Seen some old reruns of Magnum PI or VIP and suddenly being an investigator seems like a great career. Well it can be, but not for any reason that may be found in these TV shows. Investigations - private or public - tend to be a lot of legwork, thinking, talking, and most of all listening.
There are all kinds of investigations and investigators. On the public side are those in law enforcement, inspector generals, background investigators, and the like. Out in the world of private employment there are many different types of investigators; however each of these various jobs require nearly identical skills. So how does one become an investigator and how do they become an exceptional investigator?
For the most part, it really doesn't matter whether you are investigating a theft, an arson, or someone's background because the foundation skills are pretty much the same.
Think of it this way: An investigator is responsible for telling a story, as factually as possible. According to Sennewald there are two kinds of investigations. One attempts to reconstruct an event and explain it factually and the other attempts to uncover illegal activity. Clearly the first one is purely reactive; a homocide is committed and it is investigated. The second may be somewhat reactive but it may also be proactive; much like the efforts of Anti-crime police units or integrity shops in retail environments. So that's the big picture, but what kinds of skills does it take?
A good memory, notetaking skills, strong observation skills, and reasoning abilities (deductive and inductive). Inductive reasoning? Well it's the opposite of deductive reasoning. Deductive reasoning is often explained as the moving from the general to the specific. Inductive would be from the specific to the general. For a few examples to better describe this go here, here, here, and here.
How do you get these skills? There are many ways. Clearly the best known way is probably to work for the government and attend an academy - local or state police, FLETC, or the FBI Academy. However it is also possible to get there other ways, especially if you have no interest in being a police officer. Some companies offer training - formal or on-the-job - and some states require specific training before allowing licensing as a private investigator. But if you just want to drive yourself to being better - that is always striving to keep the edge sharp - there are training programs available.
Quite possibly the most important skill of an investigator is the interview, either the informational or the admission-seeking interview. The Reid technique is taught by Reid Associates and Wicklander-Zewlawski, and Wicklander is quite likely the standard for retail interviews. I am, however, biased since that's where I learned to interview (special thanks to Shane Sturman whose advice and guidance over those two days were invaluable). There are other methods and there are a large number of books available on the topic. Investing time in these books - and lots of practice - will pay off.
There are other helpful programs. You know I'll mention those by the IFPO. They offer the Certified Protection Officer, Security Supervision and Management, and a new program - Crime and Loss Investigations. There are other programs out there and it never hurts to do a little, dare I say, investigation to help you get what you need. There are also many books on the general topic of investigations such as Chuck Sennewald's The Process of Investigation and Dempsey's Introduction to Investigations.
You can also begin to build your skills by seeking employment (part-time can be as helpful as full-time) with private investigators, retail security departments, forensic accounting firms, or even investigative reporters.
The key to investigations is knowing what the "standards of evidence" are for whatever you are looking into at that time. The government has rules for what information is needed to "prove" a crime, and companies have rules as to what is acceptable for disciplinary actions. Know what information you need. Just keep these three questions in mind: What do we know? What don't we know? What do we need to know?
More later..
Monday, December 5, 2005
Tuesday, November 22, 2005
Security Technology - tools and trends
Religious Product News technology issue is out and with it a short article I put together..
I know the entire basis of my security philosophy is the "Security is what you do and not what you have," and it is. However, that is not to say that technology is some sort of evil that should be shunned. What can it do for you?
Technology cannot create exceptional security. It can make exceptional security easier, apparently seamless, and less noticeable. After all, we all want better security but we don't want to tilt the "Security v. Convenience" scale too far, right?
No one wants to be inconvenienced; least of all me. I'm a bear at the airport. Why? Because that security is an illusion. I've been inconvenienced at many facilities and, as annoying as it might have been, it was effective. I remember one jewelry manufacturer out West. No one told me it was a no-metal facility so I had to conduct my survey without a belt or any other bits of personal possessions. Losing the belt was particularly difficult since I had just lost a little weight and the pants were a from before that time. Effective security makes some things bearable, but illusionary stuff is just annoying.
So once you start with a well designed security program that's built around processes and engineering the environment the technology becomes a creature comfort. It makes the other stuff easier. Now you no longer need a guard at a door to identify you (or maybe you still do). Now you no longer need to patrol your property with a quality alarm and response system (and maybe you still do).
All this article is meant to do is provide a snapshot into where technology is right now and how some of that can be of help to you and your congregation. Creating a Safe Sanctuary should make "God's House" more secure and not turn it into "God's Fortress."
I know the entire basis of my security philosophy is the "Security is what you do and not what you have," and it is. However, that is not to say that technology is some sort of evil that should be shunned. What can it do for you?
Technology cannot create exceptional security. It can make exceptional security easier, apparently seamless, and less noticeable. After all, we all want better security but we don't want to tilt the "Security v. Convenience" scale too far, right?
No one wants to be inconvenienced; least of all me. I'm a bear at the airport. Why? Because that security is an illusion. I've been inconvenienced at many facilities and, as annoying as it might have been, it was effective. I remember one jewelry manufacturer out West. No one told me it was a no-metal facility so I had to conduct my survey without a belt or any other bits of personal possessions. Losing the belt was particularly difficult since I had just lost a little weight and the pants were a from before that time. Effective security makes some things bearable, but illusionary stuff is just annoying.
So once you start with a well designed security program that's built around processes and engineering the environment the technology becomes a creature comfort. It makes the other stuff easier. Now you no longer need a guard at a door to identify you (or maybe you still do). Now you no longer need to patrol your property with a quality alarm and response system (and maybe you still do).
All this article is meant to do is provide a snapshot into where technology is right now and how some of that can be of help to you and your congregation. Creating a Safe Sanctuary should make "God's House" more secure and not turn it into "God's Fortress."
'tis the season... For evil holiday ELF's
This Washington Post article reminds of the radical environmentalists. Now that may not be a bad thing if you're a supporter of the movement, but the those who thought their house would be completed soon it's definitely a disappointment.
So there may be an active Earth Liberation Front (ELF) cell in the western Maryland area or maybe one that has migrated here. We'll just have to wait and see how the investigation progresses...
If you want a better idea why this sort of thing happens read this document, or at least the philosophy section at the beginning.
The Earth Liberation Front is the newest re-radicalization of the environmental movement. There's a nice little history piece here, and another piece here. I tend to lead folks back to my own paper on the topic because it's just not healthy to try and understand today's environmental movement separately from the animal liberation movement.
Back to this issue, though. The largest issue in dealing with the ELF, or Earth First! for that matter, is the anti-organization design of leaderless resistance. For those that don't know about it it works like this. Someone, or someones, write a set of guidelines, manifesto, rules, mission statement, or similar ideological document that spells out what is acceptable conduct. Sounds like any other organization right? Now it gets sticky. Then these someones say that anyone that does stuff (legal or otherwise) that forward the goals, while abiding their conditions on conduct, can claim to be members. That's it. No leader - just an ideology. Now there's quite a bit of discussion as to where this all started and some put the beginning with the white supremacists after the American Civil War. I don't know when it started but I know it is extremely popular now. Wanna know why? Consider this. The easier it is to track people and activities to establish criminal wrongdoing then the more likely a leader will be arrested, killed, or otherwise destroyed from a credibility standpoint. Once you take away the leader you eliminate two things. One, the "Cult of Personality" that tends to exist around this sort of movement. Once that personality is removed the movement crumbles - so no leader = no target - but an idea can live on and on and on. Especially, it seems, the bad ones. The second thing that is removed is a clear definition and understanding of the adversary. How big is it? Who is in it? Etcetera, etcetera... Poof! We now have the makings of an underground guerilla army, or at least a core cadre of high-energy folks that are able to present the image of a larger force.
You see this organizational model works well against a democracy (or a republic in our case) that prizes its freedom of speech, but despises criminal acts of property destruction. It works well because it allows the "aboveground activist" to talk the talk and make veiled threats while not committing any clear criminal act. The "underground activist" then carries out acts of destruction to follow-up on those threats. What makes this pretty neat is the real lack of direct communication between to the two elements. The abovegrounders tell us how morally reprehensible we are and the undergrounders attack us. Sound familiar? Anyone British here? Sounds far too much like the old Sein Fein - IRA (Irish Republican Army) model. Maybe it's time we called it what it is, the way it is.
Maybe we are all too afraid of sounding callous and insensitive. Are we? If so, we as a society will ultimately lose. We must be prepared to say that regardless of how much we might like to see the environment left the hell along, it is wrong to commit acts of property destruction. Period. End of story. If we were all so environmentally concerned then we would donate tons of money to groups to buy the land that we won't protected. Maybe PeTA would have been better off not spending nearly $50,000 dollars on the criminal defense of Rod Coronado (Earth First! and ALF operator) rather than on showing people better ways to care for animals. There I said it. I'm a security guy by trade and by belief. If you don't think homes should be built somewhere then get out there and generate support and take legal action. If an eighteen year-old can be elected Mayor by write-in vote then many well intentioned activists can stop a construction project.
I'll step off the soapbox now. It's important to understand how these groups work as well as what they really want from you. Americans like the rebel, but this is the wrong rebel to cheer.
So there may be an active Earth Liberation Front (ELF) cell in the western Maryland area or maybe one that has migrated here. We'll just have to wait and see how the investigation progresses...
If you want a better idea why this sort of thing happens read this document, or at least the philosophy section at the beginning.
The Earth Liberation Front is the newest re-radicalization of the environmental movement. There's a nice little history piece here, and another piece here. I tend to lead folks back to my own paper on the topic because it's just not healthy to try and understand today's environmental movement separately from the animal liberation movement.
Back to this issue, though. The largest issue in dealing with the ELF, or Earth First! for that matter, is the anti-organization design of leaderless resistance. For those that don't know about it it works like this. Someone, or someones, write a set of guidelines, manifesto, rules, mission statement, or similar ideological document that spells out what is acceptable conduct. Sounds like any other organization right? Now it gets sticky. Then these someones say that anyone that does stuff (legal or otherwise) that forward the goals, while abiding their conditions on conduct, can claim to be members. That's it. No leader - just an ideology. Now there's quite a bit of discussion as to where this all started and some put the beginning with the white supremacists after the American Civil War. I don't know when it started but I know it is extremely popular now. Wanna know why? Consider this. The easier it is to track people and activities to establish criminal wrongdoing then the more likely a leader will be arrested, killed, or otherwise destroyed from a credibility standpoint. Once you take away the leader you eliminate two things. One, the "Cult of Personality" that tends to exist around this sort of movement. Once that personality is removed the movement crumbles - so no leader = no target - but an idea can live on and on and on. Especially, it seems, the bad ones. The second thing that is removed is a clear definition and understanding of the adversary. How big is it? Who is in it? Etcetera, etcetera... Poof! We now have the makings of an underground guerilla army, or at least a core cadre of high-energy folks that are able to present the image of a larger force.
You see this organizational model works well against a democracy (or a republic in our case) that prizes its freedom of speech, but despises criminal acts of property destruction. It works well because it allows the "aboveground activist" to talk the talk and make veiled threats while not committing any clear criminal act. The "underground activist" then carries out acts of destruction to follow-up on those threats. What makes this pretty neat is the real lack of direct communication between to the two elements. The abovegrounders tell us how morally reprehensible we are and the undergrounders attack us. Sound familiar? Anyone British here? Sounds far too much like the old Sein Fein - IRA (Irish Republican Army) model. Maybe it's time we called it what it is, the way it is.
