2. Don’t be penny-wise and pound-foolish. A large corporation wanted to identify hypothetical security threats and vulnerabilities for its corporate headquarters. A proper risk assessment involves gaining an understanding of the facility through a tour, an introspective examination of technical security (e.g., cameras and access control), physical security (e.g., building siting, locks, door hardware, and lighting), and operational security (e.g., security staffing, policies and procedures, and response plans), as well as a robust set of interviews.
This type of study should involve an assessment team that has at least two people, to support multiple views, and to allow a “divide and conquer” approach that limits the assessment’s intrusiveness and impact on the organization.
This analysis uncovered a significant amount of opportunities for enhancing security. One of the key concerns was a lack of compartmentalization for the lobby that led to executive offices. The executives desired an open, inviting environment for the corporate facility without the obtrusiveness of security. Therefore, the only security between the lobby and executives was a 65-year-old woman, Grace, who had worked at the company for 25 years. Grace had no duress button and no training, and she indicated that the only step she could take to control an aggressor would be to say “Stop.” What if the aggressor did not stop? “Well, I guess I would say ‘Stop’ again,” she said.
The risk assessment also uncovered tensions with the union workforces, tensions that appeared to be escalating. The report suggested that Grace receive training, multiple methods of communicating a hostile situation(i.e., the duress button/phone), detection of aggressors, de-escalation, and personal safety training and a way to control access to the executive area (e.g., access-controlled door, barrier-type turnstile).
The assessment was very well received, and the document landed on someone’s desk for implementation. But for cost reasons, the organization elected not to proceed with recommended improvements in the main lobby.
One day, multiple union representatives rolled up in buses, walked by Grace as she repeatedly yelled “Stop!” and entered two executives’ offices while chanting on bullhorns.
The access-controlled doors, compartmentalization, training, and duress buttons were added the following week at 160 percent of the original price, due to the urgent need.
The moral of the story: Being proactive is less expensive than being reactive.
Security Vulnerabilities Exposed in Facilities
‘Penny-Wise and Pound-Foolish&lrquo;: What Corporation Learned in Using Risk Assessment
Organization Hurt by Poorly Maintained Technology, Untrained Staff
Security Measures Must be Designed for the Specific Problems