entrapment area. What does that mean? Simply put, the exterior doors remain unlocked so exterior personnel (security and non-security) can enter through them and gain access through the second set of doors which remain locked and more than likely, guarded by on-duty US Secret Service Uniformed Division personnel. In other words, someone or something would need to verify your credentials before allowing entrance into the interior.
The diagram of the White House showing the doors.
The North Portico doors UNLOCKED. But do you see the doors behind them?
Scriven, how does this change the fact that he should have never gotten that close? It doesn’t. However, it’s always best to remember while this is the first time someone has made it to those doors, there have been other more egregious breaches. Thirty-three others, to be exact. Remember when the airplane crashed in the White House lawn? I digress. Did the USSS accept too much risk by keeping the doors unlocked? Sure, but I’m also aware these doors were probably unlocked more for convenience for certain non-USSS personnel. How do I know that? Because I’ve done something similar in a variety of security situations. So what does this little exercise tell us? First, it tells you I have entirely too much time on my hands and I spend a lot of time on Twitter. Second, it tells you exactly why layers exist and whether they function properly. In this case, a few layers were breached but the resource was secured by one. Third, a lot of people are making wild assumptions without having read the official report nor has there been an accurate articulation from which direction the jumper entered or whether he had been observed (my guess is he was). Also, some of these same people make all kinds of weird guesses about the nature of security at the White House based on rumor and what television and the movies convey. No, the President will not be firing an RPG at multiple jumpers next time.
Finally, it teaches us the value of relativity and complexity – this was bad but was it the worst? It’s all relative. Seriously, can you imagine managing the security of POTUS and his/her staff and guests AND the most iconic tourist attraction in the Western world? It poses some SERIOUS security challenges which are countered every single day, mostly with zero incidents. If this was the “worst”, then the Secret Service did an excellent job of containing the threat.
- Security is pretty simple. I can’t even.
- The Israelis do it better.
Social media can be a great thing at times. It can connect you with other professionals, allow you to sound off on things in our industry, advertise your services, and even give you new insight into security matters. However, it can also be a very dangerous tool. Countless times, I’ve seen security professionals realize this inherent truth much too late. In every social interaction, there is an implied trust with our fellow netizens they will abide by certain unspoken “rules”. Often, they do but more than often, they do not. I’d like to share a few rules that can help mitigate the risks associated with combining your personal and professional social media personas.
- Be humble and listen to everyone’s opinion. There seems to be a rash of security professionals who believe the best way to interact with those who disagree with them is to be brash and rude regardless of the interaction. Sometimes, it calls for being a bit brash and rude. However, I find it often does not. Don’t make being adversarial a part of who you are on social media. You could potentially “scare away” potential clients or employers. Don’t be “that” guy. Seriously. If you don’t want discourse, then social media is not the place for you. Chances are just because you’re awesome in what you know doesn’t mean you’re awesome in all things you claim to know. Sometimes, other folks have legit ideas we can learn from. You don’t always have to be right. A simple “I never thought of it that way” goes a long way.
- Keep your “circle” small. A while back, I went to “private” on all of my social media accounts. Why? Am I talking secret stuff I don’t want others to know? No. I just realized how much better my social media experience is by keeping my audience relatively small. Think of it like how you rate schools based on student-to-teacher ratios. Do you really want to have to interact with 90,000 people you don’t know? Also, by keeping your “circle” small, you pick the people you want to interact with. There’s a danger here, though. By being selective, you run the risk of limiting the amount of data you receive and it can enable subjectivity to some extent. With that being said, I’ll add my next rule.
- Interact with people who provide value and not an ego boost. When I went “private”, I noticed I was far more selective and I tended to interact with people who “liked” my comments less and interacted more. There’s a trap by having loads of people “like” everything you post. It can lull you into a false sense of security that you’re a “big deal” and immune to legitimate criticism. Remember, this is the Internet. Just because you say awesome things does not mean people think you’re awesome. You will make people upset sometimes. That’s life. Some attacks will be personal. That is also life. Deal with it. My mother provided me with the best sage advice I’ve ever heard and will never forget – “Not everyone that smiles at you is your friend and not everyone who frowns at you is your enemy.”
- Don’t say or do anything on social media you can’t tell your mother or boss about. Seriously, you can limit half the drama that comes your way by just abiding by this simple rule. More professionals get involved in more drama online than they should because they forgot this. What does this mean? Don’t write checks with your status updates your career and personal life can’t cash.
