John Pistole is a former administrator of the United States Transportation Security Administration (TSA) and a former deputy director of the Federal Bureau of Investigation (FBI)
It’s hard to believe we’re staring down the end of another year – and 2022 is already shaping up to be one unlike any other. For many workplaces and industries, there’s still a feeling of starting anew after suffering so much disruption through most of 2020 and 2021. From a security standpoint, much about the year ahead is going to be like the past two years – planning and being ready for the uncertain.
Evolution of challenges and threats
As people physically return to offices in 2022, there are challenges and opportunities when it comes to safety. Most organizations have had a year (and in many cases more) to review previous protocols and think about how to revise them to meet today’s new work environment, risks and threats. In addition, the fact that most organizations are welcoming employees back in a staggered or hybrid fashion means they can test new approaches and collect feedback and data from smaller, more manageable numbers.
On the other hand, challenges and threats have evolved. For example, in years past, companies that rent office space in a high-rise could rely on security provided by the building management. That approach needs to be reconsidered given the impact the pandemic has had on commercial real estate and the need (or lack thereof) for sprawling office space.
On the threat side, experts worry we will see an uptick in workplace violence as more Americans go from working at home to back in the office. According to the Society for Human Resource Management (SHRM), one of the key reasons behind the anticipated increase is that many workers continue to struggle with physical, mental and emotional stress stemming from the COVID-19 pandemic. Retired FBI agent Terri Patterson, a psychologist and principal at Control Risks, reinforced this when he said, "I do firmly believe that we're still in that space where we have a workforce that is really vulnerable right now. We do believe that a stressed population is more vulnerable to becoming disgruntled or aggrieved."
In response to these changing challenges and threats, I anticipate more companies recognizing the need to take security measures into their own hands. For mature companies, this shouldn’t be much of an issue; they’ve likely already addressed security as a corporate priority, and, as a result, included it in their annual budget. For a lot of start-ups, though, security might not have ranked high on the priority list, but will begin to move as employees and customers start demanding a safer environment. With the threat landscape changing every day, no company gets a pass when it comes to thinking about – and prioritizing – digital and physical security.
Risk mitigation, not elimination
Every chief security officer (CSO) is worried about access control, from both inside and outside the workplace. As people return to the office, security personnel need to make sure they’re managing risks with a risk-based approach. For example, how can they make sure people with authorized access should continue to maintain that access?
On the physical security side, it’s imperative today’s CSOs and others charged with their organization’s security are planning with these new threats in mind. For example, an employee with authorized access on Friday is arrested over the weekend for domestic violence comes to the office on Monday. What is the protocol?
No matter the size of the organization, any multi-person company needs to have a strategy for security; and that strategy should be focused on mitigating, not eliminating, risk. After all, eliminating risk is a fool’s errand; it’s impossible. But having a solid and comprehensive plan for risk mitigation that is reviewed and revised on a regular basis is a must-have for any company doing business in 2022.
One way to get started is to figure out what the biggest threats are and then identify the areas that are most vulnerable. Once that’s done, you can employ mitigation strategies or identify existing opportunities.
Immediately following the September 11th attacks, for example, many of the risk mitigation strategies centered around travel. The threat of another attack resulted in strengthening vulnerable areas in aviation, like increasing the number of federal air marshals, reinforcing cockpit doors, and differentiating passengers from high- to low-risk.
Public perception: risk vs. benefit
There is an element of convenience involved in getting people on board with security measures. When it comes to being screened, people don’t want to be inconvenienced. They don’t want invasions into their privacy or to have their movements tracked, but they do want to remain safe when they get on a flight, attend a concert, or go to work.
For the security industry, that means finding a balance in how safety and protection is offered and the impact that has on people who are not a threat.
In my experience working for the Transportation Security Administration (TSA), that really comes down to the messaging, and how the measures are presented to the public. There is no one-size-fits-all solution – what works for one industry does not always work for others. Sometimes that has to do with cost, but sometimes it has to do with what’s practical in each setting. For example, airports must have multiple layers of security, many of which require people to stand in line to go through screening. Travelers know that in order to mitigate the risk of an attack happening on a plane, they have to deal with a bit of mild inconvenience. People going to work in an office are unlikely to weigh the benefits and risks the same.
For businesses and security personnel, it’s important to remember that people need to understand that there’s a trade-off in what they are willing to accept in order to remain safe. As safety and security technology improves, we are seeing more and more companies not only recognize this delicate balance, but finding ways to meet safety demands plus expectations for a seamless and convenient experience.
It is difficult to anticipate what lies ahead as we emerge from such an unpredictable two years. But we can take what we do know and use that to figure out what is most likely. For example, we know to be alert for domestic terrorism, which the FBI deems a persistent threat. And the rising rate of cyber terrorism provides a good indicator that money spent on digital security and protection is a wise investment.
The only true "known” is that risk knows no boundaries, and it can’t be completely eliminated. But it can be prepared for, and the organizations that are constantly assessing risk are the ones that will be most ready for what might come.