Security & Surveillance: Lessons from October 1

What needs to change?

Almost six months have passed since the tragic events of October 1 in Las Vegas, and the questions I am being constantly asked are, “What has changed in hotel security? What needs to change? Are we more secure than we were before?”

In short, the answers are: not much; the unwillingness to do what is needed; and, no, I do not believe we are safer than before October 1.

Allow me to begin with a question: Do we need security? Do we face probable and critical threats to our safety and security that need to be addressed? If the answer is no, then we should pack up our things, send the security personnel home and call it a day. If, however, we do need security, then the time has come to start doing it right. We need to keep people safe as opposed to just making them feel safe—no more “security theater,” but rather, the enactment of the long-overdue shift in the security paradigm that will effectively reduce risk and make people safer.

 

Real, Not Show

Security, real security, does not come from cameras, metal detectors, radar firearm detection systems or file rooms full of unrealistic procedures. The leading principles are, as always, stop the threat as early and far away as possible; prevention is better than intervention; and, stop the attack before it gets going. However, this is not always possible. Washing machines come with guarantees but not security.

We must acknowledge that security measures, no matter how good, may at some point be penetrated. Just recently, a woman bypassed all TSA and other airport security at Chicago O’Hare airport and succeeded in boarding a flight to London without a passport, ticket or boarding pass. People have broken into the White House and succeeded at penetrating a myriad of other “secure locations” without being stopped.

This is in no way a critique of existing preventative security measures. However, it goes to show that hostile events may occur despite your best efforts to prevent them, and recent events have shown us that we are ill-prepared to deal with them when they do.

At a recent conference for the security of sporting events, a security manager was explaining how well trained their employees were to check delivery vehicles at the access control points. He provided an in-depth description of the procedures and attention to detail when searching vehicles. However, when I asked if their team is as well trained to respond to a threat as they are to detect one, the answer was, and I quote, “Absolutely not! We have the police for that!”

It goes without saying that the chances the police are standing next to the staff member as they check every vehicle is close to zero, hence they had no effective ability to respond to a threat once discovered.

Herein lies the issue. Detection without the ability to respond is far from good enough. It comes back to our original question. Do we need security? If we do, then we need to consider that the worst may happen, and if we are not prepared, the results will not be good.

So, how do we approach today’s security threats in an effective manner?

Time after time we bear witness to attacks on hotels, casinos and events that attain an unacceptable rate of success. The security apparatus in most facilities today is not equipped to effectively prevent or deal with a hostile incident on the scale we have witnessed in recent years, and unless there is a fundamental conceptual change in the hotel security paradigm, when the next terror attack occurs, it too will succeed.

 

Feeling Safe is Not the Same as Being Safe

If there is one thing we know to be true, it is that higher-resolution cameras, more robust vehicle barriers or the addition of more inadequately trained security personnel is not the answer. Physical and technological security measures without properly trained manpower and proper procedures in place create an illusion of security that is both ineffectual and dangerous.

The perception of security does not necessarily mean security. So, how do we protect ourselves from becoming the next victim of a hostile attack? We propose a four-fold solution that starts with understanding the risks, threats and vulnerabilities a hotel, casino or event faces, then moves to the implementation of effective proactive and reactive measures to ensure the safety of both guests and staff.

1: Updated Risk, Threat and Vulnerability Analyses (RTVA)

There is no “one-size-fits-all” solution to security, especially not in hotels, casinos and events. A good RTVA shows this immediately.

Each location must be considered in terms of its environment, clientele, geographical location and many other factors. Back in the days when the main concern for security was petty theft and drunks in the bar, the concept had different connotations. In the reality of today’s world, without an in-depth analysis of the probable and critical threats and risks a facility faces—and where its vulnerabilities lie—it is not possible to build an effective security apparatus.

In order to improve security, it is imperative to have a clear understanding of the specific risks and threats facing the hotel and its guests, as well as the vulnerabilities that might allow these risks and threats to breach the existing security apparatus. Only after qualified professionals have properly conducted an RTVA is it possible to establish a security plan that objectively addresses risks, threats and vulnerabilities—and then reliably reduces the risks to acceptable levels.

We can compare risk mitigation to a vaccination. If one is traveling to a country where yellow fever is a high risk, getting a flu shot is not going to help. That’s not to say a flu shot isn’t a good thing to have. It simply means that for that particular country, additional and specific protection is needed to optimally reduce risk.

Today, many facilities have their security “flu shots:” a range of generic prophylactic measures they hope will insulate them from day-to-day low-level threats, but nothing based on a rigorous RTVA or a current understanding of the actual threat scenarios. This mindset needs to change.

Hostile events are on the rise, and hotels, casinos and events are highly attractive, and for the most part highly vulnerable soft targets.

2: Physical and Technological Barriers

  • Physical barriers: Gates, lights, locking mechanisms, windows, fences, walls, barriers, bollards, security booths, etc.
  • Technological barriers: CCTV cameras, alarms, biometric readers for employees, key cards, smart elevators, automatic fire doors, etc.

All of the above are essential for any facility security system, and should keep guests and visitors safe. Correct? Yes, but not on their own!

Physical and technological barriers that protect a fixed-site perimeter and shell should be part of every security plan. But it is important to realize that while they are necessary components, they are not sufficient to establish real security.

