Was the Capital Gazette Shooting a Reminder of Security Responsibility?

On June 28, 2018 at 2:40PM eastern time, shots rang out at the offices of the Capital Gazette; a local newspaper covering Annapolis, Maryland. The shooting resulted in the deaths of five people and injuries to two others who worked at the paper who were reportedly shot by a suspect identified as Jarrod Ramos of Laurel, Maryland. Predictably, the shooting triggered a media firestorm speculating numerous possible political motives for the shooting, as well as rumors that Ramos mutilated his fingertips to avoid identification and the possibility that it was a coordinated attack on the media, resulting in preventative sweeps of newsrooms in Baltimore, New York and Washington.

After the dust settled, the Capital Gazette shooting ended up being yet another horrific case of workplace violence, resulting from a long-term feud that Ramos had with the paper. Ramos, triggered by losing a defamation claim against the Capital Gazette over their coverage of a domestic harassment case against him, carried out the shooting as an act of revenge. While Ramos is being uncooperative with law enforcement, the many reports of his fingerprints being mutilated have been debunked, as well as any political motivations and possible coordination with other attackers. Reportedly, Ramos used an unmodified shotgun in the attack, and while reports emerged of his having smoke grenades, none of the victims recalled him using any.

So given the absence of the usual media sensationalism and shift to wedge issues experienced after an active shooting, America could use this attack as an opportunity to examine an employer’s responsibility relative to the safety and security of their staff and visitors.

On a positive note, the Capital Gazette shooting showed that, on a public level, public agencies that train effectively for these types of incidents can respond quick enough to save lives. The shooting prompted a combined response by both Anne Arundel County and Annapolis City Police, with officers arriving in just one minute from the first calls for service. Ramos was caught on scene with the weapon without shots fired, nor any officers injured. Employees were then evacuated from the building with hands raised above their heads, with subsequent sweeps for additional attackers and possible devices by police. The Capital Gazette, while grieving the loss of five of their colleagues, was not deterred by this cowardly act of violence and put Friday’s paper out on time.

So what can we learn from this attack? Like all others, this shooting could have possibly been prevented, if not mitigated, by the adoption of basic corporate security best practices on the part of the Capital Gazette or its parent company; the Baltimore Sun. The Capital Gazette’s offices were in a mixed-use office building, which is common in many American workplaces. In my threat assessment experience, most businesses who rent space in mixed use buildings take no further responsibility for security measures in their workplaces than what measures are offered by property managers.

When speaking with corporate leaders, many I interact with have a narrow view of corporate security as someone with grey pants and a blue blazer greeting people in the lobby, or recently more as a data security professional. However, an effective approach to corporate security includes the appointment of an enterprise-level executive who understands the physical, cyber and investigative threat profile faced by their organization.

At issue with the threat of workplace violence is the question over who has the responsibility to detect threats and secure the workplace effectively. Normally, public and media scrutiny after an attack gets directed toward law enforcement response and/or those close to the attacker. The Capital Gazette attack, however, shows a long history of vitriol, litigation and threatening communications from Ramos, which resulted in no increases in security, restraining orders or reports to law enforcement.

This need for threat detection is highlighted in a June, 2018 FBI report that studied the 63 active shooters from 2000-2013, including the 2012 Sandy Hook Elementary School shooter, in which four or more people were killed indiscriminately. The report states: “What emerges is a complex and troubling picture of individuals who fail to successfully navigate multiple stressors in their lives while concurrently displaying four to five observable, concerning behaviors, engaging in planning and preparation, and frequently communicating threats or leaking indications of an intent to attack.” The study also said: “In the weeks and months before an attack, many active shooters engage in behaviors that may signal impending violence”.

This illustrates a clear gap in the private, routine detection of potential security threats. While the common layman’s perspective is that it’s the government’s responsibility to identify and stop these threats, there needs to be a systematic method for detecting and reporting these behaviors before an attack. In a free society, there is no “big brother” that is culling through millions of social media posts and private communications to identify those that signal a potential threat. Workplaces of all kinds need to have people in responsible charge of security who lead both physical and investigative elements to act on threats identified by employees. The FBI report clearly states, “While some of these behaviors are intentionally concealed, others are observable and — if recognized and reported — may lead to a disruption prior to an attack.” If security industry best practices are applied to threats leading up to attacks, steps would have been taken at places like the Capital Gazette and Marjorie Stoneman Douglas High School that possibly would have prevented the senseless loss of lives.

In this day in age, employers can no longer subscribe to the irresponsible “it can’t happen here” approach to workplace violence threats. On the safety side, we have business continuity plans and drills for fires and natural disasters that may never happen, but we still plan for them on a routine basis. While we all hope that it will never happen to us, the standard-of-care in workplace safety and security has changed with the rise of active shooter incidents. Therefore, employers need to seriously consider the cost of inaction in weighing the pros and cons of upgrading your corporate security posture.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.