Many security professionals started learning early as they flocked to the numerous preseminar sessions held on Saturday and Sunday, before the official launch of the ASIS International 58th Annual Seminar and Exhibits. ASIS President Eduard J. Emde, CPP, surprised attendees at the Philadelphia Marriott by stopping by each preseminar session to personally welcome the participants. The sessions covered a variety of topics including protecting houses of worship, detecting deception in written and verbal statements, starting a consulting service, preventing armored car robberies, designing an integrated system, creating organizational resilience, and developing open source intelligence.
HOUSES OF WORSHIP
Scott Watson, CPP, of Houston Private Bank and Trust Company in Boston, Massachusetts, moderated a Saturday session on “Securing Houses of Worship: Best Practices for 21st Century Protection.” In the session, speakers acknowledged that houses of worship face unique security problems and that convincing church leadership that security is a legitimate concern can be a significant challenge.
“We are dealing with profound issues of life, taking position on controversial topics,” said Watson. “Add this to perennial security concerns and churches become vulnerable targets.” For example, Watson noted that vandalism and theft are issues houses of worship face, as well as protecting participants in educational programs, such as vacation bible school.
However, securing houses of worship is not as easy as securing an office building. Securing assets with traditional security methods is not appropriate. “We have an open environment and this can invite a criminal element,” said Watson. “But you can’t lock your doors. It defeats your entire mission.”
Attendees at the session asked the speakers for assistance in selling security to their own religious organizations. Watson noted that this is often difficult because people who are leaders in houses of worship don’t know they need security. “The goal is to include safety and security as part of the agenda no matter what issues are being discussed,” said Watson.
Another session speaker, Dave Benson, director of security and safety for The Crossing Church in Tampa, Florida, noted that finding out what security challenges a particular organization faces is a critical step. When Benson began keeping statistics on safety and security incidents at his church, it shifted his focus. “I found out that at our mega-church, we usually had two medical response incidents each Sunday,” said Benson. “So our security awareness changed so we are on the lookout for medical safety. Other churches might have other issues.”
Donald Knox, director of safety and security at St Paul Baptist Church in Peoria, Illinois, agreed. Knox, who also helped present the session, pointed out that churches involved in missionary work must focus on travel security. “Because of the travel missionaries undergo, they can become victims of terrorism, or natural disasters.” But churches that do not do missionary work can cross this item off their security list.
The most critical thing for security professionals to remember, according to the speakers, is that houses of worship have a unique mission and that security must fit into that culture. To illustrate this point, Watson shared a story from his own experience about helping out during a church event for young children. A man who clearly was not part of the group approached Watson. Instead of turning him away, Watson engaged the man in discussion and found out that the man was primarily looking for food. Watson got the food and the man went peacefully on his way. “The lesson I took from that incident was that security should reflect the values of the organization it represents,” said Watson.
John Dietz, CPP, president of Dietz and Associates, in Austin, Texas, and David Lewis, a retired U.S. Treasury investigator, presented a session on Saturday and Sunday titled “Detecting Deception in Verbal and Written Statements.” The session covered an investigative technique that allows security professionals to analyze statements and recognize when witnesses are being deceptive.
Dietz emphasized that the technique is simple to use and accessible to any security professional. “When you walk out of here today, you will be able to use this technique,” he said.
Dietz explained that statement analysis consists of two separate techniques. The first technique is the analysis of an open statement, which is the suspect’s narrative statement regarding the incident being investigated. The second technique is the directed question interview, which is the written form of an interview designed to eliminate suspects from the investigation.
An open statement is taken when there are a limited number of suspects, and the investigators are attempting to identify whether the suspect is telling the truth or is being deceptive. “When we take an open statement, we ask the subject to tell us everything that they know about the incident or crime. We give no parameters. We ask them to ‘begin at the beginning and end at the end.’ This ensures that we obtain a statement that has not been influenced in any way.”
Deception indicators can take several forms. For example, starting the statement several days before the incident in question can indicate deception. Similarly, omitting the “I” pronoun, crossing out words due to stress, and making errors of logic all indicate deception.