Maybe we are all too afraid of sounding callous and insensitive. Are we? If so, we as a society will ultimately lose. We must be prepared to say that regardless of how much we might like to see the environment left the hell along, it is wrong to commit acts of property destruction. Period. End of story. If we were all so environmentally concerned then we would donate tons of money to groups to buy the land that we won't protected. Maybe PeTA would have been better off not spending nearly $50,000 dollars on the criminal defense of Rod Coronado (Earth First! and ALF operator) rather than on showing people better ways to care for animals. There I said it. I'm a security guy by trade and by belief. If you don't think homes should be built somewhere then get out there and generate support and take legal action. If an eighteen year-old can be elected Mayor by write-in vote then many well intentioned activists can stop a construction project.
I'll step off the soapbox now. It's important to understand how these groups work as well as what they really want from you. Americans like the rebel, but this is the wrong rebel to cheer.
Monday, November 14, 2005
Bad (domestic) Intelligence
Let me begin by saying that from this article we just can't know the whole story, but it certainly sounds bad for the FBI. For those of you that haven't been around this blog before I've posted on both Eco-terrorism (here, here, and here) and Intelligence operations (here). I have also presented a background piece on Eco-terrorism in the U.S. that discusses the philosophy of the environmental and animal liberation movements and traces their development and tactics over the years. If you're more interested in Intelligence then I have a paper for you as well that discusses intelligence operations in the private sector.
Since these topics are near and dear to me let's discuss this a little. The FBI arrested the wrong person, released him, and will be paying for their mistake. There must be more to the argument, because it's generally rare that damages are paid when the wrong person is arrested. Why it sounds as though they may not have had probable cause. So how then did they decide that this was the right person to apprehend? I generally do not criticize law enforcement if I wasn't right there (I dislike those that tend to second-guess my efforts without realizing they weren't there); however this doesn't seem to be a decision that had to be made in the heat of the moment - so why the mistake?
It looks like the error was with bad intelligence or at least a poor interpretation of the available intelligence. Concerns from civil liberties groups over the Patriot Act and domestic intelligence gathering have been on-going for many years. These concerns predate the Patriot Act with the COINTEL (Counter-Intelligence) activities of the FBI from years past. We in the U.S. do not take too kindly to being spied on by our own government; however it is necessary whether we like it or not. Another recent episode in this matter deals with the Denver PD intelligence files which were found to have a couple of serious flaws. First they were never purged - that's right files were maintained for indefinite periods of time, and second they information on activities that are protected under the first amendment - things like legal protests.
One may have thought that an important lesson was learned from the COINTEL days... Maintaining extensive dossiers is inefficient and often counter-productive. I know from a very limited experiment. These files are cumbersome, time-consuming, and just don't provide much predictive information. Sure you feel like you 'know' your target, but you really don't know them. Anyway, it appears that a decision may have been made based on a similar "belief of knowledge."
So the FBI screwed up. Is there a threat posed by the Eco and animal liberators? Absolutely. Read my paper on the movement. The important thing to remember is that each new generation builds their beliefs where the last generation left off. What this means is that the Sierra Club wanted to preserve park land, but today's Earth First! and Earth Liberation Front want to restore the world to how it looked before the industrial revolution. While I find it intriguing to consider a time when we lived in greater harmony with the environment, I recognize that without excess agricultural capacity and the ability to store and preserve this excess we would be living one year to the next - just like the real old days. Regardless of my own beliefs on environmental impact, I find the use of violence, or the threat of violence, to reach one's goals to be reprehensible, and worthy of our efforts to defeat it. Will mistakes be made? No doubt. Should remuneration be made? When it is appropriate. Why?
To answer that we need to consider the writings of Carlos Marighella's Mini-Manual of the Urban Guerilla." While avoiding a discussion on why his techniques ultimately fail, it is important to understand one very important concept. The insurgents act against the government only. The government, being unable to discern between guerilla and general population, cracks down on the general population. This in turn drives support to the insurgent movement. Rinse and repeat! Eventually the government's oppressive actions destroy their legitimacy with the population. So will mistakes be made? Yes. Should the government try to make those wrongfully caught up in the process whole again? Yes. We as a population must not forget that the target is, and must always be, those that use violence or the threat of violence to attempt to achieve their goals.
Thanks for persevering to the end.
Since these topics are near and dear to me let's discuss this a little. The FBI arrested the wrong person, released him, and will be paying for their mistake. There must be more to the argument, because it's generally rare that damages are paid when the wrong person is arrested. Why it sounds as though they may not have had probable cause. So how then did they decide that this was the right person to apprehend? I generally do not criticize law enforcement if I wasn't right there (I dislike those that tend to second-guess my efforts without realizing they weren't there); however this doesn't seem to be a decision that had to be made in the heat of the moment - so why the mistake?
It looks like the error was with bad intelligence or at least a poor interpretation of the available intelligence. Concerns from civil liberties groups over the Patriot Act and domestic intelligence gathering have been on-going for many years. These concerns predate the Patriot Act with the COINTEL (Counter-Intelligence) activities of the FBI from years past. We in the U.S. do not take too kindly to being spied on by our own government; however it is necessary whether we like it or not. Another recent episode in this matter deals with the Denver PD intelligence files which were found to have a couple of serious flaws. First they were never purged - that's right files were maintained for indefinite periods of time, and second they information on activities that are protected under the first amendment - things like legal protests.
One may have thought that an important lesson was learned from the COINTEL days... Maintaining extensive dossiers is inefficient and often counter-productive. I know from a very limited experiment. These files are cumbersome, time-consuming, and just don't provide much predictive information. Sure you feel like you 'know' your target, but you really don't know them. Anyway, it appears that a decision may have been made based on a similar "belief of knowledge."
So the FBI screwed up. Is there a threat posed by the Eco and animal liberators? Absolutely. Read my paper on the movement. The important thing to remember is that each new generation builds their beliefs where the last generation left off. What this means is that the Sierra Club wanted to preserve park land, but today's Earth First! and Earth Liberation Front want to restore the world to how it looked before the industrial revolution. While I find it intriguing to consider a time when we lived in greater harmony with the environment, I recognize that without excess agricultural capacity and the ability to store and preserve this excess we would be living one year to the next - just like the real old days. Regardless of my own beliefs on environmental impact, I find the use of violence, or the threat of violence, to reach one's goals to be reprehensible, and worthy of our efforts to defeat it. Will mistakes be made? No doubt. Should remuneration be made? When it is appropriate. Why?
To answer that we need to consider the writings of Carlos Marighella's Mini-Manual of the Urban Guerilla." While avoiding a discussion on why his techniques ultimately fail, it is important to understand one very important concept. The insurgents act against the government only. The government, being unable to discern between guerilla and general population, cracks down on the general population. This in turn drives support to the insurgent movement. Rinse and repeat! Eventually the government's oppressive actions destroy their legitimacy with the population. So will mistakes be made? Yes. Should the government try to make those wrongfully caught up in the process whole again? Yes. We as a population must not forget that the target is, and must always be, those that use violence or the threat of violence to attempt to achieve their goals.
Thanks for persevering to the end.
Weak Assumptions + Overconfidence = Poor Security
Here's an article that I found recently that illustrates an interesting point.
Security is a process; not a product. Our security is determined by what we do and how we do it much more so than what we have.
September 11th is another example - and a very painful one at that - the airport screeners were not required to identify and remove small knives. We all know what this resulted in. We failed to manage the threat, and recognize that a hijacker, or hijackers, might seek alternate methods beyond a firearm or bomb.
We must manage our threats and not simply operate equipment if we are seeking real security.
Incidentally, if anyone is offended by the article topic, I apologize, it's merely an example to illustrate a point.
The last statement is important. We failed to build appropriate countermeasures for the threat on 9/11 and the results were disasterous. When we accept that our security today is adequate for the threat tomorrow then we create opportunities for our adversaries. We must continually question our own methods, countermeasure effectiveness, and what our threats actually are, if we wish to create real security.
Enough said for now...
Security is a process; not a product. Our security is determined by what we do and how we do it much more so than what we have.
September 11th is another example - and a very painful one at that - the airport screeners were not required to identify and remove small knives. We all know what this resulted in. We failed to manage the threat, and recognize that a hijacker, or hijackers, might seek alternate methods beyond a firearm or bomb.
We must manage our threats and not simply operate equipment if we are seeking real security.
Incidentally, if anyone is offended by the article topic, I apologize, it's merely an example to illustrate a point.
Tuesday, August 30, 2005
Harry Potter and the half-assed security
In the latest Harry Potter book, we see Hogwarts implementing security precautions in order to safeguard its students and faculty.
One step that was taken was that all the students were searched – wanded, in fact – to detect any harmful magic. In addition, all mail coming in or out was checked for harmful magic.
In spite of these precautions, two students are nearly killed by cursed items.
One of the items was a poisoned bottle of mead, which made it onto school grounds and into a professor's office.
Of course, since everyone knew everything was checked on its way into the school, no one felt the need to take any special precautions.
The moral of the story is, inadequate security can be worse than no security at all.
The last statement is important. We failed to build appropriate countermeasures for the threat on 9/11 and the results were disasterous. When we accept that our security today is adequate for the threat tomorrow then we create opportunities for our adversaries. We must continually question our own methods, countermeasure effectiveness, and what our threats actually are, if we wish to create real security.
Enough said for now...
Friday, November 11, 2005
Veteran's Day 2005
Please take a moment and consider the sacrafices over the years that have secured our blessings of liberty.
Here are a few interesting links in no particular order:
From the Department of Veteran's Affairs
From Wikipedia
Voice of America
Information from the Census Bureau
From the U.S. Army
From About.com
Here are a few interesting links in no particular order:
From the Department of Veteran's Affairs
From Wikipedia
Voice of America
Information from the Census Bureau
From the U.S. Army
From About.com
Veteran's Day 2005
Please take a moment and consider the sacrafices over the years that have secured our blessings of liberty.
Here are a few interesting links in no particular order:
From the Department of Veteran's Affairs
From Wikipedia
Voice of America
Information from the Census Bureau
From the U.S. Army
From About.com
Here are a few interesting links in no particular order:
From the Department of Veteran's Affairs
From Wikipedia
Voice of America
Information from the Census Bureau
From the U.S. Army
From About.com
Tuesday, November 8, 2005
Hurricanes, earthquakes, mudslides, flooding - Natural Disasters - and contingency planning
Mother Nature has a nasty, nasty temper as was clearly demonstrated by the last few months around the world. So what does all this mean for security? Business Continuity Planning? General preparedness? LOTS!!!
We, that is our industry (and probably most every business planner), learned a lot about how mass evacuations - or the lack thereof - affect BCP and Disaster Recovery (DR) plans. Your plan might have been great, right until it ran into everyone else's plan (and the odd hundred thousand without a plan).
Fundamentally speaking, it's no longer good enough to have a plan, rehearse the plan, improve the plan, and keep it current. Now you have to coordinate your plan with the plans of the local and state governments. Will you still try to shelter in place? Or, will you shift operations to another regional center and just pack up and go as early as possible. It's all about cost, right? Well consider the cost of if you tried to stay in New Orleans. It took quite some time before fuel and food arrived... How much do you plan to store? How will you deal with any looters and vandals that might remain behind?
It may just be better to contract the services of a remote hotsite provider such as Recovery Point Services. There are many others and there other options similar to this as well. In some instances, funds permitting, it may just be best to "get out of Dodge." Other times it may not be possible to do so - or to continue operations remotely. Then it may just be best to be sure your Business Interruption insurance is up to date and that you have coverage for natural disasters; not to mention how much coverage that actually is.
