Examples of Mediocrity in Asset Protection

Sphere State Group
5 min read · Oct 3, 2018

  1. “No, we haven’t defined and prioritized our assets.”
  2. Paper visitor log
  3. Unarmed security officers making less than US$30 net (or local equivalent) per hour
  4. DVR
  5. Wiegand and magstripe
  6. Security software UIs
  7. Lack of end-to-end encryption in security systems
  8. Military / police titles on corporate security teams
  9. Security function reporting anywhere but the risk function
  10. Annual training
  11. Unhelpful terminology and its attribution: “physical” vs. “cyber”
  12. Security control rooms
  13. Oversaturation of tech
  14. “Lowest bidder”
  15. Lack of operational and technological orchestration
  16. “We haven’t had any incidents.”
  17. 100-page Crisis Management Plan, in a 3-ring binder, on a shelf
  18. “Security” and “safety” used interchangeably
  19. Calling security officers “guards”
  20. Conducting tabletop exercises without testing performance under physical and mental stress. “Would you like pastries with your coffee this morning?”
  21. Equating information with data
  22. Having less than 100% visibility of your network environment
  23. Electronic security product software with default passwords
  24. Going to industry events just to get away from the office
  25. Selecting incident management leaders solely based on seniority
  26. Using the word “should” in policies, procedures, and standards
  27. Ignoring the fundamental importance of delay or “time-to-target” when planning and designing controls
  28. Taking full credit for work of competent consultants out of fear for negative perception of your own knowledge
  29. Blind trust in asset protection controls of third-party service providers
  30. Considering past law enforcement or military service as a substitute for years of asset protection experience without validation of required skills
  31. “We don’t need a service and maintenance contract; we’ll call you if stuff breaks.”
  32. Manufacturer-suggested minimum training
  33. Over-reliance on contractual obligations
  34. Engineering firms taking on security scope without having competent professionals to execute
  35. “Buyers” willing to pay minimum rates for outsourced security staff
  36. Delivering event security, close protection, and physical penetration testing services without at least two weeks of advance planning
  37. Asking for security advice in late stages of facility design
  38. Offering and accepting “free security assessments”
  39. Sharing individual provider’s proposal with competitors to get a better price
  40. Changing the name of an industry event but not its dated content or format
  41. Publishing standards but not promoting and defending their usefulness and wide application
  42. The way in which security technologies are offered to the market: volume incentives, FUD, minimal investment into fit-for-purpose analysis and prospective client education, lack of user-centric design
  43. Manufacturers capitalizing on post-incident hysteria
  44. “Old boys’ club”
  45. Making vendors and consultants pay for opportunities to speak at industry events
  46. “We take security very seriously.”
  47. “Independent” security consultants pushing products
  48. Industry research methodologies and reporting
  49. Using the number of years in the industry as justification for expertise and quality of work
  50. Poorly thought out, written, and formatted client reports
  51. Industry marketing (hooded criminals, smiling “bodybuilder guards”, locks, cameras, stick-figures with risk puzzles, handshakes, globes, …)
  52. Insufficient efforts for attracting women to the industry
  53. Women’s tokenization (“We need at least one female panelist.”)
  54. Low quality engagement with and commoditization of young talent — making them feel easily replaceable
  55. Lack of integrity in bid management and provider selection — “grapevines”
  56. New “techy” buzzwords and acronyms (blockchain, AI, cloud, AR, ML, etc…) attached to new security products without clear demonstration of justifiable value and user-centric design
  57. Lack of meaningful partnership with thought leaders in design, psychology, and human capital
  58. Recruiters who don’t offer meaningful, detailed feedback to every candidate
  59. Lack of focus on prevention
  60. Not practicing what we preach
  61. “What do you mean you have to see my ID? Don’t you know who I am?”
  62. Asset protection function with headcount of 1
  63. Borrowing publicly available information, slapping a company’s logo on it, and regurgitating it as bespoke analysis
  64. Self-congratulatory events and conferences
  65. Job descriptions and futile efforts of matching talent to them
  66. Recruiters who treat talent as a commodity and deal with candidates from position of superiority
  67. Industry groups which treat consultants and vendors as inferior and specifically disallow their membership
  68. Technology installation and workmanship
  69. Fragmentation and complexity of products
  70. Delivering and accepting “band-aid” services and tech without solving underlying causes
  71. Including and charging for useless features in security tech
  72. Equipment racks inside security control rooms
  73. Unscrupulous installation of “mag-locks” and “strikes” simply because door hardware coordination in advance is more difficult
  74. Installation of incident / threat alert technologies without clear understanding of their fit-for-purpose, user competence, and response orchestration
  75. Over-reliance on questionnaires in assessments
  76. Allowing professionals in other disciplines (auditors, lawyers, architects, etc.) to feel and act like “security experts”
  77. Inconsistent inclusion of asset protection screening in third-party due diligence
  78. Huge gap in program maturity between a handful and the rest of organizations
  79. Meritless awards
  80. Confusing security with safety and vice versa
  81. Poor knowledge and use of choice architecture (https://lnkd.in/dA4zGJr)
  82. Baseless dispensation and acceptance of CEUs (“Our next meeting will feature buzzwords and dated content!”)
  83. Allowing data security folk to usurp our domain
  84. Parade of false expertise after every school shooting — most resulting in procurement of useless training and blinky lights
  85. The term “active shooter”
  86. “Band-aid” consulting
  87. “Norman Doors” (https://lnkd.in/dKTg2fV)
  88. Bias of focused curiosity (explained here; start at 1:40, https://lnkd.in/dwtbfHv)
  89. Unfounded trust in data security pros’ abilities to protect information in three domains: mental, physical, and digital
  90. Trusting people, services, solutions, and tech without sufficient scrutiny
  91. “We’ve always done it this way and our neighbors are doing the same thing”
  92. No clear direction / pathway for young and aspiring professionals to enter and grow in our field
  93. Fragmented and unvalidated education for young and aspiring professionals
  94. Lots and lots of preventable incidents, including school shootings, workplace violence, data breaches, etc.
  95. Assessing controls and offering advice without understanding basic tenets of behavioral and organizational psychology
  96. Migrating security technology infrastructure to the cloud without granular evaluation of relevant protection measures, people responsible for administration, system configuration, and underlying management controls
  97. Assuming that threat analysis today is largely associated with the data security niche
  98. Talking about the importance of the “human factor”, but doing very little to mitigate its negative consequences
  99. Architects and engineers who continue to be oblivious to, or simply unaware of, asset protection fundamentals
  100. Inconsistent processes of software and firmware patching
  101. “Getting back to basics…” overshadowed by “We have the most advanced…”
  102. Ever increasing signal noise
  103. Confusing information with intelligence
  104. Archaic talent search, selection, hiring, and development practices
  105. Speaking in front of peers and daring to be predictable, boring, underprepared, and uninformed. This last one is a nudge in advance of any upcoming industry event.

BONUS — EXAMPLES OF MEDIOCRITY IN SCHOOL SECURITY

  1. School psychologists
  2. Site and building design
  3. Arrival and dismissal processes
  4. Tick-box security and safety training
  5. Vulture consultants and vendors
  6. Repeated and escalating attempts to solve human problems with “Blinky Lights” (adopted from Chris Roberts)
  7. Finger-pointing and “rugs” that can’t conceal any more dirt
  8. School districts that hire former cops as their security “experts”
  9. School district security “experts” who hire their buddies for consulting and integration gigs
  10. Implementing a plethora of edge tech (video, sensors, etc.) and forgetting to design consistently proactive, predictive, and professional monitoring and early warning environments
  11. School PTAs focused on “fun and games” instead of better parenting, encouragement, social adaptation strategies, recognition of and action on social-emotional issues of individual students and groups of students
  12. Education, preparation, and enablement of teachers and principals in social-emotional awareness and strategies
  13. Addictive tech that makes our kids more withdrawn and susceptible to depression (schools only exacerbate this problem)
  14. Our short attention span fuelled by media noise
  15. Lack of unified and thoughtful government action