When deception is indicated, the next step is for the investigators to interview the subject to determine what that deception means. In this case, it pointed to the culprit but it could have other meanings. For example, an employee may not be guilty, but they might know who committed the crime or they may be hiding something unrelated to the crime.
Dietz noted that the technique works in a variety of security investigations, from petty theft to murder. The method can also be used in any language or culture. “You may know when someone is lying, but you might not know how you know,” explained Dietz. “This technique will save you tremendous time and resources—and make you more successful.”
The demand for security consultants is increasing. This was the message offered by Richard P. Grassie, CPP, principal consultant at PRISM Security, Inc. and Frank Pisciotta, CSC, of Business Protection Specialists, Inc., in a preseminar session Sunday morning. The speakers then outlined what security practitioners should keep in mind when looking to open their own security firms.
Grassie, president of the International Association of Professional Security Consultants (IAPSC), warned attendees that being good at security doesn’t always translate into being good at running a business. “You may be an expert in security, but you actually have to be an entrepreneur,” he said in the day-long course, “Successful Security Consulting.”
Attendees ranged from security directors from museums in Washington, D.C., to former military Special Forces members, to integrators from Pakistan and China, all looking to use their experience to launch the next step in their careers.
Pisciotta, vice president of IAPSC, offered several tips to keep in mind when getting started. One of the best ways to get a new consulting business off the ground is to team with an experienced security professional, Pisciotta says. His practice, Business Protection Specialists, Inc., grew 40 percent by teaming with other consultants. Bringing in other people can help bring more experience to projects and that’s ultimately what clients are looking for, he said.
However, Pisciotta warned that the business aspect of consulting would be difficult. “At least 33 percent of your time is going to be spent on administrative and business matters,” Pisciotta said. That includes taxes, marketing, and having your finances in order from the beginning. He recommends having from six to 18 months of expenses set aside for operational costs before launching a new business. “One of the risks of a start-up consulting practice is that you don’t get clients right away, but the bills still come … If you don’t have that financial backing then that could mean you’re taking engagements that you shouldn’t be taking or you just simply can’t make it and have to go back into the work force,” he said. “If you can’t get those things organized and in order, then you end up spending more time on those issues, and less time consulting for your client, and that can be detrimental to your profitability.”
Ethics and integrity are equally important. Doing what’s best for the client over trying to make a sale fosters good relationships and respect. Consultants shouldn’t be afraid to tell clients the truth about security solutions they may or may not need, even if that means turning down business. Additionally, consultants should be independent and objective about anything they recommend.
“If I’m an integrator and I make recommendations on technology, then I may have a bias toward what I’m selling. You do find people that are consulting that have something attached that they are selling. They need to be able to exercise discipline and integrity and what they recommend,” Pisciotta said.
And from a competitive standpoint, a specialist is much more likely to be retained. “It allows you to compete very effectively in a specific area of expertise. Consultants who try to be everything to everybody are not necessarily successful,” he said.
BANKING AND FINANCIAL SERVICES
Bank security professionals heard about preventing armored car robberies during a presentation by Michael D. Gambrill, senior vice president of Industry and Government Affairs at Dunbar Armored Inc. Gambrill presented at the Banking and Financial Services Council’s preseminar workshop.
Gambrill stressed that armored car robberies include acts of violence more than 50 percent of the time, whereas violence is used in less than 50 percent of bank robberies. Because of that increased threat of violence, armored car robberies can become public safety issues. “When a bullet is fired, it doesn’t have an address,” said Gambrill.
The reason banks and other organizations use armored car services, explained Gambrill, is because the money is insured. If it does not reach the bank or the customer due to robbery or another incident, the customer gets the money back. In other situations, such as just hiring a guard to escort the money, such insurance is not as common.
Armored car robberies tend to be planned ahead of time, employ surveillance, and often use insider information, said Gambrill. The robberies are trending down overall. Gambrill added that Maryland and Washington D.C. are the most common areas for armored car robberies in the country.
