Security and safety are not synonyms, despite what the dictionaries say. For all practical purposes, security and safety are fundamentally different. By using those terms interchangeably, organizations open themselves to attack. This isn’t as heretical as it sounds.
Take an inherently dangerous job, such as working in a nuclear plant. By carefully and consistently following all safety-rules, employees can work all day long in a relaxed and well-protected environment. Accidents may happen; but they would not be caused by a vicious attack of a revengeful robotic arm. They will occur because of either employee or management errors and neglect. Essentially, safety is about painting a yellow line on the floor. As long as we don’t cross it, we shall stay safe.
On the other hand, an employee could still get hurt inside the safety-zone if a deranged colleague attacked him. Would you then still consider your workplace as secure? Of course not. This is where security most violently peels away from safety as two sides of the same kind. Security is elusive, because it relies on what others can do to us and where their motivations arise from. By applying security measures, we need to consider not only the unpredictable factors of human nature and character, but also the social layers and undercurrents of every community. Money can buy safety, in fact total safety, but even the massive defense budget of the US government could not buy you total security.
During my more than 25-year career in counterterrorism I came across too many ill-conceived security arrangements that conflated safety with security. Most of those protective set-ups were initiated after the results of threat assessments and translated into simple color- or numbers-based “alert systems.” Think the Department of Homeland Security’s terror alert system. Those “traffic-light” alerts may be easy to communicate but represent a problematic simplification. They may work for certain bureaucratic protocols but cannot instruct front-line personnel to take specific actions in fluid situations. If terrorist threats cannot be read like the control-gauges in a nuclear plant, why would an organization take measures that could only defeat ill-tempered bits of machinery, but not the complex minds of extremists? By attempting to provide security, professionals are more often than not taking insufficient account of a terrorist’s determination and ingenuity. If you are up against humans, safety-style measures are ineffective. Here’s why.
Action vs. Reaction
Action always beat reaction. An exercise illustrates my point. Ask someone to hold a crisp dollar bill by one of the smaller edges between the thumb and forefinger of your strong hand. When the other person lets go off the note, you will find it near impossible to catch it with your thumb and forefinger – even if you try to prepare yourself for the moment. After playing this for a little while, the time will come when you will catch the note more frequently because your brain learns and reprograms its response. Nevertheless, the dollar will get through sometimes. The same phenomenon plays out in the field of security, where criminals and terrorists often slip through law enforcement’s fingers despite good intelligence and training. The recent hotel bombings in Jakarta, Indonesia, illustrate the point. Despite significant security upgrades after a 2003 suicide car bombing outside its doors, the J.W. Marriott in Jakarta was once again attacked this July. This time the bomber checked in as a guest, strapped the bomb to his chest, and strolled through the lobby where he detonated himself.
As an entirely “human product”, security is a dynamic entity and as volatile and diverse as the community in which we seek protection. Security is governed by an infinitive number of variables, which can change entirely just by shifting location by only a few miles. Protectors of overseas facilities of multinational corporations have developed a greater sensitivity towards security threats as extremely variable locations give them a higher awareness of changing risks. Security protection for stationary facilities, such as buildings and manufacturing plants, often concentrate on potential threats from the surrounding areas, but familiarity breeds complacency. So how can companies protect location-bound facilities? If action regularly beats reaction, how can facilities go from being a sitting duck to being prepared and ready for the “dropping banknote”? Before organizations can come up with answers, they need to look at a couple of other realities.