What can an organization do to integrate security into its culture? They can begin by adopting the following strategies:

-  Create the position of (CSO) Chief Safety Officer and grant that individual access to the Board of Directors.

-  Ensure that those assigned responsibility for security receive adequate and ongoing training.

-  Make security an agenda item at every Board Meeting and senior staff meeting.

-  Include articles on safety and security in corporate newsletters.

-  Develop reward incentives for employees reporting safety and security breaches.

-  Sponsor safety-and-security-related programs within your organization’s community.

-  Develop disaster plans capable of addressing today’s unique challenges.

-  Post signs and information relating to safety and security throughout your organization.

-  Develop policies addressing safety and security and enforce them fairly and consistently.

-  Conduct ongoing and challenging table top drills.

In too many cases, proactive security strategies get objected to on the basis that they cost too much money. Ironically, as the strategies above demonstrate; successful security actually costs more time than money.

The time to integrate security into your corporate culture is now. Leaders have a choice to make — they can continue to underestimate the importance of security and pay the price down the line, or they can make a conscious decision to incorporate security into their culture and protect their human resources, capital investments, and intellectual properties against the challenges we face in the 21st century. It’s time to make the right decision!

Michael G. McCourt is a partner at Principal Security Advisors.

Dollars aside, the real challenge for most organizations is the ability to integrate security into their corporate culture. To marry the two concepts effectively, executives must be able to define their organizational culture in concrete terms, and security must be seen an integral part of that culture, supported by senior management, and practiced on a daily basis!

Every organization has a culture, whether or not it is purposefully defined. Culture is the glue or set of unspoken guidelines that dictates employee behavior, guides the daily decision-making process, influences discipline, supports (or fails to support) customer service, and ultimately, impacts the organization’s productivity and profitability. It’s not found in any corporate document and rarely discussed in boardrooms, but its impact is felt in every interaction, at every level of the organization.

What then determines corporate culture? Generally, the CEO and the senior staff of an organization define culture. It is based on their personal beliefs, behaviors, operating standards, and core ethics. If personal safety, respectful and open communication, honesty in reporting, and a belief that every person has value and contributes to the success of the organization are among the leadership’s core values, then safety and security flourish. If, on the other hand, the values listed above are not seen as critical to the success of the organization, then safety and security will take a back seat to programs more directly related to the technical and operational side of the business.

Organizations that successfully weave safety and security into their cultures do so by factoring security into every project and every decision. This occurs at all three levels of the organization; tactical, operational and strategic. These organizations have learned that without the support of senior management, security is doomed to become a part-time program, subject to the “issue of the month” methodology of management.

Tragedies such as September 11th, Anthrax attacks, school shootings, incidents of workplace violence, cyber attacks and recent natural disasters have forever changed the landscape of security in our country. Before September 11th, we thought ourselves invincible; now, we recognize our vulnerability. Over the past eight years, our nation has scrambled to create an Office of Homeland Security, called upon the National Guard to provide support in disasters, increased the visibility and budgets of law enforcement agencies across the country and devoted significant resources to developing medical remedies for diseases once thought to be extinct.

Corporations too, have joined the race to develop disaster plans, increase security technology, add security personnel, develop policies, and rethink their allocation of resources. These “quick fix” strategies have cost billions of dollars. Despite the phenomenal increase in the cost of safety and security, industry reports indicate the general public does not feel any safer. (This is also true of employees) Why hasn’t this increase in cost translated into an overall greater sense of security?

The answer is deceptively simple and has been overlooked for decades in all but the largest of corporations. In order for security to be successful, it has to be viewed as a cost-effective function, woven into the fabric or culture of the organization in which it exists.

The first element, cost, is easily defined but challenging, nonetheless. Companies allocate financial resources based on return-on-investment (ROI). Today’s declining economy has placed more attention on ROI than at any other time in history; therefore, the ability to justify the cost of security has become paramount for Chief Security Officers in virtually every industry.

ROI utilizes a set of varying metrics to measure success, and the measure of success in security is “nothingness.” (Nothing happened yesterday, nothing is happening today, and hopefully, nothing will happen tomorrow.) Chief Executive Officers do not as easily embrace the “nothingness” concept widely accepted and understood by security professionals. It is critically important for senior management to become more aware of, and comfortable with, this unusual metric.