- Keep it real. I’ve written in the past about “experts” and how often it is easy to confuse real expertise with implied expertise. If you’re really knowledgeable about something, feel free to talk about it like you do. If you’re not, then take it easy and try to “stay in your lane”. Many people find themselves in trouble when they forget to do this. Why? Everyone wants to be popular on social media and you don’t get to be popular by staying in your lane all the time. Remember what I said about getting too many followers and “likes”. Again, don’t be “that” guy. When I’m talking to people on social media, I try my hardest to be upfront about what I know based on my experiences and from other sources. If you follow me on social media, you’ll often read me telling people what’s in my lane and what is not. I find when I do that, I receive much better interaction with professionals and I learn quite a bit more than I preach.
- Don’t make your social media persona to be something you are not. The downfall of many professionals on social media can be traced back to forgetting this rule. Quite a few security practitioners seem to believe in order to have value, they have to inflate who they are or what they’ve done in the past. More often than not, they’re found out and revealed without prejudice. You don’t have to fake a degree or have an awesome job title to provide value in your social media interactions. I’m more impressed by a person who is totally honest about being a janitor and knows a lot on a topic versus a janitor who pretends to be an “expert” security “guru”. As I always say, “Game recognizes game.”
- Use your manners. My advice to my son is always, “I get more from pleases and thank-yous than I have ever gotten with a frown on my face.” A simple “Thank you for the discourse” or an apologetic private message for an overly snippy comment has provided me with more value than my stubbornness to concede a point ever has. With that in mind, as with everywhere you go in life, there will always be jerks. Try not to be one of them if you don’t have to. Sometimes, a situation online may call for you to be one. I suggest resisting the temptation to do so and simply either ignore the other party or “block” them. This is the Internet and there are tools available wherein you can choose to be a jerk or not. At one point, my mother was a preacher’s wife which is a position replete with jealousy. She always told me, after an encounter with someone who she knew didn’t like her, “Baby, sometimes, you gotta kill them with kindness.”
- Some things are better said in-person. This is too easy to explain. Keep private things as private as you can because once it leaves your computer, you have lost complete control of it. If I’m in charge of human resources at a company you applied to or I’m a prospective client and I noticed your social media accounts are chock full of indiscretion, you’re probably not a person I want to hire and for good reason. Whatever your intent was will not matter to someone who decides your fate with the click of a button without having to ever talk to you.
- Never trust people to keep things private online. Salient advice I received from a friend once – “This is the Internet, nothing is as it appears.” People are inherently untrustworthy. Why? Because they can always make disadvantageous decisions regarding you online without your knowledge and consent. There is very little you can do about this except follow this rule. As the old adage from hip-hop goes, “Never trust a big butt and a smile.”
- You don’t have to be first to speak during a crisis to have value. The first time I became popular on social media was during Christopher Dorner’s rampage through Los Angeles. I made a few points which were re-shared a lot. After that, it seemed like every other crisis, I was being called on to give my opinion. Not too long after that, I did some introspective thinking and realized I wasn’t always being called on to give my opinion or insight – I was seeking it out. I had fallen into the trap. Why is this bad? The reason I took the time to think on this topic was I noticed I was sharing incorrect and highly subjective information. In other words, I was misinforming people. My “circle” was kind and quietly called me on some of it. Here’s what I learned: Being first, often, means being first with the wrong information and relying on firsthand accounts. Anyone involved in the intelligence community will tell you how this leads to a degradation of analysis and eventual disregard of the analyst responsible. Take your time and give your insight when it’s helpful.
Day after day, on social media and elsewhere on the Internet, there are lots of folks who are seemingly shocked every time a bad guy shows up and acts like a bad guy. Seriously, how many times have you read or seen “I can’t believe Suspect A was able to murder all of those people” or “If only they (security) did XYZ like I thought of during a conversation with my veterinarian who may have been in the military, that bad thing wouldn’t have happened”? I see it quite a bit and frankly, I’ve decided it may be time to finally add my .02 about it.
Those of us in security who have spent some time studying “the threat” (insert whatever scary bad guy you’re dealing with) understand what few who haven’t studied it do. No matter how awesome your protective measures are, they do little to mitigate (and certainly not “prevent”) the attacker unless you start thinking a bit like they do. Herein lies the fatal flaw of most “white hats” and even some “grey hats”.
