This module will take you through Space and Territory: Creating a Secure Organisation.
- Creating A Secure Organisation
- Total Security Management
- Two ‘Best Practice’ Organisations
- Security is About the Management of Territory
- The Attributes of Territory
- ‘Total Cover’
- ‘Tight Management’
- Territory Equals ‘Security in Depth’
- Security in Depth
- Total Cover Means That Everyone is Responsible for Security
- Tight Management Is ‘Sensitive Systems’
- Main Points
- Further Work
- Exercise 1:
- Exercise 2:
- Exercise 3:
The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’
Creating A Secure Organisation
‘The purpose of security is to create safety, not respond to danger’.
One of the most effective ways of developing security management systems is to look at how other organisations manage their security programmes, and to learn from how they have managed to balance the various aspects already covered in previous chapters. This chapter introduces two organisations that are widely accepted to have developed world class Best Practices for dealing with widely differing threat profiles: one is tasked with managing mass-access but low-threat amusement parks, whilst the other has developed its own security management practices in the face on international terrorism for over forty years. The principles that they have developed to create security management capability across their organisations will be of value for anyone involved in any aspect of security management.
Total Security Management
Although the ‘Creation of a Safe Organisation’ is the ultimate objective of any security manager, there are still many differing (and in some case, conflicting) ideas of how that can be achieved.
One of the common models of security management has been ‘Threat-Based Management’ which was covered in the three-stage Risk Assessment – Risk Control – Contingency Planning model introduced in Unit 1, which is based on the idea that if you identify all possible threats, and then develop methods (‘protocols’) to prevent them from happening, you will then have created a safe organisation. The problem is, of course, that you will never run out of possible threats, and the likelihood is that however many threats you think of, the world will throw a new one at you that you hadn’t taken into consideration.
However, another method is to approach the problem from the other side, namely by concentrating on creating security as an integral part of the organisation, and then trusting that any potential problem that might become threat to the organisation will be identified early enough to manage and deal with that potential threat before it has the opportunity to escalate into an actual danger. One phrase used to describe this approach is ‘Total Security Management’. Although TSM was originally coined to describe the management of vertical risk – that is, through the different levels of supply chain management, so that the end-user was not dependent on the effective management of the previous links in the supply chain that were outside of their control, it can be equally used to describe the total control of territory that comes under a security manager’s responsibility. In this way, security management can be seen as a proactive measure designed to create safety, rather than a reactive system that responds to risks, threats and dangers only after they have been detected.
Two ‘Best Practice’ Organisations
There are two organisations that are widely recognised to have integrated best-practice security and risk management into every aspect of their wider management operations, one dealing with the issue of normal, daily low impact high-likelihood scenarios, and the other dealing with potentially more serious low-likelihood-high impact threats.
The first is Disney World, which has created a self-contained Kingdom within which one of the main selling-points for potential visitors is its safety. Although Disney World is designed to deal with a massive amount of people with the freedom to choose to do a massive amount of different things (apparently…), the underlying management system is one based on total control of their territory, so that once you are inside Disney World you are actually experiencing a totally managed experience.
The second organization is El Al, the Israeli national airline, which since the first political hijacking of a plane on 21st June 1967 of an El Al plane from Rome to Tel Aviv airport (following the end of the 6-Day War), has maintained security in its airports and planes across the world for 45 years (despite a couple of notable exceptions, specifically the killing of 26 people in an attack on Lod Airport (now Ben Gurion) in 1972 by members of the Lebanese-trained Japan Red Army). El Al is still considered as perhaps the most effective security management system in the world, and its methodologies are widely accepted as setting the bench-mark for securing mass access public areas. Although the Disney World and El Al are seemingly faced with radically different threats, the methods they have devised to manage them are remarkably similar.
Security is About the Management of Territory
The first concept common to both systems is Territory. Territory is that space over which you have control, and for which you take responsibility. For both Disney World and El Al, their territory begins a long way before you reach any actual buildings. In Orlando, Florida, there are signs welcoming you to Disney World from 30 miles away, telling you what documents you will need, informing you of what attractions are available, telling you what radio station to tune to for Disney world information. In Israel’s Ben Gurion airport, the first check points are 2Kms from the actual airport, and are designed to give you the positive feeling that you are entering a safe zone, one where possible threats and problems have been identified and effectively mitigated. This First Point of Contact has two purposes. The first is to clearly mark the territory where you accept responsibility for creating and managing a safe space. The second is to allow the FPoC to act as an initial filtering system, allowing the initial security team to identify people who will not move through the system smoothly, who can then take be taken to the side and dealt with on an individual basis, without disrupting the main flow of business.
