In the wake of Sept. 11, anthrax attacks and terrorizing snipers, how should facilities executives approach building security? Clearly, their preparation has to include some planning for terrorist attacks. However, facilities executives also don’t want to overlook the more mundane, although still serious, risks from such sources as workplace violence and vandalism.
While the final security plan will vary with each facility — measures that are likely to be effective for an urban office building probably won’t work for a suburban health care facility — the process of developing a plan is the same. As a starting point, facilities executives will want to identify the assets housed in the building that merit protecting. The next step is listing the threats to which the facility is vulnerable and estimating the likelihood that each may occur. Then, they’ll want to assess the security measures already in place and decide what additional measures, if any, are needed.
While it’s tempting to skip steps and rush to implement a technical solution, doing so can be expensive and ineffective. “When there’s a problem, someone will say, ‘We should have a camera system,’ or ‘We need a guard,’ ” says Ron Libengood, chief executive officer with Securacomm Consulting Inc., a Pittsburgh-based firm that specializes in risk assessments. However, these tools won’t be effective if no one has determined exactly what assets need protecting and which threats are of highest concern.
“To understand the real security needs, we start by looking at the assets,” says Dave Aggleton, a member of the International Association of Professional Security Consultants (IAPSC) and president of Aggleton & Associates, a security consulting firm in New York. Security experts define assets a bit differently than do accountants. In addition to items such as machinery and computer hardware, assets include employees, customers, patents and trade secrets, and image.
Thus, in addition to knowing the physical structures, facilities executives need to understand what goes on within the buildings they oversee, says Kevin Murray, a member of the IAPSC and director of Murray Associates, a security consulting firm based in Oldwick, N.J., that focuses on intellectual assets. “Facilities executives should protect the brains of the organization, as well as the physical property,” he says.
The intellectual assets may not be obvious. To identify the information that should remain confidential, the facilities executive probably will work with individuals in charge of information security, employee safety and contingency planning, says Sanford Sherizen, Ph.D., president of Natick, Mass.-based Data Security Systems Inc., a security consulting firm and a member of IAPSC.
In that process, the facilities executive must call upon his or her knowledge of the building’s systems. For instance, knowledge of the electrical system can be key to thwarting attempts by potential wrongdoers to use the system to get at an organization’s computers.
Once the assets are identified, they need to be classified as either primary or secondary, says Rich Grassie, principal consultant with Techmark Security Integration Inc. in Boston. Primary assets are critical to operation; employees fall into this category. Secondary assets — a company’s delivery vehicles, for instance — are important, but won’t merit the same level of protection.
Identifying possible threats and the ways in which they might endanger assets requires detailed analysis. The facilities executive and others from the organization — including those from the business, legal and financial functions — need to assess the organization’s mission and location, the security measures already in place, and the operations of the organization’s neighbors.
“Some organizations would be well advised to be aware of their exposure to terrorism because of the nature of operations of co-tenants,” says Jack Case, a member of IAPSC and president of John Case & Associates, a security consulting firm in Del Mar, Calif. “Terrorism comes in several forms, from international militant groups to anti-abortion, animal rights and environmental organizations. The effect is the same in that the safety of people is at risk.”
High-profile buildings are more likely to be targeted by terrorists or those trying to make a political statement. The more recognizable the building, the higher the risk. “If a terrorist wanted to make a statement, that’s where they would go,” says Steve Kaufer, an IAPSC member and president of Inter/Action Associates Inc., a consulting firm in Palm Springs, Calif. “You could flash the building on TV, and everyone would know it.”
Facilities executives also need to consider the operations of nearby organizations, especially ones in a politically sensitive area. If that organization faces a greater risk of being attacked, so do its neighbors.
Finally, facilities executives want to keep in mind the risk that individuals from within an organization may want to harm it. About half of all corporate espionage cases come from internal sources, says Murray. Why would employees spy on their coworkers? The reasons can range from power struggles between the board of directors and the executive team, to employees planning competing ventures, to squabbles between family members in family-run businesses.
How likely is it that a threat will become an act, whether of espionage, terrorism or theft? Although it’s possible to come up with some general estimates, it’s unrealistic to expect anyone to come up with a precise number for some of the most high-profile threats, says Aggleton. “Unfortunately, our discipline is not quite so easily quantifiable.” Despite the horror of the terrorist attacks on Sept. 11, such attacks in the United States have been few and far between, making it difficult to extrapolate from current data.
When it comes to other threats, such as theft or workplace violence, facilities executives can look at police records that show crime patterns in different areas, says Jim Andrews, an IAPSC member and president of Securico Inc., a security consulting firm in Burnsville, Minn. They also can ask others, especially peers, about steps taken to deter criminal activity.
