I do not know if you can ever give clients what they want because some have no idea what security does. All they know is that they do not want to be woken up at 3AM because the toaster is not working.

Offer - Verifiable results with time clock accuracy - Your contract our bond.
( I would not add 30 minutes or free)

The way to provide this would involve the Client (and Maintenance staff)spending one hour (or a complete patrol) with the Security Officer(s) and a Supervisor who makes notes. These notes are then turned into instructions confirmed with the client. I would also expect the Client to be more involved with unannounced spot checks and regular meetings to spot trouble and correct it early. (long before contract renewal)

Most business's have cameras / pass cards / punch clocks / even cell phone records to provide confirmation of Security activity.

Yea I know, what world am I living in.....

SecTrainer as an independent security consultant I conduct security surveys. It is my desire to ensure they are comprehensive and to that end I want all players involved. If the CEO is too busy to attend an in-briefing, then I will not accept the assignment. My philosophy in conducting a survey is as follows:

One, the survey is designed to produce a realistic threat analysis from which a comprehensive crime prevention profile is derived. The expressed intention is to raise management’s security awareness and its “duty of care” responsibilities. The information gained from this survey will enable the security specialist conducting the survey to recommend to management cost-effective security improvements in the facility and meet the “duty of care” requirements. Using of a probability matrix, specific assumptions can be made which will lend them to site specific security improvements within the realm of what the owner(s) can reasonably afford and budget for in the out years. As Sal DePasquale, CPP puts it, “Security does not cure diseases, and it simply deals with symptoms. The task for security is not to correct the system that manifests the antisocial behavior. Security’s goal is to prevent the behavior from impacting the organization, to drive the criminal elsewhere. To do that means raising the bar to a height that compels the criminal to seek another target.” These improvements translate into:

THOR - Target Hardening Opportunity Reduction

Two, the survey is designed to reinforce the concept that anything that interferes with a company’s ability to provide goods or services-hence makes a profit is by definition a primary concern of security management. Hence there is the need for an accurate and realistic threat analysis. For success, ALL employees of the company, from the CEO to the person who sweeps the floor and takes out the trash must share this security concern. It must be understood by all concerned, if they are not part of the solution, then they are part of the problem. Security and law enforcement cannot explicate human behavior. It will always be a closely run thing.

Three, the completed survey is to facilitate site preparation or site restoration for installing or restoring of a reliable and effective alarm system, free of false and nuisance alarms. There is proof that thorough site preparation, proper sensor selection, installation methods and techniques, along with owner/operator education and training, incidences of false and nuisance alarms are significantly reduced. Scarce security and law enforcement resources can be effectively utilized in either a proactive manner, or squandered by responding to spurious alarms. It is management’s choice and management’s choice alone.

There are a number of things to remember when conducting a security survey. They may appear at first glance to be unimportant but in reality, crucial.

A security survey is the pursuit of trifles and subsequent study of the insignificant. Small things, bane of management, cause most security breaches.

Security personnel scan the horizon looking for the big security violation that will establish them in the field.

We tend to be on the lookout for the Elephant, when it is the Ant who is carrying away the store bit-by-bit. The presence everywhere of the innocuous, the ubiquitous trifle, would seem to be our undoing. What of one lost key, or one sensitive paper left on a desk overnight, or one unlocked safe or file cabinet. Small yes—petty no!

Lose a ring of keys and management goes ballistic. Lose one key, hardly a ripple on life’s water. We salivate at the prospect of a “kicked-in” door or “smashed-in” window. We could have either as a diversion and never know the difference. Why? The crooks in prison told us so.

Wonder why we keep replacing light bulbs on that one particular fixture? Or what about sizzling sounds from that electrical receptacle or switch? Not to worry, it just reminds us to have that BLT when we get home. Could it possibly be an electrical problem? Could it portend of disaster? That fire down the street, didn’t that start with a switch or something like that? No, it’s only a trifle.

Your secretary complains when she touches that metal frame it tingles, feels strange. Could that be AC ripple? Could someone get shocked or electrocuted? It takes 17 milliamperes to stop your heart and 50 milliamperes to trip a 20-ampere circuit breaker. It’s so insignificant, not to worry, right?

There are chemicals in the basement that nobody seems to notice. Gee, what would happen if that chlorine and ammonia got mixed up? What about that carboy of sulfuric acid? Shouldn’t they be in separate rooms? Nothing could happen and if it did, nobody would get hurt. It’s just a trifle.

