Dilettantes and agenda-driven executives ignore this for reasons of naivete or self-dealing: Security at times needs to occur in a particular sequence to maximize protective value. Indeed, this sequence can be like a telephone number, where the only way to get through is to dial all the right digits in the right order. There is little value in getting the numbers right but the sequence wrong. Where do we see this phenomenon at work?
Bomb Threat Checklists
What is the first question a well crafted security checklist would have you ask the person calling in a bomb threat? If it is either of these, then the architect of the checklist is not a security professional:
- What is your name?
- Why are you doing this?
Such questions waste precious time, making the caller defensive or inviting a diatribe without arming defenders with any immediately actionable information. Instead, what a security professional wants asked right away are questions that lend themselves to meaningful response, like
- When is it going off?
- Where is it?
- What does it look like?
In fact, the answer to the first question may well dictate whether the person taking the call stays around long enough to wade through the entire checklist. If the bomb threat checklist begins with questions that are emotively charged or otherwise take the dialogue in a direction other than one that allows finding or assessing the immediate threat, you may safely bet that this checklist is the product of a committee or rear-echelon staffer far removed from real-time response.
Critical Asset Protection
The same phenomenon applies on a larger scale when taken to the prevention vs. prosecution debate. If your prime objective is to protect people and property, you soon learn that you earn your salary not by catching adversaries after they have inflicted losses but by preventing those losses from occurring in the first place. True enough, apprehension and prosecution remain important societal objectives, linking crime to punishment and serving to throttle the baser impulses that, unchecked, might give rise to a world dominated exclusively by predators and societies marching daily by starkly Darwinian notions of survival. But a public safety objective is not necessarily the same as a security objective -- particularly if the security objective is to protect a critical asset. In the latter case, the management decision boils down to this: Do I apply my resources to catching the people who annihilate my employees and cripple my operations, or do I focus those resources on preventing such consequences to the best of my abilities?
The obvious answer is the latter. The right answer is more nuanced, seeking out a hybrid approach that really amounts to getting the sequence right. First prevent. Then respond, to at least limit the damage to the extent possible. Then worry about apprehension and prosecution. To do otherwise may nevertheless deliver societal value and validate the existence of organizations optimized to chase more than to interdict, but their objectives are not security objectives -- at least not as far as concerns the people, assets, or operations targeted. The dead, bankrupt, and leveled find small comfort in the eventual revelation that the agent of their destruction did not get away with it.
-- Nick Catrantzos