We’ve all heard the old adage that security is like an onion. For it to be effective, it has to be layered and applied layer by layer. Well, while true there is something far more important than just making it layered. When describing their onion, security professionals will describe one of the following. When they say “layered” they mean that the layers consist of the four D’s – deter, delay, detect and defend. Or they mean that the layers are overlapping, for example, a CCTV is installed and then there is a procedure for the guards who are monitoring the camera to follow when something out of the norm is spotted. And still others will say, what they mean is that there are four lines of defense or layers to almost every physical asset (building).
Let’s look at each of these ideas independently and collectively.
The four D’s
First, what is deterrence? It is the use of technologies, simple or sophisticated, to keep a potential “bad guy/gal” from doing something bad. We usually do this with a sign, a fence, security lights or some form of technology. Hopefully that will be enough of a deterrence. When we think it won’t do the trick, we add delay; i.e., distance, fencing with barb wire, something that will slow them down enough that we can observe them while they attempt to overcome whatever it is that we placed in their way. We use delay in order to give ourselves more time to observe behaviors. Observation is the detection piece, if you will. We want to observe everything and then we’ll decide what is good or bad. When good is detected we allow the person to access the door or the ATM machine. When bad is detected we don’t dispense the money or allow them to gain entry. When the rules aren’t followed, some type of defense is required; such as, password reset or try again later. And, if there is still an issue the help desk or systems administrator or a guard shows up.
A Comprehensive Approach
Those who say a layered approach means having a comprehensive strategy, where every part of the security program is overlapping aren’t entirely wrong. Plans and policies, drills, exercises and training, the use of electronic technologies and non-technologies, must be in place in order to bring the different layers together. Not only should the guard force be trained but so should the staff; routinely but not excessive and taking a variety of formats and time; i.e., pop-ups on the computer, role-playing exercises, and with and without first responder. The reliance of electronic technologies cannot be overstated – this reliance if it becomes burdensome will cause it to be non-effective. When security is a tax people will figure out how not to pay it. Hopefully good inhabited space design was a consideration during new construction or a recent retrofit and it augments access and circulation control. Not all breaches of security require security force intervention; a friendly reminder from a colleague or a supervisor may be enough to nip it in the bud before it becomes part of the culture.
Most physical assets will have one to four layers; 1 – the property boundary, 2 – an enclave perimeter, 3 – the façade or “envelope” and 4 – any internally controlled spaces that have restricted access. Not all will have a layer two or four, and sometimes layers one and three are the same (a building in Manhattan where the door is the property line). In any case, and regardless of which layer is present the four D’s must be used at each layer. Each one gives us another opportunity.
There are two things to remember; 1) all security measures can be defeated because there’s an inherent vulnerability somewhere, and 2) the goal is to “sauté” your strategies so that mitigation resembles a mixture of caramelized onions that aren’t crunchy but are full of flavor and melt in your mouth.
By combining all three of these concepts, you will have “onion breath” and everyone will thank you for it.
Doug Haines, MPSE, is owner/CEO of Haines Security Solutions, Ventura, CA.