Plan carefully and make sure your plan blends with those around you.
Don't neglect to also develop a return to normal operations plan. How will you go about getting back to your old location, or when will you start looking for a new one? What has to moved first and when is the best time to do that? Etc. ad nausium.
Good luck.
We, that is our industry (and probably most every business planner), learned a lot about how mass evacuations - or the lack thereof - affect BCP and Disaster Recovery (DR) plans. Your plan might have been great, right until it ran into everyone else's plan (and the odd hundred thousand without a plan).
Fundamentally speaking, it's no longer good enough to have a plan, rehearse the plan, improve the plan, and keep it current. Now you have to coordinate your plan with the plans of the local and state governments. Will you still try to shelter in place? Or, will you shift operations to another regional center and just pack up and go as early as possible. It's all about cost, right? Well consider the cost of if you tried to stay in New Orleans. It took quite some time before fuel and food arrived... How much do you plan to store? How will you deal with any looters and vandals that might remain behind?
It may just be better to contract the services of a remote hotsite provider such as Recovery Point Services. There are many others and there other options similar to this as well. In some instances, funds permitting, it may just be best to "get out of Dodge." Other times it may not be possible to do so - or to continue operations remotely. Then it may just be best to be sure your Business Interruption insurance is up to date and that you have coverage for natural disasters; not to mention how much coverage that actually is.
Plan carefully and make sure your plan blends with those around you.
Don't neglect to also develop a return to normal operations plan. How will you go about getting back to your old location, or when will you start looking for a new one? What has to moved first and when is the best time to do that? Etc. ad nausium.
Good luck.
Sunday, November 6, 2005
CRASH!!! - Auto accidents
Just a little deviation from the normal sorts of posts.
On Saturday night I, once again, witnesses a car accident. Not a bad one in terms of injuries, but an accident. My wife and I had just left a restaurant and were in the upper left section of a "T" intersection preparing to turn right - down the "T". The car in front of us turned right but the vertical section of the "T" had three lanes, two heading toward the intersection (up the T) and one heading away (down the T). The car in front of us turned into the middle lane, which is the left-hand turn lane, and hit a car coming toward the intersection head-on. I parked on the shoulder and got out to help. So here are a few thoughts on handling vehicle accidents...
First, it is important to follow your local laws and the direction of your insurance company's and/or attorney's direction and guidance. With that said remember that personal injury and health are the most important issue immediately after the accident. Make sure you are ok, and then worry about others. Keep yourself safe whenever you attempt to check-on or help others. It's the same way with professional rescuers - there's no point in getting yourself hurt and making yourself another casualty. So assess the situation quickly and determine if anyone is hurt and call for help. Try to get the contact information from not only the others involved parties but witnesses as well before they wander away - and no doubt they will.
Anyway, keep a few key things in your car like flares, a first aid kit, a disposable camera, pen/pencil and paper, insurance card, and any seasonal items that are appropriate - like a blanket in winter. As for the disposable camera, don't hold back; if you have 26 exposures then use 26 exposures. It's not like you want you vacation on that roll too.
If you're a witness - and you're civic-minded - make sure everyone is ok, get the tag numbers as quick as possible (and tag numbers of vehicles that have stopped briefly before leaving), call for help if no one else has, and then offer your assistance. Keep in mind that the involved parties probably have no idea what to do - take the lead. Offer to lay flares, get names and contact information, and take pictures.
Just a few thoughts on something off the beaten path.
Rob
/
On Saturday night I, once again, witnesses a car accident. Not a bad one in terms of injuries, but an accident. My wife and I had just left a restaurant and were in the upper left section of a "T" intersection preparing to turn right - down the "T". The car in front of us turned right but the vertical section of the "T" had three lanes, two heading toward the intersection (up the T) and one heading away (down the T). The car in front of us turned into the middle lane, which is the left-hand turn lane, and hit a car coming toward the intersection head-on. I parked on the shoulder and got out to help. So here are a few thoughts on handling vehicle accidents...
First, it is important to follow your local laws and the direction of your insurance company's and/or attorney's direction and guidance. With that said remember that personal injury and health are the most important issue immediately after the accident. Make sure you are ok, and then worry about others. Keep yourself safe whenever you attempt to check-on or help others. It's the same way with professional rescuers - there's no point in getting yourself hurt and making yourself another casualty. So assess the situation quickly and determine if anyone is hurt and call for help. Try to get the contact information from not only the others involved parties but witnesses as well before they wander away - and no doubt they will.
Anyway, keep a few key things in your car like flares, a first aid kit, a disposable camera, pen/pencil and paper, insurance card, and any seasonal items that are appropriate - like a blanket in winter. As for the disposable camera, don't hold back; if you have 26 exposures then use 26 exposures. It's not like you want you vacation on that roll too.
If you're a witness - and you're civic-minded - make sure everyone is ok, get the tag numbers as quick as possible (and tag numbers of vehicles that have stopped briefly before leaving), call for help if no one else has, and then offer your assistance. Keep in mind that the involved parties probably have no idea what to do - take the lead. Offer to lay flares, get names and contact information, and take pictures.
Just a few thoughts on something off the beaten path.
Rob
/
Thursday, November 3, 2005
When surveillance may be necessary
http://www.thedailyitemoflynn.com/news/view.bg?articleid=10246
http://www.thejewishadvocate.com/this_weeks_issue/news/?content_id=447
It looks like someone, or someones, may have a problem with the Jewish congregation of Chabad Lubavitch. First vandalism and then a little arson – I’d say they have a problem.
Preventing these attacks may be difficult at best since the miscreant is willing to target materials outside the facility and to increase the destructiveness of the effort. You just can’t protect everything. No doubt the doors are now locked, being the access point for the first attack, but how can you protect vehicles and other items on the outside?
Regular patrols (police, contact security, or congregation members) through the property can be both a deterrent and a method of detection. It may also be worthwhile to get in tough with a local investigator with strong surveillance capabilities to arrange surveillance of the property. It won’t be cheap but if someone does come back, and how can you expect this person to stay away, there should be video. Not just video but video that can be used to ensure a conviction.
Just a thought…..
Rob
/
http://www.thejewishadvocate.com/this_weeks_issue/news/?content_id=447
It looks like someone, or someones, may have a problem with the Jewish congregation of Chabad Lubavitch. First vandalism and then a little arson – I’d say they have a problem.
Preventing these attacks may be difficult at best since the miscreant is willing to target materials outside the facility and to increase the destructiveness of the effort. You just can’t protect everything. No doubt the doors are now locked, being the access point for the first attack, but how can you protect vehicles and other items on the outside?
Regular patrols (police, contact security, or congregation members) through the property can be both a deterrent and a method of detection. It may also be worthwhile to get in tough with a local investigator with strong surveillance capabilities to arrange surveillance of the property. It won’t be cheap but if someone does come back, and how can you expect this person to stay away, there should be video. Not just video but video that can be used to ensure a conviction.
Just a thought…..
Rob
/
Sticky fingers, or something like that anyway.
http://www.nydailynews.com/front/story/359770p-306402c.html
Come on. This is pretty ridiculous.
A literally sticky-fingered bandit who used a stick and double-sided tape to fish cash out of an upper East Side church collection box was busted by a cop posing as a parishioner, authorities said yesterday.
Police believe Gilbert Alicea, 41, was ripping off the St. Vincent Ferrer Church for months before a 19th Precinct plainclothes cop nabbed him on Oct. 19, sources said.
Since the summer, Alicea spent hours at the Lexington Ave. church, kneeling in prayer and schmoozing with priests, while his female accomplice pretended to pray the rosary and act as a lookout, sources said.
When the church was relatively empty, Alicea dipped a stick with double-sided tape into the donation box slot - labeled "For the Poor" - and snared cash, authorities said.
What more can be said. It can happen to you. I’ve known individuals that could use tape and a pen to steal bills through holes not much bigger than the pen in tamper-evident bags. That would be those bags that seal up for one-time use, typically for bank deposits from commercial locations.
Since these poor boxes are generally not accounted for at the time of collection this type of theft would be relatively hard to detect. So be aware.
Rob
/
Come on. This is pretty ridiculous.
A literally sticky-fingered bandit who used a stick and double-sided tape to fish cash out of an upper East Side church collection box was busted by a cop posing as a parishioner, authorities said yesterday.
Police believe Gilbert Alicea, 41, was ripping off the St. Vincent Ferrer Church for months before a 19th Precinct plainclothes cop nabbed him on Oct. 19, sources said.
Since the summer, Alicea spent hours at the Lexington Ave. church, kneeling in prayer and schmoozing with priests, while his female accomplice pretended to pray the rosary and act as a lookout, sources said.
When the church was relatively empty, Alicea dipped a stick with double-sided tape into the donation box slot - labeled "For the Poor" - and snared cash, authorities said.
What more can be said. It can happen to you. I’ve known individuals that could use tape and a pen to steal bills through holes not much bigger than the pen in tamper-evident bags. That would be those bags that seal up for one-time use, typically for bank deposits from commercial locations.
Since these poor boxes are generally not accounted for at the time of collection this type of theft would be relatively hard to detect. So be aware.
Rob
/
An even better Embezzlement story…
http://cbs13.com/topstories/local_story_306200258.html
A fiction writer would be creative to come up with this one…
So the Pastor forged documents and sold the church without anyone knowing. Where do you start with this one?
A fiction writer would be creative to come up with this one…
So the Pastor forged documents and sold the church without anyone knowing. Where do you start with this one?
Expansile Significance - "The Tip of the Iceberg" and how solving large losses often means addressing the insignificant ones
What the hell is Expansile Significance you ask? So did I, though the problem wasn’t with the term but with the fact that our industry never bothered to create one for a time honored concept. To better explain it consider combining the idea of the “tip of the iceberg” and the “Broken Window” Theory (here, here, and here, with dissenting view here).
We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). And for those familiar with interview techniques (I started with Wicklander-Zulawski – which competes with Reid and LSI) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through you doing your spiel with you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases.
In the world of law enforcement, former NYC Mayor Rudi Giuliani encapsulated it with through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is the time of enforcement then it’s worth the time to do it right.
Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my W-Z training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.
Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.
Rob
/
We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). And for those familiar with interview techniques (I started with Wicklander-Zulawski – which competes with Reid and LSI) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through you doing your spiel with you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases.
In the world of law enforcement, former NYC Mayor Rudi Giuliani encapsulated it with through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is the time of enforcement then it’s worth the time to do it right.
Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my W-Z training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.
Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.
Rob
/
Embezzlement – just a little more (no pun intended)
http://www.gmtoday.com/news/local_stories/2005/October_05/10262005_01.asp
In a recent story out of Wisconsin a church business manager was convicted for theft from the church. Here are a couple of germane quotes from the article:
Anderson was the business manager of the church from 1986 to 2003, the last three years of which she wrote checks to herself from church coffers, a criminal complaint said.
Other documents chronicling her history showed that she received a $450,000 inheritance after her mother died in 1998, but it was gone in two years as her family’s debt mounted. Anderson and her family took annual skiing trips to Colorado and annual golfing trips to Florida, the documents showed.
There are a few key things that clearly were not done in this situation.
