The shocking breach of physical security at the US Capitol, considered one of the most secure buildings in the world, will reverberate and cause discussions on multiple levels for some time to come. Law enforcement and security experts are already calling what transpired “a catastrophic failure to prepare” and “one of the gravest security lapses in recent U.S. history”.
It’s even more puzzling when you take into account that there were significant indicators in advance that should have heightened security concerns. A December 2020 report issued by the SITE Intelligence Group, a watchdog of online extremist groups, quoted a right-wing activist as saying, “I really don't care if people break into Congress and drag these politicians out in the streets." In another video cited by the report, agitators “encouraged each other to attend the event armed and prepare for violence."
Yet with all of these advance warnings and the expected massing of protestors, the mob was still able to quite easily breach the Capitol’s security, gain access to its most secure areas, and cause extensive damage resulting in four deaths and multiple injuries. There will be plenty of reviews and pontification on why this happened and what could have been done to prevent it. This article is not one of them.
As often happens after stunning security events, such as the Parliament Hill shootings in December 2014, there will be a surge in demands for security reviews and related discussions before everything likely returns back to “normal operations”. Some decision makers will dismiss that there are any lessons to be learned, believing “this event has nothing to do with us, we are not a government facility.” Nothing is further from the truth. It doesn’t matter if you are a “quasi-governmental” organization or a private corporation—precisely this type of security event can easily occur to you. The question is what can we learn from these horrendous events and how can we better prepare?
What is my security strategy?
The first step is designing a security strategy grounded in a true understanding of the threats facing your company and its operations. This should start with a general look at overall threats in your country and industry before focusing more specifically on trends in security incidents that have happened within or around your company. Threats are examined from the perspective of the likelihood of occurrence and the impact to your company should they occur.
There are numerous components of an appropriate security strategy including: Governance, Policies/Procedures and Plans, Training and Response. Putting thought into this question will enable you to make security decisions from a position of knowledge to thoroughly ensure that your organization’s security measures lower your risk and enable your company’s ongoing operations.
Assessing and tracking threats
The recent events at the US Capitol tragically illustrate what happens when threats materialize into actions. They serve as a stark reminder to businesses around the world of their responsibility to protect their employees in the spirit of “due diligence” and “due care and attention”. Rarely, if ever, do these violent situations manifest themselves without some sort of prior indicators. This underscores the importance of having proper procedures in place to track and assess threats to your employees.
These procedures include:
- Clearly defining what a “threat” is and ensuring that you have the capability to identify and track these threats
- Stipulating employee (most importantly security personnel) actions upon receiving a threat
- Defining threat assessment procedures
- Ensuring that appropriate analysis and response to any threats are undertaken
Security Intelligence Programs
In today’s digital world, there is an abundance of readily accessible information about any given topic or person. The immense growth of social networking in the past decade has added to a rich information bank that is readily accessible to anyone with an internet connection. The challenge today is sifting through immense quantities of data in order to assemble an accurate intelligence picture that supports your operations.
There are several key components of a suitable Security Intelligence Program, including:
- Governance
- Clearly defining intelligence requirements
- Developing a collection plan
- Creating and maintaining an analysis capability
- Dissemination of the assessed intelligence
A comprehensive Security Intelligence Program, whether conducted internally or outsourced, should be considered your early warning of any potential direct threats against your organization.
Security Leadership
Whether leading a small team or a large, complex organization, the value of good leadership cannot be overstated. This holds true for security organizations especially. Good security leaders will not only positively influence their team members to diligently protect their organization’s people, information, and assets, but they will also cultivate within the organization—and amongst its leadership—an appreciation and deep understanding of the important role that security plays in overall mission success.
A good security leader will display many leadership traits. Among the most important are: knowledge and skills; intelligence and vision; moral courage; interpersonal skills; honesty and integrity; and institutional acumen. Security leaders are critical in ensuring that appropriate responses are taken to deter and defend against identified security threats, thereby protecting not only your key assets and personnel, but also your reputation.
The attack on the US Capital, like many other recent security breaches, should serve as a reminder for organizations of the need to have a fulsome review conducted of their organization’s security program if they are to ensure that it is well prepared to identify and respond to any potential security events. No one wants their company’s name to feature in a news headline that includes the words “catastrophic security failure”.