I’ve been involved with security, risk assessment, and management in some shape or form for over 20 years. Whether dealing with geopolitical risk, terrorism, corporate risk, school safety, security, or the protection of valuable assets, almost half of my life has been dedicated to these industries and their innovation. I’ve put together comprehensive strategies and plans while trying to fix acute and specialized problems. I’ve always approached complex problems with simple and practical unconventional wisdom and a great sense of humility. I tried to balance a realistic view of failures with the hope that society will learn from mistakes and be collectively safer as a result. My view has primarily been more pessimistic, but based on the events of 2024, I will be dismayed if we still can’t learn from stark failures.
This article will take you through some significant security lapses and events of the year with a brief analysis and a practical assessment of the main root causes and the associated wake-up call on what to do about it. The intent is not to cast blame or put down the parties involved but to objectively reflect on what could have been done differently so these issues can be avoided in the future. I am not coloring in any party lines or selectively targeting specific groups, but the truth requires some discussion. We are actively working towards fixing problems and challenges in the security industry and will continue to help in that vein as security risk management consultants and risk technology companies. The goal is for all security and risk professionals and lay people to take this analysis and recommendations seriously.
The Trump Assassination Attempt
Event: The Republican candidate for president of the United States was nearly shot in the head by a would-be assassin near Butler, Pennsylvania, on July 13th, 2024.
Main risk management failures: There were several here, but the main ones dealt with poor inter-agency communication, poor threat vulnerability assessments, a lack of coherent drone strategy, improper security operational planning, rehearsals, and overall risk assessments, and a lack of crowd-sourced or OSINT intelligence collection capability.
Wake-up call: In this age of technology, it is not difficult to solve most of these failure points. However, the main wake-up call is that prior planning, risk intelligence, and comprehensive risk management cannot be a footnote and must be the most prominent aspect of a security plan. Had the Secret Service established a proper security management strategy for this event, this assassination attempt would never have happened: the assailant would either never have attempted it or have been apprehended quickly before taking the shot. Governments cannot assume they have everything covered, and private security must learn to work better with government-related events when required. Interagency ego and lack of communication will ensure these types of occurrences persist.
The Resurgence of Ransom Attacks
Events: Depending on what data you look at, there has been an increase of between 60% and 300% in ransomware attacks globally. Roughly 1 in 10 businesses are impacted, and brute force attacks are also rising. Even a well-respected consulting company was hacked, leading to negative reverberations throughout the community.
Main risk failures: Poor company security culture, human risk factors, lack of risk intelligence, poor dark web scanning, insufficient vulnerability analysis, and reaction-based risk management budgets.
Wake-up call: The rise of cyber attacks is not going to subside. Governments can’t keep up, and methods are only getting more sophisticated. This is not even considering quantum computing capabilities coming soon to a hacker near you. You might be the next victim if you don’t get the proper assessments, build a coherent security risk management strategy and plan, and monitor like your company’s life depended on it.
The Rise of Theft
Events: Car thefts and other types of property theft are up by at least 10%, depending on who you ask. Denver took the lead as the car theft capital of the United States. Retail establishments have had to close their doors or radically alter their geographic footprint, mainly because of losses to larceny. A recent study showed a 93% increase in shoplifting incidents from 2019 to 2023, with a 90% increase in dollar losses. Shoplifting statistics continued to rise in 2024. Many companies have relegated their response to locking everything up in cages, creating more friction and reduced revenue for retail buyers.
Main risk factors: Lack of risk and threat assessments during planning/investment, minimal physical security budgets, poor security quality and training, absent trend monitoring, lack of threat environment monitoring, weak preventative measures and education, lack of security technology, poor security strategy and optimization preceding implementation.
Wake-up call: The economy is a significant indicator of crime rates and increased organized crime. The housing market, inflation, and social welfare programs are all integral to the recruitment efforts of criminal organizations or crimes of economic desperation. It is essential to understand that there are not many positive indicators here and that crime rates, already high, are not likely to drop. The rise of extremism may also lead to more targeted crimes and property destruction. Take this seriously; conduct the assessments for a strategy to protect assets, prepare the proper budget, and execute to avoid severe losses residentially and in business. Innovative businesses, using security as a lever toward risk ROI, can differentiate and outperform with the right risk intelligence.
The Murder of a CEO
Events: On Dec 4th, 2024, an anti-corporate/health insurance extremist murdered the CEO of United Healthcare on a New York City street. There are indications that United Healthcare considered an increase in security budget and/or presence months prior and that the CEO had received threats. It is unclear how the company handled its risk management and the totality of security lapses related to this protective failure, but it suffices to say the result could not have been worse.
Main risk failures: Some of this is conjectured with the recent event, but one can surmise that the following breakdowns in risk management probably occurred. These included poor travel risk management, poor risk monitoring and response to identified threats, lack of physical security based on the nature of threats, poor overall security risk management strategy, and inappropriate security budget in the context of the threat environment.
Wake-up call: As rare as executive murders are, we live in a charged political context domestically and abroad. When proper vulnerability assessments and profiles are completed, they contribute to a coherent security risk management strategy. In some cases, when a vulnerability assessment is completed, the business fails to act on it or alter security. Risk intelligence improperly acted on becomes a liability and preventable loss. Security and risk executives must be empowered to insist on budgets and effective implementation strategies when the risk becomes intolerable and must be managed, mitigated, or removed. Unsurprisingly, this event was avoidable.
School Shootings in 2024
Events: There have been at least 971 school shootings in the US in 2024 alone. The numbers continue to persist despite national and global exposure and funding, countless “experts” advising, and attempts to limit gun sales. In many cases, these shootings happened off of the main campus or exploited significant security vulnerabilities or oversights.
Main risk failures: There are many persistent security issues still facing schools, but we will isolate a few here: 1) Poor consulting work with a lack of emphasis on comprehensive risk management, 2) Ineffective and incompetent school security budget governance, 3) Lack of proactive human risk monitoring and communication, and 4) a complete ignorance of how environmental and community threats impact what happens on campus. There are many more, but this would be a good start. Problems usually start with a lack of a competent security risk management strategy.
Wake-up call: This one is easy. Stop hiring former police officers, insurance personnel, or school admins to consult on risk management and set up your security risk management plan. This is a specialized skill set, and it requires comprehensive vulnerability and risk assessment modeling to be completed. No offense to most police officers or insurance reps (they have important places in society), but they don’t usually have the skills needed. At some point, you need to define insanity and do something else. There are many good SRM experts, unconventional security and risk intelligence leaders, and progressive risk management experts. Stop hiring cops to do work they don’t know how to do. Additionally, private schools must be held to a minimum risk management standard and pass these criteria to stay in business. You cannot open a restaurant without passing cleanliness scores, and you should not be able to teach or care for kids unless you can adequately protect them.
Conclusion
We must stop demonizing vendors and consultants who care enough to innovate and are trying to develop solutions and approaches to mitigate the above failures. Quietly tip-toeing around these realities will only ensure that nothing changes. We have been programmed to believe that capitalism is somehow greedy and that we should be sensitive to failures in security and not take advantage of the business opportunities they bring. I agree that a certain level of respect and sensitivity must be in place, but many people build businesses with purpose and passion. It is not always about money, even if it sometimes becomes a factor. As a society, innovators must step up, be heard, and be supported to show merit and opportunity for change. In many cases, like those outlined above, changes must be made now.
– Toby Houchens, CEO and Founder