Nudge: Embracing Asset Protection
“I’m selfish, impatient and a little insecure. I make mistakes, I am out of control and at times hard to handle. But if you can’t handle me at my worst, then you sure as hell don’t deserve me at my best.” — Marilyn Monroe
For the purposes of this nudge, let’s define asset protection as a complex of interdependent procedural, technological, and physical measures for elimination or reduction of harm to life, information, reputation, systems, physical objects, and environments.
So where do we start? I mean this literally. What’s at the root of asset protection? What affects every single decision and control? The answer is so trivial and yet so difficult for us to process.
It is… people!
Our individuality, social connections, and ability to cooperate. The way we think and process information. How we build habits and behavioral patterns.
Humans are at the root of asset protection. We generate risk-based needs as consumers and develop solutions for risk mitigation as suppliers. We all do it — only some more competently than others.
Our challenge, however, is also seemingly never-ending. This is because we are, by design, unable to be rational and deeply thoughtful at all times. Based on now famous research and publications by Daniel Kahneman and Amos Tversky we have two systems of cognition. The first is largely based on acquired habits and intuition. Through this system we make decisions and perceive our environments by filtering volumes of information with the assistance of learned constructs — sort of filling in missing pieces in a puzzle with assistance of past experiences. This system works well most of the time under normal and largely recognizable conditions. The second system, which we use less frequently, is the one which requires us to pause and apply critical thinking to conditions or situations which are less familiar or more complex. For example, try multiplying 24 by 16 and walking at the same time. If you want to learn more interesting stuff, check out this link for another experiment on inattention blindness: https://youtu.be/vJG698U2Mvo.
Another huge issue for us is negative effect of cognitive biases on our decision-making. For example, we seek out and like information that helps confirm our beliefs (confirmation bias). We also tend to be overconfident (based on statistical analysis) about our assessments and predictions. Have you ever done this yourself? I bet you can remember at least one such instance.
To sum up, people are the the root of asset protection as consumers and as suppliers of solutions. But, we are not always rational actors in this system. We use mental shortcuts, make assumptions about information and environments, and are subject to cognitive biases.
Why did I just spend so much time on psychological concepts? Because, just as people are at the root of asset protection, psychology is at the root of our behavior in general and decision-making in particular. Therefore, to raise standards in asset protection we must weave psychology into it. Let’s consider some ideas for how to do it.
1. It is important to understand that incremental change is much easier to achieve. It is unwise to push for huge overhauls — especially in asset protection — because our industry is so complex and fragmented that a small improvement is much easier to deliver successfully. Therefore, it makes more sense to achieve and demonstrate several small improvements than one which is significant. In asset protection, even a small improvement may generate significant value to an organization. Just think of a positive change in demeanor and tact of security officers at main entrances of your building. Easy to achieve and very likely to be noticed by nearly everyone — a bright spot. So, please always focus on a “bird in your hand” instead of “two in the bush”.
2. “Security” is NOT everyone’s responsibility. It is clear nowadays that asset protection practitioners largely missed the mark pushing for everyone to be “responsible”. I used to believe in this, too! It’s not that most people are unwilling or unable. Psychology tells us that we’re simply not wired this way. For example, I was in my second year in a Global Security department when we had to supervise groups of kids on corporate campus during the “Take your children to work” day. I was responsible for a group of 8–10 kids as they moved around in one building. Our group got into an elevator to move to a different floor. Surprisingly, the elevator wouldn’t move up or down. In a moment of “infinite wisdom” I asked the kids to get off the elevator and suggested to 3–4 of them to stay with me as I was “checking” why the elevator wasn’t “cooperating”. I thought it would be cool to share my experience with them while completely forgetting about my responsibility for their safety. Everything was resolved within a few minutes, but I still remember this brain fart. Didn’t sleep well for a couple of nights after it. This experience taught me that humans trained in vigilance and protection of assets will always do much better more of the time than those without such training and extensive hands-on experience. I was undergoing such training in my early years and still made a mistake because my vigilance and decision making relative to protection of assets were not yet well developed.
So, instead of wasting time on making everyone in your organization “responsible”, consider frequently and openly sharing with them simply what good and bad asset protection looks like. Don’t demand action. Just tell stories to highlight your objectives, your struggles, your achievements, and your failures. Build a community of like-minded people. Remember, we feel first and think later. A Harvard psychologist Amy Cuddy recently shared this awesome image through her LinkedIn feed.
3. Because of the way our brains work, we make LOTS of assumptions leading up to making decisions. It may not matter much when a decision is about moving a glass of water from one side of the table to another — the stakes are virtually non-existent and such a decision is made almost automatically. But, consider decision-making involved in incident management. Contrary to popular opinion, very few organizations — and only a handful of them in the private sector — have actually achieved proper orchestration of people, processes, and resources in their incident management. Even police departments dealing with often recurring incidents make assumptions about their capabilities. The most vivid example of this is a number of recent cases involving police use of force and accuracy in momentary threat assessment.
In the private sector, assumptions are abundant when it comes to every single aspect of a desired asset protection program — from capabilities of people to performance of technologies and physical controls. For example, think quickly of an average security officer. What comes to mind in the first 5–10 seconds of your reflection? Did your thought process start with the words “capable” or “knowledgeable”? Just recently I witnessed a fire alarm incident on a school campus. As the alarm was going off I came up to one of the visibly confused security officers and asked whether he knew what visitors are supposed to be doing. The officer, looking even more confused, mumbled “I don’t know”. There is a big difference between simply having security officers and getting them to perform effectively.