Odd, the electrician found some plastic tubing in the box when he was replacing a receptacle. He showed it to me. Looked like the stuff they used for my IV drip when in hospital. Well, wasn’t this a medical office clinic before we moved in? Not a problem. Couldn’t be anything important.

We have, or so it would appear, lost our way. Lessons learned from Protection Of Assets Manual® or similar publications are either forgotten or, in cavalier fashion, ignored. We repeat mistakes made last year by the Widget Company this year despite the warnings.

We may even add a bit of flair or bravado to our harmless blunders. We act with dismay at the incurred wrath of our stockholders or the taxpayer. The message has not filtered through.

Enjoy the day,
Bill

Bill - From a friend of mine and a fellow consultant - under his "Must Dos" - Always give a bit more than your client expects. It's cheaper to give a little extra than it is to find new clients.

I learned this lesson many years ago from the owner of a national auto repair chain. His standing order, to all of his stores, was to perform some small extra service when working on a customer's car. Then note it on the service order and point it out to the customer when they pick their car.

I make it a practice to give the customer more than they contracted for. I put it on my invoicing, and note that I did not charge for it.

To a large degree, what the client is seeking from its security program is the absence of any type of security loss or event - in essence, if the security program is working effectively, nothing happens.

This is one of the things that makes security so difficult to sell and so difficult to build a business case for. I know that there are some security practitioners out there who try to use the classic "Return On Investment" (ROI) model to justify security expenditures. This works well when dealing with certain types of predictable high frequency loss events (such as shoplifting), but I find it tough to apply to low frequency, high consequence loss events such as physical assaults on employees or the theft of trade secrets.

In my mind, security should be viewed like insurance and life safety systems such as fire alarms and sprinkler systems. I don't think that these can be strictly justified on a ROI basis, but no reasonable corporate executive would deny that they are necessary. To be sure, a security department can provide a number of "value added' services that can contribute to the bottom line, but it is my opinion that the core security function falls into the same category as insurance in that it cannot be justified on a purely economic basis.

I have been in the security industry for 35 years, and have been an independent security consultant for 22 years. During this time, about 75% of my engagements have been in response to a major security incident that has just occurred. Types of incidents have included major thefts, compromise of sensitive information, loss of top secret product prototypes, physical assaults against employees, and attacks by radical activists.

In these cases, I am usually called in by senior management and asked "What can we do to keep this from happening again?" The irony is, that in many cases, by the time I have completed my assessment and submitted my report, the client's memory of the incident is beginning to fade. Sometimes the client will look at my recommendations, and say "These all make very good sense, but I believe that we will keep on doing what we have always done; other than this one incident, we really haven't had any problems..." And the cycle repeats itself.

About 25% of the time, I am called in on a proactive rather than reactive basis. This usually occurs in conjunction with a major new construction project where the client wants us to help plan the security program for a new facility. If the client has been fortunate and hasn't had any real problems in the past, it is tough to get acceptance of certain security recommendations despite the potential for loss indicated by my risk assessment. Clients who have a history of past security incidents tend to be much more receptive to making investments in reasonable security countermeasures.

After a major theft or other adverse security event has occurred, the client usually has a crystal clear understanding of his vulnerability and the security risks that he faces. The challenge for me has always been this: how do I create this same sense of awareness ahead of time? How do I convince the client to invest in preventing something that has never happened to him before, despite the fact that there is a reasonable likelihood that the unwanted event will occur?

After 35 years, I still don't have a great answer to this question...

Sec T,

I think the lads have summed it up well - deliver more than you promise, SHOW them what you are protecting their assets from, show them why just security guards are not the answer because anyone can be a robot and just regurgitate information. Whenever I have conducted a mini Risk Assessment on a site (just 1 area) it has shown the client or my employer of WHY they need to consider what it is we are providing for a service.

Silva is right when he explained that people respond to an incident with panic and ask for it to be fixed for next time. It is like car maintenance, check the oil, water, coolant and tyres and this will go along way to preventing further incidents and all it could take is a simple walk around a building site or premises or business analysis to identify areas of concern. On 9/11 I had a satellite office in the same prestigous building with the US consulate (not embassy) here in Sydney - just a few floors away. I could not get access initially, but with permission had a 5 minute visit under federal escort as we were known to the US Consulate and had permission but it was something I had contingency plans for but it was a decision we were prepared for but should have prepared better for.