Ultimately, deciding how best to protect against potential threats requires assessing the damage that could result. The more costly the potential damage, the more it warrants protection. “If something is worth $1 million, you don’t want to spend $12 million to protect it,” says Sherizen. On the other hand, if a security breach – say, a hacker breaking into the organization’s computer system – could cost a firm its top customers, the facilities executive will want to make protection a priority.
Once the assets and threats have been identified, it’s time to examine the effectiveness of security measures already in place. A quality security program combines deterrence, delay, detection and response, says Libengood. Features such as night lighting and signage help deter criminals, while locks and access control measures hinder their attempts to get inside a facility. Detection tools, such as alarms and cameras, identify trespassers, while sirens and other response mechanisms should prompt a human reaction to intruders and security breaches.
In addition to technology, facilities executives will want to consider the physical layout and amenities within their buildings, says Grassie. Changes here also can affect security. For instance, more facilities executives are considering the location of the air intake grille, with some opting to put them on the roof rather than at ground level, where they’re more vulnerable to tampering.
Having reviewed the security measures already in place, it’s easier to determine whether additional tools are warranted. No single security measure or tool can accomplish the entire job. Instead, facilities executives need to combine both physical and electronic measures with security policies. “A security program should consist of many small measures that add up to a total program vs. one big measure that costs a lot of money and is expected to do a complete job,” says Libengood.
It’s also important to understand how a given technology fits into an overall security plan. Consider closed-circuit-television systems. “So many people feel that it’s the solution to every problem,” says Bill Mattman, president of Mattman Security Management Consultants LLC in Murrieta, Calif., and an IAPSC member. However, the systems themselves aren’t enough. Although they provide a way of watching many locations and of recording events, they won’t prevent an intrusion unless someone is monitoring the screen at the time.
Another key to effectively implementing additional measures is having enough information about them so you can make an apples-to-apples comparison. This type of comparison will help justify it through the budgeting process, says Andrews of Securico. For example, it helps to budget several years into the future, rather than just concentrating on initial costs. Electronic systems tend to require substantial up-front capital expenditures, while hiring additional security staff typically results in an ongoing expense.
In addition, before making any purchases or policy changes, it’s important to consider the corporate culture, says Aggleton. In some organizations, employees would object if they were forced to wear identification badges. While this doesn’t mean that security should always take a back seat to culture and image, employees’ attitudes should be considered. If employees are likely to oppose changes, extra communication is likely warranted.
Critical to effective security planning is obtaining truly independent analyses of the assets within a building and the types of threats to which they’re most vulnerable. “Most salespeople are trying to sell equipment, not solutions to the issues at hand,” says Andrews. To be sure, most facilities require some equipment to support their security efforts. However, the overall security plan should be driven by the needs of the organization, not by any specific tool or system recommendation by a vendor.
Security systems can be a significant investment. For instance, the base security system on a 25- to 35-story high-rise office building can run between $500,000 and $1 million — not including any security systems installed by tenants — making it imperative that a facilities executive knows how such a system will help, says Grassie.
Not every security measure is costly. Modifying procedures and communicating with employees are low cost but crucial elements of effective security. For example, letting employees know to what risks the company is most vulnerable and how they can help reduce the risk can dramatically boost security without setting an organization back, says Andrews. Once they know what is at stake, employees are more likely to take the time to shred documents or turn off their computers.
Policies and procedures also can help protect intangible assets. For instance, conference rooms should be checked regularly for eavesdropping systems and communication systems for bugging devices, says Murray.
Securing a facility requires a mix of technical systems, physical barriers and prudent policies. Looking for a single solution will prove fruitless. Instead, facilities executives should take the time to identify assets, assess potential risks, and develop clear, thorough response plans.
Contributing editor Karen Kroll is a business writer who covers real estate and facilities issues.
The International Association of Professional Security Consultants (IAPSC) was established in 1984 with the purpose of maintaining the highest possible standards in the security consulting profession. Its 150 members from nine countries have held executive and management positions in such organizations as the Secret Service, the CIA, the National Security Agency, the U.S. military, Scotland Yard and major metropolitan police departments.
IAPSC members can offer their expertise in securing a range of facilities, including high-rise buildings, airports, hotels, and medical, educational and nuclear facilities. They have experience in terrorism and counter-terrorism, espionage, competitive intelligence, international risk and threat assessments, and all aspects of security consulting.
Equally important, each IAPSC member is independent. All prospective members are thoroughly investigated to verify that they are not affiliated with any products or services that might create conflicts of interest as they work with clients. As a result, IAPSC consultants offer unbiased advice and work toward the solutions that best meet their clients’ security needs. For more information, visit their Web site.