Guns – Should We Allow Them In Churches?

Pistol on Open Bible (Image Source: Getty / Huffington Post)

Should We Allow Guns In Churches?

So my professional and operational answer about guns in churches is, “it depends” and I don’t have time right now to go into MY views on the PROCESS to decide which is legally, operationally, spiritually, financially a complex process, but….

Recently I was talking to some of my amazing and really smart, peers in the “church security / safety (education) industry” and read some articles and news stories on this question.

But this post is about a very small guide into the process, but I think a huge issue that I believe is missing from the conversations.  I think most (probably not all) churches are mistakenly starting with the wrong question or at a minimum are not looking at this question in an unbiased way.

Here is my thought I have had for awhile on this question… If you took the cross off your building and removed “church” from your sign, letter head, business card, and you were just a company, with a building, visitors, money, employees, other valuable assets, and people that speak in public forums….

……would you allow/want/implement guns in your company?


The process for a church and a process for a company is almost exactly the same.  Are there differences, no doubt, but these differences are probably 1% of the process, the other 99% is the same whether you are a company or a church.  You may even need to leave the property to go through the process so you are not biased based on where you are sitting.

BTW: Legally, financially, tax-wise, public relations wise, etc…….uh……news flash, you ARE a company, a VERY PUBLIC COMPANY and in the non-spiritual sense, you are a company first.

If your board is made up of business people / owners, they may be a better or at least an ADDITIONAL source of “best practices” on the PROCESS than Billy Bob’s Church down the street.

More to come on this topic, but kind-of needed to vent, hope it helps.


Integrity In My Company – Absolute or “I Hope”

Absolute Integrity

Integrity In My [your] Company – Absolute or “I Hope”

Survey 100 Top CEOs on whether they and their companies are operating with “Integrity” and publicly you will get a resounding “Yes or Absolutely”, privately, “I hope so”.  But my experience is what they are really saying is something like:

  • “I believe we are”
  • “We better be”
  • “I’m not aware of any violation of integrity”
  • “I sadly know we are not”
  • “We have an integrity problem”

Follow up Question


“Why do you believe that?”, “But how do you know for sure?”, “How do you track it, monitor it, detect it, test it, measure it?”.  The sad, but very common follow up answer is “because we have a culture of integrity” or “because we have a Code of Conduct / policy”.  I can’t tell you how many times, I have heard companies that are as young as 1 year old or 15 years old, say, “we have never had an investigation of employee misconduct”.

[Insert Humor] Last time I checked, most companies hire these interesting people called humans and suppliers/vendors that also, for some funny reason, also hire humans.

Who doesn’t put “integrity” in our policies, employee handbooks, on posters, on walls displaying our company values.

I suspect the reason we do this is:

  1. Hopefully encourage a person to act with absolute integrity today and not go down a slippery slope they may be heading towards, a good thing and it does work.
  2. Make the readers believe that integrity is not a problem here, a very, very naive belief.
  3. So we can believe that publishing will cause all integrity issues to go away so we don’t have to deal with them. A blinders / head in the sand mentality.

We all know the value of every human that impacts our company’s success when they operated in integrity, but we struggle on our response when they don’t.  “Why?” is our most common reaction.

A mentor of mine once said, many times an integrity issue with the employee, is many times a reflection more of the supervisor than the violator….part true, part deflective.

There must be a level of integrity violations that, through company culture or social culture that we allow to be exceptions to what we publish and enforce. So is there maybe a difference between “integrity” and “absolute integrity” that we have learned to accept/allow?

Stealing a single pencil from the office supply cabinet that ends up for personal usage or making 3 copies for the Boy Scouts on the company copier – does that violate your company’s definition of integrity? Or does it take 25 pencils or 100 copies?  Anyone have “limited personal use” in their policies, we didn’t have that a few years ago, why now, enforce too hard?  “Work Life Balance”?  Really.

Absolute Integrity – The real goal we seek is hard, some may call impossible, by the mere fact that we hire sinful humans (I are one). But should we water down this goal and still be allowed to shout “We are an organization of integrity!!!”