First, the position of Business Manager at this church clearly had too much power. There can be no argument to this when someone was able to write checks to them self from a corporate account – period. The person authorizing disbursements should not be the person that signs the check. Dual control and effective auditing is essential to all financial controls
Second, only one person was “minding the store” and that’s just unacceptable. Forget the concern about theft (only for the next sentence). Accounting errors are all too common. So having a second person review records periodically is not just to avoid theft, although it’s a great by-product of the effort, but to prevent mistakes. These mistakes can be costly. How long would it take to find out that a vendor had been overpaid? How willing are they going to be to returning funds two or three years later? I know, I know, where is their ethical obligation in this, but that’s not the point and arguments can be made all around on the whole returning money after a year or two.
Third, background checks should be done ROUTINELY on individuals in positions of trust and not just upon hiring. There is nothing wrong with asking for consent to get a credit report on an annual basis. If this feels inappropriate (and I can understand your thinking if it feels that way) then you have got to tighten your controls way down. Lots of “dual control” throughout the process to ensure that one person is not able to manipulate the entire system. And a little more on this… Everyone talks to each other in a workplace. Salaries are known (at least the general ballpark usually is) so you just have to wonder where all the money comes from and how it goes. Living beyond their means is a COMMON cause of embezzlement. Let me say that one more time. Living beyond their means should be a key indicator of employee theft. They steal, and learn a new level of comfort, and then they have to steal to support this new level. No doubt they rationalize it with the thought that they’ll pay it back but it’s still gone.
Fourth, these thefts went on for years. Where was the auditing? Were checks matched to expenses, vouchers reviewed, and so on? Not likely, but if so then their auditor is practically negligent for not raising questions about cash disbursements to employees.
If you’re unsure whether your controls are adequate then contact AP Innovations, but at least speak with someone experienced in these loss opportunities.
Rob
/
In a recent story out of Wisconsin a church business manager was convicted for theft from the church. Here are a couple of germane quotes from the article:
Anderson was the business manager of the church from 1986 to 2003, the last three years of which she wrote checks to herself from church coffers, a criminal complaint said.
Other documents chronicling her history showed that she received a $450,000 inheritance after her mother died in 1998, but it was gone in two years as her family’s debt mounted. Anderson and her family took annual skiing trips to Colorado and annual golfing trips to Florida, the documents showed.
There are a few key things that clearly were not done in this situation.
First, the position of Business Manager at this church clearly had too much power. There can be no argument to this when someone was able to write checks to them self from a corporate account – period. The person authorizing disbursements should not be the person that signs the check. Dual control and effective auditing is essential to all financial controls
Second, only one person was “minding the store” and that’s just unacceptable. Forget the concern about theft (only for the next sentence). Accounting errors are all too common. So having a second person review records periodically is not just to avoid theft, although it’s a great by-product of the effort, but to prevent mistakes. These mistakes can be costly. How long would it take to find out that a vendor had been overpaid? How willing are they going to be to returning funds two or three years later? I know, I know, where is their ethical obligation in this, but that’s not the point and arguments can be made all around on the whole returning money after a year or two.
Third, background checks should be done ROUTINELY on individuals in positions of trust and not just upon hiring. There is nothing wrong with asking for consent to get a credit report on an annual basis. If this feels inappropriate (and I can understand your thinking if it feels that way) then you have got to tighten your controls way down. Lots of “dual control” throughout the process to ensure that one person is not able to manipulate the entire system. And a little more on this… Everyone talks to each other in a workplace. Salaries are known (at least the general ballpark usually is) so you just have to wonder where all the money comes from and how it goes. Living beyond their means is a COMMON cause of embezzlement. Let me say that one more time. Living beyond their means should be a key indicator of employee theft. They steal, and learn a new level of comfort, and then they have to steal to support this new level. No doubt they rationalize it with the thought that they’ll pay it back but it’s still gone.
Fourth, these thefts went on for years. Where was the auditing? Were checks matched to expenses, vouchers reviewed, and so on? Not likely, but if so then their auditor is practically negligent for not raising questions about cash disbursements to employees.
If you’re unsure whether your controls are adequate then contact AP Innovations, but at least speak with someone experienced in these loss opportunities.
Rob
/
Expansile Significance - "The Tip of the Iceberg" and how solving large losses often means addressing the insignificant ones
What the hell is Expansile Significance you ask? So did I, though the problem wasn’t with the term but with the fact that our industry never bothered to create one for a time honored concept. To better explain it consider combining the idea of the “tip of the iceberg” and the “Broken Window” Theory (here, here, and here, with dissenting view here).
We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). And for those familiar with interview techniques (I started with Wicklander-Zulawski – which competes with Reid and LSI) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through you doing your spiel with you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases.
In the world of law enforcement, former NYC Mayor Rudi Giuliani encapsulated it with through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is the time of enforcement then it’s worth the time to do it right.
Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my W-Z training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.
Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.
Rob
/
We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). And for those familiar with interview techniques (I started with Wicklander-Zulawski – which competes with Reid and LSI) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through you doing your spiel with you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases.
In the world of law enforcement, former NYC Mayor Rudi Giuliani encapsulated it with through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is the time of enforcement then it’s worth the time to do it right.
Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my W-Z training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.
Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.
Rob
/
Tuesday, November 1, 2005
The Latest - Congress and the "SHAC" attack on the NYSE
For the best on the current high-profile happenings in the Animal Rights/Liberation head to Animal Crackers.
Here's the short version... Huntingdon Life Sciences has been trying to be listed on the NYSE. On the eve of this listing the President of the NYSE blocked the listing, after being targeted by SHAC and friends. As a result, the U.S. Senate has had more hearings on Eco-terrorism including a guest appearence from Dr. Jerry Vlasik. There's some great video from this. The saga continues...
Once again, for more background information on Eco-terrorism, including Animal Rights/Liberation and the Environmental Movement try this.
Here's the short version... Huntingdon Life Sciences has been trying to be listed on the NYSE. On the eve of this listing the President of the NYSE blocked the listing, after being targeted by SHAC and friends. As a result, the U.S. Senate has had more hearings on Eco-terrorism including a guest appearence from Dr. Jerry Vlasik. There's some great video from this. The saga continues...
Once again, for more background information on Eco-terrorism, including Animal Rights/Liberation and the Environmental Movement try this.
Friday, October 28, 2005
You say you're unhappy with your security service providers? Here's why!
I spoke with a gentleman recently that expressed some 'unhappiness' with their security service provider. And why do you think might have been? There are only two possible reasons... Here they are and how to avoid them…
First, I want to clarify a quick point of misconception. A security system is a lot of things, or it can be a lot of things, but its presence or absence does not necessarily mean an organization is secure or has security. Electro-mechanical systems require procedures in order to be effective. They work within specific parameters and everything outside those parameters must still be met by additional effort. So now what makes you unhappy with your current service provider…
As I said, there are only two reasons why you are unhappy, and both stem from not getting what you want. The first reason is that the service provider is simply not providing the service promised. The contract or service agreement is clear and concise but the vendor cannot meet their obligation. Hopefully your contract either has a non-performance (punishment) clause or if this is unsatisfactory then a means to find another vendor without penalty. The written agreement you have with your vendor should state what you can do them for non-performance; maybe a fine/refund of fees each time a specific service is not performed. Sometimes it’s just not appropriate, or dangerous, to allow this condition to continue – fine or no fine – your just aren’t getting the protection you want. In these instances it is important that your agreement have a means of escape. Unfortunately, the uninitiated tend to sign agreements with vendors (provided by the vendors in a standard format) that actually penalize them for terminating the relationship early. It really doesn’t matter how “standard” their printed service agreement is or their insistence that they cannot make alterations. It’s your service and if one vendor won’t meet your needs then another will. It’s real simple. Security is not magic – security providers and security professionals do not have wizardly abilities that make them special – and there are enough service providers that someone will do what you want the way you want it. Count on it. You just need to find them. Think of all the angry moments you’ve had because of false alarms, missed patrols, or rude service; was it worth the convenience of the vendor or to save a few bucks?
Have you figured out the other likely reason for your unhappiness? It’s tucked into the paragraph above. Your vendor is performing just as the service agreement dictates, but you as the customer entered into an agreement that is inappropriate to your needs, or maybe just your wants. And for that, there is likely to be a penalty for terminating the agreement early. This is not the vendor’s fault – it’s yours. The truth hurts, but it’s not necessarily the end. Many times these agreements can be renegotiated. Why would a vendor do such a thing? Well, hopefully they appreciate your business and want to provide service that you’ll refer to others or at least speak well of whenever the opportunity presents itself. Word of mouth business referrals can’t be beat – and every vendor knows it – because it’s free marketing.
So how then do you avoid these errors and correct them after they happen? Naturally, I’d say find a reputable security consultant to assist you. While we can certainly help you with this, so can many others, and the results will change your view of security providers. Can you do it without a consultant? Sure you can, but you’re already unhappy (or rightly interested in avoiding that heartache) so why expose yourself unnecessarily.
Here’s why it works. A salesperson for the provider is focused on making as sale and preferably getting you to fit a pre-designed format of service. Their questions are focused on getting you into this mold. Your consultant, on the other hand, is focused on your needs and wants; all industry jargon aside. These can then be translated into service requirements. It’s a subtle difference. Typically, you don’t know what these services look and feel like until you experience them, but your consultant does. They have probably had to contract with guard services, alarm services, and courier services; so they know what hurts and what makes the relationship comfortable.
A consultant, or an in-house security manager, can also make for a better go-between. We have professional associations, peer groups, and, of course, our own jargon. It goes right back to the whole referral process. A service provider that takes care of a consultant or security manager can count on good words with other industry peers. And so….
Take a minute and consider what you don’t like about your service providers – and don’t forget what you like as well. Are you being serviced to your expectations?
Rob
/
First, I want to clarify a quick point of misconception. A security system is a lot of things, or it can be a lot of things, but its presence or absence does not necessarily mean an organization is secure or has security. Electro-mechanical systems require procedures in order to be effective. They work within specific parameters and everything outside those parameters must still be met by additional effort. So now what makes you unhappy with your current service provider…
As I said, there are only two reasons why you are unhappy, and both stem from not getting what you want. The first reason is that the service provider is simply not providing the service promised. The contract or service agreement is clear and concise but the vendor cannot meet their obligation. Hopefully your contract either has a non-performance (punishment) clause or if this is unsatisfactory then a means to find another vendor without penalty. The written agreement you have with your vendor should state what you can do them for non-performance; maybe a fine/refund of fees each time a specific service is not performed. Sometimes it’s just not appropriate, or dangerous, to allow this condition to continue – fine or no fine – your just aren’t getting the protection you want. In these instances it is important that your agreement have a means of escape. Unfortunately, the uninitiated tend to sign agreements with vendors (provided by the vendors in a standard format) that actually penalize them for terminating the relationship early. It really doesn’t matter how “standard” their printed service agreement is or their insistence that they cannot make alterations. It’s your service and if one vendor won’t meet your needs then another will. It’s real simple. Security is not magic – security providers and security professionals do not have wizardly abilities that make them special – and there are enough service providers that someone will do what you want the way you want it. Count on it. You just need to find them. Think of all the angry moments you’ve had because of false alarms, missed patrols, or rude service; was it worth the convenience of the vendor or to save a few bucks?
Have you figured out the other likely reason for your unhappiness? It’s tucked into the paragraph above. Your vendor is performing just as the service agreement dictates, but you as the customer entered into an agreement that is inappropriate to your needs, or maybe just your wants. And for that, there is likely to be a penalty for terminating the agreement early. This is not the vendor’s fault – it’s yours. The truth hurts, but it’s not necessarily the end. Many times these agreements can be renegotiated. Why would a vendor do such a thing? Well, hopefully they appreciate your business and want to provide service that you’ll refer to others or at least speak well of whenever the opportunity presents itself. Word of mouth business referrals can’t be beat – and every vendor knows it – because it’s free marketing.