- You think of attacks in ways that you would conduct them. No offense but if you’re protecting yourself against robbers but know relatively little of them, you may be looking to deploy solutions which don’t work against that threat. One of the most painful things any security professional can hear when doing a site survey with a client from the client is “If I were the bad guy, this is how I would do it.” More often than not, it is not how the bad guys would attack. Think security cameras in homes. Most people will deploy a camera at home with the thought the camera provides an extra layer of protection when in fact it doesn’t. I have known several victims of home invasions who either had cameras installed or had an alarm sign out front. These are two commonly deployed deterrence tools that we know don’t work. Instead, focus on the problem as if the bad guy would ignore the deterrence measures (because he will because we have little proof he won’t) and proceed with the attack and use things like cameras as after-incident mitigation tools to catch the perpetrator later.
- You think of your threat as one-dimensional. Most good guys see their threat based on commonly accepted precepts of what the threat is and how he has attacked in the past. Just because the bad guy only hit you or the other guy using one vector doesn’t mean he won’t try something different later. A great example of this is 9/11. Prior to the second World Trade Center attack, there were common beliefs that terrorists were only capable of performing certain kinds of attacks. What no one factored in was changing realistic threat capabilities. In other words, we assumed the threat wasn’t evolutionary in his tactics. Seriously, who could’ve imagined having to protect a building against two near-simultaneous aircraft crashes? Perhaps we could have had we accepted the idea that as we change so does the threat.
- You think the threat is omnipotent and omnipresent. It’s easy to get caught up in the hype of a threat. I do it sometimes. This is a natural defense mechanism after an attack has occurred. Why? No one likes to have their vulnerabilities exposed. After every mass shooting or act of violence that makes the news, we assume every venue that is like the one that was attacked is also vulnerable and being selected as the “next” target for another perpetrator.
I remember fondly working on 9/11 on a small Air Force base on a perimeter patrol. What I recall the most are the initial attitudes people had of al Qaeda. We believed this one attack, which displayed a level of sophistication unseen by them before on US soil, could be replicated on a massive scale. Every Muslim, ignorantly, was assumed to be a sleeper agent waiting for cues from “Muslim HQ” to attack us wherever and however they chose. The months and years ahead showed how far from the truth that was. Imagine how many countless resources were expended before we realized the fallacy behind this assumption.
- You think your attacker “chose” you for a variety of reasons he didn’t. People almost always assume an attacker chose to attack them or others for reasons they didn’t. Rape is commonly thought to be a crime of lust because good people believe sex is the only reason you rape because it’s the end-result. However, most criminologists and psychologists would agree rape is a crime of power. I would argue the majority of crime takes place for this very reason. Terrorism occurs because of this as does murder (what’s more powerful than ridding yourself of someone permanently), drug dealing, fraud, and a host of other crimes. You’re either fighting to obtain it (i.e. steal it from someone else) or committing crime to become more powerful. This confusion could possibly explain why most crime “prevention” measures based on policy fail at alarming rates – we’re clueless on what truly motivates people to attack us.
- You assume because you haven’t seen the threat, he must not exist. Whether we see the threat or not, we should never assume he does not exist. While the threat can’t be everywhere every time, the threat can still be very much. Never assume the absence of threat means he or she isn’t going to show. You still need to adequately protect your assets as if today is the day you’re going to be attacked. Remember, the attacker chooses the time of attack. You choose how well-prepared you’ll be when it happens.
I’m not proposing anyone go out and hire a red team. I firmly believe one of the reasons we, often, fail so miserably at security sometimes is due to our natural inclination to think the bad guy thinks like we do when they don’t. So how can we fix this?
- Study your adversary. Seriously, pore over any open source intelligence you can on your threat. Read the paper and look for crime stories. Pick up a police report or two on similar venues like yours. I’ll leave how you conduct your research to you. Just do it. Stop assuming blindly how the attack will go down or even who your adversary is.
- Consider hiring folks who can think like attackers. I’m not saying you hire criminals but red teams hire specialists who can mimic attackers. Choose folks from a variety of backgrounds to round out your security team. By the way, by “background”, I’m not talking education. I mean pick a team with a variety of specialists.
