Red Team testing, or otherwise known as physical security penetration testing (pen test), occurs more often than is typically discussed amongst perhaps more sexy topics in the security industry like Executive Protection, Workplace Violence Prevention, or Event Security. However, the benefits learned if the red-teaming is done well can help solidify the very essential elements of a good security program.
Having administered in the proximity of 200+ pen tests over the course of the last half dozen years approximately I can say that no two tests often happen to be the same. Varying up days of the week and times of the day that tests are conducted will help ascertain the most robust, holistic information regarding a security program. And just because you might test one day at one time does not necessarily make the result of that particular test the definitive answer and solution; it could have been a case of the personnel working that particular day & time having a good or a bad day. You will want to test that day and/or time more than once to ensure the same pattern is in place before jumping to a conclusion…not too dissimilar to surveillance in workers comp cases to refute the “Good Day” defense by the injured party.
The personnel who are conducting/administering the pen test should also be generally creative people in their approach and mindset in undertaking the assignment. Given creative freedom (within reason) could yield surprising results from the pen test. For example, in one instance our agent assigned for a pen test in the San Francisco Bay Area for a client through his advance research on the location and company created a cover story whereas he was a journalist from the local newspaper who desired to print a story regarding the client company in which he would provide very positive press for their philanthropic endeavors. This client location had security officer personnel in place and restricted elevators to each floor. The agent approached the security officer personnel at the lobby desk explaining his cover story and requested to meet with an individual (whom he had located in his advance open source research) that was a C-suite person for the company in that location. Within 10 minutes time the agent was sitting across a conference room table from this C-suite executive. His credentials were not checked. No screening mechanism enacted. All because the company strongly desired very positive press to be published on them and the opportunity was presented for just that. This is a very good learning experience for the company. No one has to lose their job nor should they be disciplined. It should be used as a learning experience to grow from for all parties involved. Having a creative agent in place who understands security programs while pushing boundaries in an authorized manner can achieve such objectives.
To summarize what steps were taken from the example above in order to get to the end-result:
1. Agree upon a specific statement/scope of work (SOW) between the service provider and the client.
2. Resource/assign an agent that is creative in their approach.
3. SOW should have had an allowance for advance research time prior to pen test to be conducted. I would generally recommend up to 5 hours of time for this in most circumstances but can change based on scope, square footage needing to be tested, and other factors.
4. Expect about the same amount of time on-site for conducting the pen test plus a couple of additional hours for report writing time.
5. Expect to have near real-time communications between the agent/service provider and the client during the operation being conducted to ensure clarity of exact timing of the pen test. Doing so will help avoid any potential “bad actor” confusion with the operation.
6. Depending on the company’s goals and objectives of the pen test operation, consider having a tracking tool in place that is shared between the service provider and the client representative that is available on a moment’s notice. It could be an Excel sheet or other software that details dates, times, locations as well as names and contact numbers for each respectively should a timely call or note have to be placed. An effective tool will allow for filtering and sorting the content uploaded to moderate varying forms of data for different parties who might desire to see it.
7. While testing people and their practices is the most common denominator in physical security pen tests, there is a component of testing the company’s security technology as well. How well the agent can be seen on camera while conducting the test, any bypassing of access control systems in place that might have been had, or any alarm systems that might have (or should have) been activated when accessing a more vulnerable area of the company’s space are all aspects of security technology that should be looked at while the pen test was conducted. This can be done after the fact, it doesn’t have to be real-time, but doing so ensures the company equipment is also functioning properly.
Trusted Global Private Security Services
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
Managing Director | Consulting, Joe Zaccaria, was interviewed by SecurityGuyTV.com while attending the annual ASIS International Conference in Dallas, TX on September 26, 2017. Learn more insights on our knowledge base and offerings by watching his 5-minute interview!
How prophetic of President Franklin D. Roosevelt, during his inaugural address in 1933, when he uttered those famous words, “So, first of all, let me assert my firm belief that the only thing we have to fear is…fear itself — nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance…” While the context at the time was far different than our experiences today, these words aptly describe how workers are feeling in 2019. I have been fortunate to work in the public and private sector for over 30 years. Never in my career have I experienced the level of fear in the workplace I see today. While there is cause to be concerned about violence, the challenge for security professionals is mitigating this concern before it elevates to fear.
I believe there is little debate anymore about the impact of violence on the American worker’s psyche. The recent incident in Virginia Beach serves as yet another example of why American workers are frightened. While information is still being gathered, we know a “veteran city engineer” used a firearm to target people he worked with for years. If the investigation runs its typical course, facts and other information will surface that will provide some insight; but, like many incidents of this nature, will fall far short of painting a complete picture. Tragic incidents like this defy understanding and leave a lasting imprint in our minds.
Organizations, especially ones open to the public, feel the tension. I have directly experienced circumstances where fear becomes so compounded, some staff feel the need to go home even when the threat is benign. In other words, “…paralyzing the ability convert retreat into advance.” From my perspective, “instant” knowledge fuels this fear. For example, we immediately know when an active assailant has occurred. Due to mandated reporting laws in many states, we can also easily find out the latest trends in workplace violence. The perception of one’s safety can instantly elevate based on what is read online during lunch.
What can be done to provide workers comfort when they experience fear? Security professionals know some peace of mind can be found in a strong security posture and training. A properly trained and staffed security team serves as a deterrent to violence and enhances the overall feeling of safety. Conflict resolution training, a strong zero-tolerance stance on workplace violence, mandated reporting and active-assailant training are all helpful because it enhances communication, threat recognition, reaction time and response. Engineering strategies such as video systems, electronic access, employee identification, and duress alarms have preventative benefits as well. Unfortunately, these barriers can be easily defeated. For example, a threat received via the telephone instantly touches the interior of the organization and sends the message that the threat is close-by when it could be hundreds of miles away.
The challenge is providing comfort to people who are in fear based on what they have experienced, even if minor. Common and vague threats such as, “I’ll be back” or “I’ll make you pay” often produce terror and a leap in thought to they are definitely coming back with a gun. I have experienced staff who simply cannot work and need to go home because of the strong, but misplaced belief violence is about to occur. It is important as security professionals to seize this moment and leverage it to produce comfort.
Trust, Credibility & Comfort
The power of trust, credibility and comfort when trying to calm a fearful employee or when influencing an entire organization cannot be overlooked. A comparison can be found in healthcare. We can become very fearful when experiencing symptoms that could be serious. A subsequent examination by a physician leads to the conclusion that we have nothing to worry about. The doctor’s opinion gives us comfort because it is based on their experience and training. In other words, their word gives us comfort because we trust them. We trust the expert, and it is this trust that gives us comfort.
The challenge for security professionals is providing this same level of comfort when an employee or organization is experiencing fear. For security entities who provide a human behavioral threat assessment, we want the fearful employee to trust us, to believe in our opinion, based on science, (threat assessment software program, training, and experience) that the threat is minor. To develop this trust and to provide comfort, the security professional needs to:
Establish a strong partnership between security and staff – share your experiences, make yourself available, provide safety presentations, conduct human behavioral and physical threat assessments, active-assailant defense, and other safety presentations.
Market your services and expertise – prepare security articles for internal publication; personal and professional safety tips, home safety, and others.
Security staff and their leaders need to exude confidence – professionally dressed, clean uniform (for those with a uniformed security presence) free of damage and avoiding unprofessional language.
Be a fast problem-solver – our critical stakeholders expect problems to be addressed; what leaves a lasting impression is when problems are solved quickly.
Promote credibility – based on training and experience; many have opinions but know you are the expert.
Familiarity breeds trustworthiness – they will come to trust and believe you.
Follow-through on commitments and bring resolution for those initially involved.
Speak to their fear. Know a rational appeal will probably not work because they are afraid. Assess appropriately. What services can you provide?
Check-in for the next several weeks. Let them know you have not forgotten. For example, one employer experienced thefts from their parking lot. Track how many patrols and contacts security made for two weeks and report back to the victims what you did and the results.
Sustain absolute trust through consistency each and every time.
For further information on how to build a strong and competent security team and how to have your word provide comfort, contact Premier Risk Solutions at www.premierrisksolutions.com.
Trusted Global Private Security Services
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
Listeners will gain a better understanding of approaches and philosophies to increase engagement of personnel working in or assigned within your team in corporate security programs of all vertical markets.
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
Let’s start by advising that this is intended to be a high-level overview and not a state-by-state or metropolitan jurisdictional driven breakdown. However, if you are looking for such a thing, this is as decent a resource as one will find out on the net for information for a consolidated breakdown. Although we recommend going directly to the governmental entity in each respective state to elicit information directly from them as laws & statutes can change from year-to-year.
As a 2010 US Department of Justice funded research report points out, private security is an essential element of protecting persons as well as intellectual & physical property of business’ today. The private security industry has been experiencing consistent growth over the past approximate decade period of time as evidenced by a 2017 report by Statista detailing the global revenue forecast for private security to be approximately $96.3b by 2018. North America’s share of this is purportedly about 24%. Moreover, a Forbes article from August 2017 highlights that the US Department of Labor statistics claims there are over 1.1m private security officers in the US compared to 666,000 police officers. Buried within that number are that personnel operating in the Executive Protection industry as there is no separate line item for tracking this personnel specifically. The ranks within the Executive Protection segment of the industry however are growing rapidly. With each passing week/month/year there is more and more high net worth individuals coming into their own. This is causing the rapid growth within this segment of the private security services field and the need for professionalization, standards, and best practices now. With all of these moving parts in business growth, training, recruiting, hard skills, soft skills, operational tactics, etc. we cannot lose sight of our ethics. Our ethics define who we are. The French Philosopher, Albert Camus, is quoted as saying:
“A Man Without Ethics is A Wild Beast Loosed Upon This World“
There are numerous opportunities and temptations out there for any one of us to let our ethics slide. This is however a very slippery slope. I would go so far as to say that a person’s ethics are exemplified as to what they do (how they act) when no one is looking or watching over them. Statutes, laws, regulations, licensing, best practices, etc exist for rules and creating/operating on a level playing field with each other. There are some who may wish to try to bend or break said rules. They’re out there today and they give all of us who make every attempt to operate above-board a bad reputation as their actions impact the industry negatively as a whole. It’s such actions that make the news, unfortunately. Take a look over the news reports on the private security monitor from the University of Denver and you will see news stories that are generally negative towards actions taken (negligent or otherwise) by private security personnel. Those that do follow the rules generally aren’t in the news. These are the entities and people that businesses desire to do business with, at least on the surface level of things (it will get you a “foot in the door”).
How does one operate ethically in private security? Here is a list of examples (not all-inclusive):
Do not give or accept bribes of any kind
Do not make promises you cannot or do not intend on keeping
Do get all appropriate licenses to operate in any state or municipal area you intend on performing business
Do get appropriate insurance levels (typically mandated minimum by state regulations, however, some specific clients may require a higher level(s) of insurance)
Do utilize only licensed personnel for the area an operation is taking place within (i.e. if an individual is properly licensed in Washington but you have a project in Oregon just because they have a license in WA and are willing to accept the assignment does not mean they can legally operate in OR themselves based on their WA issued credentials).
Ensure you keep your certifications and licenses up to date/current. It is your responsibility to comply with the state or municipal government and/or client requirements for the assignment. You own the certifications and in many instances also the license(s); be sure they are not expired. If they do expire, it would likely bar you from an assignment until they are renewed and current.
Ensure you carry your current credentials on your person during any assignment. If a person of authority from the property or law enforcement requests you to produce identification, show them your current licenses as appropriate for your geographic location.
If you are acting in a subcontract capacity to another vendor company, do not issue out your company’s business card and/or similar information or solicit the other vendor company’s client for their direct business moving forward. This is bad mojo and will generally get around that you attempt to steal business. Not a reputation anyone wants in this industry for long term success.
Do not post on social media outlets before or during an assignment any information about your assignment (i.e. location, principal or company, schedule, etc details). We work under non-disclosure, confidentiality agreements and must maintain operational integrity at all times. Upon completion of the assignment if you wish to make a benign post about the assignment that is vague in it’s nature (nothing client specific, unless you have their expressed permission) that would be the time to make a post on social media if you must.
Do not speak with any members of the media about your client or your assignment. This is best reported to the client directly for their handling and/or your employer’s management but should be contained within your Op Orders or Company Handbook for reference.
Do work cordially and be cooperative with your peers and colleagues when it’s appropriate to do so (share information). If there is a subject (person) whom is presenting a significant threat to the public that you know about and there is/are other protective services agents working another principal or assignment nearby you, it is likely wise best practice to share that information with that protective team as well as so they too can take proper preventative measures for their team and principal.
If something goes awry on your assignment, be honest and transparent about it with your client and management team. If you are not, no one will learn from the opportunity and it could cause potential stress or liability to the operational plan if it goes uncorrected.
Ensuring that a vendor agency as well as an individual(s) are operating ethically (and legally) is a risk management strategy incorporated into operations for those who may hire or utilize them. If the agency or individual does not have a strong Code of Ethics or regularly practices a strategy of “cutting corners” it will eventually catch up with them in the long term. As our industry continues to grow and expand our people operating within it will as well…let’s be sure to pass along strong operational ethics to ensure their longevity!
Trusted Global Private Security Services
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
Today we continue our discussion on Acumen Capacity in the protection industry series. In this article, we will focus on the third of six dimensions “Systems Judgement”.
Systems Judgment is the development of the capacity to recognize systems and order in the world. This might include activities such as thinking and planning, concepts and idea development, authoritative order (laws, policies, rules, and procedures), and understanding big picture & long-term objectives.
The capacity to understand how the world around you fits together along with the cause and effect is not universal. Some individuals with high clarity can quickly and easily see patterns, understand the why behind actions, and make better decisions. The benefits of systems judgment capacity can be seen throughout the law enforcement industry for example. There are a large number of departments who use training simulators to help officers improve their systems judgment skills (Basich, 2016). The use of these training simulators allows the officers to experience various scenarios increasing their knowledge base and more quickly react and apply better judgment in decision making.
Benefits of Systems Judgment include
*Enjoys and depends on structure and order
*Understands the need for laws, policies, rules, and order
*Genuine willingness to cooperate
*Objectively evaluates ideas, plans, and theories
*Open, two-way communication with authority figures
How many times have you worked with someone who refuses to listen to directions and thinks they know better?
This describes someone with negative bias and good clarity. This becomes a major obstacle for teams. This consistent alternatives to get his or her way and someone being a lone wolf slows down the team, the project, and puts the principal at risk. Many assignments depend greatly on everyone being on the same page and the same schedule to successfully complete the assignment.
Low Clarity with Negative Bias: Someone with this combination would very likely be confrontational, have alternatives to all directives, and generally believes he or she knows more or knows it better than the boss. This also can indicate someone with low levels of knowledge or highly specialized knowledge limiting their knowledge outside of the specialization. If the individual follows direction, they will likely not understand the rationale behind it.
High Clarity with Positive/Neutral Bias: The benefit of selecting the right professional for this assignment with high clarity and neutral or positive bias includes values structure, identifies with the company, and will respect authority & processes
Let’s take a little deeper look into this dimension of Acumen Capacity™.
The Systems Judgement dimension is evaluated in two ways first is the clarity and second the individual’s bias. The clarity tells us how well the individual can discern values in situations in the outside world. Bias provides additional insights how the individual see the world around them.
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
Acumen Capacity Index™ Series – Understanding Others
Today we continue our discussion on Acumen Capacity in the protection industry series. In this article, we will focus on the first of six dimensions “Understanding Others”. This is a critical aspect of assessing your specialist for assignments and matching the principal’s needs. It sounds like a simple concept, yet a large number of professionals either cannot or choose not to develop their ability to understand others. The definition for “Understanding Others” is the individual’s ability to identify uniqueness and individuality in others around them. The goal for understanding your specialist’s level of clarity and bias on this is to provide you the insight to align your specialist with the needs of the assignment. This results in an overall improved client experience.
Top 6 Benefits for “Understanding Others”
Clearly Understanding People
Ability to adapt to different people
Perceiving the needs of others
Ability to see things from a people perspective
Ability to appreciate others
Ability to apply an understanding of people
Each of these show up in different ways for your organization, your client, and principal themselves. If we think about the day to day tasks and responsibilities associated with protection details you certainly can recall situations where these helped or hurt the assignment. This can range from a specialist who is unable to be flexible and adapt to the strong behavior style of a principal in one assignment to the extremely detailed behavior of the next.
You might even think about a prior situation where you had multiple specialists on an assignment and not everyone was able to work together. You may have that one person who the rest of the team does not like working with or can’t get along with no matter what you have tried.
When one team member does not see the value in his or her teammates and is disengaged it can be a distraction to the entire team putting the principal at risk. When the team has high clarity in understanding others they have the ability to connect easier and work more cohesively as a unit. This results in successful assignments, happy clients, happy principal, and even happy specialists who conducted the assignment.
Let’s take a look at a very common scenario for executive protection specialists.
Does this scenario sound familiar?
Your specialist is on assignment with the principal. During the assignment, the principal changes the plans. The principal decides they want to visit a restaurant, nightclub, or some other event. The specialist is now being asked to make it happen.
The specialist’s ability to understand people and connect with others is critical to achieving this goal. This might be the manager at a restaurant or club that you need to influence to get your principal into the location or get a reservation short notice. This may include the ability to build rapport with local security or law enforcement to park in a specific area for your principal not normally allowed.
Those with strong clarity in this area will successfully navigate this situation and result in a positive client and principal experience. Those with low clarity will likely fail and result in a negative client experience and possibly lose the client. Granted this request by the principal may or may not be part of the original scope of work. However, it is now being asked of them and the specialist’s ability to successfully navigate this request is essential.
Let’s take a little deeper look into this dimension of Acumen Capacity™.
The Understanding Others dimension is evaluated in two ways first is the clarity and second the individual’s bias. The clarity tells us how well the individual understands the uniqueness of others and connects with people. Bias provides additional insights into the individuals world- and self-views. Does the individual have the capacity to see the other person’s perspective?
Psychologist Sherri Campbell shared with Entrepreneur.com “Success in life and business boils down to effective interactions, humility, self-awareness and the all-important skill of perspective taking. These elements are the keys to success of any kind” (Campbell, 2016)
If you have any questions, feel free to reach out and contact us!
Co-Authored by: Michael Delamere
Works Cited
Campbell, S. (2016, May 12). Understanding the Other Person’s Perspective Will Radically Increase Yours. Retrieved from Entrepreneur: https://www.entrepreneur.com/article/275543
