I’m writing today to respond to the very immediate incident of an ex-employee who shot and killed 5 former co-workers.  You can read about the story here: http://www.cnn.com/2017/06/05/us/orlando-fatalities/index.html

It’s so unfortunate when these types of things occur, but these types of events are exactly the reason that organizations like Centripetum are working hard to promote good risk management practices, and not just ‘cybersecurity’.

You can classify these kinds of events as ‘insider threat’, ‘physical security’, ‘domestic terrorism’, or even ‘human resource management issues’ for all I care, but at the end of the day it doesn’t really matter how you classify them, because they are so incredibly difficult to predict and so incredibly devastating.  Consider for a moment that the person in question was fired in April, only to return in June.  That kind of delay is really worth considering, since it means that a planned defensive posture (even if it could have been somehow predicted and taken following the employee’s termination) would likely be relaxed after that much time.

It’s hard to know what to do.  At the end of the day, no business wants or needs a culture of paranoia, otherwise it would feel like a most unwelcoming environment for customers and employees alike (ask anyone who works on a military base how friendly going to work feels each day).

Instead, my suggestion is that a response protocol and plan needs to be prepared when it comes to the addressment of disgruntled customers or employees.  In my risk management reality, an active shooter plan presented to employees should be just as much a part of training and incident response as the other policies and procedures they must know how to follow.

And for the cynics, I’ll be clear: unless you can implement robust physical security, I agree that most plans are unlikely to actually stop a determined active shooter.  On the other hand, it’s a fairly nominal investment in a little training and awareness, with maybe a few extra controls (e.g., designated safe rooms with deadbolts).  If it provides your employees with an opportunity to save even one additional life, in my book it’s well worth it.