SecTrainer there is one more piece of information I'd like to submit for your consideration, "The Checklist." I give this paper to all my clients begin before any agreements are agreed upon. I guess this idea comes from my military background especially as a training NCO checking all the training required for members of a squadron, group, wing or division. To survive, it had to be organized and methodical and that meant writing it down.

WHY THE CHECKLIST?

We see a security survey in progress. We hear the questioning and witness the taking of notes. I remember being asked about embarrassment using a checklist? My response was the question: “Do you think an airline pilot feels embarrassed using a checklist before takeoff and landing?” “Well, that is different was the response. There are so many things that pilots have to do. What they do is very demanding and many lives are at risk. What happens if they miss something?”

What happens indeed? What happens if we miss something on a security survey? Security surveys are demanding as lives and properties are at risk. If this makes sense, why are some of us so skittish? Why do we think only amateurs use checklists? Why do some of us look with disdain upon those who choose to use a checklist? Are checklists really for the beginner rather than the consummate professional?

The answer to our discomfort may be attitudinal. The macho image is at work. “I can store all of the security information on a given subject or subjects in my head.” That might be true if the security field was very small and never changed. I still worry. What if I was having a bad day? With liability issues being what they are today, we have limited choices as to the help we can give ourselves. If we shortchange our client, we do so at our peril. The client’s attorney, the judge, and jury will pick the carcass clean! The penalty for bluffing can be most severe.

Should we decide to use a checklist guide in our work, how do we insure it is up-to-date? The day we run off our checklist it is obsolescent. The checklist should be a dynamic document constantly evolving; changing as necessary with every professional journal, magazine, and newspaper we read. The checklist might change with every seminar, workshop, trade show, and class we attend. The checklist might change after a conversation with a fellow security professional. There are many ways to insure the checklist is current.

The checklist will be easier to maintain current if it is in a word processor. Depending upon the magnitude of the change or changes, only one or two pages may require editing. This is a small price to pay for professional accomplishment and maintain an edge over the competition.

If your security survey report leads your client to initiate a lawsuit, do not be surprised if the defendant’s lawyer serves you with a “Subpoena Duces Tecum,” New Latin for “under penalty you shall bring with you." (A writ commanding you to produce in court certain designated documents or evidence.) Along with your notes that support the survey report, the lawyer will want to see a copy of everything you use when conducting a survey. This includes outlines, books, pamphlets, studies, checklists, and so forth. You may rest assured the defendant’s lawyer will go over everything you provide with a fine toothcomb.

After that fun-filled event, you receive a “Subpoena Ad Testificandum,” New Latin for “under penalty to give testimony.” (A writ commanding you to appear in court to testify as a witness.) In my experience, my notes accompanied the survey report. The client destroyed my notes as a part of the contractual agreement. That left the checklist. Both lawyers will go over all salient points in the survey report. Your client’s lawyer will observe and comment on the thoroughness of your checklist. The defendant’s lawyer will do the same, to include questions on the origin of the material. Next, there are precise questions on how you use the checklist and whether or not you always use the checklist in the same manner in every survey? Have you ever deviated from the checklist? That was a variation on the previous question. Interspersed with questions on how you use the checklist, are questions concerning how many surveys you have done in your security career and the number of publications you receive? Do you read each and everyone, and of what you read, how much goes into your checklist?

That process goes on for a better part of an hour. In the end, your client wins and just as important, your integrity remains intact. A valuable lesson ─ consistency and preparedness pay off again. The well-appointed checklist comes through again.

This is someting for which you do not charge the client as it is just a part of doing business.

Enjoy the day,
Bill

Bill,

Excellent point. I have always used checklists and outlines for all of my surveys. I have a general checklist that I use for all projects, as well as supplements for each of the specific industries that I serve (pharmaceutical, manufacturing, etc.)

As you say, the checklists need to be frequently updated to remain effective. Which reminds me, it is time for me to update mine once again.

Silva Consultants

Great points. This business as usual mindset is exactly why there is never a shortage of potential targets for those who wish to harm others. Contrary to the Geico TV ads, people are stupid.

We might have a lively discussion about whether employee/customer assaults or the theft of intellectual property are, in fact, "low-frequency" events, but a more relevant question might be whether the absence of adverse events, whether high- or low-frequency, is really what clients want, or even whether they want an acceptable ROI from their security dollars.

The value proposition for a client must relate to the reason they are in business. Why did they seek initial funding, get a business license, make capital expenditures, hire people and go out in search of customers? Why do they get up every morning, put their pants on and go to the office?

We can be sure they didn't start the business so they could avoid adverse events, which they could completely avoid by never starting the business at all. Their mission has something to do with making a profit (or achieving some social good) by means of doing <what>?

A good starting point is the client's or prospect's mission statement. Here's one from Starbuck's, for instance:

__________________________________

Establish Starbucks as the premier purveyor of the finest coffee in the world while maintaining our uncompromising principles as we grow.

The following six guiding principles will help us measure the appropriateness of our decisions:

* Provide a great work environment and treat each other with respect and dignity.

* Embrace diversity as an essential component in the way we do business.

* Apply the highest standards of excellence to the purchasing, roasting and fresh delivery of our coffee.

* Develop enthusiastically satisfied customers all of the time.

* Contribute positively to our communities and our environment.

* Recognize that profitability is essential to our future success.

________________________________

Note that missing from this statement is anything about avoiding adverse events. We can presume that whatever Starbuck's does, whether it's buying espresso machines or contracting for security services, is done because executives believe it will further the objectives stated above, and no others.

Indeed, Starbuck's specifically tells us that they will "measure the appropriateness of their decisions" by these six objectives.

Our value proposition to Starbuck's, then, must explain exactly how our service or product will contribute in a positive way to achieving one or more of these objectives. How would the absence of adverse events do this? Can "ROI" be offered as the basis of a value proposition?

Starbuck's is committed to providing "a great work environment", and to "respect and dignity" for employees. We must ask, then: Just what does make for a "great work environment" (a sense of safety, surely?), and what is involved in assuring that employees treat each other with "dignity and respect" (prompt attention to employee complaints, surely?). An insecure work environment can never be a "great" place to work. Starbuck's needs to have the capability of objectively (third-party!) investigating employee allegations of harassment (disrespect), etc.

We might, then, see a value proposition that incorporates these elements:

* Enhance the sense of safety and security enjoyed by both employees and customers while working or shopping in the client's stores.

* Provide prompt, objective and expert internal investigative services to support the client's commitment to respectful treatment of all employees.

* Secure the client's supply chain in order to help the client realize maximum possible profitability from its business activities.

...etc.

Or, instead of looking at the mission statement, you might approach this by performing a SWOT analysis on the client or prospect.

Strengths
Weaknesses
Opportunities
Threats

("Threats" should be interpreted in a total business sense, not just security.) The client might have already done one, or might participate. If you have to perform your own, there is a lot of OSINT information available for most industries and you'll look like a hero if you can discuss the client's industry intelligently.

What might your value proposition have to do with respect to Starbuck's "opportunities", for instance? If Starbuck's is looking to expand globally, for instance, an element of your value statement might be:

* We will provide a robust security program featuring global security partnerships that will enhance the client's ability to expand into new territories.

OR

* We will provide relevant and timely security, socioeconomic, and political intelligence analyses in support of the client's desire to expand into new global markets.

(Of course, any of these sample statements presumes that they express your company's real competencies.)

The value proposition must be expressed in terms of the client's fundamental business objectives, corporate culture, values, etc. It is written from the client's point of view, not ours. "We will keep bad things from happening to you" might be what you do, but it isn't what clients buy.

Note that a properly expressed value proposition will then provide you with a framework for presenting a specific action proposal: We will achieve item #1 in the value proposition by doing <whatever> and measure our performance by <however>. We will accomplish item #2 in the value proposition by doing <whatever> and measure...etc.

(Some action objectives, such as "the employee's sense of safety" are subjective and must be measured by subjective instruments such as surveys. Others can be expressed - in the action proposal, not the value proposition - in monetary terms, percentages of increase and/or reduction, relevant measures compared to similar facilities, etc.)

SecTrainer,

Your points are valid. I actually review the corporate mission statement when preparing my overall security strategy and attempt to dovetail my specific recommendations with the guiding principals stated for the corporation. For example, a workplace violence prevention program is consistent the stated principal of "Provide a great work environment and treat each other with respect and dignity", and a theft reduction program would be consistent with the stated principal of "Recognize that profitability is essential to our future success".

