I’ve worked in the security industry for several decades but there was always one conundrum that I couldn’t explain. Why aren’t best practices always practiced?

It seemed to be counterintuitive. I’m not saying that security practitioners are doing things that are wrong. Rather, there are better ways of doing some things. I think I finally figured it out. Looking to the natural world, many creatures herd together for the protection provided by being part of a large group. This is true for wildebeest, herring, geese, butterflies, horses, cattle and countless other animals.

Isn’t it reasonable that humans would have the same innate instinct for self-
protection?

Most men – virtually all men – wore hats until the mid to late 1950s, and then they suddenly stopped. Some credit John F. Kennedy with having struck the death knell for hats because he didn’t wear one to his inaugural in 1961. Yes, I do know that a lot of body heat is lost through the head; but with the exception of very cold climates, hats don’t serve much of a purpose and certainly not in major temperate cities for people who work indoors. So why did men wear hats for many decades?

They wore hats because everyone else wore hats.

There are echoes of a Gary Trudeau’s Doonesbury comic strip of many years ago. The first panel shows a Congressman praising a young man for a creative and marvelous suggestion he submitted. The praise is effusive. In one of the last panels, however, the older politician says that “we, of course, can’t do this. It’s never been done before.”

There is immense comfort and protection by staying with practices and conventions that everyone knows. This is what is commonly dubbed conventional wisdom. I prefer to call it the “herd instinct.”
Not to get too literary for a security audience, but I am reminded of a poem, the Eagle and the Mole by Elinor Wylie.

“Avoid the reeking herd,
Shun the polluted flock,
Live like that stoic bird,
The eagle of the rock”

So what are some of these best practices that are being ignored? Let’s look at a few.

IDENTIFICATION BADGES

The standard ID badge is the size of a credit card and has a photo of the badge owner that usually measures about an inch square.  It would take the eyes of an eagle for a security officer or co-worker to match the photo with the person wearing the badge at a distance of five or six feet.  I am reminded of my time at CIA Headquarters many years ago.  To quell occasional boredom, some “techies” got a little frisky and counterfeited a CIA badge.  They inserted a photograph of a bunny with pink ears and labeled it Agent 007.  It was two weeks of daily use before the miscreant was finally caught by a CIA security officer.

Most specialists agree that the photo image should be double in size.  Why not fill the entire badge with an image.  If a badge is lost, most agencies and companies don’t want any identifiable information on the badge other than perhaps a P.O. Box, anyway.

LOBBY SECURITY STATIONS

How many office buildings have you seen where the security station is installed in a kiosk or counter in the center of a busy lobby? The desk attendants are constantly distracted by visitors with questions. Would-be criminals can easily determine what kind of security the building has. In the worst cases, the security video monitors are behind the console operator. Put the security console in the least rentable space and out of sight.

DESIGN-BUILD PROJECTS

Costs are the chief determinant in the design-build process.  These contracts tend to be fixed-price deals.

It is obvious that the construction company’s profits increase if the building can be built below the construction cost estimate.  They cut corners and prefer price over quality.  I recall one occasion when a general contractor directed me to stop rejecting a security subcontractor’s incompetent shop drawings because it was affecting the project schedule.  My experience is that design-build projects end up costing the building owner more than traditional design-bid-then-build projects, and often end up in litigation.

REQUEST-TO-EXIT (REX) SENSORS THAT UNLOCK DOORS

If an exit door is along a heavily used corridor, REXs that have been configured to unlock a door allow a would-be intruder to wait at the door until someone inside passes by. Electric strikes allow free exiting at all times.  The REX should be configured to only suppress an alarm each time an authorized exit occurs.  With rare exceptions, they should not unlock.  Besides, it’s redundant!

SECURITY VIDEO/QUAD-DISPLAYS

A lot of bleeding occurs at the cutting edge of technology.  These devices are still called “Quads” because when they were introduced into the market only four scenes were inserted.  Today, a video display multiplexer can place numerous camera scenes on a single monitor, to the point that the console operator sees little detail. Moreover, if poorly specified, the individual windows show jittery and jumpy motion, making matters worse.

SECURITY VIDEO/WALL OF MONITORS

Unlike honeybees that have hundreds of facets in their compound eyes, humans can’t effectively watch more than about nine to 12 video monitors.  Despite that, video walls of 30, 40 and even 50 or more, monitors are not uncommon.

SECURITY VIDEO AUDIO-PANNING CAMERAS AUTO-SWITCHING MONITORS

Related to the poor practice described above, console operators working an eight hour shift (a problem in itself) cannot “see” anything if the scene is constantly changing and/or switching, particularly if there is continual pedestrian traffic.  Console designs should be based on a “passive” layout and all security video should be event-activated.

ACCESS CONTROL/NOT PREVENTING TAILGATING

If a single door can be tailgated, especially fire exits used by smokers, the entire access control program is jeopardized.  In my experience, the vast majority (my guess is 90 percent) of office buildings (governmental and commercial) are vulnerable.

PIR BLINDING

Although using glass to blind a passive infrared sensor (PIR) is a fairly rare attack method, manufacturers can fix this shortcoming easily and inexpensively. The detection logic should generate an alarm if the sensor suddenly stops seeing infrared energy beyond three microns of wavelength.  So why don’t they do it?

This is only a sampling of ignored best practices.  I could go on for many pages.

Consider eight hour console shifts, pick-ups pulling wire through conduits, building owners not contracting for construction observation services, using RG-59 coax instead of fiber optic cabling, believing that razor ribbon delays intrusions (or fences for that matter), installing electric strikes on double-leaf doors, failing to install time-delayed unlocking of fire exits, allowing 22 American Wire Gauge (awg) wire to be used, and so forth.  But, I’ll stop here for now.