- Test your systems with exercises. The only way you’re going to learn is by testing how well your security program holds up against an actual attack. Consider doing this with little to no notice and have an after-action or “hot-wash” debriefing with your red team and affected staff right away. Finally, fix the vulnerabilities as soon as possible.
- Reward outside the box thinking. When I was a young boy, I recall my fondest memories were playing games like “hide-and-go-seek” with my friends. The guys who were the most creative were the best at this game. Why? Because they were unpredictable. I’ll leave how you choose to reward these folks on your own. Just do it.
I can’t even begin to tell you how many times I run into stores that have decoy cameras in lieu of real cameras. I also can’t tell you how many countless times these same stores get robbed. Decoy cameras, in my opinion, are invitations for criminals. This is not to say most criminals can’t tell the difference between fake and real. This is to say that many of these businesses and homes that utilize decoy cameras don’t quite get what kind of mitigators they need to adequately protect themselves and their assets.
The added statistic at the bottom of this photograph is especially troubling because it dupes customers into believing they have added another layer of “security”. This is correct in some respects. Remember what I said about “security” being a goal and less of an action? The problem lies in exactly the same place issues of semantics in security are – it relies on data that is either incomplete or, more than likely, irrelevant to their protection needs.
We all know cameras serve a variety of purposes other than video surveillance. We also understand some vendors and property owners either have poor tools or are so under-trained they may as well not have a camera. However, when an incident happens, the last thing property owners want to tell the police and insurance companies (worse yet, a jury in a civil liability trial) is they thought a decoy or non-operative camera offered better protection.
If you’re a property owner and considering one of these decoys, turn around and invest in a camera system you will monitor and maintain. If you’re a pro, call these out and the dangers behind using them.
One of the toughest and most insightful lessons I learned came during a conversation with a good military buddy about why English is such a difficult language to learn. “You never mean the things you say. You say you “love” your car in Spanish, it means you love it like family. It’s as if you use the words so much they lose their actual meaning.” I was a bit taken aback by this. No one had ever explained the issue of semantics so eloquently before to me.
This same thing happens in security and explains what makes it so difficult for so many professionals and lay-people to be able to comprehend it. The following are great examples:
- Prevention versus mitigation. Prevention is defined by Websters as “the action of stopping something from happening or arising.” Mitigation is defined by Websters as “the action of reducing the severity, seriousness, or painfulness of something.” The two words mean completely different things, yet they are used interchangeably. In security, getting these two words wrong can mean the difference between a loss of life (yours or an innocent’s) and victory over an attacker. Having lofty goals of prevention through methods and measures seldom tested with actual bad actors often leads to failure when they do show up. However, having sound mitigators in place should they attack could save both life and property and result in the consequential capture of your bad actor. The decision to stop his or her actions is totally dependent upon his or her decisions and plans before and during the attack. Your measures could help persuade them not to attack but I would hardly call this prevention without more quantifiable evidence.
- Vulnerability assessment versus reconnaissance. A vulnerability assessment is a process which entails analyzing a client’s assets to determine likely avenues of approach for attackers. It could involve talking to stakeholders, physical walkthroughs of the assets, imagery analysis, and red-team exercises. Reconnaissance is a process which entails some covert surveillance resulting in a report to the target’s adversary to support a plan of attack on the target. These terms are often confused because people assume one means the other. Typically, bad actors do recon and friendly agents do vulnerability assessments. The latter could use the former as part of a red-team exercise or even as part of a walkthrough. However, the methods by which either is done are very different. Keeping this in mind prevents amateurs from thinking that, by doing reconnaissance, they are in some way doing a complete vulnerability assessment.
- Security versus protection. It grates on my nerves to hear people say they are “doing security”. I find most people have no true understanding of what the term means and are, therefore, ill-suited for and failing miserably at the task they think they are doing. As I’ve discussed before, security is a mental construct wherein our protective measures are adequate enough in our minds to mitigate bad actors and their attacks to make us feel secure. It’s a subjective term but more of a goal and less of an action than anything else. Protection is what we do to make the environment secure enough to assuage our fears of a possible attack.
- Arrested versus detained. It took me a while to get used to this. They both sound like they should mean the same thing but they do not. Ask anyone who has ever been arrested. Being arrested has an element of detention but it isn’t the totality of the action. You can be detained without being arrested. While this may sound like an issue of semantics, ask your legal counsel to explain what happens in security when you confuse your ability to detain versus your arrest powers.
- OPSEC. OPSEC is one of the latest buzzwords to come into the modern security lexicon. Everyone believes they do it but few actually do, myself included at times. Seriously, everyone on social media who is in our industry seems to have a burner cell phone number, 10 fake IDs, wall safes for their wall safes for the wall safes with their encrypted USB, uses TOR to hide from the NSA (as if), etc. The first rule of being good at operations security is to shut up about OPSEC. What’s the first thing people do when they think they’ve done something awesome with respect to OPSEC? They tweet about it on a source they don’t own with people they don’t know or couldn’t vet with any realistic degree of certainty, using communication they know very little about on the Internet which was created by some of their adversaries who have actively engaged in intelligence operations here since its inception. So if so few get it, why do they think they’ve adequately protected themselves? See the difference between prevention and mitigation.
- Intelligence versus information. I often hear professionals claim they have “intelligence” on an adversary, when in fact they don’t. Most often they have only raw information they haven’t vetted or analyzed. These colleagues suffer from the correlation paradigm where they mistakenly conclude that information correlating with or parallel to an event is its cause. In the analyst world, this is called “confirmation bias”. You believe the information because it confirms what you believe. Intelligence is the product of taking that raw information, vetting its source, comparing and contrasting that data against previous data and assumptions, peer reviews, and a final reporting of that information with an analysis centered on critical thinking. A newspaper article in and of itself is not intelligence because it says something we already thought was true. That would be akin to treating Weekly World News’ stories on aliens consulting a still-alive JFK on Elvis’ newly proposed welcome-back world tour as intelligence because you’re an Elvis-loving conspiracy theorist who believes you’re an alien abductee.
- Guard versus officer. I’m sure to stir up something here. Let me clarify: there is NOTHING wrong with being a “guard”. However, traditionally, that word has gotten a bad reputation. Think “mall security guard”. These guys can be awesome professionals but the title does tend to minimize the extraordinary amount of work it takes to protect the thousands of mall patrons and mall assets against a variety of threats daily. It also does little to note the authority which enables them to perform certain legal actions against those threats such as trespass advisements and, in some cases, arrests. “Officer” denotes they are an extension of management and not merely someone who stands a post. They represent the extent to which managers are willing to go to protect their assets and their customers.
Recently, during a discussion with another friend from the military, I recalled a conversation about semantics with a person who worked in what was commonly referred to as the “chow hall”. One day, I inquired why the name “chow hall” was such an insult to him. He explained “Do you guard planes or do you protect assets vital to national security? I don’t cook chow. I cook meals which are nutritious as per my training. We’re both professionals. I know people mean no harm but that term implies my food and what I do as a professional are sub-par and unworthy of a professional title, when that’s not true.” Vets, I hear the snickering. Stop laughing. But he had a point. One that wasn’t lost on me.
How your customers see a “guard”:
An image the term “security officer” typically conveys:
- OSINT versus unclassified. I’m a huge supporter of open source intelligence (OSINT). This entails gathering intelligence from a variety of non-covert channels. This could include public radio, news broadcasts, social media, etc. I have noticed this word used to excuse what I believe to be gross violations of protecting classified or sensitive information. Let me explain. I certainly understand OSINT by its nature can come from unclassified channels. However, I also realize it does not absolve professionals of their responsibility not to divulge information coupled with their “insider perspective” which may be tactically advantageous to an adversary. You can observe this lack of professionalism best on social media, during a critical incident. There seems to be a pandemic of sorts when these incidents happen which encourages its victims to feed their egos by talking endlessly about their highly sensitive “insider knowledge”. I once observed someone who is widely considered an “expert” tweet the locations of responding forces to a major hostage situation. Another person tweeted security measures at a base they just left. Sure, none of this was classified because it came from a radio scanner and personal experience. It was, nonetheless, highly sensitive and could have placed lives at risk, if the adversary had intercepted these messages. In physical security, once sensitive information is compromised, we only have a precious, small amount of time to deploy mitigators. As I often say during these events, “Don’t let your ego and mouth write checks your a– can’t afford to cash with someone else’s collateral.”
- Active shooter versus mass killing. The best way to explain this is simply stating not every active shooter kills anyone and not every mass killing involves a gun. Yet, whether because of politics or hype, professionals and laymen still confuse these two. This may seem meaningless until you realize how information is gathered to study these two distinct events and the influence those studies have on policy.
