Posted on Tue, Sep 07, 2010
Last week we gave you advice on how to increase the ROI of security by minimizing the risk and impact of critical system failures. We also published a new white paper on how to prepare for and prevent system failures. All of this content was written and waiting for publication when, on August 21st, a thief used a box cutter to remove a van Gogh painting worth approximately $55 million from the Mahmoud Khalil Museum in Egypt. I swear we didn’t plan this.
But it does make a perfect example of what we have been talking about. According to the Wall Street Journal and Egyptian prosecutor general Abdel-Meguid Mahmoud, “None of the alarms and only seven out of 43 surveillance cameras were working at a Cairo museum where a Vincent van Gogh painting was stolen.” To add insult to injury, this isn’t the first time the painting has been stolen from that museum.
According to a security official interviewed by Agence France-Presse, security cameras and alarms at the museum had long been out of order. "The cameras had not been working for a long time, and neither had the alarm system," he said. "The museum officials said they were looking for spare parts (for the security system) but hadn't managed to find them.”
When securing the assets of an organization where a single incident can have such disastrous consequences, a massive security system failure shouldn’t be an option. But by failing to maintain adequate security measures and technology, even unknowingly, you might as well be mandating that failure. Of course, there’s always an excuse, right? How about…
“We haven’t noticed any problems before.”
Of course not. You can still see the video on your monitor and you haven’t had any alarms. That must mean the system is still working, right? Not necessarily. Recently we performed a security audit for a client with more than 20 locations throughout the Pacific Northwest. During the system inspections, we found that more than 40% of the locations had equipment that had either failed and gone unnoticed or would fail in the event of a security breach.
Frankly, that’s not abnormal. We encounter this every time we perform a security audit for a client without a scheduled maintenance program.
Or…
“We always fix our system right away when it breaks.”
Just like how you always rebuild your office after it burns down? If you’re not currently aware of the return on investment that security maintenance provides, you should look into it. As the Mahmoud Khalil Museum learned, the most expensive part of poor security is the cost of lost assets and brand equity when security is breached.
Or maybe…
“I have a Service Agreement with my Security Contractor.”
That’s great! You’ve at least made the first step in protecting yourself by creating a proactive maintenance program. But do you really know if that Service Agreement is worth the money you’re spending on it? Does your contractor perform maintenance on a regularly scheduled basis? Does your contractor provide you a report of the work they have done and the current state of your system every time they do an inspection or maintenance? Does your contractor notify you of system components that should be replaced or could be upgraded before they fail, not after? If your answers are no, then are you really getting any protection at all?
And of course…
“We just don’t have the budget right now.”
This one is the killer. You always think it’s out of your control. If your boss doesn’t understand the importance of security or your executive management team views security as an expense rather than a contributing business unit, you’re likely to get hamstrung by your budget.
There are ways to take control of this issue, though. You can improve your chances of getting the budget you need by making your case to management in a compelling way. Of course, if the security system ever does fail, you know you’ll be in the same boat as Mohsen Shalaan and her four security guards who were arrested last week on suspicion of negligence. (Okay, you probably won’t actually be arrested since you don’t work for the Egyptian government, but you’ll definitely be in hot water.)
So what’s your excuse?
If you’re not currently working to actively prevent this kind of debacle, what is your excuse for mandating failure?
Posted on Tue, Aug 17, 2010
Marie Waldrop is the principal of Irmo Middle School in Irmo, South Carolina. Besides being a lot nicer than the Middle School principal I remember, Marie is also the reserve deputy sheriff for the Richland County Sheriff’s Department. You might say that having a law enforcement background gives her a unique perspective on security in the school system. She certainly knows where security fits into her school’s plan.
Recently, Ken Trump, a national security consultant for K-12 education, interviewed Marie on his blog www.schoolsecurityblog.com. Ken's interview with Marie gives some good food for thought about the importance of security and how it can support the organization in more ways than just locked doors and cameras. I recommend reading the article and watching the interview on Ken's YouTube Channel (embedded below for your convenience).
