Security Considerations: Questions & Summary
he Fighting Stance
Security Awareness
Abstract
One of the first things that a new karate student must learn is the proper stance. This is the key to maintaining footing and being able to deliver the powerful punches, blocks and kicks as he improves.
In any organization, the cornerstone to building a safe workplace, or the proper stance and footing, is awareness of security issues. Security risks do have an impact on companies whether or not that impact is understood or even if leaders are not aware of the impact. Understanding how security integrates into the business is an ongoing process that should be part of all operational decisions. Increasing the focus on security starts at the top with the board of directors and at the C-level, stressing and emphasizing the importance of dealing with security risks and setting a good example.
Keywords
Business functions ; Business karate ; Loss prevention ; Monthly reporting ; Security awareness ; Security education
What is Business Karate?
Several years ago, I had a brilliant thought. That is not a very common occurrence, so of course it stands out in my mind. I realized that the whole concept of protecting a business or organization (in my case at the time a large urban hospital) was not that different from a form of self-defense—self-defense on a larger scale. The steps involved in learning a martial art for defense actually did have some comparable real life aspects that translated to how an organization or enterprise could, or should, go about protecting itself. Martial arts students have to learn to block, kick, punch, and even how to break out of holds or fight after being knocked down to the ground.
Karate students have to learn what parts of their bodies need the most protection and are vulnerable to different attacks. Enterprises have to learn what parts of its businesses need the most protection and are the most vulnerable to different threats. Both have to learn how to protect themselves from those attacks. Karate students learn how to defend against attacks from several different directions, even simultaneously. Businesses as well can be attacked on several different fronts at the same time. Threats can come from inside, such as employee thefts, or from outside, such as burglary, or even farther away if foreign politics affect supply chains.
Throughout this book, I have outlined concepts or methods that any organization can implement to better protect its interests and more importantly, its employees—from building awareness about potential, real concerns; to learning how to block; to how to kick and how to recover when knocked down and nearly out. These are all topics covered throughout this book.
Of course, part of learning karate or other martial arts is the periodic testing and the belt levels, including a black belt for the experts of the sport. The same could be said of all organizations. How well protected is it? Does the business have a black belt or does it have a white belt and is early in learning and development? Each chapter concludes with several pointers that help determine your own organization’s belt level. There are examples or criteria based on the ideas covered in every chapter for all belt levels from white (beginner) advancing up to black belt. If a business meets all the criteria listed for the black belt and each of the other belt levels, it can consider itself well protected, at least in regard to that specific chapter.
Martial arts come in many different styles and formats. Some, such as a more traditional form of karate, including Shotokan karate or tae kwon do, are more aggressive and meet force with force. Other martial arts, such as aikido, use an opponent’s motion and attacks against them by deflecting or redirecting an attack. Every organization must balance its security needs with the right level of protection. What works for a nuclear power plant will be very different from what works at a retail outlet. Many businesses thrive on attracting customers to their premises, not discouraging them or driving them away. Finding the right level of protection is very much like finding the right martial arts class that fits your style or learning objectives.
In addition to the security management benefits, there is one other key benefit: fun. I’ve loved studying martial arts. It has become a key part of my workouts, keeping them fresh and interesting. It has also helped me deal with tough situations, encountered as a police officer, with confidence and self-assurance. Certainly, as you read this book and take away ideas that will help you create a safer workplace, I hope you also have some fun. Enjoy the process as you work toward your enterprise’s black belt!
Welcome to Karate Class
If you’ve ever taken up a new skill or tried to learn a new way of doing something, you probably remember how awkward and difficult it was at first. As adults, we often do not spend much time learning something new, but think back to a time you did. Maybe it was learning how to swing a baseball bat or developing skills to ride a mountain bike. More recently, think about the last time you got a new cell phone—there was definitely a learning curve.