Man, some people even wrote a book on the topic: The Pursuit of Absolute Integrity (no endorsement, just interesting)

Discuss the difference at your next board meeting, ethics / compliance council, or lowly staff meeting.

Obvious note: I am far from any personal success of absolute integrity, but every morning, I wake up and before my feet hit the floor, I fight with everything I have to reach it each day.  I fail often, I strive daily, will you and your organization do the same?

Please, return to (absolute) integrity before the competition does or you are called to the table of accountability or the court of public opinion.  People are watching, especially your kids.


If you are local to the Dallas Fort Worth Area, I do a 30-45 minute challenge teaching on this topic if you would be interested for your next Men’s Church / Business Group, contact me @

Letter To My Younger Self – Pen Testing


I am working on a number of “Letter to My Younger Self” posts, so here is my first edition, kind of just my small effort to pass along some wisdom / knowledge to up and coming professionals / students in my areas of interest.  Cross Posted with my website.

My Letter About Pen Testing

Yo Gumby (one of many nicknames when I was growing up),

Hey you little punk, think you’re going to be so hot at Pen Testing? Listen Up!!

Here are just a few things I have learned from performing and being involved in what my industry calls a “Pen Test”, there are a lot smarter people in this domain than me, this is just what I have learned, in no particular order, so listen to this old geezer:

Purpose Principles

Pen Testing is about changing a client’s belief system, not about getting the trophy.  You don’t change their belief system your ROI is slim.

Make sure your audience is prepared for the results, before you sign up

The “Rules”

The top most important rules of a pen test:

  1. Defining scope / goal / “the period” / rules / time limits
  2. Getting your “Get out of jail free” Card ahead of time
  3. Providing SOLUTIONS to what you learn
  4. Make sure the right people are aware.

Pen Testing can be fun unless you break rule #1 above so have fun, but realize you are there to learn just as much you are there to “win”.  Learning doesn’t get you paid, “win” knowledge for the client, that is why you get paid.

If you get found or found and stopped, honor the defenders openly, they weren’t lucky, they were good.  Calling them lucky is disrespectful.

You break the rules, you may be a felony or at a minimum a show-off

If you can’t provide operationally practical solutions (not just more consulting hours), don’t sign up to do a pen test.

Anyone can plant a bomb or break a window or other criminal activity, if you are resorting to these type of findings, #fail

The Reality

You can test your own organization and get good results, you don’t have to hire someone, but make sure you are skilled in the art and science and techniques.

Getting found is not the same as getting stopped

Pen Testing should always include technical, physical, and human targets, tools, and techniques

Pen Testing is not about a tool, it’s about a process and skill and use of your knowledge and wisdom all rolled into one small window of time and scope.

Pen Testing is about vulnerability detection, vulnerability discovery, incident response validation, intrusion detection, intrusion discovery, intrusion prevention, security operations process validation, training, mentoring, asset discovery, supply chain security, sales (there I said it), and much more.

There may be times, where you find things so egregious, you should just stop before you reach the goal.  You may even find violations (of policy or law). Stop.

Your professor or Pen Test teacher are wicked smart people, but they are no replacement for your own studies, interning, listening, or plain ol’ hard work at 2:00am.

The Testing Ideas

Have a junior person documenting your steps and successes but don’t limit their participations, you will learn something from them, smarty pants. By the way, be glad you are that “junior person” sometimes.

Consider a strong link analysis diagram, makes for a great summary picture at the end!!

Pen Testing is not the same as vulnerability scanning, a cron job can do a vulnerability scan dude.

If you are too textbook / academic in your approach, you may miss the obvious and huge holes right under your nose.

First data acquisition target? Floor plans and company telephone directory, not a scan of an IP range. Hey what if the entire scope involves no IP addresses or URLs?

Develop a “calling card” that you place in interesting places (physically / electronically) so you can show you have been there.

Learning about the company and its structure, employees, supply chain may be much better “intel” than some vulnerability scan.

Public information like Shodan, whois, reverse phone lookups, etc. are a gold mine for intel gathering, don’t try to make this too difficult.

