Thinking Smarter About Security

If you work in any facet of public safety and you aren’t thinking about how you secure public and event spaces, you haven’t been paying attention.  Our complacency is the greatest gift we can give to terrorists and criminals.  I certainly acknowledge that the most difficult aspect of dealing with criminal intent versus natural hazards is their determination to circumvent our own protective measures and systems, but we often make it easy for them because it’s too difficult for us to change. Is that really the excuse you want to give to the board, the media, or the families of those killed in a criminal act?

While I will never claim to be a security expert, I try to look at things with a critical eye and take the advice of those who are experts in the field.  Here are a few examples of things I’ve encountered.

Several years ago I was part of a team supporting preparedness at a major sporting venue.  The organization who had exclusive rights to the venue requested support in planning, training, and exercise activities.  I provided incident management training and was the lead on exercises.  As preparation for a tabletop exercise, I coordinated with the organization to observe security procedures during a major event.  The security screeners at the entrances to the venue did a reasonable job with most patrons, although consistently faulted with one type of patron – persons in wheelchairs.  Anyone who came to the door in a wheelchair was waved through ALL security screening without so much as a bag check.  This became the gap that I exploited for the exercise, much to the objection of their head of security who insisted that personnel were trained in how to screen patrons in wheelchairs.  While they may have been trained, it is something they consistently failed in doing and I never observed a supervisor correct the behavior.  Perhaps they weren’t trained at all, or the training wasn’t effective, or it was too uncomfortable or inconvenient for them to do.  Regardless, this is a significant gap that I’ve continued to see at other locations through the years.

Earlier this year I attended a large convention that drew tens of thousands of patrons in a large convention center over a long weekend.  I was an attendee and not working in any official capacity.  Security at the venue was laughable.  Security personnel had three main activities – bag checks, credential checks, and metal detector operation.  Metal detector operation was only performed the first day, utilizing walk through detectors as well as wands.  The personnel clearly had no idea how to operate either (I was among dozens if not hundreds of people who were directed to go through a walk through detector – which I noticed was unplugged).  On the occasion that a walk through alerted (one that was plugged in…), I observed security personnel waiving the wand around people too quickly and too far away from their bodies.  For bag checks, we were asked to open all bags for security inspection.  The ‘inspection’ I observed on each day usually consisted of someone saying thank you and waving you through as they looked around the room or chatted with a co-worker, certainly not actually looking into the bags.  As for checking credentials, every patron was provided with a lanyard and a pass to be attached to said lanyard.  Security personnel were supposed to be checking passes as people entered doors to the main exhibit hall and other areas.  I noted some security personnel did this better than others – some of which didn’t check at all.  I actually managed to keep my pass in my pocket through the entire event, only being challenged by security once.  I was so alarmed by some of the practices that on separate occasions I introduced myself to a county sheriff’s deputy and a fire marshal to point out some of the more egregious issues.

My work has brought me to a number of secure facilities owned by various levels of government and private entities.  One federal facility I’ve frequently visited through the years usually screens vehicles.  As expected, this includes the opening of doors and the trunk of the car.  Not once, in the many years and visits to this facility has anyone ever moved a seat or checked a bag or package.

My last anecdote comes from a few years ago spending some down time in a small park in an area of DC where there a number of embassies.  One embassy seemed to have regular traffic in and out for visitors as well as some light construction work being performed on their grounds.  As one guard would check identification and presumably verify the need of the visitor to be there, another guard would walk around the vehicle with an inspection mirror (the type at the end of a pole with which to inspect the underside of a vehicle).  It was evident that the guard was either not trained in its proper use or the importance of this protocol, as every time he walked around a vehicle holding the mirror, but never actually putting it in position to view under the vehicle, much less ever looking down at the mirror.  He simply took a casual stroll around the vehicle.

The things I’ve noted here are just a few that happened to come to mind as I crafted this article.  There are dozens more, and I’m sure each of you can come up with a list of poor practices as well.  Keep your eyes open when you go to a public space to see how security is handled.  Look at things through the lenses of potential adversaries.  How could someone gain entry?  Are there recognized security patterns they can circumvent?  What vulnerabilities exist?  If you are responsible for security for a facility, have a security audit performed.  While formal security audits are valuable, often the most meaningful ones are casual and unannounced, with someone the front-line security personnel don’t know trying to gain entrance to the facility.  Are they challenged appropriately? Are they screened effectively?

The mitigation, prevention, and protection against security threats is something that many take too lightly – clearly even those whose job it is to focus on those matters.  Highly effective training programs are available – but we need to ensure that people take these courses and implement what they’ve learned in accordance with documented organizational practices.  Supervisors must be present and constantly maintain quality control.  This is a good matter of practice, but even more important when most non-sworn security personnel have a high rate of turn over or may be part time or temporary employees, or even volunteers.  For large events, proper just-in-time training must be performed for supplemental security staff who are not certified or otherwise professionally qualified security personnel.