For someone new to martial arts or a self-defense class, it can be just as demanding. Suddenly, you are in a situation that is unfamiliar with new challenges, struggling to get your body to learn new movements and trying to do something completely foreign.
One of the basic building blocks in the martial arts is stance. The different stances are among the first things taught to new students. The stances help teach a newcomer how to maintain his balance and how to set his body in the right position to perform blocks, kicks, or punches. The stances become the foundation for everything else to be learned.
In karate, different stances are used for different circumstances. One is the front stance. The front stance is very stable, balanced with a slightly lower center of gravity. It is an aggressive stance, one used for several kicks and for punches.
Another stance is the back stance, which is used for quick blocks or fast attacks, generally on a close threat. This is also closest to a traditional fighting stance, ready to move quickly in any direction.
The last stance is a side stance with the feet spread and knees bent, the body ready for a powerful sidekick attack.
Each stance prepares a new student for the attacks and blocks that they will need to learn as they progress. By practicing and learning the basic stances, the student builds awareness of their capabilities, the positioning of their bodies, and the readiness to respond.
So what does this have to do with business? Virtually everything. The new white belt is using the stances to become aware of his foot placement, his balance, and learning how to position himself in new ways. In the workplace, or even in our personal lives, the foundation of organizational self-defense or security is awareness. Awareness is the base needed to develop any program of protection.
A business, school, church, hospital, or any organization interested in implementing a security plan needs to become aware of its footing or posture. By that, I am referring to the understanding of exposure to risk, understanding the possible problems, and developing a focus on security.
Think of it this way. One of the main reasons you or I would sign up for a karate class would be to learn self-defense. There could be other factors as well, such as fitness, but generally protecting one’s self is a key interest of new students. New white belts learn about footing and balance, not because those things alone will offer protection but because they provide the foundation for more practical applications as students become proficient and advance. Then the karate students can begin to realize the goal of self-defense, namely to protect their number one asset—themselves.
So, one of the first steps of organizational self-defense is to recognize that security is an integral part of the business and identify what needs to be protected and develop a view of what the current footing is in regards to the security or protection of key areas. At this point, you don’t need to conduct an in-depth risk assessment. But think about your critical functions, your key assets—the things that make your workplace tick. For a teacher or school principal, the answer may be very straightforward. The goal of the program would first be to protect students and teachers, and second, to protect the school property, both the building and the contents. With a closer look, you might think of the school’s reputation; what would be the media and parental response to a critical incident, especially for private or charter schools?
For other managers, the identification of key assets may not be as easy. If you are a manufacturer, your business may depend on a wide variety of processes, each of which could be a key asset that needs some level of protection. For example, you produce the infamous widget, each of which is made with 10 parts that you order from different suppliers. An event at a supplier location could stop you in your tracks. Perhaps part number four of your widget is shipped from overseas and the dockworkers at the port where your parts are exported go on strike. Can you continue to operate and produce widgets minus one part?
Maybe you run a small office. You might have typical office equipment, computer, important information, or client lists. From my experience in law enforcement, I knew that every night or weekend I could park my patrol car in an office park or group of buildings and find unlocked doors within a few minutes. Would you want to hassle with replacing computers or printers or re-creating missing data or files because no one locked the door?
No matter what type of organization you work for, there are common functions. Each area has potential ties to security, and just being aware of some of the associated risks can help manage and reduce those risks ( Figure 1.1 ).
Every company will vary to some degree. You may have a legal department, for example, something that could be considered part of the overall leadership and management in this model. The idea here is to reinforce that security is, or should be, a vital element of the overall organization and its functions ( Table 1.1 ).
FIGURE 1.1 The security program plays a vital role throughout an entire organization.
TABLE 1.1
These are All Simple Examples to Get You to Think with a Security Filter or Mind-set
|
Process |
Security Connection |
|
Human resources |
People are credited as the most valuable assets by most decent companies. People truly make the difference between failure and success. Before or during hiring, background screening should be done to protect the organization’s interests. When things go wrong, investigations into threats or other wrongdoing are vital to that continuing protection. |
|
Manufacturing |
All the equipment and goods that are used to create your product are valuable assets that need protection in order to protect the overall business. |
|
Facilities |
Obviously, each site and building will have specific issues, from neighborhood crime patterns, to video surveillance, alarms, lighting, and hours of operation. |
|
Customers and visitors |
The safety of everyone on the premises is crucial, as is the protection even if their presence is “virtual” such as an online shopper. While it is not typically a conscious concern, if customers do not feel safe at your site, they will go somewhere else. |
|
Vendors |
Like employees, vendors and contractors have access to facilities and often with less in the way of training, screening, or other checks and balances. |
|
Supply chain |
Any interruption in critical supplies can have a huge negative impact on the business. A well-rounded risk assessment can help identify potential problems, even from foreign suppliers. |
|
Proprietary information |
It is hard to imagine any organization that does not have valuable information on hand, whether customer files, credit card information, or precious trade secrets. Information comes in both physical as well as electronic formats, and this is an area in which physical and IT security need to coordinate to best protect that information. |
|
Management |
Leadership is responsible for the normal daily decisions but also must be able to evaluate risks created by security events and make strategic decisions on how to best manage and reduce those risks and the exposure to issues such as liability. |
|
Accounting |
Accounting or finance is responsible for the overall funding of the firm. There may be cash on hand to protect, as well as financial assets. This is also an area with a higher risk of internal embezzlement. |
Increasing Awareness
The main point of awareness is to develop an understanding of the impact of lax security. Once you or your organization has that basic understanding, you can begin to take the right steps to create a safe workplace.
Awareness alone, however, is not quite enough. To become an effective foundation, awareness needs to be converted into action—an ongoing state of alertness. For the new karate student, the instructor would not just say, “Balance and footing are important.” No. The student actually practices so it becomes a routine matter to be aware of balance and stance in order to acquire the building blocks for later, more advanced, moves.
In business, security concerns should be taken into account and risks considered as a regular part of any decision-making processes. Ideally, this would become an automatic thought process or consideration whether expanding, contracting, or implementing new processes or operations, including changing hiring practices.
In reality, this does not always happen. For example, one hospital was planning to add a day care service for employees. Staff retention is important in any organization and can be very competitive in health care. Older hospitals in urban areas may be competing for clinical staff against new hospitals with the latest medical equipment, located in suburban areas with lower crime and other perks, such as easy or free parking. So staff satisfaction is very important. From a strictly business perspective, the idea looked attractive. The impact on staff morale was considered as was the potential usage, locations were discussed, and budget issues were reviewed. However, the security department was overlooked and potential safety issues were not taken into account. There was no discussion of any security concerns. Family custody disputes, physical security of the premise, policies, and procedures to ensure against abductions or screening out sexual predators from the hiring process are all some basic issues to address. Any failure in one of these key security areas could have resulted in loss of life or serious injury, plus a huge impact on the hospital’s reputation. A serious incident would also undo any improvement to employee satisfaction.
This is an example of how security awareness was not even a part of the business process or decision. There was no underlying foundation or level of alertness even in an environment where there are security compliance issues and in a high-crime locale where there had been past crime concerns.
Think of your own organization. When was the last time that security concerns were discussed in depth? Or even considered at all? For that matter, who in your organization is responsible for security issues? For many companies, there is no one in the role of security director.
Many organizations are not large enough to have a full-time security director on staff. However, there should still be one person who is responsible for security issues, even if it is part of the overall job description. Has someone been assigned that role or responsibility? Have they received any training regarding security matters?
There have been studies by the United States Chamber of Commerce that show nearly one-third of businesses declare bankruptcy due to employee theft. One out of every three business bankruptcies! As a former police officer, I’ve had business owners explain how an employee embezzled or stole money, in some cases, taking enough so the owner could not meet payroll obligations. If a business cannot pay staff then there is no one to handle customers, and without customers, there is no more income. You can see how this becomes a vicious cycle in a worst-case scenario.
Larger businesses or organizations may be able to survive without declaring bankruptcy. Losses can have a very real impact on a company, such as lower salary increases, reduced capital for reinvestment, or delayed purchase of equipment.
What is the real cost of loss? Imagine that a $1000 laptop is stolen. What is the real cost to replace that computer? The answer will depend on your profit margin, which varies widely from industry to industry. Say you operate on a tight margin of 2%. That $1000 laptop would require additional gross revenue of $50,000 to make up the replacement cost. The value of the loss divided by your profit margin gives you the gross sales needed to recoup that loss. Looking at it this way, you can see what an impact unbudgeted losses can have on a business. Remember that losses due to theft also don’t bring any value to your business where other expenses do, or should. Buying textbooks for students may be a necessary and planned expense, budgeted into the financial planning process. Ideally, the purchase will show a return, in terms of better education for students. Or take the case of a business that purchases $50,000 in advertising. Advertising expenses bring back a greater return that increases sales. Replacing stolen property does nothing to advance or help your business.
Making It Happen
We have discussed many reasons why security should be important to a business from a basic operating perspective. So far, we have not looked at the impact of violent crime on victims, coworkers, public relations, staff retention, or the related liability. Violence in the workplace will be covered more in depth in Chapter 8 . Hopefully, without dredging up that kind of fear mongering, you can already see the benefit of integrating security into the workplace to make it safer for employees and even protect the very survival of the organization.
EXAMPLES OF SECURITY CONSIDERATIONS
Checklist of security considerations for operational decisions:
1. Will the proposal change access to the facility? Will there be new hours of operation, open doors, or changes in staff hours?
2. Will the proposal move, add, or impact any critical operations? Don’t forget to include the impact of outsourcing.
3. Will the staff, visitors, vendors, or customers have the same expectation of safety, and will the organization be able to maintain that level? For example, for a new building or addition, will the same type of burglar alarm or access control system, video surveillance, etc. be in place?
4. Will there be additional risks in terms of valuables as a result of a change? Cash handling, for example, could lead to a higher risk of robbery.
5. Will critical information, such as customer lists or physical documents, be exposed?
6. Are there changes in the surrounding environment or neighborhood that could change the risk posture? Are there increased crime reports by the local police? For this information, check and see who in your business looks into matters or concerns with the local police department.
There are many, many variations of the types of questions that could be asked. However, there are two critical items to remember: (1) that security and safety could be changed or affected by operational decisions, and (2) any changes must be evaluated in order to maintain a safe workplace.
As an organizational leader, there are a number of ways that you can change corporate culture to make security a key business process. Perhaps the most important step is for leaders to set an example, demonstrating the importance of security practices. Managers should follow basic steps themselves, such as locking doors, safeguarding important documents, and protecting property, such as laptops. Imagine a school or company that has all visitors check in and wear a visitor badge on the premises. If a CEO or a school principal is not willing to stop and talk to a person wandering the halls without a visitor badge, will other employees or teachers do it? Who will then? If you, as a leader, do not practice fundamental security safeguards, then you cannot expect your employees to do any better.
Part of building organizational awareness will be through staff training and education. Key policies should be reviewed by employees and contractors on an annual basis, and new employee orientation should include security topics to introduce important elements of the protection plan to all incoming employees.
Another key component will be to assign security responsibilities to one individual or dedicated group. Official job responsibilities and duties should be listed to ensure that someone in the organization is taking responsibility or acting as the security representative for the organization. The individual should attend training specific to security and keep up to date in the industry, as any employee would do in other disciplines or areas of expertise.
So you may or may not be in a role to authorize or make operational decisions related to security. Then how do you get the powers that be to integrate security and safety concerns?
