Category Archives: Budgeting for Security

RISKAlert Report # 840, Man Shoots Neighbor, Takes Body to His Lawyer

Dateline:  February 17, 2016

A Florida Man Shot his Neighbor to Death, Put the Body in the Back of his Pickup Truck
and Drove Dead Body to his Lawyer’s Office

A Fort Myers, Florida man shot his neighbor to death during a struggle before loading the body into the back of his pickup truck and driving it to a lawyer’s office, according to the News Press of Fort Myers, Marshall claimed he shot the neighbor in self defense.

Lawyer Robert Harris, said that John Marshall (the shooter), walked into his Fort Myers law firm claiming he had shot and killed neighbor Ted Hubbell in self-defense and had the body outside in the bed of his pickup.

The shocked attorneys called 911 and Marshall spent hours at Harris’ office before finally leaving
for the hospital around 10:30 p.m. that night.  Marshall had a swollen lip, missing tooth and what
appeared to be two broken thumbs.

According to attorney Robert Harris, JohDeath Investigationn
Marshall wrestled a gun away from neighbor
Hubbell and fatally shot him earlier Wednesday.
Harris said late Wednesday that Marshall will
not be arrested, because he shot in self defense.

Lessons Learned:

1.   Avoid fights with neighbors.

2.   If a fight seems unavoidable, call 911 and wait for police in a safe area.

3.   Do not transport a body to your lawyers office in the bed of your
pick up truck!

 

RISKAlert® is a publication of Risk & Security LLC
To subscribe to RISKAlerts® – write to:  info@riskandsecurityllc.com

Why We Need to Switch to a Risk-Based Security Model – School Stabbing at Franklin Regional, Active Shooter Incidents at Fort Hood (twice), LAX, and The Washington Navy Yard.

When I turned on the news today, I was in the middle of writing an article on the 2nd Shooting
at Ft. Hood from last week, and then saw that there had been a violent knife attack at a
Pennsylvania high school, with 20 casualties and at least eight injured critically, the next day,
there was a hate crime shooting at the Jewish community center in Overland Park, Kansas.

Once again, we see violence on a mass scale, the FBI has been brought in, and next will come
information on the victims.   With two major events, in two weeks, what can we deduce about the
security in place at both Franklin Regional High School, Pennsylvania, and Fort Hood, Texas.

        NEWS FLASH:   THE CURRENT SECURITY MODEL IS NOT WORKING!

CURRENT SECURITY MODELS

Disaster preparedness is improving,  Emergency Management is working, but security is
still not where it needs to be.  It is a systemic problem based on the fact that security around
the U.S. is still locked in a REACTIVE mode, not a PROACTIVE mode.

The main reason for this reactive mode in security organizations, is because most security
officers come from a law enforcement background, with a model which is based on crimes
and arrests, and it is totally REACTIVE.  A crime happens and police officers go into action
and arrest the perpetrator(s).

CRIME HAPPENS    =    PERP IS IDENTIFIED    =   PERP IS ARRESTED

Unfortunately, this reactive model does not work for preventing security incidents and mass violence
because it is INCIDENT DRIVEN, not Risk-Driven.  It focuses on individuals, not on a more holistic,
generalized view of Threats, and it totally leaves Solutions (Controls) out of the equation.

After studying pages of after action reviews, post-incident analyses and media sources, the one
recommendation that makes sense is that organizations need to switch to a RISK-BASED,
PROACTIVE mode for security to work
.

This was highlighted in a remark made by a Pentagon official, commenting on the 2nd Fort Hood
Shooting on April 2, and the fact that new DOD recommendations for security, had just been released.

“After the Navy Yard shooting in September 2013, another round of recommendations were made
to improve security at all DOD installations, however, a  Pentagon official said that the new
recommendations had not yet been put into effect at Fort Hood.
 At Fort Hood, very little 
had
changed from 2009
regarding security procedures for soldiers at the entrance gates.”

The question for the Department of Defense is “how could this happen again at the same military
base?  
I took extra time to study the 89-page document called An Independent Review “Protecting
the Force
”, one of 3 reports created after the initial Fort Hood Shooting, whene 13 were killed, and
43 injured.

If you look at the recommendations, they are very bureaucratic and procedural.  They could have
been written by an efficiency expert, not by anyone with a background in security, and covered things
like policy changes, and having screening for clergy and psychologists, and improved mental health
programs.   These are all important, but they do not provide a secure environment.

The LAX after action analysis’ Number One recommendation was to change
the security focus to a Risk-Based approach
.

 


RISK-BASED SECURITY

The problem with a reactive approach is that you can’t screen and lock down everyone. At Fort
Hood, for example, there are 80,000 individuals living on the base, and probably hundreds of
visitors who go in and out every day.  It’s impossible to assess the mental health, and the
‘intentions’ of all of them.

FortHoodAmbulances-Medium

That’s why a Risk-Based Approach works – because it focuses on the potential threats and then evaluates the existing controls to see whether they offer the required amount of protection based on the likelihood of the threat occurring.

You stop violent events by controlling access and by controlling weapons.  No matter how unpopular they are, you use metal detectors at certain points, you use security officers at key entrances, you control entrances and exits.

Once the event starts, you can improve security by having faster notification (panic alarms), ability
to block, or disable weapons and attackers, adequate transport, better emergency response, but to
avoid the violence, you need to have strong access control.

The Risk-Based approach makes use of annual risk assessments that are holistic in nature. They
are not done in stovepipes, they include the entire organizations, they include input from staff
members, visitors, students, vendors, soldiers, patients on how they see security from their point
of view, which is always dramatically different from management or administration.

A risk-based approach requires an organization to:

  • Define potential security risks.
  • Develop standardized risk assessment processes, for gathering and
    analyzing information, and use of analytical technology
  • Risk-Based Security focuses on PREVENTION OF NEW INCIDENTS
    whether they are active shooter, general violence, etc.
  • Enhances security’s ability to rapidly respond  to changes in the threat environment.

MORE BANG FOR THE BUCK

According the LAX (LAWA) after action report, “Simply adding more security does not
necessarily provide better security.
  Determining priorities and where to achieve great
value for the dollars invested requires regular, systematic assessment of the likelihood
and consequences (risks) associated with a range of threat scenarios that morph and
change more quickly now than ever before. 

Collaborative engagement in a security risk assessment process across the community builds
the buy-in needed to develop and sustain a holistic security program over time. Leaders must
be open to challenging established practices and demonstrate a willingness to change direction”
.

Making the switch to a Risk-Based security program is the best recommendation for those who
want to protect their staff, students, patients, vendors, clients, soldiers, and visitors from a mass
casualty event, or for all the organizations who don’t want to have a terrible incident happen in
the first place!

 Caroline Hamilton, friend of Patty Garitty (Soup Kitchen voluteer)

Caroline Ramsey-Hamilton

President, Risk and Security LLC

Caroline@riskandsecurityllc.com

 

www.securityinfowatch.com/blogs

www.riskandsecurityllc.com

Chemical Security Programs Affected by Government Shutdown

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication, and other pharmaceuticals that mean life or death to those to take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol.   Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August, 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters.  The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West. Texas fertilizer plant explosion in April 2013.

Already this week, chemical companies that had DHS inspections scheduled for this week received notice that the site visits would be postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials  was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shutdown and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.

 

 

 

Tragedy at the Boston Marathon – What Went Wrong?

Looking at the CNN footage of the Boston Marathon finish line yesterday, I was struck by the shock of the bystanders and the chaos that followed the blasts.

Having just giving two seminars on security controls, I pulled out my list to see what could possibly have been done differently to prevent this devastating outcome, and there was the first word on the list ACCESS CONTROL.

After thirty years as a security expert and risk-threat analyst, I am about 85% sure that this was a lone wolf attacker who made his crude bombs to address some personal perceived problem, whether it was fear of gun legislation, spillover from the Israeli-Palestinian conflict, the Neo Con torture initiative, or something else.

Putting the attacker aside for a moment, the tragedy happened because SOMEONE WAS ABLE TO WALK RIGHT UP TO THE FINISH LINE AND PUT AT LEAST 3 BOMBS right near the finish line!   THiS IS NOT RIGHT.

There has to be SCREENING and ACCESS CONTROL PROCEDURES IN PLACE!  You can’t have security if you have open access to a major event like the Boston Marathon.  For year, security experts have cautioned that large crowds make a great target, and so events have paid lip service to this concept, without staying on the task, and making sure that SECURITY CONTROL NUMBER ONE –  ACCESS CONTROL  is ALWAYS in place.

But people don’t like access control, it’s too much trouble, they say.  They don’t like metal detectors, too expensive, too much trouble, too intrusive.  Well, it’s not as intrusive as having a major injury.   There are ways to secure these high profile sites, but the security community has to lead on this.

Yes, it is very sad and depressing that the world has come to this — but it has.  And it will happen again.  As long as security is perceived as too much trouble, too expensive, too tough to do, and too intrusive, there will be more tragic events like this one.

 

 

Wondering Which Security Controls Offer the Highest Protection for Less Money?

Security Controls can be incredibly cost effective or astronomically expensive.  And when you’re faced with a facility or a school campus, or a system that has to be secured, but you also have a budget to keep in mind – what do you do?

The simple answer is ROI – Return on Investment.  This simple calculation compares the Cost of the Proposed Control to the Protection is Provides and that creates the magic ROI Number.

Here’s an example:   A hospital near the New Jersey shore wants to create a new emergency ops center.  They have the space,
but it would cost about $250,000 to build it out.  Here’s what we look at – how often would they use an emergency ops center?

Threat data shows that they would need to use it about 3-6

Operations Center (OPS)
Operations Center (OPS)

times a year, including severe storms, thunderstorms and hurricanes.

(After Hurricane Sandy, the hospital was closed for two days because they were not able to resume service right away.  As a result, the hospital lost about $2,000,000 per day because it could not bill for any services, none could be provided.)  

So we take that lost $2,000,000 per day and say that if we could keep the facility open because we had a better operational center, we could easily save 2 days of revenue which is $4,000,000 for the 2 days, and if it cost us only $ 250,000, and saves us $ 4,000,000, that’s a Return on Investment of SIXTEEN to ONE, 16:1.

Say it saved us 3 days of revenue a year – that’s a ROI of TWENTY-FOUR to ONE, 24:1!

You can get more info by writing to me directly at caroline@riskandsecurityllc.com and requesting a webinar invitation,
or a copy of the video.

 

Will the Risk of the Sequester Affect Security Budgets in 2013?

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the most obvious casualty are the government contractors who’s contracts may be arbitrarily cut, and civilian managers of federal programs will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!