To be effective, security requires a budget equal to or slightly greater than the level of threat faced by the organization. Depending on the industry, that number can be significant. Companies have to resign themselves to the fact that effective security comes at a price. Negligent security however, comes at a much higher price.

Research indicates that the average out-of-court settlement for a negligent security case is in excess of $500,000 dollars, with the average jury award exceeding 1.5 million dollars. The insurance axiom, “it’s not a question of whether you can afford it, it’s a question of whether you can afford not to have it,” applies to security as well.

In this global age, when the future is less predictable than ever before, the question of whether or not an organization can afford security should be a non-negotiable, easy question to answer. Corporations have always spent significant amounts of money on programs and technology viewed as being intrinsically tied to the bottom line; until the time comes when security is viewed as sharing that same level of importance, companies will continue to expose themselves to unnecessary risk by providing sub-standard security. However, money alone is not the answer.

The process of training teachers, administrators, students, managers and employees to manage incidents of workplace violence has always been challenging and controversial. Many organizations have been reluctant to approach the subject based on the “Field of Dreams” myth; if you talk about it, it will come! While there has never been any reliable evidence that the discussion of violence perpetuates the act, organizations have been historically reticent when it comes to teaching their associates to recognize, intervene, and manage individuals exhibiting inappropriate behavior. The process has been further complicated by the concept of denial. Organizations believe that bad things happen to other people. At virtually every workplace violence incident, someone makes the statement; “we never thought it could happen here.” Lastly, in all too many cases, the training provided is woefully inadequate. A yearly one-hour lunch-and-learn is hardly sufficient to prepare a even the most experienced emergency responder to mange a traumatic and life-threatening event.

The workplace violence training provided to date has focused on the administrative process associated with preventing and managing acts of violence. Organizations have invested in developing workplace violence policies, management communication protocols, and disciplinary actions designed to control those who engage in inappropriate behavior. What has been noticeably absent however, is street-wise realistic training focused on surviving a life-threatening attack. Using Virginia Tech as our model, we saw how traditional training failed to protect students who found themselves in the path of an attacker determined to take as many lives as possible. Had students been trained to recognize the sound of gunfire, understand the difference between cover and concealment, or taught to recognize and respond immediately to threatening behaviors, the outcome might have been different. The issuance of warnings without ongoing survival training is not sufficient to change the outcome of multi-victim acts of violence. It’s time to change the training paradigm from prevention to survival. Organizations have to start asking themselves what they will do when prevention doesn’t work.

This proposed shift in training will require organizations to take a fresh look at their culture, their view of security, and the content of their training programs. Theory and administrative process will need to be replaced by reality and topics including; the psychology of violence, understanding the victimization/retaliation syndrome, the ROI of “nothingness” in security, building the resilient enterprise, and surviving lethal attacks. Lunch-and-learns will be replaced by ongoing, comprehensive tabletop drills. The challenge of providing a safe and secure working and learning environment will never be any less than it is today; the time to adjust training to accomplish that goal is now!

Recovery is a process…not an event.

Last on our list of overlooked topics is the process of recovering from traumatic events. What happens once the bright lights of the media have faded? What are organizations to do once the final funeral has taken place? How do employees or students ever return to a normal, functioning and productive life?

We live in the MTV society. We experience life in thirty-second sound bites, but that model doesn’t bode well for victims of tragedies. It takes time to accept and recover from personal loss, and that journey is a very personal one. Organizations have to be prepared to engage in a prolonged recovery process; one that allows for grieving, progress and regression, slowed productivity and empathy on the part of teachers, administrators, managers and supervisors. Aside from the immediate psychological support required after an incident, organizations have to be prepared to alter, reconstruct, or if necessary, demolish structures that become the final resting place for victims of workplace violence. They have to be prepared to deal with challenge of subsequent anniversaries, or perhaps manage the process of establishing appropriate symbols, structures or services to memorialize their fellow students, employees and co-workers. They have to understand the deep and very personal emotions associated with traumatic loss. While no one can accurately predict the impact of a specific incident in advance, the process of planning and anticipating such events is critical to recovering and moving on from such tragedies.

It’s sad that organizations have to consider these morbid and challenging topics, but we live in a world of increasing threats and ignoring these challenges will not make the go away. We can’t prevent every incident from occurring, but we can do out best to be prepared to deal with such events. We owe it to ourselves, to our students, employees, and to the thirty-two brave young men and women of Virginia Tech to learn from the past and prepare for the future!

The perils of privacy…

Much has been written about the background of the shooter; stories regarding his violent nature, removal from class and a court ordered assessment that found him to be a danger to himself and others. How could such a person legally purchase a handgun? The answer, quite simply, is privacy…a concept we hold dear in this great nation of ours, and a concept for which our forefathers fought and died. Every citizen has a right to privacy, even that small percentage of citizens who ultimately engage in acts of violence. Most states require a criminal background check to obtain a license to carry a firearm, but that background check does not generally include a person’s medical history. Would we really want it any other way? The same individuals and entities that complained about not knowing the history of this angry young man would be quick to criticize any educational institution for violating his right to privacy by expelling him or exposing his medical history to public review. While our Constitution is generally willing to forego the rights of the individual for the overall safety of the nation, it is not very good about identifying where those two concepts intersect. The fact is living in a free society comes with a price, and that price at times can be extraordinary. No loss of life is ever acceptable, nor should it be. This is especially true of young innocent students with their entire life before them. But the question of exposing our most personal histories, strengths and weaknesses to governmental agencies or the general public is a question that deserves more than a thirty-second sound bite from the editor of a magazine. If we learn anything from this horrible incident, it should be that we need to have ongoing in-depth discussions about these serious issues, absent the stress and emotional impact of such a senseless act.

A warning about warnings…

Perhaps the second most hotly debated aspect of this tragic event was the alleged failure of the college to warn, on a timely basis, the twenty-six-thousand students and ten-thousand employees about the initial attack and shootings that occurred that morning. The assumption has been made that warning these two groups of people sooner might have prevented further loss of life. We will never know the definitive answer to that question, but we do know something about warnings based on past experience, and it’s this…they don’t always work.

Research has shown us that people only pay attention to warnings when they come from a trusted resource and occur on a repeated basis. Even when those to criterion are met, the results can be questionable at best, as witnessed in the run-up to Hurricane Katrina. This is not to say that warnings should not be issued, and issued as quickly as reasonable and possible; but we have to use caution in assuming that warnings will always preserve life or stop violent acts from occurring. Companies and educational institutes alike should be collecting personal contact information in as many different formats as possible. In times of crisis, it is critically important to be able to push and pull life-saving information. We have the technology to do this, as was pointed out during several interviews…what we need now is the behavioral changes required to make employees and students alike believe that bad things do happen to good, and totally innocent people. Future school or workplace violence trainings should emphasize the importance of sharing as much information as possible, as quickly as possible and teaching students and employees alike to act on warnings immediately. There will always be time to analyze the credibility of the information once the immediate threat has passed. Most, if not all students in this day and age are carrying cell phones, and virtually all of them are attached to some social media platform…it’s time we start using technology to save lives!

One of the most basic of all home protections is a carefully selected or constructed “safe room” within the home to hide in case of a home invasion or intrusion. The presence of this room could make a life-and-death difference while the family awaits arrival of police during a violent episode in the home. This room should provide reliable communications to law enforcement, food, water and other provisions in case of extended occupation and must be located in a remote but accessible section of the home. The purpose of this room is to provide immediate protection to a family unit or executive while awaiting the arrival of first responders. Safe rooms should be hardened facilities with passages constructed with the thought of providing impenetrable protection from intrusion. They should not look any different from other rooms and can serve as a functioning room during times of inactivity. For instance, a safe room could be utilized as a laundry room but have a reinforced doorframe, special locks and no windows. The construction of a safe room can be accomplished in almost any home and often without exorbitant expense, depending on the level of protection required.

During family discussions with executive protection professionals, children’s routines should be discussed at length to develop sound procedures for travel to school and activities outside the home. Some of these issues will surround the usage of carpools, chauffeured cars, or family vehicles driven by the parents. Routines as well as school schedules should be examined to provide as much irregularity in the daily schedule as possible. Arrivals and departures at school should be varied. Vehicle route awareness is paramount to the safety of students. Changing schedules, routes and routines will greatly enhance a family’s ability to keep potential attackers off-guard and contribute significantly to a family’s security on a daily basis. Requesting regular patrols from local law enforcement will further enhance such security.

It is essential to understand the very human element in executive protection – that any such protection is only truly effective if the protectee is cooperative and buys into the consultant’s program for protecting them and their families. Many VIPs and executives who wouldn’t even dream about walking around without hefty life insurance, business insurance, information security, etc. do not have an executive protection program, because they cannot reconcile the overbearing and heavy-handed nature of most executive protection out there. Intelligent executive protection need not involve major disruptions of your lifestyle or business, permanent staff at your residence, or strangers with guns following you around everywhere you go. As the examples in this article demonstrate, actual close protection is actually the last resort in protecting an executive from a successful attack. A few years ago, former Secret Service Director Brian Stafford was interviewed about Secret Service protocols. He put the same sentiment succinctly when he said that if the Service got to a point during a protective assignment where the guns came out, we had already failed in our mission. If all of our pre-mission protective protocols or advance procedures are carried out properly and with attention to detail, chances are the guns will not have to be taken out.

Executive protection is not about the “beef” or about a (hopefully successful) reaction to an attack on a principal. Rather, it is about preventing attackers from ever getting into a position where they can do harm to the executive, their family, staff, business or reputation. Providing an executive with a secure environment using predictive measures, deterrence and prevention should be the primary goal of any successful executive protection program for senior level executives, VIPs, celebrities and their loved ones. The best security is not necessarily seen, but felt.

John Enright is a former federal agent with 31 years of experience at the Department of Treasury / IRS Enforcement, ATF and US Secret Service, including as Agent in Charge, Protective Intelligence Division, as well as permanent assignments and leadership at the Presidential Protection Division. His positions also include Director of Counter-Terrorism, US Attorney’s Office, RI and Director of Providence Emergency Management Agency. Mr. Enright is a recipient of the ASIS Law Enforcement Officer of the Year award.

Training executives and staff to travel more securely should be strongly considered by executive protection professionals when advising corporations. Prediction, recognition and avoidance of dangerous or high-risk situations should be considered the primary means of protecting an executive from the perils of overseas travel. Recognizing suspicious activity, avoiding high crime areas, awareness of cultural differences and bringing less attention to yourself in a foreign land should be considered paramount. Understanding unique criminal violations of law in certain foreign countries can be critical as well. For example, littering on the streets of Singapore can bring swift action, arrest and detention by police authorities in that country. Other countries have unique sections of their criminal code that should be understood before traveling to foreign lands. Religious and cultural characteristics should be thoroughly understood by the traveler to avoid embarrassing or dangerous situations. Training programs can often offset the cost of expensive security precautions, bodyguard details and other elaborate steps that the executive may not want to employ anyway. The right training can indeed provide the same peace of mind, and often pound-for-pound better safety than expensive security details, if your executive protection consultant is experienced in the protocols suggested.

Office and residence security assessments should also be conducted early on in the executive protection process, since these are the routine locations executives and their families can be found. Employing security protocols before an assessment is conducted is not recommended. The more common security enhancements are often employed in a “I have a hammer and everything looks like a nail” fashion, before conducting the proper assessment. This only leads to a false sense of security. Here’s an axiom any executive looking for executive protection should take to heart: security systems are only as good as their design, the understanding of those using it, and the ability of the system to operate as intended. Inclusion and interview of all stakeholders at these locations is of absolute necessity. Also, professional guidance in employing specific technology and establishing specific, protocols, policies and procedures for each location is essential in building a secure environment.

At the office, robust security plans that stress access control to the building, guest sign-in and vetting, badge issuance and limited access to the executive suite are among the areas that will set the tone for a secure environment. Vehicle control, garage access, parking lot location, employee safety, CCTV technology, and detailed policy and procedures governing security at the workplace are key pieces of an executive security program. If you are going to provide security outside the workplace, it makes perfect sense to ensure that the office environment is the one location that a CEO or executive staff cannot be easily accessed by an attacker. Imagine that after investing a significant part of the executive protection budget to institute a secure environment, a disgruntled employee simply walks into the executive’s office and violently attacks the executive. Was the office suite itself easily secured from people with access to the building? All scenarios of viable danger must be examined using the correct security assessment model when deciding on strategic security enhancements.

Protection of proprietary company information, copyrights, data, products and communications should be considered an essential part of your program. With ever-increasing reliance on information technology and conversion of all critical business assets, processes and communications into the digital realm, IT security becomes key to any executive protection program worth its salt. This area again does not so much involve deployment of permanent security personnel as much as it does the institution of strict policies and procedures governing all corporate information. Compromise of IT security can jeopardize not only the safety of executives but also the security and welfare of the company as a whole. IT security should be considered an always and everywhere affair – not just limited to business hours or to the company’s physical offices. For example, compromise of voice and data communications during critical corporate meetings can also jeopardize a company’s business planning, providing the competition with privileged corporate information and strategies.

