Program and training challenges when 'security' is managed by a non-security professional

April 20, 2020
Ad-hoc security coordinators are seldom given any formal training in security management which creates immediate challenges

Most organizations in the United States do not have the luxury of employing a fulltime security professional to help them identify, manage and mitigate security risk.  So, what typically happens?  Security duties are handed to an employee in such functions as human resources, safety, facilities, IT or maintenance.  We have found that even though someone is named as the security lead, it is rare that the ad-hoc “security coordinator” is given any formal training in security management.  What are the potential consequences of this omission?

Most importantly, there may not be a formal risk assessment performed and presented to management.  This is problematic for a variety of reasons.  First, the OSHA General Duty Clause.  The OSHA general duty clause, Section 5(a)(1) of the Occupational Safety and Health Act, requires that each employer furnishes to each of its employees a workplace that is free from recognized hazards that are causing or likely to cause death or serious physical harm.  Criminal and terrorist events most certainly qualify as hazards that should be recognized; and that identification, recognition and mitigation is an outcome of a formal security risk assessment.  OSHA has issued citations to organizations after workplace violence incidents occur where appropriate mitigation strategies were not put in place.  Unfortunately, the failure to perform a risk assessment leaves a substantial gap that is unidentified until after a serious security incident.  Security professionals understand the value of the risk assessment, but the novice part-timer may not. 

Another typical problem is a lack of key security processes and procedures which help to protect employees, assets and sensitive information.  Examples of common gaps include workplace violence prevention programs.  It is widely known in the security community that the ASIS/SHRM guidance on workplace violence prevention and intervention is the obvious place to start when developing and implementing a program.  However, this guidance document is not as widely known in the facilities, maintenance safety and IT communities.  Click Here to obtain a copy of the ASIS/SHRM guidance document.  Another example of a key process to protect employees would be a commitment to regularly test a duress button which may not be on anyone’s radar screen and which can lead to a negative outcome if an employee goes to use the button and it does not generate the expected response. 

Often the non-security professional does not appreciate the value of a security incident reporting tool.  Security incident reporting is a critical physical security process that helps the risk analyst identify, and facility owners correct unknown vulnerabilities.  Good incident data informs the threat assessment element of a risk analysis. In most cases, we find ourselves having to get incident data through interviews rather than accessing written security incident reports or viewing a frequency distribution from a database.  Getting information this way is an imprecise approach compared with organizations that recognize the importance of incident reporting and have mature processes, trained employees and a proper database repository.

Given the hazard-based approach to the function, safety professionals may have a greater appreciation for having a crisis response plan in place, but will that plan contain the appropriate security-based scenarios such as bomb threat, active assailant or responding to threats by mail?  In our experience, the answer is more often “no” than “yes.”  If security is assigned to someone other than the environmental, health and safety representative, the odds are even lower than the appropriate crisis plans will be integrated into the facility’s plan.  When the response plans are missing from the crisis management manual, you can be assured that the appropriate actions for maintaining readiness for those crisis situations are also nonexistent or at a minimum unenforced.  It is unlikely that a facility will be conducting a drill for a situation that hasn’t even been considered or included in a plan.

Another example of a common security management gap would be security “change management.”   Regardless of which function might be managing security on a part-time basis, security change management requires a laser focus, or business circumstances will change, and an unintended and unknown vulnerability emerges.  The most common example is companies using electronic access control without a robust process to ensure that access rights are terminated when a person separates from the organization.  This is a basic goal to ensure a person cannot return to the workplace and commit an act of violence.   Often checks on this metric during risk assessment reveal substantial gaps which might also include issuing multiple active credentials to employees but not collecting all of them at termination.

There are several potential resources, shown in the information below, that are available to develop competency for persons assigned security responsibility without the benefit of proper security training.  

A physical security online learning management system designed to establish a reasonable level of competency in security management quickly and cost-effectively.  Receive an advanced level of competency in physical security and security systems administration especially designed for persons who are responsible for security but spend the majority of their time performing some other function.  The e-Learning portal also includes a training program on how to handle hostile layoffs and terminations, which may be needed in the current state of skyrocketing unemployment and layoffs. Click Here for BPS e-Learning Portal 

The SIA Center of Excellence will help your organization keep at the forefront of ever-changing market demands by fostering knowledge and expertise among employees, contractors and clients. This online repository of vendor-neutral, vetted information includes on-demand training courses, e-learning modules, webinars and articles. Click Here for SIA     

The ASIS store offers numerous publications and resources, some of which are free to members and others that are available for purchase. ASIS also offers several certifications for the security practitioner. Click Here for the ASIS bookstore

The Physical Security (PHYSEC) Program is that part of security concerned with active and passive measures, designed to prevent the unauthorized access to personnel, equipment, installations, materials, and information; and to safeguard them against espionage, sabotage, terrorism, damage, and criminal activity.  This training material is presented for DoD and Industry.  Click Here for CDSE      

About the Author: Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc., a nationwide independent security consulting firm focused on healthcare risk identification, regulatory compliance and security design services. Pisciotta has managed more than 4,500 security-consulting engagements in his thirty-year consulting career. He possesses a master’s degree in public administration, a bachelor’s degree in criminal justice, and was board certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is a past President of the International Association of Professional Security Consultants. Pisciotta was the eighth person in the United States to achieve the Certified Security Consultant designation. He is currently leading the IAPSC's technical standards committee. Pisciotta serves as the Vice-Chair on the ASIS Council for Food Defense and Agriculture Security. He was the Chief of Security for Alfred University ending in 1991.