This brings up a great question: do you know what your principal or CEO thinks about security in your organization? Is it one of his or her highest priorities? If not, how can improved security help accomplish those goals?
Video courtesy of www.schoolsecurityblog.com.
Posted on Tue, Aug 03, 2010
If you’ve never sat down and read a published research study, 
you’re missing out on a fascinating way to broaden your knowledge. Recently, I ran across a research paper published in Security Journal titled "Super controllers and crime prevention: A routine activity explanation of crime prevention success and failure". The question addressed by the study is: “Why does crime prevention fail? And under what conditions does it succeed?”
For those who enjoy reading this kind of thing, go read the article. But if scientific research isn’t really your thing, read on for a simplified analysis of how to use this knowledge in a real-world situation.
What Is a Super Controller?
To explain what a Super Controller is, it’s necessary to give a brief explanation of why crime happens. According to Routine Activity Theory, in order for crime to occur, three elements must come together: offenders, targets, and the places where the crime is committed. Each of these three elements has a set of Controllers that influence or exercise control over the element (hence the name Controller). These Controllers might include a security guard who roams a particular place and protects vulnerable targets, or a store manager who determines the type of security system installed to protect a place, or a neighborhood watch group that confronts strangers loitering in a neighborhood.
So what then, is a Super Controller? Quite simply, a Super Controller is anything or anyone that controls a Controller. People or groups that create the incentives or motivation for Controllers to prevent crime are Super Controllers. Super Controllers do not have a direct affect on the elements that create crime; instead they indirectly influence crime through the Controllers. For instance, a Super Controller might be a state alcohol control board or other regulatory agency, a company’s Board of Directors, or the CSO of an organization. None of these things actually prevent crime themselves, but they do influence those that do.
How Do Super Controllers Prevent Crime?
Routine Activity Theory states that crime happens when offenders meet targets at places that do not have effective Controllers, so crime prevention boils down to mobilizing Controllers and getting Controllers to be more effective at preventing crime. This makes sense from a real-world perspective.
According to the study, Controllers make decisions to prevent crime based on five elements: effort, risk, reward, excuses and provocations; so Super Controllers can also manipulate these five elements in order to change the Controllers’ incentives and prevent crime.
Basically, this means that you can become a Super Controller by influencing one or more of these elements to motivate Controllers to prevent crime. This one insight can be used to provide a host of real-world applications for improving security.
Motivating Controllers
The study points out that motivating Controllers isn’t just about providing money or other rewards. As stated, there are five elements that can be influenced to motivate Controllers: effort, risk, reward, excuses and provocation. Let’s take a look at some examples:
Effort
Effort is the cost or exertion of intervening to prevent crime. When intervention is cheap or easy, Controllers will provide more crime prevention. Super Controllers can influence this by making prevention easier or by making it more difficult or costly for a Controller to avoid prevention. One example is installing emergency phones on a campus. By making it easier for students or workers to report crime through the emergency phones, they will be more likely to do so, and also more likely to provide direct or indirect prevention rather than ignoring the incident.
Risk
Risk is the penalty for not taking preventative action. Controllers can be motivated by the negative consequences of allowing crime. These negative consequences are not limited to monetary or legal consequences, but could also include social ostracism, loss of status, criticism from peers and other factors. Super Controllers can motivate Controllers by either imposing additional risk or creating awareness of the risk involved in failing to take preventative action. One example is the public posting of security failures. This creates the risk of a loss of status or prestige through embarrassment, which can be very motivating to some individuals.
Rewards
Rewards are direct positive benefits received by the Controller for preventing crime. Rewards are the easiest way that Super Controllers motivate Controllers. While monetary rewards are quite common, other rewards exist. You should not neglect the power that social rewards can have. Public praise and recognition can be very motivational to the right individuals.
Excuses
Excuses are the justifications Controllers use for not taking preventative action. This could include a lack of training, lack of oversight, or lack of clear procedures. One way to remove these justifications is to provide documented, formal security policies including clear instructions and methods of operation. Training programs, industry best-practices, and awareness campaigns can also be used by Super Controllers to remove excuses.
