The Need to Overcome the Lack of Security Operations Center and Interoperability Capabilities for an Active Shooter Incident
Abstract
In an active shooter incident, a coordinated response from first responders is critical to effectively manage the incident and optimize the safety of all involved. Accurate intelligence and data are the key – getting the right information, to the right people, at the right time for informed decision making. This paper will discuss the benefits of developing Security Operations Center capabilities and greater Interoperability between all stakeholders for enhanced response capabilities.
The Need to Overcome the Lack of a Security Operations Center and Communications Interoperability Capabilities for an Active Shooter Incident
By Louis Barani
SS & RC, Inc.
A Risk Consulting Company
The Need for a Security Operations Center Capability
In an active shooter incident, a coordinated response from first responders is critical to effectively manage the incident and optimize the safety of all involved. As a nationally accepted tactic[1], arriving law enforcement become the contact officers and proceed into the area where they believe the attack is taking place to engage/neutralize the shooter. This must be conducted in less than an average of 10 minutes per incident. It is a dynamic scenario which requires immediate action by law enforcement personnel in a rapidly evolving and life-threatening situation. And it is not as easy as it sounds – if the shooter is moving, the shooter’s location is not known or there are two or more shooters – all complicating variables. At this point, law enforcement must decide on appropriate tactics, methodology and immediacy while waiting for as much current intelligence as possible. But how is information passed to the contact officers so they can better understand shooter description(s), current location/direction, casualties and safe/cleared areas, and how is this information vetted, managed and appropriately applied and disseminated – when seconds count?
As a follow-on to the initial actions taken by contact officers, a responding law enforcement supervisor will immediately declare and establish Incident Command[2]. This process, which is also nationally accepted, immediately establishes an incident commander and command post to facilitate communication and decision-making. This includes coordination of law enforcement, medical teams, and other emergency services to ensure a unified approach. Law enforcement officers will typically prioritize neutralizing the threat and securing the area, while medical teams will prepare for rapid triage and treatment of casualties. Establishing a secure perimeter around the scene and directing incoming personnel efficiently will help manage the disorder and ensure that critical resources are deployed where they are most needed. Effectiveness and best-case coordination are predicated on the conditions that everyone involved in the response has interoperability; the Incident Commander and first responders have comprehensive situational awareness; and all have a common operating picture of the attack environment.
Additionally, the school controls relevant and response-applicable data from access control, video surveillance, shot detectors and other security technology. This data has the potential to simplify location of the shooter(s); determine safe/cleared areas; locate casualties for immediate attention and locate students sheltering in place. However, since there is no security operations center at the school where this information is managed, the data is confined to each respective technology system and the Incident Command post does not have feeds from the school to leverage this data. Except for occasional feedback from contact officers and 9-1-1 calls, there is no situational awareness and no common operating picture for first responders – which these security technology systems have the potential to provide.
Lastly, some schools have engaged the services of a School Resource Officer. During an active shooter incident, a resource officer plays a critical role in ensuring safety by quickly assessing the threat, engaging the shooter if trained to do so, and coordinating with law enforcement and emergency responders. They are responsible for securing the area, implementing lockdown or evacuation procedures as needed, and establishing a perimeter to control access. Additionally, the officer provides first aid, supports and comforts victims, and communicates essential information to authorities, parents, and the public. After the incident, they participate in debriefing sessions to evaluate the response and assist in the community’s recovery. Responding law enforcement would benefit greatly if they had the capability to communicate with a trained resource officer actively involved in the incident as they respond. Coordinated interoperability between the contact officers, Incident Command and the resource officer(s) would greatly support a more efficient and rapid engagement of the shooter.
Based on these conditions, there is a significant absence of well-defined intelligence for first responders in an active shooter situation. However, there is a potential to mitigate these conditions with strategic planning, integrating the right technologies and providing enhanced response capabilities to first responders and stakeholders.