“Our whole strategy is prevention—anything we can do to stop the bad guy,” said Gambrill. When robberies occur, the car guard’s chances of losing a violent battle are high, he said. Gambrill showed some videos of actual armored car guard robberies that included gun violence.
Some prevention strategies Gambrill recommended are vetting employees, arming guards, having inspections, and using chase cars that will follow the armored vehicle and even possibly have an identification sign on them, so that anyone watching knows the driver is acting as another guard.
Armored car companies try to emphasize to law enforcement that they are small banks on wheels, said Gambrill. “What [law enforcement] doesn’t understand is that the truck may have more money on it than one of your small [bank] branches.” Gambrill said that law enforcement officers understand once he makes that point.
It’s important to note that the armored car guards, though often armed and well-trained, are not police officers. Police confront criminals, while armored car guards are trained to avoid them and are told to seek cover during a robbery.
Gambrill said he is trying to encourage police officers to have uniformed patrols follow armored cars to deter robberies.
Another suggestion to prevent robberies is to have closer access to the bank or ATM for the armored car so that a guard doesn’t have far to go to transport cash. Gambrill said the wave of the future is that banks can take some of the human element out of the equation by having trucks backed in to a vault or ATM area so that guards spend less time outside on foot. It is also recommended that banks ensure that surveillance cameras are working and that the bank has a plan for when the guard shows up. Bank employees must be trained on who the true armored car guards are.
Gambrill said he recently attended the “Bank and Armored Car Robbery Working Group Project Symposium” in Washington, D.C., sponsored in part by the FBI and the American Bankers Association. The symposium took a look at profiles of bank and armored car robberies, which is another step forward in figuring out “what makes these guys tick” so maybe “we can counter that,” said Gambrill.
Attendees at the session “Designing a Functionally Integrated Security System” learned about the different stages of designing a secure structure. Speaker Randy Atlas, CPP, president of Atlas Safety and Security Design Inc., focused on crime prevention through environmental design (CPTED). Atlas pointed to CPTED as a way of influencing criminal behavior by removing conditions that reinforce crime, reducing opportunities for crime, and creating a sense of safety for those in the area. Atlas said a bottom line of CPTED is to determine the legitimate uses and users of an area.
Some CPTED approaches to mitigating crime use natural surveillance, natural access control, and boundaries. Some strategies are to use guards, police, and capable guardians to deter crime. He pointed to store greeters who say hello and deter shoplifting as an example. Other mitigation strategies include using technology and even design solutions such as circulation patterns.
Mark Schreiber, CPP, design engineering specialist at Fluor Corporation, discussed protection in depth. He stressed the importance of overlapping methods of mitigation. Rather than just having circles of security one outside of another, he said facilities should have concentric circles that provide redundancy in security operations. For example, if a guard assigned to patrol an area is delayed, the area should be monitored in another way. This approach ensures continuity of operations, said Schreiber.
Schreiber said it is also important to examine the use of personnel as well as technology in security. Operational security, or OPSEC, should be included in the planning of a facility. He added that continuity planning must involve mutual aid and assistance agreements, such as with local and regional law enforcement.
Continuity plans should be clear, said Schreiber, and facilities and companies also have to take into consideration employees’ families, shelter, food, and monetary situations. Schreiber said Hurricane Katrina was an example of employees having to make difficult decisions to continue doing their jobs.
Training is also essential in plan implementation. The planning is “all for naught if you have a plan and don’t train,” said Schreiber. There should also be drills to test plans and training. The steps of mitigation form a cycle that must be repeated, said Schreiber.
A second preseminar program presented by the IFCPP was “Beyond the Basics in Security Management.” Several of the presenters for the two programs were shared with the security officer life safety training session. One of these presenters was Layne, who spoke to the security management session attendees on litigation avoidance.
To win in court, a claimant must prove that an organization violated its duty of care by failing to provide a safe environment. Litigation usually falls into the categories of accusations of negligence, negligent retention, wrongful termination, negligent security, sexual harassment, extreme use of force, and hostile work environment. Layne said that the best defense against any of these is documentation. In his opinion, he stated, incident reporting by security officers is not inclusive enough. Officers should be documenting all verbal confrontations, for example.
