We ended 2024 on a sour note. In early December the CEO of one of the largest insurance carriers was murdered in the early morning hours as he arrived at a Mid-town hotel in Manhattan to kick off an investor day. A few weeks later we would ring in the new year with two separate and apparently unrelated attacks in Las Vegas and New Orleans. The former the result a veteran suicide while the latter a clear act of terror.  All three incidents are incredibly tragic and leave a wake of pain and frustration that not only impacts the immediate families; but extends out to multiple communities and the nation itself.  

Though all three investigations are ongoing, and there remains much to do to flesh out the circumstances of each incident and to sort out accountability and provide some semblance of understanding, I believe all three incidents were avoidable.

Much of the media has focused on the incidents themselves–– regurgitating every aspect of these incidents. Perhaps they believe by dissecting the tactics, techniques and tools used to carry out these acts of violence we can gain a better understanding of who to blame and present the public with a quick fix on how to prevent these incidents from transpiring in the future.  

However, as security and risk practitioners, I suggest a different approach. An approach that raises a mirror up to our industry––that forces us to acknowledge what we all know to be true: all three incidents were preventable, and the root cause of each resides in our fundamental understanding of information, or lack thereof. 

If I’ve learned anything in the last three and a half decades in this space, it’s that a lack of information or the disregard of existing and available information gets people killed, and unnecessarily so.  

There have been a host of talking heads over the last four weeks who have espoused the lack of executive protection for CEOs, the failure to implement bollards to restrict vehicle access, or the failure to address veteran suicide (which continues to rise). And each of them is correct in pointing out these shortcomings; however, none of these actions would have 100% assured the public these incidents would not have occurred.  

What could have and should have prevented these acts of violence is a thoughtful and intentional approach to what I often refer to as “watching the dials”.   

By example, if we look at what transpired in early December in Manhattan, some will suggest the CEO’s risk profile was low. He was well liked, and as such, his company believed an increased security posture was either not necessary or or was entirely unconsidered. However, they failed to realize a CEO’s risk profile is always tied to not only his respective organization, but to the industry as well. As such, if one had focused on the “right” dial, it would have been immediately apparent there was/is a wave of negative sentiment focused on insurance carriers because of a perceived lack of coverage by some of their insured.

This singular data point related to negative sentiment should have provided enough impetus to harden the CEO’s itinerary, agenda, and security posture––removing the likelihood that he would find himself on December 4, 2024, walking alone to the hotel at 06:45 AM in the morning. Had he simply not been on the street, the shooter would not have access to him.  

The tragedy in New Orleans was equally avoidable. Could bollards have prevented the assailant from driving down Bourbon Street? Absolutely. However, a determined attacker, as terrorists are, would have merely chosen another populated street to unleash mayhem.  

What we’ve learned since the attack is that prior to the incident, the assailant was transparent and open, posting online about his radicalization and his intention to inflict harm on innocent people. Who was watching the dials? And if we were watching; were we watching the right ones?  

If social media giants can employ sophisticated algorithms that push content to each unique user to trigger or entice a commercial transaction, surely, we can expect those responsible for safeguarding the public to harness the same algorithmic attributes to highlight potential threats that blatantly espouse a desire to harm innocent people.  

The Las Vegas incident was also preventable. As more information is made available, it’s becoming evident that warning signs were missed or ignored, and as such, an opportunity for intervention was missed. 

In short, I’m challenging us, as security/risk practitioners, to focus on situational awareness at all levels within an organization: from the tactical, to the strategic, and everything in between. We’ve become over-reliant on checklists; we need to challenge preconceived notions of risk and find the relevance to an organization, a business unit and even to the Office of the CEO. Protection details, bollards, and eight-foot fences can be effective tools; but as an old mentor of mine once said, “show me an eight-foot fence, and I’ll show you a nine-foot ladder”.