However, in spite of the lofty goals established at the corporate level, I find that most of the operating managers that I deal with are hesitant to make investments in security unless that they believe that there is a real and immediate possibility that an adverse event will occur. Often the only thing that will convince them of this is for an actual incident to happen.

Trying to persuade clients to make investments in security improvements just because "it is consistent with the guiding principals of the corporation" has been a tough sell for me. Maybe that is why you are a graduate school candidate and I am not ...

SecTrainer, this is the last piece I can think of to help your cause. I think too many times some of us fail to act when we see first hand, through examination of documents or physical plant inspection or what is gleaned through interviews evidence of criminality. I add this article during the initial negotiations with a perspective client: "Remember the principles of “misprision,” “facilitation” (which means having knowledge of or encouraging), accessory after the fact and “the reasonably prudent man theory,” when obvious criminal conduct or actions are observed. I have a legal obligation to report what I have seen or heard to competent law enforcement if the client fails to do so “after having been put on official notice.” The client cannot simply be allowed, as a course of action, to flood the moat and raise the drawbridge. (18USC, Sections (§) 3 and 4 Accessory After the Fact and Misprision of a Felony."
SecTrainer, sometimes the conversation ends there or I never receive a call back. That is a risk you run. With the experience most of have, plausible deniability.
A client may accept rebellious actions of contumacious employees in an attempt keep an otherwise "productive" workforce or out of fear of certain employees. I cite the example of severals employees running a drug smuggling and distribution ring from a moving company that DEA busted recently. Fencing stolen merchandise or a chop shop operation on the side are other examples.
Enjoy the day,
Bill

SecTrainer,

Your "value proposition" discussion reminds me of something that occurred several years back. I was hired by a major national grocery chain to do an assessment and design security improvements at their corporate headquarters facility.

One day while I was working on site, I was pulled into a meeting unexpectedly and asked if I could assist with site selection for proposed new store locations. I began to explain the normal process; how we would obtain crime forecasts for the sites so that high-risk sites could be avoided, that CPTED principals would be used in site design, etc.

About half way through my explanation, I was interrupted and the client said: "No, you don't understand, we want to locate stores in high-crime areas. We feel that these neighborhoods are under-served by our competition, and think that we could operate profitable stores in these communities if the right security precautions were put into place from the start".

So, I think that this could be an example of the type of value proposition you are seeking: "By having a proper security program in place, you will have the ability to operate stores in profitable markets that are being ignored by your competitors".

Silva, those are excellent points. Before starting a survey these are a few things I start out with and I encourage other consultants to do the same:
1. Before starting the survey, obtain from the local law enforcement crime statistics for the surrounding area. During the course of the survey, make it your business to befriend the nearby homeless. The information obtained through subtle interview, especially after buying coffee or a hot “fast food” meal, is priceless. You should interview as many maintenance and janitorial personnel as possible. They have fears, concerns and ideas on how to improve existing security. Listen attentively. To hear is not the same as to listen. Verify all the information! And never, ever, burn your informants. That makes you a slimy person.

a. If there were crimes against people — murder, rape, aggravated assault, where did they occur in relation to the property? When necessary, visit locus in quo.

b. If there have been reports of burglary, what were the most common entry points and methods of entry used? Again, visit locus in quo.

c. What time of day did most of these offenses occur?

d. If this survey is conducted for, or under contract to General Services Administration (GSA), a jaundiced eye should be cast upon their completed security matrices. Often, the information contained therein was false, or at the very least, misleading. This has been the author’s personal experience for more than 15 years. Recent events may have changed this.

2. How many surrounding facilities have alarm systems installed?

a. Were the alarm systems working at the time of the burglary?

b. Did law enforcement indicate a history of false or nuisance alarming?

c. Were there a number of false alarms just prior to the burglary?

3. Were there cases of “smash and grab?”

4. Were there cases of alarm systems being bypassed?

a. If possible, determine from law enforcement or the insurance company, the methods of circumvention used in these burglaries and the degree of sophistication.

Enjoy the day,
Bill

Thanks for your thoughts, everyone. I appreciate them.

I thought we had more owners and consultants and needed at least 10 respondents, so I'll suspend the thread and try this another way.