Conference room cabinets and trash cans should be part of the scope.

Social Engineering / Pre-Texting are great tools for pen testing, but they may be illegal, and takes a special skill, don’t use unless you are great at these tools.

If you are pen testing electronic systems, better know how to code and script things.

Watch Hollywood’s pen testing / social engineering movies to get “it worked in the movies” out of your brain: Sneakers, War Games, Catch Me if You Can, Ocean Eleven, etc.

Screen shots or calling cards or pictures are great evidence

100% “physical security” test can still be a “pen test”

The Bottom Line

Make sure you know and agree with your client on how you both MEASURE success

It is NOT about the quantity of findings, it’s about quality of solutions

If you can’t provide proof a vulnerability was exploited, it’s a theory dude, don’t use it/write it up.  “We could have gotten in”, “We found a system that is vulnerable” are not words you should be using in communicating the results of a pen test.

If you can’t find a way in or don’t get to the goal, honor the organization with a strong warning.  Pen Testing is a moment in time.

The good or bad results of your testing can very likely be out of date the second you finish your testing.

You find process problems, your solutions can provide long term value, you find a vulnerability that can be mitigated, the value of the finding could last only as long as a patch is installed (minutes).

Remember the audience of your final report/presentation will have a variety of emotions, get over it.  Some will hate you, laugh at you, appreciate you.

Want a great end report, take the stressed out sysadmin/network admin for lunch before your report goes “up the chain”. Ask him/her what resources they need you to recommend to help them.  They may know of other dark secrets that help you.

Next Steps

Just a few random thoughts young man, enjoy, retain, never stop learning

This was not training or a replacement for formal training, boss won’t pay for your training, that’s your personal budgeting problem not your boss’ problem.

Pen Testing Rule #0 is operating with ABSOLUTE INTEGRITY and total transparency (to the right people), honor people, pass out business cards, building relationships, but it’s okay having a little fun scaring the client just a little.



Travel Secrets by AskMcConnell

Plane Travel Secrets

My Travel Secrets

  • Read your company’s travel/expense policy word-for-word.  Keep a copy at your desk.  Any questions ask!!
  • Yep, I try to never check baggage on business trips, but ALWAYS be prepared that it may get checked for you and you need to buffer in time on the destination.
  • Signup for Global Entry and that will help with TSA Pre-Check and if you do ever go overseas (on work or personal)
  • I carry a roller board and a backpack.  Backpack is where my day-to-day papers/tech stuff goes.  If you are a backpack fan, spend the money on a TSA approved backpack so 99% of time you won’t have to remove your laptop/tablet/cell phone/stuff from this bag
  • Book your own travel, don’t let a “travel desk” or assistant do it (unless it is international….again….different set of bullets)

TSA (USA Transportation Security Administration)

  • Get PreCheck (Great for domestic and international)  and/or Global Entry (International)
  • (Guy thing) I empty pockets, watch, jewelry, etc. before going through TSA.  I put most everything in the backpack or pockets of my jacket so when I take the jacket off for TSA, I’m all set.
  • Remember the TSA agent is a human being, you say: “Good Morning Ma’am / Sir”, and “How are you doing?” Questions, the answer is “crazy times” or “awesome” even if you are having a tough day, they want to talk to another human that is as bored as they are.

Boarding Pass

  • Cell phone – QR Code based boarding pass, don’t like them at all, most of the time they don’t work….I do the paper boarding pass at home or kiosk/counter at airport. Plus the paper record helps better track trips for company records or if there is a missing mileage issue.


  • Assume from the time you land and you get in your rental car and you are on the road averages 60-90 minutes.
  • Plan your time to be at TSA with minimum 1 hour to spare is always my goal (use of Kiosk and PreCheck help this) for domestic flights.
  • If you see lightning in the area, assume a minimum of 30 minute delays
  • If I don’t know my exact schedule coming back, I always get the last flight back (not red eye) and then go on standby.  Only had to stay over once, but get on earlier flights almost always.
  • I change to the destination timezone AS SOON AS I SIT DOWN on the outbound flight.  My weird body is blessed with easy adjustments to time.


