Author’s Note: This article is a little outside our standard fare here; however, we felt this was important and would be both of interest and of use to this audience. Your students’ thinking is usually going to be far more valuable than their shooting, especially for armed professionals.
By now everyone in America, perhaps the world, knows the basic details of the horrific event that occurred this past weekend in Las Vegas, so I will not repeat them here. As more information has begun to emerge over subsequent days, one of the things I find stunning, even as a security professional who has run emergency response programs (and therefore would at least like to think that I have a somewhat tempered outlook on “realistic” response), was the timeline of the incident. Specifically, the part where the shooting started…then just kept going.
Before I get critical, let’s be clear: the fault for this atrocity lies with the coward and murderer who perpetrated it. Nobody and nothing else. Unfortunately, in the security industry, dealing with other people’s messes is our business. It’s why we exist.
Also, for the purposes of this article, I’m not interested in, and am not going to engage on, the tactics or decisions of the first responders on the ground. Anybody can armchair quarterback somebody else to death, especially without really having all the facts. Besides, from the details of the Sheriff’s recent news conference, everything sounded pretty solid. While learning from events is crucial, and critical analysis extremely useful, I don’t have access to any information with enough detail or quality to even attempt something like that. And, if I did, I would not disseminate it in this type of “open source” medium.
The first responders and tactical commanders on the ground are not the issue here. The security managers and planners are.
In an October 3rd article in the Las Vegas Review Journal, Pat Christenson, president of Las Vegas Events, while speaking of changes to protection in the future, said, “…security personnel may have to expand their thinking…we’ll have to look even beyond the perimeter of these events.”
Security professionals would be expanding their thinking by looking outside the perimeter they directly control?
Later in the article, Danny Zelisco, an event promoter who works on the Las Vegas Strip, says that, in the future, “…security systems may need to be tweaked.”
He goes on, “…you can’t possibly prepare yourself for this…it’s like defending yourself against an earthquake.”
Hold the phone. What?
Anticipating and mitigating against, frankly, the inevitability of a direct-fire weapon system being employed against a time- and place-predictable, immobile, soft, high-value target from an elevated position is unrealistic? It’s equivalent to defending against an act of God, like an earthquake?
The Las Vegas shootings were certainly an act. However, while I certainly can’t speak for Him, I’m willing to bet that God had nothing to do with it.
Let’s frame this another way.
Security managers and planners in 2017, at one of the highest profile locations on the globe, after 15 years of multi-theatre warfare against terrorists who are in love with mass murder, symbolic statements of violence, and who are hell-bent on striking civilians within the United States; against a backdrop of multiple mass murder attacks carried out domestically over recent years using firearms; and with recent news reporting that over two thousand terror investigations are currently underway domestically at the Federal level, have routinely, on pre-announced schedules, been packing tens of thousands of people into an ingress- and egress-controlled fishbowl that is dominated by a key terrain feature consisting of dozens of floors of uncontrolled—and uncontrollable—terrain, all within effective point-target small arms range? And, they’ve done this without even considering the potential security impacts this presents, much less employing countermeasures?
In an October 4th New York Times article, Louis Marciani, director of the National Center for Spectator Sports Safety and Security, was quoted as saying, “There’s no way any good operation would have caught that. We’ve now got to go back to the drawing board.”
Really, Louis? You think so?
If you’re speechless reading this, you should be. It is beyond stunning.
This wasn’t a “Swiss cheese” event, where many points of failure line up to produce a tragedy. Contrary to what industry security professionals are apparently claiming, neither was this an unthinkable or unforeseeable act. Hell, it wasn’t even creative. It wasn’t application of some new and misunderstood technology. It wasn’t a technical exploit of tools and systems that few people really understand. It wasn’t bad policy directed by bureaucracy, hamstringing operations, nor was it refusal to implement recommendations from security professionals. It also wasn’t “only money,” or “only property.” People died, a lot of them—and it could have been much worse.
This was an inevitable event, with more than ample precedent, that is anticipated and countered at least dozens, if not hundreds, of times per day by security teams around the globe.
