On March 17, Security Director News Managing Editor Amy Canfield (a media colleague I respect) wrote a blog post, “Journalists 'surprise entries' to schools draw criticism. Why?”
And as much as I like and respect Ms. Canfield, I have to totally disagree with her take about media people showing flaws in security, especially at schools, by walking into unsecured buildings and areas.
As I told Ms. Canfield, in my opinion they had no right to do this, it was dangerous, and frankly I think they should have faced charges.
I know that sounds harsh, but here are some points:
1. With the climate of heightened awareness of what is happening in our schools, an untrained person should not be the one testing security at a place like a school. As a former cop, FBI-trained SWAT member and chief security officer who worked in an armed capacity, I know this could have turned out very bad. Imagine I am the armed officer in the school and see this person enter a bathroom. I confront the person, and they make a move that I perceive as going for a weapon—I am going to shoot. I have had the unfortunate experience of seeing fellow police officers shoot and kill suspects who made moves perceived as threatening only to find out that they were not armed—it happens and is very bad when it does.
2. Putting school children in a panic is just uncalled for, no matter what point you are trying to make. I remember an incident when I first started in security and was working for a pharmaceutical distribution company outside of Chicago. It was high risk and security was tight. A security vendor I was considering using to supplement my security decided one day to make unauthorized entry into the building and run out a fire exit into a waiting car, setting off all types of alarms. They were proving the point that there were "gaps" in our access control, however, as pointed out above, they were almost shot, and they really didn't enter into any secure area except the office and scared the heck out of office personnel. If traumatic to adults, I can't imagine, in this day of tragic events we have witnessed in schools, how traumatic it would be to children. (As a side note, that vendor never got work from me or anyone else I told about what they pulled.)
3. Lastly inducing panic is pretty plain and simple by definition. No one should be doing this, period.
Now to Ms. Canfield’s point: how the heck does this happen in any school given what we have experienced, and where is the security? I totally agree; if a reporter can penetrate the school, what would a bad guy be able to do?
But this comes down to several points (below) about what an effective security plan entails, which I think a lot of people do not understand, and I would guess a lot of organizations do not practice: penetration tests of their own security.
1. Security is never 100 percent and never will be, but untested security is 100 percent vulnerability—you are guessing it will work.
2. Security is not "things" you just put in place for peace of mind. Alarms, CCTV, etc., are parts of overall security (physical, electronic and procedural), but the object is to create layers to make it harder for the bad guy to penetrate. “Things” cannot be put in place and left untested, and that goes for people as well as technology.
3. There are ways to do controlled penetration tests without panicking people. I have personally completed many at various institutions around the country without inducing panic, and as a chief security officer I have hired people to test my own security and security personnel. Typically, I would do four to six penetration tests a year (not an alarm test, but a person physically gaining entry into a protected facility or area). There are safe ways to do this and afterwards, pass or fail, make adjustments and let your staff know how they did.
Unfortunately, many organizations spend resources on security but never actually test its effectiveness, and this is a big mistake.
There are ways to do controlled, unannounced penetration tests, but they need to be done by professionals, before the media shows up or, worst, a tragic incident occurs.
Jeffrey A. Hawkins, B.S., M.S. is a senior public safety/security professional with over 30-years of diverse experience working for profit, not-for-profit and government organizations on a local, regional, and global level. He currently serves as Manager, Strategic Initiatives for the Private Security Sector at American Military University. His full bio may be found on LinkedIn at: http://www.linkedin.com/in/jeffreyhawkins/