  • When you book your ticket, select a good seat, wait about 60 minutes, then logon to the airline’s website and move to the best/free seat.  The booking systems don’t recognize your airline status as well as the airline’s website.
  • 23 hours 59 minutes before your flight, most airlines will open up most of the reserved seats and all their pre-arranged upgrades have been cared for  by this time.
  • Check on the kiosk when you check in for a better seat.  Remember a “better seat” is not necessarily in front of you.
  • I am primarily an aisle person for the same reason many others might mention, but if I am in a no-work/sleep mode, I might change to a window seat to lean my head.  (Note: I can sleep from the minute I sit down to when we land, I’m weird in that way).
  • Most aisle seat arm rests actually can go up to make getting out or moving out of the way easy.  Feel under the arm rest for a small button.
  • I have changed seats 4-5 times from booking to sitting.
  • I have been sitting in a seat and they moved me to a better seat so never be afraid to ask, but don’t let me take your boarding pass and say “we’ll call you”.

Car (Domestic USA only)

  • I don’t rent a car in NY (Manhattan).  I don’t rent a car in Washington, DC, if I am covered well with the Metro.  I 50/50 rent a car in Atlanta if I can use the MARTA. Depending on the time and location of venues/office/hotel, I may stick to cab or arranged car, I am not a security/timing fan of Uber quite yet.  But I like having the control with my own car and since I don’t drink, I sometimes become the designated driver.
  • I don’t like to arrive in a city for the first time at night (car+dark+directions)
  • Remember that some airports do not have a gas station close by when returning if you care to refuel.

Travel Wallet 

  • Don’t carry passport unless going international (keep in safe at home)
  • Carry passport in USA if going to government buildings
  • Calling Card (yes, a calling card)
  • Remember room key can get erased with certain wallets.
  • I split cash between regular wallet and travel wallet (and other areas, if international), but always have a few bucks available for tips.
  • Wallets never leave my person.


  • Get you a rubber door stop, great for room protection when used in reverse to keep the door closed.
  • Don’t rely on cell phone alarm, get you an alarm that is LOUD and some of them have a built in flashlight
  • Don’t carry the hotel sleeve with your hotel name/room number with the key
  • Assume hotel room does NOT have a safe, and if they do, it will be too small for most electronics.  
  • Plan on locking your roller board and backpack in the room with a TSA lock when leaving the room. 
  • If you leave your laptop out (hotel or office/client), cable it down to the chair or something and screen saver locked
  • Biggest USA travel safety risks, believe it or not is:
    • Electric / water outage at the hotel (I had to shower with (cold) bottled water one time)
    • Fire/smoke at the hotel


  • Always hail a cab from the airport support staff or pre-arrange one with a receptionist
  • When getting in a cab/shuttle, never let them put your backpack in the trunk/”in the back”, it stays with you. 
  • If getting picked up at airport, have driver hold sign with just your last name (no hotel/company information) and if you really want to do good, use your maiden name, ladies.
  • If you don’t recognize the knock at the door, call the front desk
  • Be careful some hotel peep holes are TWO way….yes for safety reasons.

Packing (these come from a GUY perspective)

  • Credit my brother Sam for most of these:
  • 99% of time there will be an iron in the USA hotels (not that I know how to use one)
  • PACK like you are leaving the hotel to come home, UNPACK like you are leaving the hotel to come home.  You might have a change of plans quick.
  • Each night you pack used stuff, like you are leaving the next morning.
  • Shirts first, they wrap up around (“hug”) the other clothes….
  • (don’t shoot the messenger) – ALWAYS assume you only get one pair of shoes and that you will walk outside 10x more than you thought you would.  Great for the fitbit, hard on the feet.
  • Small umbrella if you can fit it.
  • When leaving for the airport (either way), remember there are only 2 critical items, your wedding ring and your (travel) wallet, your company laptop/documents, might be a close second.  Clothes, shoes, suitcase, ipad cable, all can be replaced.


  • