This article is intended for non-security professionals who are looking for advice on how to get a physical security program started.
OK, you’ve gotten to the point where your organization needs to employ some physical security measures. Now, for most small companies, startups, VCs, foundations and family offices, having to deal with security isn’t the most fun thing in the world. But just like you have to deal with such things as facility maintenance, insurance and HR, once you reach a point when security becomes relevant, there’s no use in ignoring it.
Over the years, I’ve worked with dozens of companies that tackled their security issues from every-which-way, some successfully and many not so much. So let me help you navigate through what really doesn’t have to be a difficult and painful process. (Believe it or not, it can even be quite interesting)
Not to denigrate my own profession, but it’s not exactly rocket science. If you do things properly, you can get where you want to go while saving yourself a lot of hassle and tons of money. I can write an entire book about this (in fact, maybe I should at some point), but for now, let’s just get you started with the basics.
Before we delve into the actual components, there are some important points you should know about security. Bare with me on this because much of the money and hassle savings are contained in this segment.
How Do You Create Security?
Short answer: By minimizing risk. This is why the term Risk Management describes things much better than the vague umbrella term Security.
Risk is primarily reduced by means of control. For this, you’ll want to define and control your property, set boundaries between your property and the outside world, and control/filter the access of people into the property.
Keep in mind that there are no formulas for achieving a desirable level of control/risk management. Every organization balances things according to their own level of concern, comfort, risk tolerance, importance of assets, operational requirements, budgets and organizational identity.
The only ratio you should keep in mind is that the level of security is usually inversely related to the level of comfort, convenience and openness. As one goes up, the other goes down. It’s just a fact you’ll have to accept as you move forward.
Who Should Manage Security?
The first thing you’d want to do is figure out what parts of security you’d like to manage in-house, and which parts you’d like a vendor like me/HighCom (hint, hint, shameless plug…) to handle for you.
Larger, more established companies usually have their own physical safety and security departments that take care of a larger percentage of their needs. Smaller companies, VCs, startups and family offices usually use vendors for most, if not all, their security needs.
In these cases, security vendors usually report to a facilities and/or workplace services manager. In other situations, HR managers or IT security managers are put in charge of physical security. My favorite setup (and what I’d like to recommend here) is that physical security be managed by the legal department. Physical security is by definition a form of risk management, one with legal and liability implications. For this reason, your legal department is ideally positioned to understand and manage it.
Security Questions—Security Solutions
This one is a bit long, but it’s the most important point in this section so pay close attention.
One of the most common—and most expensive—mistakes companies make is to leap to security solutions before they properly identify what they need.
Security might not be rocket science but if you leap straight into installation and implementation, you’re very likely to miss certain things and waste quite a bit of money on others. I can’t tell you how many times I’ve seen companies with gaping security holes after they’ve wasted hundreds of thousands of dollars on badly planned and executed security solutions.
Yes, you have security concerns and you want to address them as soon as possible. But for your own sake, start with a security assessment. Trust me, this doesn’t have to be a long process. I’d recommend going with a professional security consultant but in all honesty, you can also do much of the work yourself.
Your first step is to identify and prioritize the assets you want to protect. In almost every case, your most important asset is your people. Next on the list are things like: confidential information, property, reputation and work environment/atmosphere.
You then want to identify and define your concerns—what are you worried might happen to each asset. We always try to calculate the combined value of two important factors: Threat and Risk. Threat is the potential harm to your asset, risk is the likelihood of that threat/harm being realized. Once you’ve defined things in this way, you’ll be much better positioned to look for security solutions.
In general, security solutions that mitigate risks (lowering the probability of harmful incidents) are your preventive measures. Security solutions that mitigate threats (decreasing the severity of harmful incidents once they’ve started) are your reactive/emergency measures. You’ll want to have both.
The key to finding good security solutions is to ask:
- What am I trying to protect?
- What am I trying to protect it from?
- How do I want to protect it?
- How does each security solution answer question #3?
A solution, by definition, is a means of solving a problem. If a security provider can’t frame the solutions they offer in a way that answers a security question (Question #3), consider going with a different provider.
The Main Components of a Security Program
OK, so now we get to the actual stuff you’re going to implement. There’s a huge range to these categories, and you might not want, or need, every single one of them, but here are the basics:
Electronic Security Systems
This covers your burglar alarm systems, security camera systems, access control system and intercom. Larger properties often have some type of Enterprise Solution that integrates various safety and security systems. And well established companies often have their safety and security systems centrally controlled in a Security Operations Center (SOC, or GSOC if the company operates globally).