So how then do you avoid these errors and correct them after they happen? Naturally, I’d say find a reputable security consultant to assist you. While we can certainly help you with this, so can many others, and the results will change your view of security providers. Can you do it without a consultant? Sure you can, but you’re already unhappy (or rightly interested in avoiding that heartache) so why expose yourself unnecessarily.
Here’s why it works. A salesperson for the provider is focused on making as sale and preferably getting you to fit a pre-designed format of service. Their questions are focused on getting you into this mold. Your consultant, on the other hand, is focused on your needs and wants; all industry jargon aside. These can then be translated into service requirements. It’s a subtle difference. Typically, you don’t know what these services look and feel like until you experience them, but your consultant does. They have probably had to contract with guard services, alarm services, and courier services; so they know what hurts and what makes the relationship comfortable.
A consultant, or an in-house security manager, can also make for a better go-between. We have professional associations, peer groups, and, of course, our own jargon. It goes right back to the whole referral process. A service provider that takes care of a consultant or security manager can count on good words with other industry peers. And so….
Take a minute and consider what you don’t like about your service providers – and don’t forget what you like as well. Are you being serviced to your expectations?
Rob
/
Tuesday, October 25, 2005
Eco-terrorism - in the news and in front of Congress - again
Brian Connor over at Animal Crackers has offered us information on the recent postponing of LSR (Life Sciences Research - otherwise known as Huntingdon Life Sciences) listing on the New York Stock Exchange (he draws from here, here and here). Further, it looks like there will be more hearings concerning the radical Animal Rights movement.
For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.
So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect you business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.
The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. Professor Steven Best at the University of Texas - El Paso stated in a speech that he would save his dog rather then an unknown human if they were both in a fire. See his dog means more to him than a unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (Animal Liberation Front) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.
This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.
For additional information concerning Eco-terrorism in the U.S. check out this document.
Rob
/
For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.
So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect you business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.
The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. Professor Steven Best at the University of Texas - El Paso stated in a speech that he would save his dog rather then an unknown human if they were both in a fire. See his dog means more to him than a unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (Animal Liberation Front) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.
This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.
For additional information concerning Eco-terrorism in the U.S. check out this document.
Rob
/
Monday, October 24, 2005
Looks like a plan
I would like to draw your attention to something I bumped into on the web while doing a little research that demonstrates a sincere effort in protecting kids. However, it goes much further than this alone by showing some important points in just a few words. Most importantly it appears to effectively blend procedures with technology. In other words, the technology only serves to enhance an already worthwhile process.
Consider these points:
Again, I am not saying that this document is perfect or that the system they have in place is even effectively maintianed, because that was not my point. I have never been to this organization or observed their activity, but given the presentation of the information on the web I thought it only fair to share it.
Keep in mind that good security comes from good procedures - what you do - and not necessarily from expensive equipment - what you have. Consider the "Security System" page just once more and realize that you could replace every mention of technology on that page with much more mundane tools. Consider cypher locks instead of a thumb reader and some other token rather than wristbands - the procedures still appears effective. So it would appear that there is a good marriage between technology and the operating procedures.
Sincerely. Kudos to the folks at Jersey Village for their efforts...
Rob
/
Consider these points:
- First is the acknowledgement that not system is "foolproof." This is essential in avoiding misconceptions of impenetrable security. Too many people like to tell people just how perfect their methodology, techniques, and systems are, but this has more to do with the speaker's ego and puffery than real security. Being honest is far more useful, especially because knowing that a system is not foolproof and being told that is the difference between telling people to relinquish their concerns and asking them to remain alert or aware.
- Second is a request for cooperation with the established procedures. This also acknowledges the contribution that the legitimate user makes to the overall success. Most systems of controls are built on an assumption of compliance, and without general compliance the process will FAIL. Consider the enforcement of speeding on the roads - nearly everyone exceeds the speed limit - creating a lack of general compliance and overwhelming the enforcement capability. Asking for the cooperation of the participant can go a long way toward getting it. Think carrot first, stick second.
- Third there are routine procedures and contingency procedures noted. I am not saying that these procedures are all encompassing, but they are considerably more thorough than I often see. Most importantly is the lack of legalese or technical language. The procedures are clearly written and simplistic (but not overly so). There is even direction should the wristband be lost, which helps to avoid the argument should this happen without a publicized procedure.
Again, I am not saying that this document is perfect or that the system they have in place is even effectively maintianed, because that was not my point. I have never been to this organization or observed their activity, but given the presentation of the information on the web I thought it only fair to share it.
Keep in mind that good security comes from good procedures - what you do - and not necessarily from expensive equipment - what you have. Consider the "Security System" page just once more and realize that you could replace every mention of technology on that page with much more mundane tools. Consider cypher locks instead of a thumb reader and some other token rather than wristbands - the procedures still appears effective. So it would appear that there is a good marriage between technology and the operating procedures.
Sincerely. Kudos to the folks at Jersey Village for their efforts...
Rob
/
Friday, October 21, 2005
A special note to my new "friend" - Some people make crime easy
Hey Steve! I'm calling your name so that you know this is about you - I gave you my card at the bookstore.
For everyone else, here's how it went...
I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. Nothing odd there; everyone does it - it's not like it's a library, right?
Then the call gets interesting. Steve began speaking about a donation. Being someone that considers Social Engineering (see a pro here, more here, and here) one of the most, if not the most, under treated security risk, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.
Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.
This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.
Look folks. If you going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.
This is an example of poor OPSEC and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.
For everyone else, here's how it went...
I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. Nothing odd there; everyone does it - it's not like it's a library, right?
Then the call gets interesting. Steve began speaking about a donation. Being someone that considers Social Engineering (see a pro here, more here, and here) one of the most, if not the most, under treated security risk, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.
Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.
This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.
Look folks. If you going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.
This is an example of poor OPSEC and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.
Thursday, October 20, 2005
Quick advert for a friend
My best friend has started a new blog.
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
Quick advert for a friend
My best friend has started a new blog.
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
Tuesday, October 18, 2005
Rest in peace - or so we hope...
In light of some recent news concerning the recent sentencing of a few cemetery vandals, let's consider this issue of protecting cemeteries.
I can’t say I understand why anyone would damage a cemetery or any part of it, but apparently there are many who think it’s entertainment. Cemeteries and memorial gardens have little in the way of assets - in a traditional sense. What you find in a cemetery generally has little resale value or ability for reuse. I’m certain, without a doubt, that there are exceptions to this; possibly gold trim, or ornaments, or something like that. Anyway, what is being protected has more to do with the idea that the dead should “rest in peace" than protecting assets - at least in my opinion.
Typically cemetery vandalism has to do with tipping headstones - defacing or rearranging them - and similar acts of mischief. On rare occasions there is the grave robbery. One notable recent occurrence is the grave robbery at the Newchurch Guinea Pig Farm in the UK where animal liberation extremists (including this group) stole the remains of a family relative (see here and here). The goal was to drive the farm owners to shut down the guinea pig operation. And, it was successful. There have been arrests but the damage is done.
So how then do you protect a cemetery? These are places that are often left quiet and unoccupied (at least by living souls) for considerable amounts of time. Oh, and dark - cemeteries are not generally illuminated at night. The other issue is to allow legitimate users access - as is the norm anyway.
Since most acts of vandalism occur during the hours of darkness, and there are generally fewer (if any) legitimate users, it's probably best to focus efforts on this time period. How then is the best way, generally speaking, to manage access during the hours of darkness?
We'’re right back at the 4D's -– Deter, Detect, Delay, Deny. Let's face it, vandals are not typically professionals. I mean there are professional thieves, robbers, and burglars, but have you ever heard of a professional vandal? Assuming this to be the case, it becomes an issue of making it more difficult to gain access -– delay. This does not mean that deterrents are ignored or that an attempt is made to detect intrusions.
Cemeteries generally have a fence or wall around them. The size and construction of this barrier can have real merit. Wrought iron fences are common and they create a worthy obstacle for climbing over. With few, if any, cross bars it is difficult to use the legs to assist with the climb. So there is a barrier that provides a delay - which in and of itself provides a further deterrent value since it's far easier to lose interest after a little unsuccessful effort.
Now it's also worthwhile to consider a few other features depending on whether the threat warrants them - and this is purely a judgment call. Like motion activated lighting, motion activated sprinklers, and a detection system - either a traditional alarm system or a monitored video system. There are many factors that may affect these potential options. One relatively simple option at this point might be to have a motion activated CCTV system to work in conjunction with motion activated lighting. There is some deterrent value in this - especially if signage is also used - but the additional CCTV system will assist with any investigations as well.
There can be little down doubt that an interactive monitored CCTV system would be an ideal application of technology in this environment. There are a couple of key reasons for this: One is the power of speaking to vandals - it can be very distracting to your activities when you here someone explaining to you that you're being videotaped and the police have been notified - and the site would not generally need a very high level of involvement. It would much like having a security officer on call.
For the really bad locations it may be best to use several options including onsite manned security posts. By far this is the most expensive but it also provides puts a lot of capability at the hotspot.
I can’t say I understand why anyone would damage a cemetery or any part of it, but apparently there are many who think it’s entertainment. Cemeteries and memorial gardens have little in the way of assets - in a traditional sense. What you find in a cemetery generally has little resale value or ability for reuse. I’m certain, without a doubt, that there are exceptions to this; possibly gold trim, or ornaments, or something like that. Anyway, what is being protected has more to do with the idea that the dead should “rest in peace" than protecting assets - at least in my opinion.
Typically cemetery vandalism has to do with tipping headstones - defacing or rearranging them - and similar acts of mischief. On rare occasions there is the grave robbery. One notable recent occurrence is the grave robbery at the Newchurch Guinea Pig Farm in the UK where animal liberation extremists (including this group) stole the remains of a family relative (see here and here). The goal was to drive the farm owners to shut down the guinea pig operation. And, it was successful. There have been arrests but the damage is done.
So how then do you protect a cemetery? These are places that are often left quiet and unoccupied (at least by living souls) for considerable amounts of time. Oh, and dark - cemeteries are not generally illuminated at night. The other issue is to allow legitimate users access - as is the norm anyway.
Since most acts of vandalism occur during the hours of darkness, and there are generally fewer (if any) legitimate users, it's probably best to focus efforts on this time period. How then is the best way, generally speaking, to manage access during the hours of darkness?
We'’re right back at the 4D's -– Deter, Detect, Delay, Deny. Let's face it, vandals are not typically professionals. I mean there are professional thieves, robbers, and burglars, but have you ever heard of a professional vandal? Assuming this to be the case, it becomes an issue of making it more difficult to gain access -– delay. This does not mean that deterrents are ignored or that an attempt is made to detect intrusions.
Cemeteries generally have a fence or wall around them. The size and construction of this barrier can have real merit. Wrought iron fences are common and they create a worthy obstacle for climbing over. With few, if any, cross bars it is difficult to use the legs to assist with the climb. So there is a barrier that provides a delay - which in and of itself provides a further deterrent value since it's far easier to lose interest after a little unsuccessful effort.
Now it's also worthwhile to consider a few other features depending on whether the threat warrants them - and this is purely a judgment call. Like motion activated lighting, motion activated sprinklers, and a detection system - either a traditional alarm system or a monitored video system. There are many factors that may affect these potential options. One relatively simple option at this point might be to have a motion activated CCTV system to work in conjunction with motion activated lighting. There is some deterrent value in this - especially if signage is also used - but the additional CCTV system will assist with any investigations as well.
There can be little down doubt that an interactive monitored CCTV system would be an ideal application of technology in this environment. There are a couple of key reasons for this: One is the power of speaking to vandals - it can be very distracting to your activities when you here someone explaining to you that you're being videotaped and the police have been notified - and the site would not generally need a very high level of involvement. It would much like having a security officer on call.
For the really bad locations it may be best to use several options including onsite manned security posts. By far this is the most expensive but it also provides puts a lot of capability at the hotspot.
Thursday, October 13, 2005
When you must share the house - or borrow it
I had an interesting conversation recently with someone that felt that they could not benefit from consulting services because, not having their own facility, they held their worship services at a nearby school. We did not go into details as to whether they would have a building anytime soon, and, quite frankly, it doesn't have a significant impact here. There are several safety and security issues that crop up in relation to sharing a house of worship - or borrowing one temporarily. I'll spend a little time on a few here...
Access: It's still about Access Management. Who has it, who needs it, and how do you know. How many access points does a school, or community center typically have? Quite a few in my experience, so how can you be sure who is in or out of a facility. What about hygiene facilities? At any given time, how do you know they are safe? In other words, who may be lurking in a restroom? How are collections processed and safeguarded? Who has access? How do you know. There are probably more keys floating around for those buildings than anyone can know. As a periodic user of the facility it is unlikely that you can change this fact, but you can manage the subsequent risks.
What are just a few thoughts to take away?
Keep a closer eye on children particularly when they head into the restrooms. It's also a good idea to ensure that these areas are searched by responsible adults prior to use. This could be done by those that arrive to set up.
Segregate the area to be used from the facility in general. Many schools, at least the ones I remember, had fences that were pulled across specific hallways as the school was closed. If these exist, and it DOES NOT create an evacuation hazard, then they should be used. Be sure that school officials are the ones to actually close and lock these to ensure that doing so keeps the occupancy within local code.
Any area in which cash is to be processed or stored should be adequately protected. It is my opinion, that when this is done within an uncontrolled location, like a school or community center, then a cash-in-transit provider should be used whenever possible - and please choose a reputable one (email me for some guidelines to use when evaluating vendors). Either way, I would not bother to count or process the funds on location; instead I would work with a bank that would provide a counting room and process it there. Otherwise, just pass it on to the bank and let them process it. I know it is important to give credit to those who use checks or donation envelopes and this service can be done by a CIT service; or this can be done in a counting room at the bank. There are other options but the bank is convenient since the funds will end up there anyway.
Nursery areas should also be carefully selected and searched since they are more likely to have a dangerous objects present (at least objects dangerous to young children).
Just a few thoughts. I'm sure this will be revisited again.
Rob
/
Access: It's still about Access Management. Who has it, who needs it, and how do you know. How many access points does a school, or community center typically have? Quite a few in my experience, so how can you be sure who is in or out of a facility. What about hygiene facilities? At any given time, how do you know they are safe? In other words, who may be lurking in a restroom? How are collections processed and safeguarded? Who has access? How do you know. There are probably more keys floating around for those buildings than anyone can know. As a periodic user of the facility it is unlikely that you can change this fact, but you can manage the subsequent risks.
What are just a few thoughts to take away?
Keep a closer eye on children particularly when they head into the restrooms. It's also a good idea to ensure that these areas are searched by responsible adults prior to use. This could be done by those that arrive to set up.
Segregate the area to be used from the facility in general. Many schools, at least the ones I remember, had fences that were pulled across specific hallways as the school was closed. If these exist, and it DOES NOT create an evacuation hazard, then they should be used. Be sure that school officials are the ones to actually close and lock these to ensure that doing so keeps the occupancy within local code.
Any area in which cash is to be processed or stored should be adequately protected. It is my opinion, that when this is done within an uncontrolled location, like a school or community center, then a cash-in-transit provider should be used whenever possible - and please choose a reputable one (email me for some guidelines to use when evaluating vendors). Either way, I would not bother to count or process the funds on location; instead I would work with a bank that would provide a counting room and process it there. Otherwise, just pass it on to the bank and let them process it. I know it is important to give credit to those who use checks or donation envelopes and this service can be done by a CIT service; or this can be done in a counting room at the bank. There are other options but the bank is convenient since the funds will end up there anyway.
Nursery areas should also be carefully selected and searched since they are more likely to have a dangerous objects present (at least objects dangerous to young children).
Just a few thoughts. I'm sure this will be revisited again.
Rob
/
Wednesday, October 12, 2005
Valuable lessons from the USS Cole attack
Let's all take a minute and remember the 17 dead and 42 wounded in the attack on the USS Cole five years ago today - that would October 12, 2000. See the Stars & stripes tribute many of the other news outlets.
Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. For I'll start with the Cole Commission Report and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.
I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.
Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.
Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism
Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, Dr. Kobetz, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we all familiar with the limitations on tools, expertise and money in preparing an attack.
Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces
This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. So keep organizational plans in the mix as well.
Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility
This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things with the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.
Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks
Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider the being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.
Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)
Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. Stay within the law but collect.
Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces
This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try here, or here for information). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.
Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit
This says so much. What do you know about security officer, security supervisor, or security manager training? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of Marcinko's books, "Train hard, fight easy!" Although enough may be said about training - enough is rarely done about training.
Just a few comments on what every security professional/practitioner can learn from a tragic event.
Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. For I'll start with the Cole Commission Report and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.
I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.
Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.
Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism
Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, Dr. Kobetz, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we all familiar with the limitations on tools, expertise and money in preparing an attack.
Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces
This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. So keep organizational plans in the mix as well.
Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility
This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things with the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.
Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks
Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider the being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.
Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)
Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. Stay within the law but collect.
Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces
This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try here, or here for information). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.
Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit
This says so much. What do you know about security officer, security supervisor, or security manager training? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of Marcinko's books, "Train hard, fight easy!" Although enough may be said about training - enough is rarely done about training.
Just a few comments on what every security professional/practitioner can learn from a tragic event.
Monday, October 10, 2005
Dangerous persons - "One for you - two for me"
And a couple of quick words on employing - or allowing to volunteer - persons with violent backgrounds. Who's at risk, who's responsible, and maybe some ideas for managing the issue.
There is a great deal of discussion on the value of background checks (which typically just amount to a local criminal records check) on potential employees. Well, I'll here to say that there is a great deal more to this topic - for so many reasons. At their root, though, is how your organization looks to its stakeholders. That would be the congregants, potential congregants, surrounding communities, trustees, clergy, and any affiliated institutions (schools, other churches within a denomination, etc.). How these individuals perceive your organization - church, synagogue, mosque, temple, sanctuary, coven, or any other title used - will impact many things. Will membership or attendance grow, will members leave, will the community (and the press) look favorably on you should something happen? Ok, so there are lots of people to keep happy or at least calm, but we are leaving out another category of constituents - the victims. As we've all seen on the news concerning the Catholic Church's unfortunate sex scandals, we will be held accountable to make the victim whole again (or at least try too - see this article on a quick resolution).
With all that said, we can make a concerted effort to eliminate one class of constituent - you got it - the victims. And, we can use the same Deter, Detect, Delay, Deny concept of security. We deter would be miscreants by making it known that we screen all applicants (and the includes volunteers). I had a professor that owned a security firm and used to call to a room of applicants, "We'll start the polygraphs in five minutes," only to find the room nearly empty in half that time. As humorous as this maybe it is also very sad... It shows that far too many wolves attempt to infiltrate the ranks of the sheepdogs. None-the-less making it clear that these backgrounds will be conducted is a useful pre-screening tool. Are they expensive? Not all pre-screening tools/services are the same, but try and find one and multiply it by say 200 and see if it has reached amount of one significant lawsuit (plus legal fees, lost wages, lost revenue/donations, and lost TRUST). From my own experience this doubtful, even at almost $150 each - and you most certainly can find a solution for less. Need help or don't believe me then call and we'll get you the right solution provider.
So we've publicized that we pre-screen, but what do we check for? This is where price comes in - sort of. Start with the local criminal record check, sex offender registries, and heck throw in a Google search for good measure. If the person is performing community service then there should be a way to inquire through official channels as the why they were sentenced to this service. Someone doing this for a Shoplifting charge should not be left alone in say a thrift store. Again, we don't want to set anyone up to fail - do we?
Besides criminal checks, it may be worthwhile in some cases to do civil records, bankruptcy/public filings, and so on. The civil records can be useful for the odd instance when someone is sued for theft, but not criminally charged, or domestic violence (battery), or similar instances where the victim chose a route other than criminal charges.
Incidentally, pre-screening efforts would fall under the Detect segment of the paradigm.
For more information on what is available in background investigations - see this article by Joe Labrozzi.
We'll continue on next with a look at delay and deny.
There is a great deal of discussion on the value of background checks (which typically just amount to a local criminal records check) on potential employees. Well, I'll here to say that there is a great deal more to this topic - for so many reasons. At their root, though, is how your organization looks to its stakeholders. That would be the congregants, potential congregants, surrounding communities, trustees, clergy, and any affiliated institutions (schools, other churches within a denomination, etc.). How these individuals perceive your organization - church, synagogue, mosque, temple, sanctuary, coven, or any other title used - will impact many things. Will membership or attendance grow, will members leave, will the community (and the press) look favorably on you should something happen? Ok, so there are lots of people to keep happy or at least calm, but we are leaving out another category of constituents - the victims. As we've all seen on the news concerning the Catholic Church's unfortunate sex scandals, we will be held accountable to make the victim whole again (or at least try too - see this article on a quick resolution).
With all that said, we can make a concerted effort to eliminate one class of constituent - you got it - the victims. And, we can use the same Deter, Detect, Delay, Deny concept of security. We deter would be miscreants by making it known that we screen all applicants (and the includes volunteers). I had a professor that owned a security firm and used to call to a room of applicants, "We'll start the polygraphs in five minutes," only to find the room nearly empty in half that time. As humorous as this maybe it is also very sad... It shows that far too many wolves attempt to infiltrate the ranks of the sheepdogs. None-the-less making it clear that these backgrounds will be conducted is a useful pre-screening tool. Are they expensive? Not all pre-screening tools/services are the same, but try and find one and multiply it by say 200 and see if it has reached amount of one significant lawsuit (plus legal fees, lost wages, lost revenue/donations, and lost TRUST). From my own experience this doubtful, even at almost $150 each - and you most certainly can find a solution for less. Need help or don't believe me then call and we'll get you the right solution provider.
So we've publicized that we pre-screen, but what do we check for? This is where price comes in - sort of. Start with the local criminal record check, sex offender registries, and heck throw in a Google search for good measure. If the person is performing community service then there should be a way to inquire through official channels as the why they were sentenced to this service. Someone doing this for a Shoplifting charge should not be left alone in say a thrift store. Again, we don't want to set anyone up to fail - do we?
Besides criminal checks, it may be worthwhile in some cases to do civil records, bankruptcy/public filings, and so on. The civil records can be useful for the odd instance when someone is sued for theft, but not criminally charged, or domestic violence (battery), or similar instances where the victim chose a route other than criminal charges.
Incidentally, pre-screening efforts would fall under the Detect segment of the paradigm.
For more information on what is available in background investigations - see this article by Joe Labrozzi.
We'll continue on next with a look at delay and deny.