- Security theater versus threat mitigation. Look, folks, as professionals, we realize not every threat is going to attack us. We also get some of our measures are extreme. I’m certainly NOT trying to justify any abuses of authority or trust. That being said, just because you don’t see the “boogey-man” doesn’t mean he’s not there. Does this mean security should have authority to do cavity searches on everyone? No. But it doesn’t mean because that’s extreme that someone isn’t trying to do you harm. Do some threats get blown out of proportion? You bet. A vigilant public and other professionals are awesome checks against overreach, though. As every threat isn’t realistic, every threat mitigator isn’t security theater. We’d all do well keeping this in mind.
There are a load of others I would add but I feel as though this list does a great job of illustrating the power of words in our industry. Please use them carefully. If you have more, let me know.
There’s been yet another act of mass violence at a school and, of course, the media has lost its mind. People are wondering how this could have happened and why. As security professionals, these questions are not new to us, nor is the answer. For those in the field, bear with me, I’m going to go over how and why these things happen.
- It has nothing to do with WHO at times and more with WHERE. Let me explain. We always assume people target us because we mistakenly believe the target is “special” to the attacker in some sort of way. This is a common theme in our attempts to understand attacker methodology with respect to terrorism. All over electronic punditry, we’re saturated with folks who proclaim “they attack us because they hate us.” So this has become our mantra for every attack of any variety. What we fail to account for is that it’s not entirely exclusive as to who they attack but where. On Twitter, I have been practically shouting that, when it comes to mass violence, one of the key ingredients, if not the key ingredient, is the presence of crowds. Nothing is more appetizing to an attacker than to make his attack seem grand and above-average for a swath of reasons I’m not qualified to adequately explain here. Let’s just say, you should NEVER EVER be surprised by the actions of mentally disturbed people.
Crowds are also, normally, not difficult to get large casualty numbers from. Think about the last time you were at a baseball game or major sporting event. Ever notice the large crowd at the ticket or embarkation areas? As a security professional, whether you’re working or not, this is perhaps one of the most precarious chokepoints to be at. A chokepoint is a place where people have no other choice but to be in order to go some place. Everyone working anything from Secret Service to convoy security will tell you to ALWAYS avoid chokepoints. Why? They offer the presence of crowds, very narrow escapes for victims, and the ability of attackers to conceal themselves in the crowd.
- Violence has very little to do with the tools. Think about that for a second. I have made it no secret I enjoy guns. I do. However, I also understand the temptation to want to ban them. I’ve seen the statistics and the simulated models in whitepapers from folks who have never fired a gun or actually witnessed violence. I have a problem with this overly simplistic conceptualization of the problem. Erroneously, we believe the issue is with the mass proliferation of guns. Unfortunately, the discussion rarely acknowledges the socioeconomic, psychological, political, and cultural issues that drive some violence. More importantly, we ignore what mankind has known for decades – you can ban the tool but violence will always remain and the loss of any life is intolerable. Do you think if mankind had no guns he wouldn’t find a better way to commit acts of violence? Think about that for a second. We had no electric chair until Thomas Edison did a proof-of-concept demonstration to show the dangers of electricity. Man will always find ways to commit acts of violence against one another for whatever reason he deems fit. This is not to say we can’t have mitigators in place but we can’t for one second believe we’re getting rid of the problem solely with a ban of the tools or knee-jerk “reforms”.
- People mistakenly use “mitigation” and “prevention” interchangeably. Security professionals understand the difference between the two. Websters defines “mitigate” as “to make (something) less severe, harmful, or painful”. Many people believe we can prevent acts of mass violence “if only we do X,Y, or Z.” There’s a huge fallacy that we can prevent crime. This comes from a sublime arrogance of humans who believe we can stop our fellow man from acting out against us.
The issue may seem to be one of semantics but I argue that it’s not. You can’t “prevent” me from speeding. Only I can do that. I used an analogy the other day where I articulated, “Just as Match.com doesn’t make marriages, you can’t “prevent” crime. You can set conditions with good mitigators but ultimately the decision to move forward or stop is on the principal actor(s).” Think about that for a second. No matter what measures you put in place, whether it’s a guard at a school or metal detectors, my ability to accomplish the task of killing a large number of people at a particular location is solely left to my motivation, intelligence, ability, and imagination.