Important: ‘Electronic security systems do not a secure property make’. Don’t just expect, say, a security camera system to magically protect you. It’s not just about the hardware, it’s about how you use it.
The general categories here (in frequency of use) are:
- Day-to-day facility/campus security guards.
Dedicated to property management, access control, people management and incident response.
- Special event security.
Higher-level services for special events, shareholder meetings, conferences, parties and more.
- Unconventional special operations.
Very high-level, specialized operators who provide things like covert protection, surveillance detection, investigations and more.
As with most other goods and services, you get what you pay for. I’d obviously recommend you spend more rather than less on protective services, but if budgets don’t allow for this, it’s important to set your expectations right. If you only have the budget for a Hyundai, don’t expect it to perform like an Aston Martin.
Executive Protection (EP)
Though this often gets lumped into the protective/guard services category, it’s worth considering executive protection as its own category. This is because an executive protection program (if properly applied) is a multi-disciplinary category that incorporates electronic security systems, protective intelligence and guard services that may cover the executive’s residence, office, travel and more. Additionally, EP often covers the executive’s family members, and will therefore also include family trips, spouse activities, children’s schools and much more.
You can find some excellent articles that explain executive protection on the AS Solution blog.
This applies both to executives and non-executives while they travel.
Travel security in its simplest form is just general travel safety advice (dos and don’ts when you’re away). One step above that are written company policies on employee travel (dos and don’ts with policies on where to stay, how to get around, etc.). An even higher level will include advance logistical arrangements (hotel, transportation, etc.), area-specific intelligence briefings and emergency communications and response procedures. And an even higher level should give you dedicated security operators who physically take care of all of the above.
A key component to any level of travel security is a connection with a local security provider at the travel destination. This provider can be an on-call resource in case of emergency or can provide full security coverage, depending on the need. Even when high-level travel security operators travel with the employees, it’s still important for those operators to have security resources that are local to the destination.
Any company with ten employees or more is required by the Occupational Safety and Health Administration (OSHA) to have a written emergency plan. Most people already know the basics here (in case of fire, in case of earthquake, etc.), but larger organizations should have more comprehensive procedures. This doesn’t mean that the written plan should be book-length, just that it should cover more than just fire and earthquake. In fact, you should keep it as simple and short as you can.
For best results, you should hire a professional emergency planner for the project, but if you don’t have the budget for this, don’t despair. There are local, state and federal government resources, and some great non-profit organizations like the Red Cross, that can help you with this—free of charge.
Don’t try to invent the wheel when it comes to a written emergency plan. The resources mentioned above have very good and free templates you can get right off the internet. Adapt a template to your own specific situation, let someone look it over to make sure you got it right and you’ll probably be good to go.
By this I mean security training for non-security personnel.
The basics you’ll want to cover are emergency response (mentioned above) and general security awareness. It’s also useful to cover things like verbal compliance and verbal management of aggressive behavior.
As for drilling, make sure to follow the correct order of: 1) Security plan. 2) Security training. 3) Security drilling. Don’t just drill something you haven’t trained on first, and don’t train on something that isn’t part of an established, written security plan.
Policies & Procedures
No, I didn’t save the most boring thing for last, I saved perhaps the most important for last.
Policies and procedures are what will direct your employees/workers to implement everything we’ve just covered. You can have the best electronic security systems, solid travel security plans and great guard services, but if employees don’t use them, they won’t be worth much.
In theory, this might not make much sense. Why would people work against their own security interests? But in reality, people very often find security measures to be uncomfortable and inconvenient. We naturally go along the path of least resistance, and if given the opportunity, take short cuts. Strong policies and procedures are the glue that will hold your whole security program together.
Lastly, though not a category on its own, networking with other companies is also very important. No one needs to go it alone or invent the wheel when it comes to security. If you reach out to another company’s security department, ask for advice, offer to share resources, etc., they’ll almost always agree to help. Even among rival business competitors, it’s very common to find security departments cooperating and helping each other out.
There are a few more categories, like protective intelligence and investigations, that organizations should implement once their security programs are up and running but we can get to that a bit later.
I hope you found this article useful. If so, or if you’re interested in more information about any of what was discussed here, please let me know in the comment section below.
Learn more about this subject—and many others—in my master class on Hostile Activity Prevention. Utilizing Israeli know-how and delivered by me, Ami Toben, this online course teaches actionable, time-tested methods of prevention, detection and disruption of hostile attacks.