Wednesday, October 5, 2005
Home care providers and workplace violence
Here's an interesting topic that came up today: Security in home service industries. You know house cleaning services, home healthcare, and all the other services that involve someone being sent to a home to assist the homeowner.
Here are a couple of quick resources on the topic: book, article, article, article, article, government publication, another government publication, and there are more available on the web.
As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to vet your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!
What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, has acknowledged the problem and want your employee to be safe, and two it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract. This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size fits all system.
It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (see this, and this) details when they conduct an advance. Why? To manage risks simple as that. Now you have better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.
Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. foreseeability is one factor used during civil litigation to determine and employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (See this on background research)
A couple of quick notes on background research. First it's always best to get consent up front; however public records are public so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like this; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. Enough said there.
Here are a couple of quick resources on the topic: book, article, article, article, article, government publication, another government publication, and there are more available on the web.
As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to vet your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!
What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, has acknowledged the problem and want your employee to be safe, and two it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract. This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size fits all system.
It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (see this, and this) details when they conduct an advance. Why? To manage risks simple as that. Now you have better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.
Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. foreseeability is one factor used during civil litigation to determine and employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (See this on background research)
A couple of quick notes on background research. First it's always best to get consent up front; however public records are public so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like this; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. Enough said there.
Cash Controls - "One for you - two for me"
And we're carrying on with concerns of mentally disabled and thieving individuals working in religious institution (it's not just churches anymore) food service operations - but it does apply to their thrift stores or anywhere else cash may be handled.
Here's a down and dirty look at cash controls and that includes any monetary instrument including checks, store script/gift certificates, and so on.
In any cash management system there are at least two places from which to reconcile your activities - when the cash is received and when it gets into your account. In some cases the 'receiving' part is a little more vague and uncontrolled - like offering plates - but for now we'll stick to this assumption. The problem isn't whether the money makes it from point A (receiving the money) to point B (arrival in the account), but what happens to it in between. The real problem is how the funds are transferred between parties at different points in the process. (If you're skilled with flowcharts then they can be very handy at this point.) In other words, it's the transfers between parties and the processing done between transfers that create the problem. Common sense, you say? Maybe so, but it's amazing how often a very simple procedure could have prevented an enormous loss - and the accompanying embarrassment, loss of face, distrust, anger, and the rest that comes from a betrayal!
In short, each transfer of cash should include the active participation of two persons. Each party is then responsible for verifying what is transferred. Documenting this is also useful for many reasons and the documentation typically includes the signatures of both parties (date and time, etc.). If the receiving party is unable to verify the total in the presence of the transmitting party then there should be two persons in the receiving party that verify it. This is based on an assumption (sometimes incorrectly - but that's another discussion) that it's harder for two persons to collude on a crime than for one person to commit it alone... So then if we have a loss we are able to see that the proper funds are transferred from party to party until an incorrect amount of funds are transferred. So easy - when done properly - and having clear (and enforced) procedures for transfers goes a long way to preventing losses. Why is prevention better? Especially here? First, proving larceny or embezzlement often requires an admission by the thief - which may not be difficult for an experienced interviewer/interrogator (see Chris' article here, and this website, and this website for more information on interviews) but what house of worship wants to employ these methods? (I think they all should because it's effective and, if done properly, helps the organization make a meaningful loss recovery and aids the thief because they get the feeling of a clear conscience - they don't call it a confession for nothing) Also law enforcement is generally too busy to get deeply involved in an internal loss - it's a property crime, time consuming, and is many times not seen as "real crime," and it costs money to go through an investigation. That means more loss! So prevention, prevention, prevention.
The next concern is what is done between transfers - the processing. Whatever processing that should be done to funds including counting, recording, packaging, and deposit preparation should have clear (and enforced) procedures. It is always preferable that any handling of funds is done under "dual control." This involves two (dual) people that verify each other's work to ensure accuracy. The purpose of dual control is to avoid errors; however a byproduct is an significant decrease in opportunities for theft. Their activities should also be documented - preferably with their signatures.
That is the short form on cash control... I didn't mention issues concerning the verification that it was received in the first place but we can save that for another time. This opens a whole other can of worms since you must now determine whether items were accounted for at the point of sale/transfer and so on... Enough for now.
Here's a down and dirty look at cash controls and that includes any monetary instrument including checks, store script/gift certificates, and so on.
In any cash management system there are at least two places from which to reconcile your activities - when the cash is received and when it gets into your account. In some cases the 'receiving' part is a little more vague and uncontrolled - like offering plates - but for now we'll stick to this assumption. The problem isn't whether the money makes it from point A (receiving the money) to point B (arrival in the account), but what happens to it in between. The real problem is how the funds are transferred between parties at different points in the process. (If you're skilled with flowcharts then they can be very handy at this point.) In other words, it's the transfers between parties and the processing done between transfers that create the problem. Common sense, you say? Maybe so, but it's amazing how often a very simple procedure could have prevented an enormous loss - and the accompanying embarrassment, loss of face, distrust, anger, and the rest that comes from a betrayal!
In short, each transfer of cash should include the active participation of two persons. Each party is then responsible for verifying what is transferred. Documenting this is also useful for many reasons and the documentation typically includes the signatures of both parties (date and time, etc.). If the receiving party is unable to verify the total in the presence of the transmitting party then there should be two persons in the receiving party that verify it. This is based on an assumption (sometimes incorrectly - but that's another discussion) that it's harder for two persons to collude on a crime than for one person to commit it alone... So then if we have a loss we are able to see that the proper funds are transferred from party to party until an incorrect amount of funds are transferred. So easy - when done properly - and having clear (and enforced) procedures for transfers goes a long way to preventing losses. Why is prevention better? Especially here? First, proving larceny or embezzlement often requires an admission by the thief - which may not be difficult for an experienced interviewer/interrogator (see Chris' article here, and this website, and this website for more information on interviews) but what house of worship wants to employ these methods? (I think they all should because it's effective and, if done properly, helps the organization make a meaningful loss recovery and aids the thief because they get the feeling of a clear conscience - they don't call it a confession for nothing) Also law enforcement is generally too busy to get deeply involved in an internal loss - it's a property crime, time consuming, and is many times not seen as "real crime," and it costs money to go through an investigation. That means more loss! So prevention, prevention, prevention.
The next concern is what is done between transfers - the processing. Whatever processing that should be done to funds including counting, recording, packaging, and deposit preparation should have clear (and enforced) procedures. It is always preferable that any handling of funds is done under "dual control." This involves two (dual) people that verify each other's work to ensure accuracy. The purpose of dual control is to avoid errors; however a byproduct is an significant decrease in opportunities for theft. Their activities should also be documented - preferably with their signatures.
That is the short form on cash control... I didn't mention issues concerning the verification that it was received in the first place but we can save that for another time. This opens a whole other can of worms since you must now determine whether items were accounted for at the point of sale/transfer and so on... Enough for now.
Monday, October 3, 2005
New Training Program!!!
The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
New training program!!!
The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
Controls and process management
This will just be a quick post to discuss what I mean when I talk about controls - as they pertain to process management.
Security in the retail sector historically counted on catching the shoplifter; however this is not the most effective means for controlling losses. Another example is having someone that counts the offering plate collections arrested after they embezzle some cash. It's just not effective and it means that you have lost it - and you probably won't get it back. So what is more effective?
Take the shoplifting example. In our instance our thief takes several items into the fitting room where they conceal some within their personal bags. Maybe the loss prevention team is allowed to make fitting room stops, or maybe not. Either way the crime must be committed first. How many will be able to do this without attracting enough surveillance to be stopped (legally)? Far too few compared with the thieves successes. Now how about a fitting room attendant? When the thief enters the fitting room area the attendant counts the garments and provides the thief with a numbered placard that corresponds to the number of garments. When they come out the process is reversed... Voila' magic does not happen in the fitting room and nothing disappears - this time. It's not a foolproof system but it's good enough for this example. If even half the thieves are stopped in this manner it is still more effective that trying catch them after they conceal something.
Back to the offering plate... We have a long-term member of the congregation counting the money and one day someone realizes that all of it didn't make it into the church's accounts. It's a crime, yes, but now an investigation must take place - which costs money - and even if they admit to the theft the cash is probably gone - POOF - into thin air. Now what if we were to have two persons count the money together? Maybe then they could keep each other honest. What you say? They'll just steal some other way! Maybe so, but we can always add controls so that thefts become more visible more rapidly. This is much more cost effective in the long run.
So that is what is meant by controls. Procedures and devices put in place to enforce policies. Our policy says all the funds must make it into the organizational account, so we make it difficult to do otherwise.
Security in the retail sector historically counted on catching the shoplifter; however this is not the most effective means for controlling losses. Another example is having someone that counts the offering plate collections arrested after they embezzle some cash. It's just not effective and it means that you have lost it - and you probably won't get it back. So what is more effective?
Take the shoplifting example. In our instance our thief takes several items into the fitting room where they conceal some within their personal bags. Maybe the loss prevention team is allowed to make fitting room stops, or maybe not. Either way the crime must be committed first. How many will be able to do this without attracting enough surveillance to be stopped (legally)? Far too few compared with the thieves successes. Now how about a fitting room attendant? When the thief enters the fitting room area the attendant counts the garments and provides the thief with a numbered placard that corresponds to the number of garments. When they come out the process is reversed... Voila' magic does not happen in the fitting room and nothing disappears - this time. It's not a foolproof system but it's good enough for this example. If even half the thieves are stopped in this manner it is still more effective that trying catch them after they conceal something.
Back to the offering plate... We have a long-term member of the congregation counting the money and one day someone realizes that all of it didn't make it into the church's accounts. It's a crime, yes, but now an investigation must take place - which costs money - and even if they admit to the theft the cash is probably gone - POOF - into thin air. Now what if we were to have two persons count the money together? Maybe then they could keep each other honest. What you say? They'll just steal some other way! Maybe so, but we can always add controls so that thefts become more visible more rapidly. This is much more cost effective in the long run.
So that is what is meant by controls. Procedures and devices put in place to enforce policies. Our policy says all the funds must make it into the organizational account, so we make it difficult to do otherwise.
One for you - Two for me
Here's a couple of questions from back in August's Embezzlement piece:
When using volunteers or food service firms there is some concern over the screening of persons who have access to cash. Some of the food service firms employ disabled (mentally) persons as well as those on parole. What are some controls that can be implemented?
Houses of Worship routinely operate food services for the poor or economically disadvantaged as well as thrift stores and other types of activities that may or may not involve monetary remuneration for the service. For instance, in some cases persons on government assistance may be given the opportunity to select one or more pieces of clothing from a thrift store each month - a shopping trip for those who cannot afford it.
I think there are really two very broad questions: one concerning cash controls and another concerning liability from employing potentially dangerous persons (or allowing them to volunteer). These are distinct issues with different tools to manage them. We'll break these down into separate blog posts. First we'll discuss an overview of the problems and controls; then we'll look at cash controls followed by managing dangerous persons.
When using volunteers or food service firms there is some concern over the screening of persons who have access to cash. Some of the food service firms employ disabled (mentally) persons as well as those on parole. What are some controls that can be implemented?
Houses of Worship routinely operate food services for the poor or economically disadvantaged as well as thrift stores and other types of activities that may or may not involve monetary remuneration for the service. For instance, in some cases persons on government assistance may be given the opportunity to select one or more pieces of clothing from a thrift store each month - a shopping trip for those who cannot afford it.