IDEAS TO CREATE SECURITY AWARENESS
1. Newsletter:
a. Monthly or even weekly
b. Beware, this takes time and commitment
2. Security training during new employee orientation
3. Process to report and document crimes on the premises
4. Annual refresher on security-related policies and procedures
5. Speaking of, have policies on security topics in place:
a. Weapons and contraband
b. Access control
c. Visitor management
d. Cash handling
e. Robbery prevention
f. Background screening for new employees
g. Lockdown process
h. Security guard force management
i. Crime reporting
j. Workplace violence and employees involved in domestic violence (DV) situations
k. Travel security
l. Security risk assessment (annual)
m. Security management plan and annual review
n. Video and alarm management
o. Alarm response
p. Crime response
q. Threat assessment
r. Bomb threat
s. Active shooter
t. Facility security orders (for security officers)
u. Employee ID badges
v. Drug and alcohol abuse
w. Protection of proprietary information and IT devices
6. Monthly security metrics, such as crime on campus, for senior leaders
7. Quarterly reports to C-level and board of directors on security risks and potential impact on business operations
8. Conduct security drills, such as access penetration, or have a “suspicious” person on premises to test reporting and response of staff
You may not be a decision maker, but you can definitely be an influencer and use persuasion to build focus on security and safety. Many organizations have employee groups or councils that meet to review and address any concerns with management. This could be a great forum to start bringing up issues or questions. Once a complaint has been aired, there are several benefits. One is that it serves as notice of a problem, meaning that there is now foreseeability. This could create liability for a company if the problem is not addressed through reasonable steps. Think of your workplace—who tracks or monitors potential safety issues? Does the company have a way to easily pass on information about defective locks or malfunctioning lights? One simple suggestion would be to set up an e-mail account, such as safey@yourcompany.com for employees to pass on potential problems, whether about lights out or known crime in the area ( Figure 1.2 ).
Another benefit is that once an issue is raised, you’ll find that others have noticed the same problem and had not brought it up. Or better yet, those others have more information. If you bring up that you’ve noticed empty liquor bottles near the back door, you will probably hear from someone who works late or comes in early about a group of transients who have been camping out in the area. You’ve found more information and another witness to a potential problem and can better coordinate with the police to take appropriate enforcement action.
Perhaps the most important benefit of raising security issues is simply that security issues are being raised—that is to say, concerns are evaluated, discussed, and action items addressed. By bringing up issues, you are raising the awareness of security and safety issues within your organization. The National Institute of Standards and Technology (NIST) defines IT security awareness as the focusing of attention on security. That is exactly what has been accomplished by raising issues, questions, and concerns.
FIGURE 1.2 A corporate newsletter on security topics is a great way to keep key stakeholders and employees informed about the risks.
Conclusion
When it comes to creating a safer workplace, whether it is a church, small business, large corporation, school, hospital, or factory, the first step is to increase your security stance. There are many ways to do that, but the main point is to increase awareness of security issues by giving it proper support, importance, and considering security a regular part of the business function. Only then will your company really be safer and ready to move to the ideas in the following chapters.
Business Karate Belt Levels
Each chapter will include a chart to test your business karate skill level. When a karate student obtains a black belt, he has passed all the requirements for each previous belt level. To get your business black belt, follow the recommendations for each color or belt level all the way up to the black belt.
Test your company’s karate belt level in the discipline of awareness/stance. If your organization meets each belt level in Figure 1.3 and all the standards of the lower belts, you have then achieved that color level.
FIGURE 1.3 What is your belt level?
Further Reading
Employee Theft Still Costing Business,. Inc.com; May 15, 1999: Retrieved from: www.inc.com/articles/1999/05/13731.html (accessed 17.06.06.).
Wilson M, Hash J, National Institute of Standards and Technology. Building an Information Technology Security Awareness and Training Program. Gaithersburg, MD: NIST Special Publication 800–50; October 2003.