I have long argued that we have to move away from the idea that we can “prevent” crime to one where we “mitigate” attacks. A while back, I said people mistakenly believe that by locking a door they have somehow thwarted a burglary, without seeing any firsthand information that a burglar attacked the door and left because it was locked. Yet, every day, most of us lock our doors anyway thinking we’re doing crime “prevention” when in fact we’re doing crime “mitigation”. Mass violence occurs many times because we mistakenly believe our mitigators can prevent it.
- We rely too heavily on certain mitigation tools. Having an armed guard at a location is a mitigator not a prevention tool. The guard is there to ensure you have the means to adequately respond to acts of violence until police arrive. School administrators have for far too long relied on guards as prevention tools and have stopped doing other things which are more effective in mitigating these acts like deploying good cameras, training personnel on monitoring camera feeds, practicing lockdown procedures with teachers and other staff during non-working hours, talking with local police about their capabilities, training staff on conflict deescalation, and paying attention to warning signs.
- We don’t train staff on attack methodology and psychology in school. Teachers and other staff are often taught how to respond to these events, which is great. However, solely doing this ignores how often teachers and staff are the best sensors we have for students who may be a danger. Many times, they may observe a student doing reconnaissance or testing security and not even know it. Imagine how many lives could be saved if teachers and staff had a threat working group chaired with the school safety official and principal in schools where these incidents have taken place.
- We used to do a really good job of being very proactive with mental health incidents in this country. I’m not advocating going back to asylums. Most were fraught with abuse and shoddy practices. No, what I want is for us to become much more proactive with mental health. We can no longer see mentally ill people as “someone else’s problem”. Mass violence has taught us we can no longer think of it like this. Yet, we do. When we removed the ability of doctors and other mental health professionals to intervene immediately and possibly treat long-term issues, we placed our citizens at risk. How? When most seriously mentally disturbed people come to the attention of authorities, it is often too late, and the options for how long and where they can adequately be treated have greatly diminished. In some jurisdictions, the police can only place you on a “mental health hold” at a local mental health facility for 72 hours or less, in many cases. If you don’t exhibit the behavior further and can be treated, you’re out.
As a former law enforcement officer, I can tell you the most distressful call to go to is a mental health one. Given that most mental health hospitalizations are never found (either because they can’t legally or no measures exist to enable it) on background checks for firearms, the problem grows exponentially worse. Many of those who have committed acts of mass violence had already been diagnosed as being seriously mentally ill but couldn’t be put in long-term care because they hadn’t been deemed a danger and even if they had, I’m unaware if this would have barred them from having firearms (as discussed previously, I’m not sure a ban for them would have been effective in preventing violence in some instances).
I understand this list is not all-inclusive but this is how I see the problem in a more condensed manner than I believe can be adequately addressed on a forum such as this. You may have other solutions or know of other ideas. As always, they are greatly appreciated.
Folks, I don’t claim to be a journalist, though I give unsolicited advice to them on Twitter. I know I shouldn’t. I’m supposed to be in my lane. However, I do recognize when they go about using the law to get official documents about things the government likes to keep secret. I respect this so much that I began doing the same a while back through MuckRock.com. MuckRock is a Freedom of Information Act request clearinghouse where journalists, bloggers, and fellow netizens use FOIA to gain access to documents. I do this mainly to educate myself on physical security issues. I’ve decided to begin sharing my requests and those of others I find worth following.
Here are a few of my pending requests:
Here are a few of the requests where I was successful in getting information:
You can sign up for an account at MuckRock and submit your own FOIA requests through them. The only caveat is whatever you find or get from the government, MuckRock will publish on their site. So exercise due caution with phone numbers, SSN information, etc. Also, as you will learn, if it’s a really good secret, the government will fight you “tooth and nail”. Luckily, MuckRock has a pretty good team that will work with you. Also, don’t worry about staying on top of the government with requests, MuckRock has a nag feature wherein they bug the government almost bi-weekly with respect to your requests. These folks are great at what they do.
You can use MuckRock via the link below
Or you can do your own requests via the official US government FOIA requests. Just be aware, your state and local jurisdictions have their own sites as well. Try them for a more localized search.
I will continue to post more documents and updates regarding what I find. Stay tuned.