Security and safety are not synonyms, despite what the dictionaries say. For all practical purposes, security and safety are fundamentally different. By using those terms interchangeably, organizations open themselves to attack. This isn’t as heretical as it sounds.

 

Take an inherently dangerous job, such as working in a nuclear plant. By carefully and consistently following all safety-rules, employees can work all day long in a relaxed and well-protected environment.  Accidents may happen; but they would not be caused by a vicious attack of a revengeful robotic arm. They will occur because of either employee or management errors and neglect. Essentially, safety is about painting a yellow line on the floor. As long as we don’t cross it, we shall stay safe.

 

On the other hand, an employee could still get hurt inside the safety-zone if a deranged colleague attacked him. Would you then still consider your workplace as secure? Of course not. This is where security most violently peels away from safety as two sides of the same kind. Security is elusive, because it relies on what others can do to us and where their motivations arise from. By applying security measures, we need to consider not only the unpredictable factors of human nature and character, but also the social layers and undercurrents of every community. Money can buy safety, in fact total safety, but even the massive defense budget of the US government could not buy you total security.

 

During my more than 25-year career in counterterrorism I came across too many ill-conceived security arrangements that conflated safety with security. Most of those protective set-ups were initiated after the results of threat assessments and translated into simple color- or numbers-based “alert systems.” Think the Department of Homeland Security’s terror alert system. Those “traffic-light” alerts may be easy to communicate but represent a problematic simplification. They may work for certain bureaucratic protocols but cannot instruct front-line personnel to take specific actions in fluid situations. If terrorist threats cannot be read like the control-gauges in a nuclear plant, why would an organization take measures that could only defeat ill-tempered bits of machinery, but not the complex minds of extremists? By attempting to provide security, professionals are more often than not taking insufficient account of a terrorist’s determination and ingenuity. If you are up against humans, safety-style measures are ineffective. Here’s why.

 

 

Action always beat reaction. An exercise illustrates my point. Ask someone to hold a crisp dollar bill by one of the smaller edges between the thumb and forefinger of your strong hand. When the other person lets go off the note, you will find it near impossible to catch it with your thumb and forefinger – even if you try to prepare yourself for the moment. After playing this for a little while, the time will come when you will catch the note more frequently because your brain learns and reprograms its response. Nevertheless, the dollar will get through sometimes. The same phenomenon plays out in the field of security, where criminals and terrorists often slip through law enforcement’s fingers despite good intelligence and training. The recent hotel bombings in Jakarta, Indonesia, illustrate the point. Despite significant security upgrades after a 2003 suicide car bombing outside its doors, the J.W. Marriott in Jakarta was once again attacked this July. This time the bomber checked in as a guest, strapped the bomb to his chest, and strolled through the lobby where he detonated himself.

 

As an entirely “human product”, security is a dynamic entity and as volatile and diverse as the community in which we seek protection. Security is governed by an infinitive number of variables, which can change entirely just by shifting location by only a few miles. Protectors of overseas facilities of multinational corporations have developed a greater sensitivity towards security threats as extremely variable locations give them a higher awareness of changing risks. Security protection for stationary facilities, such as buildings and manufacturing plants, often concentrate on potential threats from the surrounding areas, but familiarity breeds complacency. So how can companies protect location-bound facilities? If action regularly beats reaction, how can facilities go from being a sitting duck to being prepared and ready for the “dropping banknote”? Before organizations can come up with answers, they need to look at a couple of other realities.

 

 

 Protection From Within

 

Since the beginning of warfare, from Troy to Dien Bien Phu, there has never been a fortification that hasn’t been breached by attacking forces. The problem remains that “defense” is only one of many possible tactical options. Once an organization hunkers down behind barricades, it can only react to actions imposed upon it. Every successful attack exists of two main elements: force and surprise. The surprise part aims to take away the defender’s chance to organize and to scramble together countermeasures. This becomes even harder when the weakest elements of a defender’s security encounter overwhelming force.

 

Imagine: you run security for a major shopping and entertainment center, complete with hotel, restaurants, cinema, and a children’s play park. How will you defend your complex? Attention will first go to dealing with the mundane, such as thieves and pickpockets, punks and hooligans, graffiti artists and lost children. Probably you will put in place similar measures as other premium property owners did around you: CCTV cameras and people with radios and wires in their ears. Since you don’t want to set up screening gates at all entrances and cannot check every shopping bag in a mall, you are resigned to “intervention” when trouble shows up: reaction and defense. After all, you don’t really expect a terrorist bomb-threat.

 

The problem with most of those protective practices is that they are born out of a prevailing understanding of the local security situation. Many of those protections are based on common assumptions – and often include wishful thinking, along those lines:

 

There was never a terrorist attack in this town. Why should we be targeted? Our corporate profile or activities are not controversial or offend anyone. There are more “juicier” potential targets out there.

 

None of those arguments should allow defenders to lower their guard. The whole point of a terror attack lies in the shock to its victims, who believed "it could never happen here.” It is not important what a defender believes can, should, or should not happen. What matters is what potential attackers think.

 

So, what can you do from within your facility?

 

First, remember that you can never discourage a determined, intelligent extremist with a mission. Unlike financially motivated thieves who choose the softest possible target, terrorists like al Qaeda need to make a spectacle and the conquest of a harder target means greater glory. But there are ways of turning a terrorist organization’s planning of the attack against itself.