I think there are really two very broad questions: one concerning cash controls and another concerning liability from employing potentially dangerous persons (or allowing them to volunteer). These are distinct issues with different tools to manage them. We'll break these down into separate blog posts. First we'll discuss an overview of the problems and controls; then we'll look at cash controls followed by managing dangerous persons.
Thursday, September 29, 2005
ASIS - benefit, cash drain, vanity show, or all three?
Here's another request, and one that hits close to home. What are the benefits of belonging to ASIS? Are there any opportunities for students?
I know I'm not the best person to answer this, but here are my thoughts none-the-less...
ASIS International - formerly the American Society for Industrial Security - is the granddaddy of all security associations (as far as I know). They are and organization that has changed a lot since their beginnings and they are destined to change far more in the next decade.
Once upon a time when I first found my way into security I did not think too much of ASIS - why? Well my experiences were of rather pompous people that believed they knew everything; however they did not seem open to changes (so I figured ASIS were fitting initials). After some time I found that not being part of it could be a little dangerous to a career - at least from the networking and industry update side. I joined other organizations like the International Foundation for Protection Officers, the Academy of Security Educators and Trainers, and was inducted into The Nine Lives Associates, but I eventually realized that ASIS was where these pretty much all came from anyway. I'm still part of all of these as well as being involved in ASIS.
Is ASIS a good ol' boys group? Maybe once upon a time it was - and it certainly was in my perception - but I've noticed in just the last eight years a subtle change away from such an image. Now it could very well be that my perception has changed due to my involvement and interaction with a wider group of members. Either way, I now see ASIS as something very important to our industry and something worth being part of - if nothing else but to affect change for the better.
So what do I get from ASIS? I like training, news, interaction, argument - dissent, disagreement, and conflict - for the sake of getting better. I like to think and ask others to challenge my thoughts - and many are all too willing to do so in an almost unfriendly way. ASIS gives me access to many others within my own industry - saints and jerks alike. We can learn something from anyone, and with that in mind and something like 20,000 members there's a lot I can learn from ASIS.
ASIS also provides the most well known certifications. Why are these important? Consider this... Who do you want to do your taxes? A Certified Public Accountant or an Accountant? Why is that? To me a CPA represents someone that is willing to put their knowledge and skills to greater scrutiny - once for an examination - and continually by meeting the expectations of those that choose a CPA. They also have a Code of Conduct that is spelled out clearly for everyone to see. This means there are disciplinary actions that can be taken outside of the usual criminal and civil paths. Why is this important? It means that a CPA is willing to perform to a standard or be punished professionally. Now take that into the world of security. Who do you look for when you need an answer? A Security Manager or the CPP? Which would you prefer protecting your organization on a day-to-day basis? A security officer or a CPO? Do you expect a certain level of performance? Absolutely. When a standard is not met then 'professional' disciplinary action can be taken. ASIS, IFPO, ACFE, and ISC2 all have expected standards of performance. So the certifications are important by imparting an agreement by the designee, to perform in an acceptable way, the organization, to enforce their rules of conduct to maintain the quality of the certification in the public domain, and the public (or consumers), who expect that level of performance. It is a commitment to professionalism.
So what can students do in ASIS? LEARN! Take notes, train, NETWORK, and drive yourself to a higher standard than your own mentor. Oh yah, find a mentor (or mentors) and grow from their experience - but always think for yourself.
Attending training - when you can afford it - is essential to reaching that next level. Any training is good - even bad training. Bad training (and I've paid for my fair share of absolute crap disguised under the reputation of a "security pro") helps you to know who is full of crap in the industry and what they sound like when they talk. They will be your competition for good jobs. There's a lot to be said for these folks, but they're in every industry so just go out and meet them. Bad training can also get you hurt - think about everything that you are taught - so that the skills you learn do not govern your performance. Ask yourself, "How would I get around this?" or "How could this be defeated?" Sometimes it's worth asking someone who really knows. When I used to catch shoplifters I often asked them about previous fights with law enforcement or security. They'll talk - everyone who wins a fight talks - and this can be beneficial to you. Develop a "Discipline of Training" and stick with it. A little here, a little there. When you can't afford training (and I know how that feels making $5.90 catching thieves) get a book, conduct a free survey, plan a security system, engineer a breakin, and use your imagination to train yourself - it's free. Offer to work with someone on your off-hours; informal internships can be very useful. AND go where the knowledge is - just like salespersons go where the money is - spend time in the circles that your potential mentors will be and be involved. This is where ASIS can be a great help because you can go where the best are - monthly meetings, committees and so on. When you drink beer or otherwise socialize with these folks take some time to get advice on your career direction, opportunities, tricks and tips, and then make sure you don't monopolize the time. DON'T be afraid to offer your opinion on any discussion concerning security. If you're wrong you'll learn, and if you're right then you're contributing. If those with you blow you off and act like you should be a child - seen and not heard - then it's time to find a new group of pro's because there's little reason to waste your time with pompous fools unwilling to drive someone else's success. Your time is valuable - DO NOT waste it. Build your network - nurture your network - expand your network - improve yourself so others want to network with you - and focus on quality and not size. 200 business cards are just a stack of paper - 2 good contacts that you can reach out to and not be a stranger can change your life.
Those are my thoughts on ASIS - for me it is a facilitator for all of this.
Rob
/
I know I'm not the best person to answer this, but here are my thoughts none-the-less...
ASIS International - formerly the American Society for Industrial Security - is the granddaddy of all security associations (as far as I know). They are and organization that has changed a lot since their beginnings and they are destined to change far more in the next decade.
Once upon a time when I first found my way into security I did not think too much of ASIS - why? Well my experiences were of rather pompous people that believed they knew everything; however they did not seem open to changes (so I figured ASIS were fitting initials). After some time I found that not being part of it could be a little dangerous to a career - at least from the networking and industry update side. I joined other organizations like the International Foundation for Protection Officers, the Academy of Security Educators and Trainers, and was inducted into The Nine Lives Associates, but I eventually realized that ASIS was where these pretty much all came from anyway. I'm still part of all of these as well as being involved in ASIS.
Is ASIS a good ol' boys group? Maybe once upon a time it was - and it certainly was in my perception - but I've noticed in just the last eight years a subtle change away from such an image. Now it could very well be that my perception has changed due to my involvement and interaction with a wider group of members. Either way, I now see ASIS as something very important to our industry and something worth being part of - if nothing else but to affect change for the better.
So what do I get from ASIS? I like training, news, interaction, argument - dissent, disagreement, and conflict - for the sake of getting better. I like to think and ask others to challenge my thoughts - and many are all too willing to do so in an almost unfriendly way. ASIS gives me access to many others within my own industry - saints and jerks alike. We can learn something from anyone, and with that in mind and something like 20,000 members there's a lot I can learn from ASIS.
ASIS also provides the most well known certifications. Why are these important? Consider this... Who do you want to do your taxes? A Certified Public Accountant or an Accountant? Why is that? To me a CPA represents someone that is willing to put their knowledge and skills to greater scrutiny - once for an examination - and continually by meeting the expectations of those that choose a CPA. They also have a Code of Conduct that is spelled out clearly for everyone to see. This means there are disciplinary actions that can be taken outside of the usual criminal and civil paths. Why is this important? It means that a CPA is willing to perform to a standard or be punished professionally. Now take that into the world of security. Who do you look for when you need an answer? A Security Manager or the CPP? Which would you prefer protecting your organization on a day-to-day basis? A security officer or a CPO? Do you expect a certain level of performance? Absolutely. When a standard is not met then 'professional' disciplinary action can be taken. ASIS, IFPO, ACFE, and ISC2 all have expected standards of performance. So the certifications are important by imparting an agreement by the designee, to perform in an acceptable way, the organization, to enforce their rules of conduct to maintain the quality of the certification in the public domain, and the public (or consumers), who expect that level of performance. It is a commitment to professionalism.
So what can students do in ASIS? LEARN! Take notes, train, NETWORK, and drive yourself to a higher standard than your own mentor. Oh yah, find a mentor (or mentors) and grow from their experience - but always think for yourself.
Attending training - when you can afford it - is essential to reaching that next level. Any training is good - even bad training. Bad training (and I've paid for my fair share of absolute crap disguised under the reputation of a "security pro") helps you to know who is full of crap in the industry and what they sound like when they talk. They will be your competition for good jobs. There's a lot to be said for these folks, but they're in every industry so just go out and meet them. Bad training can also get you hurt - think about everything that you are taught - so that the skills you learn do not govern your performance. Ask yourself, "How would I get around this?" or "How could this be defeated?" Sometimes it's worth asking someone who really knows. When I used to catch shoplifters I often asked them about previous fights with law enforcement or security. They'll talk - everyone who wins a fight talks - and this can be beneficial to you. Develop a "Discipline of Training" and stick with it. A little here, a little there. When you can't afford training (and I know how that feels making $5.90 catching thieves) get a book, conduct a free survey, plan a security system, engineer a breakin, and use your imagination to train yourself - it's free. Offer to work with someone on your off-hours; informal internships can be very useful. AND go where the knowledge is - just like salespersons go where the money is - spend time in the circles that your potential mentors will be and be involved. This is where ASIS can be a great help because you can go where the best are - monthly meetings, committees and so on. When you drink beer or otherwise socialize with these folks take some time to get advice on your career direction, opportunities, tricks and tips, and then make sure you don't monopolize the time. DON'T be afraid to offer your opinion on any discussion concerning security. If you're wrong you'll learn, and if you're right then you're contributing. If those with you blow you off and act like you should be a child - seen and not heard - then it's time to find a new group of pro's because there's little reason to waste your time with pompous fools unwilling to drive someone else's success. Your time is valuable - DO NOT waste it. Build your network - nurture your network - expand your network - improve yourself so others want to network with you - and focus on quality and not size. 200 business cards are just a stack of paper - 2 good contacts that you can reach out to and not be a stranger can change your life.
Those are my thoughts on ASIS - for me it is a facilitator for all of this.
Rob
/
Wednesday, September 28, 2005
Walk - don't run... No wait, run for your lives!!!
We have a special request for a very interesting, and I daresay relevant, topic. Oh, and a polite out-of-bandwidth comment on being lazy and not blogging.
How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...
When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in out card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now! This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.
Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the amount of rapid access/egress activities are substantially lower. All you need is a control point where the tokens can be dropped off or picked up and a someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.
How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Then hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.
So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. We can make those student ID's proximity cards so that those entering and leaving are identified on an occupation roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the throughput rate is everything to your client. Otherwise it just won't be used CONSISTENTLY.
Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marchinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moments notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose fits with the organization's culture: No fit = No use = Disaster.
Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even through up an example or two for fun... But keep it simple so that it works in a crisis.
Always be absolutely ruthless with your own plans - is sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. Send your plan in a comment and I'll gladly look for a way around it.
One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!
Think fast...
How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...
When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in out card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now! This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.
Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the amount of rapid access/egress activities are substantially lower. All you need is a control point where the tokens can be dropped off or picked up and a someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.
How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Then hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.
So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. We can make those student ID's proximity cards so that those entering and leaving are identified on an occupation roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the throughput rate is everything to your client. Otherwise it just won't be used CONSISTENTLY.
Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marchinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moments notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose fits with the organization's culture: No fit = No use = Disaster.
Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even through up an example or two for fun... But keep it simple so that it works in a crisis.
Always be absolutely ruthless with your own plans - is sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. Send your plan in a comment and I'll gladly look for a way around it.
One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!
Think fast...
Subscribe to:
Posts (Atom)