by David Pounder and Brett Zupan
This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report, distributed on 14 August 2019.
During the aftermath of any suspicious activity, emergency, hostile event, or disaster is a prime opportunity to examine organizational incident response procedures for any potential weakness. When weaknesses are identified, the solution may require a change in procedure, but many times will simply require more intentional training regarding established procedures – whether the procedures changed or not.
Over the past few months there have been several hostile events which organizations can draw from to assess their own security preparedness. Specifically, there were several incidents where effective training was credited for saving potentially hundreds of lives. Training is one element of the preparedness cycle and of an effective risk management program. Training is also a challenge for many organizations in terms of resources, time, ability, and effectiveness. However, well trained people and prepared organizations are better positioned to respond to events and potentially save lives, such as were the cases in the Walmart incidents in El Paso, Texas and Springfield, Missouri as demonstrated by store employees and alert bystanders. In a time when threats are evolving daily, training is essential in fostering staff (and to some extent volunteers and visitors) who are alert, aware, and security-conscious. Effective training is also an important investment in people that benefits every organization and person in the long run.
In August, during the course of one week, there were threats at eight different Walmart locations around the US.
Walmart embraces the training philosophy. Walmart employees undergo active shooter training during orientation and afterwards on computers four times per year. The company had done annual active shooter training until the Las Vegas attack in 2017, at which time they increased it to quarterly. Reassessing risks and preparedness are important to do periodically based on evolving threats and after notable events.
As exemplified in the above events, employees often represent the first line of defense, and in some physical security situations, they may be the first to make contact with a threat. Effective emergency preparedness means that everyone knows what to do when an event happens. The situation is already stressful, but lack of training will create confusion and add to the chaos. Regardless of organizational size or staff composition, every employee and volunteer has a role in the organizational security and preparedness plan.
Who to Train: Everyone – full-time, part-time, seasonal, organizational leadership, administrative, facility staff, volunteers and remote workforce. Every employee within an organization should be required to complete organization-wide mandated training. Faith-Based Organizations (FBOs) may also want to consider training members who regularly attend services, and potential higher-risk targets. With the number of attacks against FBOs during service hours, it is important for congregants to be aware of the emergency preparedness plan and what to do in exceptional circumstances. This should account for those with special needs or otherwise requiring assistance.
What to Train: “What to train” will vary for each organization and should be informed by the organization’s risk assessment, primary areas of concern, and available resources. Training focus could be broken into three phases or stages: mandatory/baseline, reinforcement, and enhanced.
Baseline/Mandatory Training. General training for all staff. Many people may arrive at your organization with a baseline knowledge, but organizations should ensure general training is completed in accordance with each organization’s unique policies and procedures. Baseline training should be provided during the hiring/onboarding process before new staff are granted access to any physical or computer assets.
Reinforcement Training. This builds upon Baseline Training and includes workplace training and refreshers at regularly scheduled intervals. This also represents training unique to a specific team or function within your organization and can be focused on a specific job or skill set.
Enhanced Training. Organizations need to critically assess and identify gaps in current training and provide opportunities for more specialized/advanced topics and training exercises. Through the assessment, you can identify gaps and propose solutions to leadership for consideration.
When to Train: Timeframes will vary, but the key is making training a routine part of the organization’s culture. It’s important to have a clearly established training calendar. Even if the organization uses online/automated training, it is still important to have training modules planned out to ensure staff completion. Ideally, this calendar will be part of a multi-year preparedness plan.
In the end, training does not take away from time on the job – safety and security directly impacts all jobs and should be required for all organizations. Some considerations for developing a training program:
- Leadership Buy-In. Creating a culture of security must be demonstrated from the top.
- Tailorable. Training should be creative and tailorable to your specific organization and employees.
- Where appropriate, integrate online training. To promote accountability and comprehension, it is encouraged to incorporate short quizzes to reinforce key elements of training.
- Delegate responsibility. Make training an extra duty/responsibility “as assigned.” This will provide staff goals and additional criteria to evaluate performance.
- Integrate relevant topics and real-world examples. No one wants to sit through “death by PowerPoint.” Make training engaging by integrating real world examples and inviting guest speakers.
- Lessons Learned/After Action Reviews. It’s important to identify successes and failures and adjust accordingly.
David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues. Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations. He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA. Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.
Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.
Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!
- Donate to FB-ISAO today and help us execute our mission!
- Interested in sponsoring FB-ISAO, or our 2019-2020 FB-ISAO Workshop Series? Read more here and contact our team for more information!
- Learn about our Membership Programs
- Learn why your FBO, charity, or non-profit should join FB-ISAO
About our Vetting Policy
About the Traffic Light Protocol