Education – An underused tool in managing organisational security risks
First appeared in The Australian Security Magazine.
For the past 12 years I have travelled the world managing security risks and implementing risk reduction strategies for a wide range of organizations. During all of this time one aspect of security risk management that is constantly overlooked; or at best played lip service to is the education of staff about security risks that they, or the organisation face.
Some organisations are prepared to spend millions of dollars on technical security systems but fail to deploy sufficient operators to use them effectively or explain what the system is intended to do. Whilst other organizations will send employees and their families half way around the world in search of increased profits but fail to brief them about potential security risks that exist. Most importantly, organisations are failing to utilize their employees to help protect themselves and the organisation from potential safety or security risks that they might face.
What is Security Education is it just the same as Security Training?
Many individuals and organisations confuse the two terms and whilst both are representative of “learning” there is a clear distinction between them. Security training provides the skills needed to conduct a primary security function or role, i.e. how to operate search equipment or control access into a building. Security education provides the information, advice and guidance needed to help informed choices to be made that avoid or reduce the risk to the organisation or individuals from potential security threats. Security education influences, empowers and enables a proactive risk mitigation approach to be taken that helps employees and organisations operate safely and securely at work, home or during travel.
There may be times when the advice and guidance given in a security education programme is formalised into security training sessions. However, this is normally based on a change in the situational risks that are faced, i.e. operating in a hostile environment such as Iraq or Pakistan.
Why should Organisations Invest in Security Education?
1. Protection of Assets. Most organisations recognise that their employees are one, if not the most important asset that they have and without which they would find it difficult to operate or function. Therefore by default the protection of staff from risks should be one of the highest organisational priorities. As outlined previously a security educational programme provides advice, guidance and information about security risks that can affect the organisation and individuals. By knowing and understanding what threats exist enables steps to be taken to avoid or reduce their adverse impact; thereby enabling the employee and assets to remain safe and functionable.
2. Value for Money. Investing time, effort and money in the provision of security advice and guidance in a workforce should reduce workplace abstractions caused through being the victim of criminal acts or security incidents. A security educational programme should provide the guidance needed to enable positive steps to be taken when faced with pre-determined situations or incidents that reduce the impact or loss to an organisation. A technical security system might cost millions of dollars but will be limited in scope and normally only cover certain areas or vulnerabilities. A security education programme is a fraction of the cost and protects not only the organisation but also the employee whether at work, travelling or home; something a technical system cannot achieve.
3. Duty of Care. A security education programme helps an organisation address duty of care issues by working proactively to identify security threats that could adversely impact employees and provides them with information to avoid or mitigate them. This is especially important when sending employees on overseas assignments. Any organization operating an effective security education programme demonstrates social responsibility to its employees and families and is able to extend a duty of care beyond just the workplace. Whilst the question of whether an organisation has acted responsibly will normally be for a court to decide any failure to readily identify a likelihood of a security risk will most likely result in a conviction or adverse ruling against the organisation.
Having won a multi-million dollar contract Company X sends 5 members of staff to Mexico in order to find office accommodation. They are given plane tickets, a limited budget and two weeks to identify a suitable location. No security briefing, advice or guidance is given.
Whilst walking along a street one is stabbed and robbed at knifepoint, two are kidnapped, one is hospitalised due to pollution problems and the other flies home and resigns.
Do you think Company X acted responsibly and exercised an appropriate level of duty of care? Did it achieve its objective of finding accommodation? Or is it going to survive the number of civil court cases that it is going to face from staff and families?
4. Improved Security. Employees that are aware of the security risks that they or the organisation face are better able to support the organisational security efforts and help reduce loss or harm to assets. Instead of the organisational security management being left solely in the hands of the security department/team the workforce can be empowered through a security education programme to play a proactive part in protecting the organisational assets. For example, a thousand pairs of eyes observing a building is better than one pair of eyes looking at a thousand CCTV cameras, also an access control system will not identify somebody ‘tailgating’ an employee into a building; but a security educated employee knows they are able to challenge somebody not wearing a pass.
Is security education only suitable for war and conflict zones?
Not at all, although not having an educational programme in these areas could result in criminal negligence on behalf of an organisation. A security education programme is usable anywhere and by any sized organisation. The only real changes are the levels of security education needed to meet the security challenges that exist. As with most security measures the organisational risks need to be understood so that effort at the development stage is not wasted and is being correctly channelled. In many cases the “what and where” factors; what the organisation does and where it does it are cornerstones of understanding the threats faced by an organisation and its employees.
Security threats such as burglary or fraud in the United Kingdom can be just as crucial to an organisation’s survivability as a terrorist attack in Peshawar. Educating employees about the threats enables individual and organisational steps to be taken to avoid, reduce or take a positive action (i.e. closing a window before going home) irrespective of where it is located.
You said that security education programmes can help families; how?
Any advice or guidance that you give an employee about how to avoid being the victim of crime is transferrable from the employee to their family. Telling the employee not to walk by themselves at night in a dangerous part of a town is equally as applicable to other members of their family as it is to the employee. Likewise advising an employee that there has been a spate of armed robberies in a certain part of the city allows them and their families to avoid the area; thereby reducing the security risk.
Where families accompany employees on overseas assignments it is vital that they are included in any security education programme. I would go as far as to say that an organisation has a legal responsibility to ensure that steps are taken to protect families from security threats. One of the easiest ways to achieve this is through security education. In this context security education can take many forms including briefings, explaining known or suspected risks, any protective security measures that are in place to protect them, i.e. burglar alarms, the provision of a driver or even a security information booklet.
One of the main benefits of including families in security education programmes prior to and during overseas assignments is that they are able to arrive having been empowered with sufficient information to avoid or mitigate identified threats. For the organisation this normally has an added benefit in that the employee is able to concentrate of the reason for the assignment; their work.
Security education programmes are a cost effective security measure that are easy to implement by any organisation and provide the biggest ‘bang for the buck’ of any security programme; and they do work! I have established security education programmes from Colombia to Kazakhstan and have repeatedly seen the benefits in reducing the organisational and individual security risks whether from loss, harm or damage. I have witnessed the effectiveness of security education programmes in saving lives, avoiding conflicts and protecting buildings from protesters.
So next time you are reviewing your security strategy take a second to think about the benefits outlined above, it does make sense.
Please click here to return to the main blog page.