Security is a challenging environment to work in.  We must constantly be recognizing threats and trying to out-think potential adversaries.  We must strive to keep passive and active security practices up to par, meeting or exceeding standards without becoming predictable to an observer.  How do you assess security in your facility?  What best practices have you identified?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

NOAA Issues Updated 2017 Hurricane Season Outlook

<From FEMA>

On August 9, 2017, the National Oceanic and Atmospheric Administration (NOAA) issued the scheduled update for its 2017 hurricane season outlook. Forecasters are now predicting a higher likelihood of an above-normal season, and they increased the predicted number of named storms and major hurricanes. The season has the potential to be extremely active, and could be the most active since 2010.

Forecasters now say there is a 60 percent chance of an above-normal season (compared to the May prediction of 45 percent chance), with 14-19 named storms (increased from the May predicted range of 11-17) and 2-5 major hurricanes (increased from the May predicted range of 2-4). A prediction for 5-9 hurricanes remains unchanged from the initial May outlook. 

Is New Media Really Journalism?

This is a concept I’ve been struggling with for a while.  I see bloggers, podcasters, and YouTubers portray themselves as journalists quite often.  But are they?

The more traditional part of me wants to laugh at their pipe dream, considering that newspapers, TV and radio, and magazines fit into the definition of media and journalism that I’ve had most of my life.  But times, they are a changin’.  The term ‘new media’ isn’t new anymore.  Bloggers, podcasters, and YouTubers, as a whole, are mainstream and it appears they are here to stay.

While I’ve seen this on occasion in governmental and emergency management media relations, I see this most often in another facet of my life – pop culture.  Along with being a blogger on emergency management and homeland security matters, I’m also a co-host on several pop-culture and entertainment related podcasts.  Looking at things like fan conventions (think ComicCon and similar events), dozens and even hundreds of media badges are given to bloggers, podcasters, and YouTubers.  While some media credentials go to more traditional media outlets, the proportion is rather staggering.  In entertainment and pop culture this makes sense to a great extent.  Many who pay heed to pop culture also seem likely to consume blogs, podcasts, and YouTube content.  It’s also not necessarily location-bound (i.e. following a new media provider because they are local to you and report on local things – although some do).  The free media badges given out by convention organizers turns into free promotion of the goings-on of their events – so it makes sense, but what are the limits?  The sheer number of people applying for media badges for these events is staggering, and many are denied.

Why is new media so popular?  On the provider end, the barriers to entry are insanely low.  Generally, you need a computer, an internet connection, and an account to whatever portal you want to push your content through.  There are a few other resources needed depending on the actual medium, such as cameras and microphones, editing software, etc., but good quality in all of these can be found at very reasonable prices.  You can also go really lean and do it all from your smart phone.  Certainly there are the intangibles such as talent, good ideas, and persistence, which all tends to cull the herd.

On the consumer end, people crave new media content to read, hear, or see more about the things that entertain and interest them.  Despite things said about people’s attention spans, most blogs I read (as well as my own) have a reasonable length to them.  Most podcasts run 30-90 minutes.  YouTube videos tend to be shorter, but obviously tend to have a higher production value.  There is also a huge variety of new media available, with differing opinions and formats, and generally something for everyone.

But the question still remains, is new media actually journalism?  Obviously, I haven’t missed the irony in this.  Despite having and maintaining a blog for several years as well as my involvement in podcasts, I don’t consider myself a journalist.  At best, I’m an op-ed writer on the blogging side; and whatever the equivalent is on the podcasting side.  I appreciate that people value the content and opinions I put out there, but I’m no Walter Cronkite (really who is, but Walter himself?).

At the risk of taking heavy fire from my fellow bloggers and podcasters, I’m reluctant to broadly categorize much of new media as journalism.  It just seems there needs to be something that qualifies you to use the title.  I’m not saying a certification or anything bureaucratic like that, but honestly I don’t know what it should be.  When any person on any given day with little investment can suddenly announce that they are a journalist (or honestly anything), that tends to not sit well with me.  There needs to be a demonstration of commitment and professionalism.

There are some bloggers, podcasters, and YouTubers that I would consider journalists because of their longevity, their professionalism, and their following, but these are few.  I think most new media folks are entertainers.  Some are informers, yet still not journalists.  But there are some that are journalists, and they should be respected as such.

On the event management side of this (both in regard to pop culture as well as emergency management), where does the paradigm sit and does it need to change? How do you determine who you will give a media badge to?  In emergency management and government as a whole, it’s long been a best practice to maintain positive relationships with media outlets.  What kind of relationships, if any, are you maintaining with bloggers, podcasters, and YouTubers?  Do you need to?

I’m interested in thoughts and opinions on this – from everyone.  Are you a producer of new media – Do you consider yourself a journalist?  Are you a traditional journalist – what’s your take on this?  On the government and emergency management side – are you involved in media relations, and if so, what are your ideas?  Are you not involved in either, but have an opinion?  Please share it!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

 

Exercises: Simple is Usually Better

I find often that people want to run exercises they aren’t quite ready for.  Sometimes those exercises are too complex, or they simply aren’t the appropriate type.  Most often, we run exercises to test plans, policy, and procedures; but sometimes those plans, policies, and procedures aren’t quite ready to be tested.  Last year I advised a client to run a workshop instead of a tabletop exercise.  The initial goal of the tabletop was to validate a new plan, but this plan wasn’t ready to be validated.  The problem was that many stakeholders hadn’t yet seen the plan, and the review of that plan by our team in preparedness for the exercise wasn’t favorable.  The plan had much of the needed content, but it was disjointed and didn’t have any logical flow.  By conducting a scenario-based workshop, we were able to identify not only the ideal flow of the plan by flagging benchmark activities, but we were also able to discuss expectations of and for each stakeholder agency in the plan.  The client was then able to apply the results of the workshop to restructure their plan and make some needed substantive changes.

Similarly, I’ve encouraged a current client to conduct a workshop instead of a tabletop.  The initial goal of this tabletop was to identify how a new group of stakeholders could integrate into an existing plan.  In this situation, the tabletop would have been less than effective as the new stakeholder group isn’t yet identified in the plan.  The outcome of the workshop will be to identify how this integration can occur.

I think that sometimes people gravitate to certain exercises simply because they are more popular in a certain application.  That preconceived notion might be too complex or simply a poor choice for what you really need to accomplish.  When it comes to discussion-based exercises, most people default to a tabletop.  With operations-based exercises, it can vary.  Drills are often used for tactical applications, but we don’t see them as much in EOCs.  Drills certainly have a place in an EOC if you are looking to test a very specific function or activity.  While full-scale exercises are fun and sexy, I’ve been to the site of plenty that are total chaos because the fundamental premise of certain plans hasn’t been worked out (or some stakeholders aren’t familiar with them), which perhaps should have been done through a discussion-based exercise or a drill or functional exercise first.  Running a drill to test and familiarize the process of setting up key equipment prior to doing it for the first time in a full scale will pay a lot of benefits, and certainly prevent dozens or hundreds of other people being held up in a full scale.

Another issue I often see with exercises is very long and complex Master Scenario Events Lists (MSELs).  The MSEL is essentially the timeline or script of the exercise.  Along with listing all injects, it also identifies all benchmarks in the management of the exercise, such as StartEx and EndEx, and the introduction of new elements or transition to a different segment.  While there is no particular rule of thumb for how many injects are needed for different exercise types, everything needs to associate back to the objectives of the exercise.  I hate injects that are crafted simply for ‘noise’ (unless it’s an intel exercise), or injects intended to just give someone something to do.  Arguably, if the participants take an exercise seriously, such as a functional exercise, and play out the situation as they would in real life, you can engage an entire EOC for a few hours with even ten well-crafted injects.  While some functions are very focused, consider that the vast majority of what we do in emergency management requires coordination among a variety of elements and functions.  Capitalize on that.  One inject may engage multiple agencies or functions because of the need to coordinate and problem solve.  It’s not enough to identify a solution to the problem, but work through where the resources will come from, how they will get to where they need to go, and what support is needed for them and how long.  That’s a lot of problems to solve and will often transcend every function within the incident command system.  Exercises don’t need to be complex to be effective.  Create a handful of objectives and make sure everything relates back to them.  Simplicity can work.

My last recommendation is to keep your exercise planning team a manageable size.  I’ve been the lead planner for some very large exercises.  These exercises, largely due to their sponsors, ended up involving massive exercise planning teams – and by massive I mean over five or six dozen people – or more.  These are just sheer insanity.  Not every agency or organization involved in the exercise needs to be directly represented, nor does each organization need to send a small army of people.  What you do need is consensus from those organizations on the objectives and their scope of play.  That doesn’t mean they have to be involved in every aspect of planning the exercise.  Just like any other meeting or group project, a large exercise planning team can be cumbersome and management by committee is never efficient.  If need be, stakeholder groups can be developed based upon function.  For example, a fire service exercise planning team would develop their contributions to the exercise.  Just make sure that these groups are well coordinated and the overall exercise planning effort is unified, otherwise you’ll end with a disjointed exercise effort.

In the end, simplicity rules.  As you begin planning your exercise, consider, in every step if it can or should be simplified.  Always refer back to your intent and your objectives.  Chances are you can create a simpler exercise that is just as impactful, or perhaps more impactful.  When our inclination is to make things overly complicated, we often miss the point entirely.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC