The tragedy at Virginia Tech has renewed debate about risk mitigation as a science and in practice. Numerous experts have been quoted in the press and appeared on TV in support of the Virginia Tech Police Department’s response to the incident. Virginia Tech president Charles W. Steger defended the university’s handling of the tragedy, saying: “We can only make decisions based on the information you had at the time. You don’t have hours to reflect on it.” Shortly after the events, criticism emerged from other experts on how this emergency was managed from the lack of vigilance of a troubled individual on campus, to preparedness planning, response and communications.
We reached out to leaders in our industry for their thoughts if better preparedness might have made a difference at Virginia Tech as well as whether strategies will change toward prevention (i.e. security investment) in the university community specifically and our industry at large. Check this month’s News & Analysis for more information.
It is important to review recent history. In 1987 the term, “workplace violence” did not exist. The understanding that high risk, high threat workplace situations existed was known within small circles of our industry, but it was not recognized as an issue requiring intervention. That changed when the National Institute for Occupational Safety and Health published its ground breaking study in 1988 citing violence as the Number 1 cause for death among women and second cause of death among men (after automobile accidents) at the workplace.
The combination of liability, reputational risk and activism by victims and their families led to today’s policies including background checks on criminal, financial and prior employment histories. In addition, an increased focus on behavioral indicators and early intervention programs (such as EAPs) has emerged.
Yet, while everyone commented there is no silver bullet to eliminate the risk of another Virginia Tech-type tragedy, all felt more could have been done on the side of prevention and intervention. The concept of “Both And” simply states that neither prevention should be relied upon in lieu of response nor should adequate response planning reduce the importance of a prevention strategy in any organization.
We received insightful and experienced response from those we asked and here (collectively) are their thoughts.


  • Employers require background screening. Why not universities? It makes sense after these recent events that a person’s history be investigated pre-admission to a college or university.


  • The four steps for security strategy include:
  1.     Prevention
  2.     Intervention
  3.     Emergency response
  4.     Disaster recovery

Virginia Tech began with step 3. Most respondents noted that their response plan was not adequate. Further, as the crisis unfolded, the administration reached wrong conclusions and then initiated and inadequate response. Lessons must be learned from their decisions, including not notifying everyone on campus (using a system such as Send Word Now); not locking down the campus; not escalating the campus wide security search and by holding a press conference without adequate planning and information.


  • Physical security information systems (See the Vision Column in this issue), video, access control and analytics have the ability to capture, analyze and alert security to irregular activities as well as capture critical information about an event.
  • Could the D.C. snipers been stopped if the two gas stations where shootings occurred had cameras? No. So how do you use cameras to secure an entire campus? Technology is part of the solution, but not The solution. 


  • Regulation is not a solution; rather it is a knee-jerk reaction that would give a false sense of achievement and improved security. Avoid regulations.


  • Would additional planning and investment work? Most felt universities would review their current programs, rubber stamp them as adequate and make no changes as they believe the odds of a similar event on their campus is very remote while also hoping, “Not Here.”
  • The truth is that you will not know if your security fixes will work until the next event takes place, but you have the moral responsibility to try.
What do you think? Let me know