Richard Diston, on behalf of the Security Institute, discusses strategies to tackle the complex issue of school security.
Security operations in educational environments are a complex challenge, requiring a robust strategic approach. The interplay between social, legal, technical, emotional, operational and ethical factors can present a significant headache to educators and their administrators, many of whom may not be particularly well versed in the world of security. Further pressure is added through limited financial resources and the use of education as a political tool. Finally, the task of planning security in educational environments makes it necessary to concentrate on scenarios that are often unthinkable and the pressure of ‘getting it wrong’ can take a toll on people whose primary career choice did not include learning how to manage such situations. Schools, colleges and universities in the UK all need clear, rational and practical advice on securing their organisations, and while such advice is extremely valuable, it does come at a cost that many simply cannot afford.
Like any organisation, an educational establishment needs to take the first step with a security strategy. This will be a formal document that outlines the context of security, describing what it means to the organisation and what it is intended to deliver. Without this, there can be no rational business case for any security purchasing decisions. The formal strategy will first assign an ‘owner’ of security who is likely to be a senior figure, and go on to define the ‘security risk appetite’ for the organisation: the level of risk that it is prepared to tolerate. This will naturally lead to a register of the assets that are to be protected and the nature of the threats that are perceived.
The primary consideration has to be the legal duty of care that the organisation holds. This is not just the safety and welfare of the students, but also that of the teaching and support staff. Then there is the security of the physical assets within the site itself, such as computer equipment. Finally, there is a real threat to the data that the organisation holds. Information security is a significant problem, whether we are talking about the protection of student and staff personal data from theft, the protection of organisational financial data or preventing enterprising students from illegally accessing the systems to change their grades.
All of this needs to be defined within the security strategy so that it can be prioritised and budgets allocated before solutions are sought. Threats should be split between internal and external, allowing clarity for what is genuinely within the control of the organisation. All this then should be documented in a risk and threat register which will be the basis for all security countermeasures.
Understanding the threats
Once the security strategy is in place, the next logical step in the process is to understand the nature of the threat to the organisation and its users. This should take the form of an internal incident review first, where reports are assessed from previous events for trends. It is all too common for serious and semi-serious events to be written off as ‘part of the job’ and ‘normal’ when in fact they are indicators of failing organisational systems and processes. An unknown third party being able to gain access to the site is not a random event but an indicator that the perimeter and access controls are not working as they should, for example.
Once the internal reports have been analysed, there is benefit in performing a crime mapping exercise for the site. This should take into account the major routes into the teaching site so as to extend our protection to all service users when they are outside the gates. If we focus on security purely within our organisational perimeter, we won’t see a problem until it arrives at our doorstep. An example might be to perform a crime mapping exercise of the local bus station that many students may use to get to our site, so that we can warn them to remain vigilant and adapt their behaviours. While historical data cannot help us predict the future, it can help us perceive our current state of fragility and work to reduce it.
Policies and procedures
Once the strategy is defined and information has been gathered both internally and externally to support security decisions, the next step is to review the security policies and procedures at the site. This review is essential as it is entirely foreseeable that some policies may be written by well-meaning but ill‑informed people in response to a particular set of circumstances without due consideration for their unintended wider consequences. Where evidence indicates that a policy or procedure is not fit for purpose, there needs to be an appetite for review and an acceptance that security and risk is a constantly evolving area where there is no room for dogmatic defence of ‘the way we have always done things’. The quality of our security is only as good as the quality of our thinking, after all.
Policies should certainly include a requirement for reporting of all incidents of aggression where there is an escalation concern, and this can tie comfortably into the PREVENT and safeguarding strategies which already raise awareness of undesirable behaviours and the identification of indicators that a safeguarding response is required. Safeguarding policies should certainly extend to the staff, who should also be considered to be vulnerable people by virtue of the client-facing nature of their roles.
There should already be standard procedures for incidents like fire evacuations, gas leaks, and serious injuries, however there is a necessity for a set of procedures that address threats that are derived from human actors. This might include a response plan for a suspicious individual seen filming outside the site, or it could be the process for dealing with a parent who has arrived to collect a student who is the known subject of a custody dispute. There should certainly be plans for responding to a hostile third party within the site (whether an angry parent or a complete stranger), and this should be tested alongside other evacuation and response procedures.
It may help to consider separating the procedures into three distinct categories: each site should have three ‘postures’ which demonstrate the levels of awareness and action. The first is ‘peace-time’ which reflects simple, day to day operations. Then at the other end of the spectrum, there is the ‘response’ posture where something is actually happening and procedures are being implemented (such as an evacuation, for example). The middle posture is ‘alert’ where there is no recognisable threat but information has been received that requires further attention. It is certainly worth acknowledging that the way that the security procedures are designed and implemented will have a significant effect on the security culture at the site, and, done poorly, can create significant legal risks to the organisation.
On site security measures
The next step is to review the security measures at the site. This should include the physical security, security systems, IT systems and an assessment of any security guarding contractor who is engaged. It is undesirable for educational premises to take on the characteristics of prisons, and certainly there has been discussion in some places around the installation of walk-through metal detectors as seen in the US. All decisions on physical security and ‘target hardening’ need to be reflective of the levels of threat that have been ascertained, and care needs to be taken that money is not wasted on ineffective purchases that actually harm the organisation. One of the most important decisions is around the engagement of private security guards.
In the UK, contract security operatives require a Security Industry Authority (SIA) licence to practice. To get this, they need to take a short course, pass exams and undergo identity and criminal records checks. Much has been written about the quality of the initial training, which has been recognised by the security industry itself as being largely sub-par. Further, the criminal records check done by the SIA does not include the higher level check that the person is not listed as unsuitable for working with children or vulnerable people. Security employers are already struggling with low margins and are unlikely to perform this additional, more expensive check themselves without prompting. The performance of security in educational establishments at security guard level is a challenging one and the current training simply does not provide the skills and knowledge that is required. A full review of the skills and knowledge of any security officer (as well as their management) is therefore essential.
A final consideration would be to reach out and partner with other organisations in the area. This should definitely include forging a strong relationship with local police teams, and there is real value in seeking out counterparts in other local educational organisations who hold a security remit. In this way, both intelligence and best practice can be shared, and it may even be possible to negotiate better rates from security suppliers by working together.
Once all this is done, there needs to be a structured approach to training and testing in an ongoing cycle of continuous improvement. Security is not a ‘one size fits all’ function, and it is easy to get wrong. Security operations that might be perfectly suitable in an airport may not be appropriate for a shopping centre, for example. Security can also be said to exist on a sliding scale with personal freedom. The more security procedures, equipment and personnel are brought to bear on a location, the less freedom the users of that space may feel they have. A heavy handed approach to security is usually inappropriate and expensive, both in terms of the financial costs and the costs to the organisational culture. Getting it right in an educational environment is therefore critical to the development of a healthy working culture. A key aim should be that security is not a department, it is an organisational responsibility that is shared by everyone: staff and students alike.
Richard Diston MSc MSyI is the director of Astute Training and Consulting and is currently studying for his Professional Doctorate in Security and Risk Management (DSyRM) at the Institute for Criminal Justice Studies at the University of Portsmouth. He has extensive experience in security and risk management and has consulted with organisations as diverse as care homes, educational establishments and national retailers.