Security Operations Center Capabilities and Benefits
The capabilities and benefits a Security Operations Center (SOC) can provide are numerous, and a SOC can play a crucial role during an active shooter event by providing several key benefits:
- Real-Time Monitoring and Response Coordination: SOCs are equipped to monitor security feeds and communications in real time. During an active shooter event, this capability allows them to provide immediate updates and situational awareness to first responders, security personnel, and management.
- Centralized Information Hub: SOCs serve as a central point for gathering, analyzing, and disseminating information. This ensures that all relevant parties receive accurate and timely updates about the situation, which is critical for coordinating an effective response.
- Communication Management: SOCs can manage internal and external communications, ensuring that information is consistent and controlled. They help in coordinating between different teams (e.g., law enforcement, emergency services) and managing public announcements or notifications to employees.
- Incident Tracking and Documentation: During an event, SOCs keep detailed records of all activities and communications. This documentation is vital for post-incident analysis, investigations, and legal proceedings.
- Coordination with Law Enforcement: SOCs can work closely with law enforcement agencies, providing them with access to video feeds, building layouts, and other critical information that can aid in their response efforts.
- Crisis Management Support: SOCs support crisis management teams by providing them with actionable intelligence, helping to manage resources, and supporting decision-making processes during the incident.
- Automated Alerts and Notifications: Many SOCs are equipped with systems that can automatically trigger alerts and notifications to employees, guiding them on safety protocols and evacuation procedures.
- Resource Allocation: SOCs help in managing and allocating resources efficiently, ensuring that personnel and equipment are deployed effectively to address the situation.
- Continuity of Operations: By managing and mitigating the immediate impacts of the incident, SOCs help organizations maintain business continuity and manage the aftermath of the event.
- Training and Preparedness: SOCs often conduct training exercises and simulations for active shooter scenarios, which helps in preparing staff and refining response strategies before an actual event occurs.
In summary, a SOC enhances the effectiveness of the response to an active shooter event by providing real-time situational awareness, coordinating communications, supporting law enforcement, and efficiently managing resources and information.
The Need for Interoperability
In an active shooter incident, interoperability refers to the ability of various emergency response agencies and units to effectively communicate and coordinate with one another despite differences in their communication systems, protocols, or organizational structures. This capability is crucial for a swift and effective response, as it ensures that law enforcement, medical teams, and other responders can share critical information in real-time, synchronize their actions, and make informed decisions. Currently, achieving interoperability involves implementing standardized communication systems, joint training exercises, and protocols that facilitate seamless information exchange which would enhance the overall efficiency of the response and improve outcomes for those affected by the incident.
Since the terrorist attack on September 11, interoperability has been one of the key challenges for emergency response and incident command as well as managing situations like an active shooter incident. The National Commission on Terrorist Attacks Upon the United States[3] (9-11 Commission Report) highlights significant challenges for interoperability and areas for improvement in emergency response coordination during critical incidents. The report reveals that many agencies experienced difficulties in sharing real-time information due to incompatible communication systems and fragmented protocols. These interoperability issues led to delays in response times and inefficiencies in managing the situation, as critical data was often not disseminated quickly or accurately among responding units. The findings emphasize the need for adopting standardized communication technologies, enhancing cross-agency training, and developing unified protocols to ensure a more cohesive and effective response in future emergencies. The Department of Homeland Security established the Office of Interoperability and Compatibility (OIC) based on this and other reports. The OIC’s focus is supposed to be on enhancing communication and coordination among federal, state, local, tribal, and territorial agencies. Its mission is to improve the effectiveness and efficiency of emergency response through the development and support of interoperable communication systems[4].
And yet, as recently as the assassination attempt on former President Trump in July of 2024, interoperability issues[5] are still at the forefront of coordinated law enforcement responses. This challenge is still evident in the after-action reports of active shooter events as well.
Interoperability during an active shooter event can significantly enhance the effectiveness of the response and ultimately save lives. Here are some key benefits:
- Improved Communication: Different agencies and units can share information in real-time, which helps coordinate actions and ensures that everyone has access to the same situational awareness. This includes police, fire, medical teams, and other emergency responders.
- Coordinated Response: Interoperability allows for a more unified approach to managing the incident. This can involve joint tactical operations, coordinated evacuation efforts, and synchronized medical triage and treatment, all of which are critical during an active shooter situation.
- Efficient Resource Allocation: Agencies can quickly identify and deploy resources where they are most needed, such as additional personnel, equipment, or medical supplies. This prevents duplication of effort and ensures that resources are used effectively.
- Enhanced Safety: By sharing information and coordinating strategies, responders can minimize risks to both themselves and civilians. For example, they can avoid accidentally engaging friendly forces and ensure that medical teams are directed to the right locations without delay.
- Streamlined Command Structure: Interoperability helps establish a clear and effective command structure, which is crucial for making rapid decisions and directing the overall response. This clarity can reduce confusion and improve the efficiency of operations.
- Public Information Management: Coordinated communication with the public can be managed more effectively, providing accurate and timely information about the situation, instructions for safety, and updates on the response. This can help to reduce panic and misinformation.
- Post-Incident Analysis: After the event, having interoperable systems allows for better data collection and analysis. This can be used to review the response, identify areas for improvement, and develop better strategies for future incidents.
Overall, interoperability ensures that different teams and agencies can work together seamlessly, making the response to an active shooter event more effective and potentially saving more lives.
Considerations for Mitigation of these Conditions
The narrative above demonstrates the information and communications “stovepipes”[6] which are inherent in almost every active shooter event, and describes the benefits that enhanced security operations center capabilities and communication interoperability can provide to overcome them and leverage these critical sources of intelligence. Information stovepipes refer to the segmented and often inefficient flow of critical information among various responding agencies and units. These stovepipes can severely hinder coordinated responses, as they create barriers between law enforcement, emergency medical services, and other support teams including school officials and administrators. This condition often leads to delays in communicating critical intelligence and in informed decision-making. When information is trapped within isolated channels, it prevents a unified approach to managing the crisis, potentially escalating the situation and impacting the safety of both victims and responders. Effective incident management requires overcoming these stovepipes through integrated communication and technology systems and regular stakeholder coordination to ensure timely and accurate information sharing and response.
Since schools and many organizations are not normally budgeted or resourced for a full-fledged Security Operations Center, the next practical step is to design a capability that maximizes existing resources while addressing critical security needs. This process should emphasize the integration of essential technologies, customization to fit the specific environment, and the establishment of a resilient framework to respond effectively to incidents, particularly active shooter situations. This can be achieved using a virtual SOC capability – Gabriel Protects. https://www.gabrielprotects.com/
The platform is a smart incident prevention and management solution which enables a ‘virtual security operations center’ (Virtual SOC). It is specifically designed to be an instant response system for active shooter situations. The software suite enables any public space to prevent and respond to threats faster by seamlessly connecting all responding stakeholders within a single information distribution system for situational awareness and a common operating picture.
Practical Integration of Advanced Technologies
An effective SOC requires the integration of various technologies to enhance real-time communication and situational awareness. To achieve this the system provides:
- Instant Situational Awareness: Leveraging existing video surveillance and providing low-cost options for adding ‘eyes and ears’ inside the scene is essential for understanding what threat exists, where it is, where medical attention is required, and other time-sensitive decisions to save lives when seconds matter. This visibility also prevents the greatest danger of incident management – chaos.
- Unified Communications: Ensuring all responders and stakeholders, including the location’s own first response team and law enforcement, are connected through a unified system. By integrating existing communication tools like mobile devices, Gabriel creates a common operating picture and communications channels that are essential during emergencies, ensuring that all parties receive synchronized information.
- Early Detection: Empowering your people with early tip-off tools in the event that they see something suspicious, and utilizing AI-powered analytics to spot danger earlier has proven to save lives in countless incidents. Pulling this information into the ‘Virtual SOC’ means security teams can instantly review the alert and determine whether it’s a false alarm, escalate to an emergency, and determine what type of emergency action should be initiated with one-touch options.
Fortunately, these capabilities are no longer an unaffordable aspiration for institutions or organizations with insufficient budgets.
Customization Within Existing Constraints
Customization is critical in environments where budgetary resources are limited. This solution is designed to be flexible and scalable:
- Tailored Solutions for Specific Needs: Understanding that each institution faces unique security challenges is essential. Whether it’s a school, corporate office, or government facility, the software is customized and the SOC capabilities designed to meet the specific needs of the environment, ensuring effective monitoring and response protocols that address distinct threats.
Data-Driven Decision Making When Seconds Matter
Making informed decisions quickly is crucial. Automated workflows and maximizing existing data streams can provide:
- Automated Alerts and Emergency Flows: The technology utilizes automated systems to initiate critical workflows and guide security personnel in making swift, evidence-based decisions, a critical capability during high-pressure situations.
- Integrated Data Management: Smart data partners like Davista AI transform existing data into automated alerts and action. From internal communications, access control systems, environmental sensors, and threat detection tools, there is a wealth of data that can be leveraged to detect and create a comprehensive view of any situation.
Training and Preparedness
The power of any system is only as good as the ease of use under pressure and muscle memory built before a threat arrives. Leveraging this tool includes the additional benefit of onboarding and training with best practices, including:
- Empowering one-touch alert tools
- Establishing internal response teams
- Pre-programmed workflows for multiple emergency types
- Automated alerting and law-enforcement connectivity
- Simulations and exercises for resilience and training
- Launching drills and simulations on-site or remotely
- Tracking performance of drills and exercises
- KPI management
These exercises should be focused on enhancing coordination, communication, and decision-making skills, ensuring that Virtual SOC personnel are well prepared to respond effectively without incurring prohibitive costs.
In summary, while many schools and organizations may lack the resources for a traditional SOC, the platform offers a practical and affordable solution. By focusing on the strategic integration of technology, customization to meet specific needs, data-driven decision-making, and continuous adaptation, the software enables organizations to create a robust security framework that enhances their ability to respond to critical incidents, ultimately protecting people and assets effectively.
The information, suggestions and recommendations contained herein are for general informational purposes only. This information has been compiled from sources believed to be reliable. Strategic Security & Resilience Consult, Inc. does not address every possible loss potential, law, rule, regulation, practice or procedure. No warranty, guarantee, or representation, either expressed or implied, is made as to the correctness or sufficiency of any such service. Reliance upon, or compliance with, any recommendation in no way guarantees any result, including without limitation the fulfillment of your obligations under your insurance policy or as may otherwise be required by any laws, rules or regulations. No responsibility is assumed for the discovery and/or elimination of any hazards that could cause accidents, injury or damage. The information contained herein should not be construed as financial, accounting, tax or legal advice and does not create an attorney-client relationship.
Copyright © Strategic Security & Resilience Consult, Inc. All rights reserved.
SS&RC. 12AUGUST2024
[1] Los Angeles County Sheriff’s Department, Active Shooter Response Tactics, Deputy John Williams, https://info.publicintelligence.net/LAactiveshootertactics.pdf
[2] Incident Command: Capabilities, Planning and Response Actions for All Hazards, Center for Domestic Preparedness, https://cdp.dhs.gov/training/course/MGT-360
[3] National Commission on Terrorist Attacks Upon the United States, https://9-11commission.gov/report/
[4] DHS Science and Technology, Office for Interoperability and Compatibility, One Pager https://www.cisa.gov/sites/default/files/publications/FinalUpdatedOICOnePager.pdf
[5] Tech Failings Plagued Secret Service at Trump Rally, C. Ryan Barber and Sadie Gurman, Aug. 2, 2024, https://www.wsj.com/us-news/tech-failings-plagued-secret-service-at-trump-rally-49d2286e
[6] An information or communication “stovepipe” refers to a situation where information flows in a narrow, isolated channel without adequate sharing or integration with other parts of an organization or system. This term is often used in organizational contexts to describe inefficient or siloed communication that hinders effective decision-making and collaboration. In such a scenario, departments or teams may only share information within their own group and fail to communicate or collaborate with other groups, leading to redundancy, missed opportunities, and a lack of coordination. Addressing stovepipes often involves improving cross-functional communication and creating systems that facilitate the flow of information across different parts of an organization.