The concept of Control of Territory is continued once the visitor is ‘inside’. There is nowhere within Disney World, or within an Israeli airport or airline section, that is not under the control of someone who has the specific responsibility for maintaining the safety of that area. One writer told how his daughter developed a blister during a visit to Disney World and removed her shoes and socks. She was immediately identified and confronted. When told that this was not allowed ‘for the safety of visitors’, and that failure to replace her footwear would result in them being escorted from the grounds, she decided that the she would undergo the pain in order to be allowed to remain within the funfair.
The Attributes of Territory
Territory is defined by a Boundary. This is where the First Point of Contact is made. Access Control allows easy entry to that territory for those who pose no problem, and gives the security system the opportunity to identify potential problems before they are able to make an approach to higher-risk areas deeper within the system
The second concept common to both organisations is the fact that ‘Everyone is involved in security’. It is reasonable to presume that a small security team cannot maintain control and ‘eyes on’ to every possible situation that might develop. However, if everyone within the organisation is security aware, then the likelihood is that someone will become aware of a potential problem before it escalates into an actual threat, and that information can be passed on to the security team, who can then intervene in the most appropriate manner. This is not only relevant to traditional security threats, but is valid for any actions that could threaten the organisation.
Although it seems that this is a simple principle, you only need to read the papers each day to see how organisations are putting themselves into danger because simple problems are allowed to develop into major threats, because although people are aware of them, no-one has taken the responsibility to inform someone in authority.
The question therefore, is how can we adapt the lessons learned from these global security leaders, and introduce these highly effective security management models into our own organisations?
The third principle of security management that both systems are based on is that of ‘Tight Management’. Writing security manuals and lists of protocols is easy. Maintaining them at an effective level over time is almost impossible. The truth is that most security programmes fail because the policies that have been put into place are not adhered to, and then a culture of laziness or ignorance becomes embedded into the organisation. Both of the organisations that we have discussed here have a very strong management system in place, so that there is a clearly-defined organizational culture that security management is important, everyone understands what they have to do, and control systems are in place to ensure that they do so. If you want to test the system, drop a chewing gum wrapper on the floor at Disney World, and see how long it takes for someone to pick it up, and then inform you that littering is not allowed.
Territory Equals ‘Security in Depth’
Territory is not just ‘Space’. For example, if you were the manager of a factory with an attached car park, but you had no information about what was happening within that car-park, it could not be considered your ‘Territory’. Even if you had information about the car-park – for example, through use of CCTV monitored from a central Control Room – but could only observe what was happening without being able to do anything about it, you would still not be able to consider that area your territory. So, one definition of Territory is ’That area over which you have both information and control’.
Once the concept of Territory as a function of information and control is accepted, the next question concerns exactly where our territory starts. This is a critical question in the process of developing an effective security management capability.
Any Territory is defined by Boundaries. It should be clear to anyone coming into your territory that they are now coming under your control – though that should be done in a friendly, welcoming way, rather than an officious, impersonal way. The Boundary is marked by the First Point of Contact. Although the First Point of Contact might be overtly security-based, as in a government building or military base, depending on the general threat environment it can also be seen in terms of ‘Meet and Greet’. This form of security as ‘customer care’ can be seen in hundreds of different situations where security managers want to clearly mark the beginning of their territory, such as bars, where there is a Door Supervisor outside the door, 5-star hotels, where there is a doorman waiting to greet you, corporate headquarters, where there are security personnel who will show you to the reception desk, or shopping centres, where there are (or at least, should be!) security personnel at the main entrance.
As we established in Unit 1, there is always a balance between Freedom and Security. One way that we can calibrate the level of security is the distance between the First Point of Contact and the thing that we are securing, and the number of barriers you need to pass top get there. As a basic rule, ‘The greater the distance between the FPoC and the target, and the greater the number of barriers, the safer you are’.
Security in Depth
Additional security can be created by increasing the distance from the First Point of Contact and the main area that is being protected, and by the introduction of additional barriers. The basic principles behind Security in Depth are the same whether it is limiting access to the backstage area at a concert, the VIP room of a club, the Chairman’s office in a major corporation or the research laboratories in a technology company.
Total Cover Means That Everyone is Responsible for Security
One of the fundamental principles of both Disney World and El Al is that security is not just a single event – you show your pass to someone, and then the security checks are finished – but that security is in-built into every aspect of that organisation’s functions.
For example, whilst the security teams in both systems are highly-trained, extremely professional and well-resourced, they are not the only people responsible for security. The car park attendants, the toilet cleaners, the peanut-sellers, the people taking the rubbish out of the kitchen are all considered to be part of the security management programme. In this way, it is possible to have total cover of an organisations’s territory, where someone will be bound to spot any potential problem before it becomes an actual danger. The role of that person is then to inform the security team that something is not quite right, and they will then be able to respond in an appropriate manner, assess the situation and take the necessary actions.
Tight Management Is ‘Sensitive Systems’
David Veness, the former head of Metropolitan Police Special Operations Unit, who was later a Special Adviser to the United Nations Commission on Security, used to have only one sign on his desk. It read ‘Security is the management of complacency’. Any effective security management programme has to be one which can be maintained over time, without any loss of capability. Although this is a simple idea to put into words, it is possibly one of the hardest aspects of security management to actually control.
People are lazy, systems that are considered too intrusive are switched off, good practices are left to wither, systems are not maintained, and often after a certain amount of weeks or months, things return to how they were. It is well recognised that to create genuine organisational change is one of the hardest things to achieve, and yet to a large degree that is the purpose of the security manager. After all, if everything was OK, there would be little need for the security manager in the first place.
Although there are often limits in what a security manager can achieve (it is often true that the security manager is relatively low in the organisational power chain), there are a number of basic rules that will make it easier to achieve organisational change, and introduce an effective security management system that will at least move towards the creation of a safe organisation.
The first is that it is better to have a few rules that everyone follows, rather than many rules which are mainly ignored. The purpose of the security management programme is to support the overall activities of the organisation, so any rules that are introduced should be simple, easy to adhere to and understood by everyone. If there is a system of access passes, that should be used by everyone. If there is a rule that lone workers should log where they are going to be, and then confirm that all is well in a final call before they go home, that should be adhered to.
The second rule is that the security management system needs to be supported by everyone, from the Chairmen to the toilet cleaner. Security is not just the responsibility of the security team, but is one of the basic functions of everyone who works within that organisation.
And the third rule is that security is for ever. It is the role of the security management to ensure that the level of security awareness and readiness is maintained, and that standards are not allowed to slip. The Second Law of Thermodynamics (also known as Entropy) states that unless extra energy is put into a system, it will tend to slow down, lose effectiveness and generally come to a halt. This is equally true of security management. Effective security management is not a natural state. It is the role of the security manager to ensure that the necessary protocols are adhered to, just as much as writing the initial security management programmes in the first place.
Having taken two examples from American and Israeli organizations, we can finish off this Module with another concept, this time from Japanese management systems. Kaizen is the idea of ‘Continuous Improvement’, and has become one of the leading general management theories in the last twenty years. In its simplest terms, Kaizen is built on the principle of incremental improvement – identify a weakness, find a way of improving it, implement it. It is a philosophy as much as a method, and believes that everyone has expert knowledge of their own field – the car-park attendant is as expert at being a car park attendant as the chief scientist is as being a research manager. They might also be aware of ways in which the security of the car park might be improved which no one else in the organisation has. Arsene Wenger, the Arsenal manager, put it another way. ‘If you improve a hundred things by one per cent, you get a hundred per cent improvement’. Whilst this may not be strictly true from a mathematical perspective, it is an excellent way of managing security kaizen.
Security has to begin and end somewhere, and that point is decided by how we define the territory that we accept responsibility for. Security in Depth describes the way that we can utilise our own resources in order to create progressively more secure environment. These simple principles of security management are used by two of the most well-respected organisation in global security management, each of which is facing completely different potential threats.
These principles are easy to understand, simple to implement, and can be adapted to almost any security situation.
- Total Security Management allows you to be proactive in developing a safe organisation, rather than responding to individual risks / threats
- TSM can be Vertical – as in Supply Chain Management – or Horizontal, through control of Territory
- Territory is Space which is defined by Boundaries, and for which you have Information and Control
- Safety is increased by Security in Depth
- Everyone in an organisation is part of the Security Management Programme
- Kaizen allows for a culture of continuous improvement across the organisation
(Although the exercises below do not constitute part of the assessed course work, they are offered as a suggestion as to how students can utilise the principles covered in each module in a practical, task-orientated manner. Your tutors will be happy to give you feedback on any work you do, though it will not carry marks for course assessment).
An organisation has been identified as being involved in an oil spill in Alaska. The Board have decided that the security system around its HQ offices on the 13th-20th floors of an office block in Canary Wharf need to be reviewed, and if necessary improved. Using the principles covered in this module, what recommendations could you make to the Board?
Your Chairman has returned from a visit to Japan, where he has heard about Kaizen. He has requested you give a presentation to the next Board meeting, identifying how Kaizen can be of use to the overall security management of the organization. Put together a PowerPoint briefing (about twenty minutes), that could be given to the Board, together with notes that could be distributed to the Board at the meeting.
Your company has taken over a production factory in Ukraine. It stands in its own area within a larger industrial park. As Head of Security EMEA, you are going to visit the facility to assess the level of current security, and to identify possible areas that might need improvement. Put together a checklist of points that you would need to cover during your visit to the facility.