Because such a large portion of workplace loss and violence is employee related (committed by employees, former employees, or relatives and acquaintances of employees), and because a large percentage of these perpetrators are chronic substance abusers or under the influence of illegal substances when committing the crime, there is a clear case for companies to limit liability by conducting strong background checks and ongoing screening of employees.
As it stands, “There is no law, per se, ordering background screening but there is significant civil litigation precedent for a reasonable investigation into an applicant’s background and character,” he explained. The depth of the investigation should also be based on the kind of organization hiring the employee. For instance, a cultural property plays host to both underage children and at-risk adults—this dictates a stronger duty of care.
Layne also addressed contract employees, saying that they “should undergo a criminal history check by the contractor. The contractor should have to provide a list of the full names of all contract employees and when they report to the site, they should have to present a government issued ID that matches the name on the list.” If this is not done and it is not in the contract that this will be done, then the organization can be liable if a contract employee commits a crime.
Other speakers were William Powers of the Clark Art Institute, who examined guard force selection, noting that low-bid solutions were dangerous to operational efficiency, providing a high standard of service, and accomplishing the mission of the organization. Fire detection and safety best practices were reviewed by Nick Artim of the Heritage Protection Group and Fire Safety Network. Monitoring of electronic data systems was plumbed by Mark C. Peterson, principal of M. C. Peterson & Associates and Layne Consultants International. The program ended with a panel discussion on all the topics of the day.
One of the toughest challenges security managers face is proving to senior management that security can be a relevant, value-producing asset to the company. In a preseminar session, Tim Janes, managing vice president and chief security officer at Capital One Financial Corporation, discussed his experience building up his security program from infancy to maturity at one of the nation’s largest financial institutions.
It’s more of an art than a science because security managers not only need to determine how sophisticated they want their security program to be but also need to assess how ready the organization is for security. In the early years of any business, the focus for senior management is growing the business. Security, if it’s considered at all, is limited to “gates, guards, and cards,” says Janes. Usually, it’s a “cop shop” where security personnel wait for the phone to ring and then respond quickly and efficiently to manage any incidents reported to them.
In this environment, a chief security officer (CSO) at a young company needs to know when to pick battles and understand that senior management isn’t too worried about developing a cutting-edge security program. Janes calls this a “nudging process,” explaining to attendees that building a mature security program takes years, not months. To do this, security professionals “need to speak the language of who they’re working with,” according to Janes. Business people want and need a business justification for spending money on security. Ideally, security should eventually be seen by senior management as a revenue enhancer.
But maybe the most important lesson for security managers is learning how to seize any opportunity given to establish credibility with the company’s leaders. For Janes, this opportunity came on 9-11 when his CEO offered him a blank check to improve the company’s security posture. Instead of taking the money, Janes refused it, explaining that his budget was sufficient to mitigate the vulnerabilities facing the corporation.
That one decision helped make Janes’ career at Capital One. Now senior management trusts that when he asks for more resources, he really needs them. And since that fateful September day, Janes’ requests have never been denied.
The critical nature of keeping good and reliable security metrics was the focus of a Sunday preseminar session on designing a successful security program. By keeping the right security metrics and using them creatively, security managers can persuasively demonstrate to senior management why security provides a good return on investment for any company, according to presenter Alan Wick, CPP, PSP, chair of the Utilities Security Council and corporate security and business continuity manager at the Tri-State Generation and Transmission Association.
Security managers should be mindful to only record data that’s useful to company decision makers, he said. Wick had three “don’ts” governing security metrics: “Don’t waste time. Don’t grandstand. Don’t collect data no one cares about.”
The only metrics that should be recorded are those that demonstrate security’s value to senior management and justify necessary capital expenditures. When possible, security managers should also opt for metrics that are quantitative rather than qualitative because numbers are more clearly defined and objective.
Wick recommended that security professionals visualize the data they give to senior management, a process known as optics. By creating graphs and charts, security managers can efficiently show executives critical data points in a lively and memorable way that ideally will leave a lasting impression.