The most trivial way to reduce the number of assumptions in your decision making is to slow down, even momentarily, and ask yourself “What am I assuming here? How reliable are the capabilities and resources at my disposal? What gaps exist? How can the gaps be closed?”. Another useful way of reducing assumptions is to ask a colleague or consultant to conduct a peer review of your proposed decisions by asking similar questions.
4. You may have heard of the phrase “protection by design”. Sounds nice, doesn’t it? In the year 2018 we’re still terrible at blending protection and design. How dare I use such a sweeping statement? Have you ever heard a designer speak at a security conference? Even architects visit our industry’s events quite infrequently. What about user interface / experience designers? No-show. And industrial designers? Nope. How many standard credential reader colors are there? Only two. What about simplicity of electronic security systems’ user interfaces? Eyesore.
It is no secret that design and asset protection have been running in parallel with minimal intersections for many years. Too many years. In fact, in my almost twenty years in the industry I have not heard of any meaningful research into blending of design and asset protection. Of course, there is a concept of Crime Prevention Through Environmental Design (CPTED), but, as much as practitioners in the industry are aware of it, application remains inconsistent and questionable at times — especially in territorial reinforcement and maintenance.
The way to fix design issues in asset protection is also trivial — focus on humans and their desired ways of performing individual tasks or achieving specific objectives. Ask them what would make their lives easier in terms of getting their job done and demand from manufacturers and installers commensurate solutions. Furthermore, invest real hours into solution refinement and user training. Don’t just settle for “manufacturer-suggested” number of training hours. For every asset protection solution a strong focus on aesthetics, functionality, longevity, and maintainability is also a must.
5. Understand the “asset” part of asset protection. What is it that you’re tasked with protecting? Define it, classify it, and prioritize it in terms of potential impact financially, reputationally, and operationally. Here, I’ll use a very predictable example: people. No matter the size of an organization, or its type, people are an asset — some are more important because of the impact they have, and some are less important — yes, I said it. Some are important individually and some are important collectively. If an entire facilities management team in a building decides to go away to Bali for a team-building retreat, tenants in this building won’t be thrilled, to say the least. So, people matter. It is your job to determine the impact of their sudden absence from the job “grind” and develop both preventative and reactive solutions.
Another example is server hardware. Some servers, like people, are more important than others. I once worked with a team at an investment firm. Their most critical server contained all of their deal cycle information — from rough targets to conversion. They were surprised to find out that their incident management process relative to adverse impact on any asset was terribly flawed. Let’s just say that it would likely take them months and many millions of dollars to recover operationally and reputationally.
Once asset classification and prioritization is done, it is important to understand current and develop additional commensurate and justifiable protection controls for each asset relative to assessed risks and perceived level of impact. These protection controls should incorporate operational, technological, and physical measures. Use of adversary confusion and multiple control layers is very much encouraged in order to deter, detect, delay, and minimize negative impact. What I just wrote here should be well-known to most. What’s critical is careful evaluation of each individual control to validate its effectiveness and efficiency. Too often terrible vulnerabilities exist in asset protection systems just because of poor control validation. As mentioned earlier in this nudge, having controls doesn’t mean they’re optimally effective.
6. We urgently need to “unbox”. You can see by now that I haven’t used the word “security”. This is because this word very often prompts those who hear it to ask, “What type of security?”. In doing so, those who ask this question are committing a huge mental sin. They’re trying to put each person who answers into a “box”. Worse yet, the person giving an answer is often playing along and agreeing to be placed in a “box”. In our industry, once you allow others to put you in a “box”, you’re either “cyber” or “physical”. Both these labels do nothing but bastardize and divide those in asset protection whereas today, more than ever before, it is crucial to unite and collaborate.
The fix here is simple in and of itself, but terribly difficult to implement. What needs to happen is for all aspiring and current professionals in asset protection to develop mental stamina for correcting the message and sticking with “…I’m an asset protection professional…” because this will change the tone of the entire conversation to the one of unity, equality, collaboration, and solution building. The difficulty lies in our habits. If many already use “cyber” vs. “physical” in their vocabulary, it is tough to switch. So this can’t be done simply via grassroots movement. This change requires all industry associations to pitch in and adopt a common unifying lexicon.
7. I have so much more to say (just look at my LinkedIn feed), but need to wrap up. There’s only one more thing: diversity among us. We can leave ethnicity aside because this is not a problem. In fact, we should be very proud that there is such ethnic diversity in our industry. The diversity I’m referring to is related to our professional backgrounds. Our industry historically has been attractive to transitioning law enforcement and military folks because many of them assume that their skill-sets are easily transferable. I wish this were true, but adjustment, lots of additional training, and de-biasing are absolutely essential for success in our industry. It is not a secret to any of us that threats and threat actors continue to change. So should our talent pool. In fact, we should be seeking talent from the fields of design, humanities, and sciences. One of my friends who is now a very successful and highly respected asset protection practitioner has a background in arts. I’m often amazed by the way his brain works and how he approaches solutions and relationship building. I still have so much to learn from him.
So the fix is, once again, simple and yet challenging. We must abandon the notion of an organic relationship between experience in law enforcement and military and success in asset protection. I don’t have quantitative proof of this for you, so I ask you to simply trust me on this. Or don’t, but just pause and think for yourself. I simply propose that asset protection skills are teachable to anyone. I have 4 years of teaching at a graduate level as well as my own career to put on the line.
______
Embrace positive skepticism and soar above mediocrity!
Thank you for your time.
