Editor’s note: This article was originally published by on LinkedIn and has been reprinted with the permission of AS Solution.
It is ill-advised to be a Monday morning quarterback after a hostile event. From experience, I can say that only people who were there can know how it all went down, what all the factors influencing decisions on the ground were, and why things happened as they did. If you were not on the scene, it is unfair and often inaccurate to critique what security personnel, law enforcement, hotel or event owners could have or should have done.
Still, what happened in Las Vegas earlier this month is causing a lot of people to ask us in the security industry a lot of questions. The main line of queries I’ve received from hotel operators and event managers is, “What do we do now? What can we all learn from what happened, and how should we adapt our strategies to best protect life in the future?”
Before we jump to tactical conclusions, let’s face some strategic facts
What we are seeing now are predictable tactical responses such as installing metal detectors, enforcing TSA-style searches for hotel guests, enacting no-gun rules in hotels, and so on.
So, what can be done in the face of seemingly random, unthinkable and indiscriminate hostile human behavior?
We in the security industry have a duty of care to our clients and the public to best protect them, their loved ones and their properties. To do this, we must urgently join together to drive a much-needed shift in the security paradigm, one that reassesses the threats and design of our mitigation, containment and control strategies.
But before we adjust our security tactics, we must first face up to a handful of hard facts. If we start with a clear-eyed understanding of our situation, our tactical responses are much more likely to succeed. Here are five points that are often neglected in the days right after such a horrible attack. I call them facts because experience tells us they are true. I call them hard because they don’t lead to easy solutions.
1. Security Decisions Must Be Threat-Based
Every decision we take concerning any facet of security must be threat-based. If we do not have reliable threat analyses, we have no chance to mitigate, contain or control them.
Threats should be analyzed in terms of probability and criticality. How likely is a threat to occur, and how critical is it if it does?
The probability of Stephen Paddock’s heinous act was not high. Yes, there is always the possibility of some sort of hostile incident in Las Vegas. But no one saw it coming in the form of a single gunman, with no previous indicators, who pre-meditatively booked a suite on the 32nd floor, got the needed weaponry, set up cameras, brought what he needed to smash the windows and shot consistently and accurately for 11 minutes. That threat was not on anyone's radar – until it was on everyone’s television screens.
Had I suggested to hotel security managers two weeks ago that that could be a threat, I would have been told that I have an overactive imagination.
While active shooters are a threat that we are unfortunately seeing with more and more frequency, the sophistication of this attack coupled with the tragic result is at a level we have not yet witnessed. Just as we have responded to other emerging threats, we need to respond to this. Vehicular attacks, in which the vehicle is used as a weapon, have proved to be an emerging threat over the last three years in the West, and for much longer in countries like Israel. So have terror-related stabbing attacks and suicide bombing in crowds, as we saw in Manchester. Measures have been taken to mitigate and respond to these methods of attack and we must continually develop and adjust our security strategies to meet the emerging threats.
It is possible that there could be similar attacks in the future, and we should be planning to proactively mitigate them. However, what we are likely to see now is metal detectors and searching of guest's bags, which will probably last for a while, and then fade away as everything returns to “normal.” Remember: If Paddock couldn't shoot from that hotel at that time, he most likely would have shot from somewhere else.
I am not suggesting we do nothing. I am suggesting that we need to carefully assess the threats we face, then respond, prepare and invest our resources in correlation to the probability and criticality of those threats.
2. A Concert Was Attacked, Not the Mandalay Bay
The hotel was where the attack was launched, but it was not the target. No guests inside the hotel were injured or threatened. The only injury reported on the premises, apart from the suspect, was that of an incredibly brave security officer who placed himself in harm's way.
This is an important distinction when considering how this event should influence the way hotels do security. At least 95 percent of the articles I have read since the attack (and, admittedly, have written myself) have the words "hotel security" in their titles. But if we are to effectively deal with this kind of threat in the future, our focus needs to be much wider than hotel security alone.
We need to discuss comprehensive event security. This discussion must include actual threat assessments of events and event locations as well as effective and implementable emergency procedures. We must also understand that anywhere and everywhere are not potential targets. Since we cannot mitigate every possible threat, we have to ask, "what if?" and then ask, "if it happens, then what?" We need to plan, down to a very fine resolution, regarding the containment of damage and our ability to rapidly neutralize the threat. At the end of the day, once a hostile incident begins, the most effective way of keeping people safe is to neutralize the threat as quickly as possible. Neutralize means creating a situation where the threat is no longer a threat.
3. The "How Did He Get All Those Guns Up to His Room?" Discussion is Not Entirely Relevant
An improvised explosive device, a semi-trailer, 23 guns, one gun…there is always a weapon. Had the suspect had one semi-automatic rifle with 1,000 rounds as opposed to 23, would that have prevented the attack? The suspect had 30 pounds of explosives in his vehicle and could have rigged a vehicle-borne improvised explosive device (VBIED) and detonated it in the parking lot. He could have driven an 18-wheeler through the crowds as they arrived or departed. The modalities of lethal harm are endless.
Had the hotel had a "no guns" policy, the suspect could have rented an apartment or booked a room on Airbnb, fired from his vehicle or employed any one of myriad other options.
A no-gun policy might well make hotels safer from a targeted attack on their property. It would not necessarily, however, have prevented this specific attack from occurring. The suspect could simply have chosen a different location from which to shoot, or another way to do harm.
4. We Need to Understand the Causes of All Casualties
All the articles I have read thus far have discussed the hotel and changes that need to be made in hotel security. Very few discuss the event’s emergency procedures.
Any casualty is a tragedy, and the perpetrator is responsible for all of them; about this there can be no argument. However, to learn the needed lessons, it is important to know how many of the injuries and fatalities were a result of people being knocked down and trampled during the panic that ensued once the shooting began.
It is essential to analyze what happened at the music festival once the shooting started. Before jumping to tactical conclusions, we might need to re-examine emergency evacuation procedures for public events of this type and scale. Are there enough emergency exits, are they checked before and during the event to ensure they are free of obstructions? Is the signage good enough? There are many other considerations. To date, we have primarily looked at emergency exits as they relate to fire and the NFPA 101 code. Maybe it's time to reconsider the criteria for emergency evacuation plans in light of the new threats we face.
5. There is No Magic Formula, and No One-Size-Fits-All Approach
Yes, it’s complicated. There are no cookie-cutter security solutions for hotels or event facilities. There is no "how to" manual that covers all situations. It would be absurd to think that you can provide effective security by checking off boxes. That is tantamount to suggesting that there is one guide book for every country in the world.
Security is site-specific, and every site has its own challenges, vulnerabilities, threats, environment, population, budgets and resources. These factors and many more must influence how we design our security strategies and tactics. Of course, we do need manuals and guidelines as tools, but anyone who thinks that you can use a standardized checklist or software to protect people is mistaken.
We in the security industry have a duty of care that goes beyond business interests.
We need to share ideas, best practices and methodologies across sectors and across borders to better ensure the well-being of those we keep safe. To do that, I think we need to face up to some hard facts, such as admitting that there are no simple solutions. We have an obligation to continually push for fact-based threat mitigation, and for tactics that are as good as they can be with the resources we have available today.
About the Author:
With over 25 years of experience as a hospitality and fixed site security expert, Mac Segal, head of Hotel and Fixed Site Security Consulting at AS Solution, brings real-world knowledge and expertise to his security assessments of hotels and business facilities all over the world including C-TPAT (Customs-Trade Partnership Against Terrorism, US Customs & Border Protection) audits. His practical, international perspectives on protective security has been referenced in articles and news segments from USA Today, New York Times, and BBC.