 

Greater chaos requires more careful planning and coordination. That means detailed evaluation and “casing” of possible targets. Carefully designed counter-surveillance techniques can help detect persons who were assigned to check out a facility. Defenders need to train and deploy suitable personnel who have profiling expertise to correctly use the data obtained and to collect relevant intelligence in cooperation with the authorities as an ongoing process. Advance knowledge will strip the attackers, at least partially, of one of their most important means – the element of surprise.

 

Further security considerations should include the layout plans for a given facility. Subtle architectural changes should be considered to allow potential rescue-commandos better access to critical areas. With careful planning and case studies of the dynamics of past terrorist attacks, an organization could draw attackers into certain preferred areas of its property, where their actions can be better contained or neutralized. Particularly, organizations should research new concepts in the design of lobbies, meeting places, and other areas to reduce risk. Security personnel must be trained and motivated and proactive and dependable—not 200-pound obstacles of ridicule.

 

 

The question however persists: Why so many terrorist attacks defeat elaborately arranged security so frequently and in some cases so easily?

 

The answer: Most protectors fall into the “textbook-trap”.

 

Security manuals or textbooks are written in order to formulate a set of procedures, thought to be widely practiced or commonly accepted by most peers in that area. The primary government agencies—with input from the general law-enforcement community, the military, and in some cases major private security-related firms—formulate their standard operational procedures (SOPs), rules, and guidelines. They describe “standard methods” regarding subjects such as VIP and object protection, dealing with IEDs (Improvised Explosive Devices), hostage rescue, hijacked targets, firearms training, investigative techniques, and so on.

 

First, one must understand that the critical policy elements of those manuals are rarely authored by operators or frontline personnel. In order to receive approval from the political hierarchy, senior commanders need to ensure that all operational procedures and training curricula reflect departmental policies. Operating outside the manual bears the risks of being ostracized for violating regulations, even though the operation or measures proved effective. While the principle of covering one’s backside is widely understood, what really makes a “standard” manual against terrorism largely ineffective is the ignorance of its political censors and its inflexible, bureaucratic, and presumptuous approach.

 

In textbooks, every element must take account of our legal principles, prevailing social sensitivities, such as gender, physical abilities, and the individual rights of their personnel. In short, they must stand the test of political correctness, no matter how special those “Special Forces” may be. The key operating elements of terrorism are chaos, shock, and audacity. In combination, these elements, if successfully realized, will produce the headlines terrorists need to thrive. Formulated security-protocols are mostly ineffective against deliberate chaos and do not prepare for total shock and surprise. Textbooks commonly prescribe measures which can be managed, controlled, and packaged in neat reports. Every disastrous incident, every shocking experience has been turned into a “watershed in the field of security” and leads to the rewriting of manuals and SOPs. However, each new edition is rewritten into irrelevance once the next spectacular attack hits.

 

The chaos of terrorist attacks does not equal “irrationality” and “randomness.”  This extreme violence is seen as shocking and meaningless by those who work out of the structured and organized world of government agencies and larger corporations. Chaos can be met successfully, not only by careful analysis of the extremists’ past tactics, but by studying their entire concept, goals, and methods and by getting into their mindset.The more your combined security measures resemble one “inflexible and dumb mechanical apparatus,”  which reflects textbook assumptions and only acts on preprogrammed indicators, the least effective it will be against determined and smart adversaries.

 

The first step is to ensure that equipment helps human resources and not the other way around. Your protective measures should focus on the ability, flexibility, intelligence, and training of the security staff’s actions. You need small and nimble teams of motivated individuals who can think on their feet when faced with unpredictable events and schedules.All team members must receive the same comprehensive training, so they can act independently and without the need to seek approval from a supervisor, if necessary.

 

 

 Progression Through Unlearning

 

The government’s major law enforcement agencies as well as the military’s counterterrorist commandos have immense resources in manpower and materiel to potentially win the war against terrorism. The reasons why those organizations are frequently being defeated by their nemeses lie in their inability to deviate from the textbooks and the confines of political conformity. The predictable formats they employ have always been the Achilles-heel of all disciplined services who had to fight scattered groups of armed rebels since the existence of organized governments.

 

But private organizations have the freedom and independence to develop their own security programs against terrorist threats. Businesses should do their own research and analyzes of existing dogmas from available security manuals and privately published textbooks and then write their own in-house SOPs, instructions, and training manuals. Businesses could have these materials developed with the participation of independent counterterrorist specialists.

 

Another point is that the agencies’ teaching and training methods breed rank-consciousness and blind faith in orders from above. The primary security agencies grew from small nimble departments made-up of highly talented and select elite officers into large, complex juggernauts. Over the last few years most of them have been further fattened to increase their capacities. Unfortunately, their bureaucracies increased over-proportionally and made them prone to becoming political pawns. The large size of an agency also means lower personnel standards. Quantity won out over quality in order to fill planned positions. In my own opinion, today’s foremost counterterrorist agencies—Britain’s SAS, Germany’s GSG9, and France’s GIGN—are now shadows of their former selves, hamstrung by their new complexity, political management, changing policies, inter-agency rivalries and competency struggles. These problems translated into performance lapses, which even plague the gold-standard commandos of the Israelis. Their VIP protection unit did not come off too well during the 1995 assassination of Yitzhak Rabin

 

Finally, private organizations need to take care when choosing their security staff. Most private organizations tend to source their security staff from retired law-enforcement officers or former military personnel. A security department put together from these sources may create the same dysfunctional organizational culture I’ve warned against. Applicants with those backgrounds need to be screened under consideration of my above observations. If they pass your basic selection criteria, they still need additional training.

 

In most cases, more than you may think.

 Col. Thomas Bovet is an active counterterrorism specialist with over 25 years of experience. He is the author of the blog, Alphachamber [1].