Provocation
Provocation refers to disputes or conflict between Controllers. Increased provocation between Controllers limits their effectiveness in controlling crime elements. If the Security Department and the IT Department have conflicts over the maintenance of the security technology, both will have a limited ability to prevent crime through that security system. Conflict resolution and dispute avoidance are common ways for Super Controllers to reduce provocation between Controllers.
To wrap it all up, the question posed at the beginning of the study is: “Why does crime prevention fail? And, under what conditions does it succeed?” The answer appears to be crime prevention fails when Controllers are not properly motivated by Super Controllers. So if you want to create a successful security plan, the best way to do so is not by focusing on specific technology, but to focus on being a Super Controller and effectively motivating the individuals and groups that will influence the outcomes you desire.
What are you doing to motivate your Controllers?
Posted on Tue, Jul 27, 2010
When was the last time you agonized over a new security policy launch? You’ve just implemented a new solution, or changed a policy, or have developed new guidelines to improve the security of your organization or the safety of your employees and customers. Now you have to put out a memo or schedule a training class or get the word out about what you’re doing and how things are changing. Do you find your memos being ignored, or maybe people don’t quite understand the instructions? How can you get better adoption of your policies or training programs? Try video. It’s not just for surveillance anymore.
If YouTube is any indication, people are obsessed with making and watching amateur videos on the Internet. Video is an extremely easy and effective way to capture interest and convey information. And with technology that’s easily available today, it’s pretty simple to do. You can make a video with a hand-held camcorder, a webcam, even a smart phone. If you plan to use screenshots, try a screencast instead. There’s plenty of free or low-cost software if you need to cut, clip, splice or rearrange your footage, too.
There are plenty of benefits to using video in your security training program such as:
• Keep the attention of your audience longer
• Create real-world examples of proper procedure
• Appeal to visual learners
• Quickly train a large number of individuals
• Provide a unique way to deliver your information
If you’re interested in letting loose your creative side, here are a few tips to help you put together an effective training, orientation or instructional video.
#1: Don’t Get Too Fancy
Oh sure, you can spend thousands of dollars on a professionally made video and even win an Emmy like Denver Public Schools did with their Getting to School Safely instructional video. But what’s important is not how much you spend, but the relevance of your information to your audience. Even a simple video made with a screen capture tool or webcam can be effective if you focus on telling your viewers what they need to know as simply as possible – and them show them how it’s done.
#2: Prepare Your Script – Don’t Just Wing It
If you think you can just sit down in front of the camera and “wing it” to create your video, you might want to think again. Take the time to write out what you want to say and what order you’re going to say it in. This will help keep you on track and keep things simple and easy to understand. Plus, if you’re afraid of how you’ll look in the video, working from a script will make you appear much more relaxed, prepared and knowledgeable.
#3: Lights, Camera, Action!
While sitting down and talking to your audience is good, nothing is better than a little show and tell. Video is the perfect opportunity to show your viewers how to act and what to do, not just talk about it.
#4: Keep it Short
3-7 minutes is the perfect length of time to get the maximum impact from a video without losing your viewer’s attention. If you need more time, consider recording the video in multiple parts or episodes that work together.
#5: Don’t Forget To Wrap It Up
Start your video by telling the viewers what they are about to learn, then demonstrate the tutorial and finally, summarize what you’ve just told them to wrap it all up. Not only does this summary help future recall of the information, but it cues the viewer that the video is ending and creates a smooth transition that feels complete.
Now that you know a little about making a good video, start brainstorming about how video could help you. What could you do with video to improve your security measures? What about recording emergency drill procedures, or how to follow correct access control measures? You could even record an instructional video for your security technicians on how to use the new Video Monitoring System. As well, if you would like help, please feel free to call us at 800-547-9988 to discuss how to create, store and distribute your security documentation and optimize your user experience. This is part of our Security Process Optimization practice. The possibilities for video are endless.
Share some of your ideas with us. In what ways have you used or would like to use video? We will attempt to publish your ideas and share them in future posts!