In fact, they can sometimes provide a false sense of security.

Even though the attacks of the last several years have shown that these measures alone do not mitigate, control or contain threats, numerous articles still call for hotels to install better-quality incident-response and high-resolution cameras, sophisticated alarm systems and more secure locking mechanisms on doors.

The fact is, however, that no camera has ever stopped a gunman from entering a hotel lobby, any more than an alarm prevents them from accessing the premises.

Every fixed-site security apparatus requires all four cornerstones to be truly effective, but many today place disproportionate emphasis on the physical and technological aspects of security, and far less on an RTVA, manpower/training and procedures.

The questions that need to be asked before installing or upgrading physical and technological security measures are:

  • Why do we need this?
  • What threats are we addressing or mitigating?
  • What is our purpose?
  • Is it going to make our guests feel safe, or actually be safe?

We do not suggest throwing away cameras or leaving rooms unlocked. We do want to emphasize that CCTV cameras do not prevent attacks. Cameras have a function and a place in the security paradigm, but they are not a preventative measure. This is a prime example of feeling safe as opposed to being safe.

3: Manpower and Training

Having the “right person for the right job” may sound cliché, but that doesn’t make it any less true. From the selection of the security manager to access control guards, choosing the correct people is of paramount importance to the security of any facility.

Specific qualifications for all security positions need to be established, and only qualified candidates must fill them. Proper vetting and screening of all potential employees, not only for security-related positions, is equally important. (In the Mumbai attacks, for example, employees who had been planted there by the terrorist organizations supplied much of the useful intelligence about the interior of Taj Mahal Hotel.)

Once the security team has been selected, appropriate and comprehensive training by well-qualified instructors is essential.

Training should not only teach the skills necessary to carry out day-to-day responsibilities in an effective and thorough manner. It should also enable staff to be a proactive security force. This means that training courses should include lessons on hostile surveillance indicators, suspicious behavior identi- fication, imminent-attack indicators, proper monitoring of CCTV, case studies of actual attacks and more. The mantra must be: We are all responsible for our security and safety.

A further aspect of training that is mostly neglected is response training: what to do when a threat is detected, or a hostile incident occurs.

When security personnel hear shots fired or a receptionist hears an explosion in the parking lot, what do they do? How do they respond? It is not reasonable to expect the average person to respond effectively to extreme circumstances, especially life-threatening ones, without proper training.

It is critical that your personnel, all personnel, undergo some degree of security-related training so that if a crisis hits, they will know how to respond correctly to minimize casualties and save lives. In an emergency, the more people who know how to respond, the higher the chances of a positive outcome and limiting damage.

4: Procedures

The fourth cornerstone, procedures, is vitally important and yet the most neglected. Procedures are the manner in which staff should respond and act when faced with a particular set of circumstances. But while there are rooms filled with generic security procedures, and these may have been enough in the past, they no longer provide adequate answers to the emerging threats fixed sites face today.

Security procedures need to be location-specific, and they need to address a wide variety of risks and threats at various levels. The concept of one procedures manual being applicable to all hotels in a chain or region is no more logical than suggesting that one guidebook could be relevant for every country in the world.

Security procedures relate directly to the RTVA (risk, threat, vulnerability analysis) for a specific location. They need to consider variables such as geographical locations, environment, clientele, facilities, budgets, manpower and many other issues. They provide structure and methodology for carrying out security-related tasks, not just for security personnel, but for all employees.

Procedures, both routine and emergency, must be simple, effective and implementable. It is not good enough that they look good on paper; they must be field-tested and properly imparted to the employees, both security and general staff. Ongoing drills must be done and procedures reassessed on a regular basis to ensure they are still relevant and effective.

Procedures must be clearly written and accessible so people can refer to them when necessary. They must be simple and unambiguous, and they should provide clear instructions for how to act during routine and emergency situations.

We are aware that operators have emergency procedures in place for fires, earthquakes and various other natural disasters, as well as contingency plans in the event of war or other extreme circumstances. We are also aware that one cannot know if these plans will effectively save lives until they have been field-tested in an actual crisis. That is why it is critical these procedures be prepared with the help of experienced professionals who have a deep understanding of real-world threats and firsthand knowledge of what will actually work and save lives.

The combination of properly written procedures and training equips employees with not only the “what” and “how” to do things, but also “why” these things need to be done. This facilitates proper and effective function in the field.

 

It’s All About The Guest Experience

Turning fixed sites into fortresses is not the answer. Guests and visitors must feel welcome, safe and happy, and they should be able to enjoy a positive experience in keeping with the operator’s culture.

Effective security will not come from radar weapons detection systems, barbed wire fences or more inadequately trained guards with more guns. It will come from accepting the new reality: The world has changed and is no longer what it once was. We need to have properly trained people supported by technology, and not to be reliant upon technology supported by people.

Hotels, casinos and events are considered legitimate targets by those who wish us harm, and only an intelligent shift in the hotel security paradigm that will provide actual, not perceived, security is going to prevent the next attack from claiming innocent lives.

Mac Segal is director of Hotel & Fixed Site Security Consulting. He has over 25 years of operational, training and consulting experience in the security industry, specializing in mitigating and responding to terror and criminal threats.