Yet, in this case, there was but a single countermeasure in place – the innate psychological resistance of a potential attacker to carrying out such an act. In other words, security success with respect to this risk depended entirely on the innate goodness of man.
This begs the awful question, why? What has the security and risk management industry become? And how did it get there?
Have we collectively morphed into little more than a slick collection of clipboard-carrying, keyboard-punching pogues who coordinate logistics, fill out checklists developed by somebody else, install camera systems so we can see what went wrong after the fact, write procedures nobody reads, and give the same PowerPoint presentations over and over again, justifying success mainly based on being the lowest bidder and because nobody actually attempted an attack?
Are we too insulated and sheltered in our bubbles of technology and layers of paperwork to look out the window and connect with the very real risks that are all but slapping us in the face until after it’s too late?
Apparently, yes. Maybe that’s harsh, but I don’t care. Shame on us.
If you’re a security manager thinking, But, what could they have done? Stop right there. You have a serious knowledge gap—and you need to fill it.
I won’t discuss tactics here and, in any case, if I claimed to be a SME in this particular area of tactics and countermeasures, I’d be lying. I’m not; however, there are plenty of people out there who are. If this sort of thing may be a risk faced by you or your organization, you need to go find some of them, posthaste. I’ll give you a hint. A good place to start is by looking for combat arms veterans, with combat experience, and drilling down from there. It’s not the only place to find those skills, but it’s a good one.
The same New York Times article referenced above also quoted Chris Robinette, the president of Prevent Advisors, a security advisory company for sports and entertainment venues, as saying, “There’s no manual for this.” And he, at least with respect to providing security, is correct. There is, however, a “manual” for how to figure out doing it effectively each time.
A personal pet peeve is hearing people start a planning session or procedure development project by saying, “We don’t need to reinvent the wheel here.”
Actually, you might. If you don’t dig in and find out, how will you ever know before something goes wrong? Checklists are good tools, I like them. I develop them for specific areas of risk, and I think they are good references. Previously developed plans and procedures can also be useful; however, these things are only as good as the assumptions, terrain, and risks they were based on. Using a standard checklist or security protocol from another venue, event, or mission can always bite you because different environments, different objectives, and, frankly, different assets to protect, are going to lead to different threats that require different countermeasures.
Some of the most catastrophic security incidents I’ve ever seen directly resulted from “lessons learned” from one environment being applied in a different one, where they should not have been. This led to disasters that were completely predictable and avoidable, had somebody only understood how differing circumstances impacted the risk.
If you’re a security manager or event planner thinking, But, how could they have known? Read on. That I will discuss here. The security industry apparently needs to learn the same lesson as the surface navy right now. In short, it needs to get back to the basics.
Here’s the Twitter summary: Before applying your model of protection, do terrain and threat analysis.
This might sound complicated, but it doesn’t need to be. There are a lot of ways to approach doing this, some harder than others. Fortunately, there’s no need to create anything new, or to get really fancy and sophisticated. The military has been doing risky things for quite some time, and has developed some pretty good tools for assessing and addressing threats, tools that are simple enough for even us knuckle draggers to figure out.
Let’s look at a few of them.
When you assess risk for your operations or organization, do you analyze the terrain? I’m always amazed at how few people do this. It doesn’t have to be physical terrain either; there are plenty of ways to frame this component of assessment.
Let me make this as plain as I can:
If you’re not doing a dedicated terrain analysis as an integral component of assessing and managing risk in your operations and organization, you’re wrong—and you’re probably a lot more vulnerable than you know.
How can you assess terrain? The military has a simple tool. It’s gone through some variations over the years but I’ll use the old-school version here: KOCCOA.
Key Terrain – What are the important and significant features of the operating environment (like a 30+ floor building overlooking your entire venue—for instance)? These can also be features within a system, if you’re analyzing a communications network, for example. How might these terrain features impact an attacker’s capabilities? How might they impact yours? Please notice, many of these are going to be, by definition, outside the perimeter.
