Technology as a security solution, used or misused?

As a preamble to this mini-essay, I’d like to let the audience into a bit of my tech background. In my past I’ve worked at a high tech startup which was later acquired by one of the largest multinational tech companies at the time. I then opened Multi Tier Solutions, a company with very cool tech solutions for the security world. Yes, I used to code, and absolutely, I am a proud geek and ardent fan of technology and still advise some very exciting tech companies. Technology is not only fun, it’s sexy and it can be extremely powerful. It’s this “power” however, that can also be its biggest weakness, when not used correctly by us, the most important factor, the human factor.

To recap, my philosophy of effective and practical security is based on the principle of four pillars, all working together to support the goal, the “umbrella/ceiling” of security over the protected assets, whether people, property or information. 

The pillars are:

  • Physical means

  • Technological means

  • Security and non-security personnel 

  • Procedures

These pillars are not even; each one has undulating impact and functions: to prevent a crisis, to respond to and manage a crisis, to recover from it, and to return to prevention after the crisis. The defined and desired impact of each is the result of understanding what hostile act or crisis is of higher probability and criticality, and mapping that to existing measures and vulnerabilities - then each pillar is designed to plug gaps left open by weaknesses in other pillars.

CCTV Effect

Of late, however, as technology develops at warp speed, security leadership often places a higher importance on using expensive technology without considering the operational cost. The “CCTV effect” is ever present when security solutions begin with “we’ll put a camera there” but without robust tactics to respond to what is being witnessed on the camera; no tactics to use the camera to monitor a crisis, and perhaps, the most prevalent culprit - monitoring tens of cameras looking for an anomaly.

Then What?

Shortly after the shooting at the YouTube HQ in CA, I was invited to multiple corporate campuses across multiple continents, and came across a very similar and worrying phenomenon: weapons detection systems. Some of these are very effective at what they’re designed to do, but were implemented as standalone solutions. What I saw was great detection technology, with absolutely no thought given to what happens if indeed a weapon is detected. No robust physical barriers, no effective security personnel at that checkpoint, and no procedures to guide the incident management process. So, the system has detected a weapon, how does security categorize the person with the weapon as innocent or dangerous and, if dangerous, what then?

I get it, knee jerk reaction to “do something” and appease the C-Suite, but still, an unbalanced and not thought through solution that will not prevent, limit or stop an attack by a determined attacker.

Recently there was a hazmat scare at a large campus and the entire campus was evacuated. There was clearly a skilled operator and quality equipment in place to identify contraband within mail, but was there a robust plan in place to identify what actions to take once an issue is identified? Perhaps there was; I was not there, but it’s something to consider – if there is a system in place to identify a threat, there must be a system in place to manage the threat right through the lifecycle until end of incident. (Unrelated to the examples above) “Call 911/999” is not an incident management plan.

Texting Syndrome

Now, to the catalyst for me writing this essay, the “texting syndrome”. I’m getting on. I’ve been doing this for a long time and shortly after I was appointed to my first management position back in 1993, I was issued a Motorola “brick”, complete with leather shoulder bag. I look at how far communications technology has come since then, how powerful our smartphones are, how useful they are, and how they are making our field protection professionals significantly over-reliant on communications by text, and less effective than they should be. This manifests itself in various ways and is a result of a combination of a lack of streamlined communications and a lack of self-confidence, and simply not knowing different.

  • Lack of Streamlined Communications

    • Not knowing what to communicate results in a flood of information being transmitted by text. 

    • On the ground security needs to know what to communicate and to whom. 

      • If a protectee is arriving at a venue, really the only people that need to know real time are the advance team waiting to receive; and even then, absolutely no text communications should take place at the time of arrival.

    • More details/teams than not are busy texting when their eyes should be looking for hindrances, threats and potential issues, and much of this is driven by a need to “log” these comms. Logging is a tool, not an objective.

    • Have confidence in your teams and team members or change them. 

  • Lack of Self Confidence 

    • It’s a human trait that crosses all cultures, that when we’re uncertain, or not confident, we look to peers and strangers (social media is built on this) for reassurance and positive feedback.

    • There’s usually no reason to communicate your every move, your every position and everything that the protectee is doing. 

    • If you’re on it, it’s under control, not everyone needs to know and if they need to know, do they need to know real time (Ask yourself what will happen if you don’t communicate that message)? 

      • If yes, why not make a call or use a radio?

The Crutch

Examining the majority of operational mishaps (I’m not referring to hostile acts), the reasoning by the team will most often be the same, and will somehow blame communications or other technology. “We didn’t have the information, we didn’t get the text, there were too many texts, so we ignore them” and “the scanner didn’t pick up on it” etc. If everyone does what they need to do, and worries about doing their own job/task, they will be less concerned with everyone else and there’ll be fewer communication-caused mishaps. Human factor, the most important.

My advice, old school versus modern marvels

Cellphones have greatly replaced radios during protective operations. This is a gross tactical error. Yes, there are apps to “simulate” a handheld radio, but these don’t work well during routine operations and will certainly fail you during an emergency. Use radios to communicate real time information; only communicate what you need and when you need to, keep your eyes up and keep your cellphones available for phone calls, when and if needed.

Conclusion 

Colleagues, clients and friends, please remember, the human factor is most important: humans make decisions, humans respond to issues and, with robust procedures, humans are most effective at using technology. Technology as a solution is not a solution, it’s a false sense of security. Combined with physical, people and procedures, and implemented correctly, technology is an effective, and often important part of a holistic robust solution that will perform when put to the test. Think of pillars holding up a roof during a storm, if one is weak, the roof will come off or it will collapse on the people inside, but either way, it won’t weather the storm. Develop and maintain a strategy that is inclusive of all the pillars, that is inclusive of all the security functions and avoid the pitfall of “siloing”.

Ivor Terret