Security advances that included complex intelligence gathering, multi-step threat assessment, technical security enhancements, development of countermeasures to potential threats, motorcade route security, and medical emergency precautions were just some of the preliminary advance procedures we would undertake to ensure a safe environment for those under our protection. Many private executive protection companies perform some semblance of an advance security survey, but more often than not, the extent of protection is what we refer to as “load and go” – a driver and a bodyguard accompanying an executive on their normal travel routine, providing convenience of a chauffeured vehicle and a bodyguard / assistant to deal with it all – from carrying a bag to deflecting an attack. Often times an executive’s safety relies solely on the physical acumen of bodyguards to repel physical attacks. In contrast, the US Secret Service as the premier executive protection agency in the world operates on the basis that having to engage close protection against a physical attack already represents a multi-level failure. In other words, if it comes to blows or bullets, you’ve already failed in your mission to provide a secure environment. It is quite rare to find these exacting standards and this degree of know-how in the private executive protection world. Entire areas of concern such as kidnappings, attacks on motor vehicles, medical emergencies, family safety, executive staff security, travel, office security, natural disasters, continuity of operations and crisis management are often paid lip service to, superficially addressed, or simply ignored in establishing protocols for the protection of an executive.

Executives and their families requiring security protocols often reject the thought of having visible protectors at their side. In fact, VIPs who are not well known personalities can actually attract unwanted attention just by the size and look of their entourage. Many would rather enjoy a more subtle mode of protection along with an emergency preparedness plan that both they and their staff can administer. Similarly, CEOs have a vested interest in the safety of their executive staff, other key employees, and their families. The absence of key executives for long periods of time due to illness, injury or family problems can cause great disruption to a company’s business plan and have devastating effects on the bottom line. The selected executive protection consultant should be able to provide an entire array of protective enhancements to executives and their senior staff who require security but not the entourage of a protective detail. The consultant should be able to prepare an executive to deal with emergencies that may occur during travel, and train them to protect themselves from exposure to dangerous situations by changing their behaviors and routines while at home and abroad.

Executive protection starts with raising the level of awareness of an executive, his key staff, assistants and family members. Robust training programs that enable an executive to protect himself and his family by raising awareness of dangers and how to deal with them should be the first approach executive protection consultants take when retained by a client for this specific purpose. Even executives with close protection agents assigned to them will find themselves in situations where they do not have bodyguards close by and must decide for themselves what to do next. Traveling overseas is another area where we often find executives on their own, daily making routine decisions that affect their security in a foreign country. Threat assessments should be conducted on the executive, the family, the staff as well as the company, and should be followed by vulnerability assessments of lifestyle, residence and office environments, travel routines and habits.

Let’s pick one area that is often ignored to demonstrate the depth and breadth you should expect from executive protection: preparation for medical emergencies away from home. Most executives travel often – sometimes by themselves – and fail to consider that they could get seriously injured or become ill at a moment’s notice while traveling in the US or abroad. Imagine the quandary of medical personnel in a foreign country – or even here in the US – trying to treat a patient in an emergency but having no information on that patient’s medical history. Life-saving medical decisions are often made in moments by referring to a patient’s medical history. Without the ability to reference such information, valuable time can be lost or the wrong treatment prescribed. Imagine also waking up in a hotel room in a foreign land with severe headaches, chest pains or some other illness with complex symptoms requiring immediate medical attention. What would you do? Calling the front desk for an ambulance and hospital referral might be your first thought. In many countries, however, the hotel’s hospital of choice may not be yours. Executives should be armed with the right information that provides quick access to their medical information as well as the contact information of a carefully chosen hospital. All of this information should be determined by and prepared for in a detailed plan by an executive protection consultant.

Collection of Your Personal Information

1. Registration-related: name, title, company or organization name, e-mail address(es), phone number(s), fax number(s), work and/or home address(es), birth date, gender, information about your job function, and general information about your company or organization;
2. Transaction-related: shipping and billing information, credit card information or other preferred payment means, history of purchases;
3. Information about use: frequency of use, responses to offerings, types of features used;
4. Customer service information: account information;
5. Aggregated information; and
6. Supplemented information about you received from other companies.

Use of Personal Information Collected

Access to and Ability to Correct Personal Data

Security of your Personal Information

Customized Experience

Links to Other Sites

Changes to this Statement