Observation and Fields of Fire – Can anyone think of an example of how this might apply? Over the years I’ve been told several times when working on threat assessments in the private sector that people in the civilian world get too frightened and intimidated by this so we can’t use it. Apparently, that’s accurate. Evidently a lot of security professionals are also too frightened and intimidated by the words in this component of terrain analysis to use it. Hopefully that stops, starting right now. Can anyone imagine standing in that venue for an assessment, thinking “hmmm, observation and fields of fire?” And not seeing the risk exploited here? Does anybody think these are all inside the perimeter of a venue?
Cover – Stops incoming. Remember, this works both ways. In 2017, don’t ignore the tech and commo side here—if that’s in your wheelhouse. Again, inside and outside the perimeter matter.
Concealment – Obscures or prevents observation. Perimeter? You guessed it…
Obstacles – Seem self-explanatory? Maybe. It’s important to understand what you’re trying to stop from moving when you’re looking at these. People? Vehicles? Swimmers? Electronic signals? Don’t get trapped into looking at a single point of focus either. These can work both ways, like in Las Vegas. If there’s an obstacle to getting out—it might increase the necessity of preventing and mitigating risks that are specific to being inside the venue. Reference the point below—do obstacles outside the perimeter matter? You bet.
Avenues of Approach – Please note that, by definition, these are pretty much going to be outside the perimeter. The concept is fairly self-explanatory but, again, don’t get tunnel vision on single types of risk here. Threats and people are not the only things impacted by terrain.
The next component is threat analysis. There are a lot of models for this. Here we’ll keep it simple. Again, the military has some great tools so let’s stick with the old-school version of one of the most fundamental tools for analyzing a mission, METT-T.
This age-old acronym stands for Mission, Enemy, Terrain (see above), Troops (your security team and resources) and Time. For threat analysis, I’ll drill down a bit into the “Enemy” component here.
I generally find it helpful when doing threat analysis to separate “enemies” into three general categories. The first is non-people stuff, like fires, power outages, etc. The second is specific threats made against a venue or asset — usually based on some sort of intelligence. The third is generalized threats, for which I find it useful to use motivations and objectives as segregators.
For example, a professional thief working for paid industrial espionage has different motivations and objectives than a petty thief seeking small cash for his next fix. These allow you to make useful assumptions about the subsequent criteria.
What are those other criteria? The three most important are:
Capabilities – What can this threat do? What resources does it potentially have access to? What skills does it have or have access to? Who does it know? What is this threat willing to do?
Limitations – Is there anything this threat can’t do? Any resources it doesn’t have? Anything it’s not willing to do? Warning: a fundamental rule of threat analysis is to never assume away an enemy capability.
Potential Courses of Action – What are the possible things this threat can do to mount an attack, based on the assessed motivations, terrain, capabilities, and limitations?
That was a “quick and dirty” overview of some simple methods for terrain and threat analysis.
These tools aren’t on a tablet, internet enabled, part of an app, buried in software, fancy or complicated—but that’s kind of the point.
They may not have a fancy label, a snazzy business card, or some cottage security industry tagline like “active shooter” attached, adding an air of specialization and exclusivity to them (also kind of the point); however, they are simple, they work, and had they been used, there’s a pretty good chance Las Vegas would have looked a lot different last weekend. The attack may even have been prevented altogether via deterrence countermeasures or other means.
These planning and analysis tools are taught to every soldier and Marine who attends the school of infantry, and many others besides. (I was a ship driver in the Navy before going the security route.) Hundreds of thousands, if not millions, of people know them and how to use them.
Why, then, do these simple precepts seem to be an utter mystery to so many senior people in the event and venue security industry and law enforcement—people who are responsible for protecting tens of thousands of lives on a daily basis? I’m sure these folks are very good at specific security functions like crowd management and logistics coordination; however, how can they be so far off base when it comes to understanding and applying the most fundamental tenets of the analysis that underpins effective security operations?
Surrounding this entire, horrific circumstance, however, one thing is not: it is long past time that we in the security profession get back to the basics.