This is particularly important during a time of economic anxiety when companies are looking to trim budgets. Security managers who don’t demonstrate their value and relevance could put their department and personnel on the chopping block. Wick also stressed that security managers should constantly reevaluate their metrics. “There’s always room for improvement,” he said.
The International Foundation for Cultural Property Protection (IFCPP) sponsored the preseminar session, “Are Your Security Officers Safe?” Stevan P. Layne, CPP, founding director of the IFCPP and principal of Layne Consultants International, kicked off the day-long session by trying to define the problem as he sees it.
Layne said that the security role is usually defined as observing, reporting, and providing customer assistance. In reality, this includes duties such as patrolling, signing guests in and out, providing first aid and emergency response, and—most importantly—confronting unruly visitors, customers, or others. These confrontations can and do often lead to assaults. Security officers, Layne said, receive training for their positions that is insufficient in general, but is especially lacking in the area of self-defense and use-of-force. This is usually due to fears of legal liability and training costs by the employer.
Consequently, he said, the subject of self-defense and use-of-force has been avoided by all major security organizations and associations. But Layne proposed that if proper training is given to officers, if it is documented, and if regular practice is undertaken, employer liability can be mitigated and the cost of training recouped.
Layne stated his opinion that “there needs to be a national standard of care for the protection of security officers. And, at the bare minimum, they need to be trained to protect themselves,” because they are placed in a position where self-defense and use-of-force are often necessary. Simple self-defense training, such as how far away to stand and position the body to limit the possibility and severity of being shoved during a confrontation, would go a long way toward ensuring that security officers are not injured.
The IFCPP teaches the Management of Aggressive Behavior method of recognizing and managing angry or violent individuals and Layne maintains that it is an exemplary program that many more organizations should provide to their security officers.
Other program speakers included James H. Clark, CPP, of Clark Security Group, who discussed training security officers to avoid situations that lead to assaults. William Powers III, director of facilities for the Sterling and Francine Clark Art Institute, explored the cost-effectiveness of self-defense and use-of-force training, how much such training can limit liability, and what the training should include. Layne stepped back up to the podium to discuss arming security officers, and Bill Schweigart of the U.S. Department of Homeland Security’s (DHS) Department of Critical Infrastructure made a presentation on active shooter preparation and response that included a look at the DHS’s guidelines on the topic.
Open source intelligence can help organizations protect their reputation and prevent a range of threats, according to Jeff Bardin, chief intelligence officer of the firm Treadstone 71.
Bardin, speaking at a preseminar program on open source intelligence, said organizations may want to use freely available online information to learn more about a suspicious employee, for instance. In certain cases, an organization may also want to do an in-depth search on its own top executives, to look for ways that they could be vulnerable to certain threats.
Bardin showed and discussed some of the many open source tools that can be used to conduct investigations. Just a few of the many Internet destinations and search tools include YouTube, Spokeo, iSearch, Pipl, and Google Alerts.
When conducting an online investigation, it can be important to mask one’s Internet Protocol address, he said, so that people do not reveal their identity or their computer’s location. There are many free online tools that can help in this area, he said.
Open source investigators may want to consider creating a fake online presence, he said. This can then be used to make friends with acquaintances and friends of a subject, for instance, or to carry out Internet chats. It can take a considerable amount of time to build a presence that’s credible, however, he said.
Activity such as creating a false online presence is usually legal, he said. There may be some ethical issues that arise, however, relating to areas such as excessive surveillance.
In some cases, executives may want to do searches on themselves to make sure certain information, such as addresses and certain family member information, isn’t widely available online, he said.
It can be challenging in an investigation to know just how valid or credible certain information is, he said. It can sometimes be helpful to create charts or systems that rank certain pieces of information based on how likely they are to be true. People may want to take into account factors such as an author’s credibility, for instance, or the reputation of a Web site.
It can be important to use critical thinking when conducting an investigation, he added. Many people may make false assumptions based on the information they find. Sometimes people make assumptions based on their own ways of thinking, for example. But other people can often think and act quite differently based on culture, religion, and other factors.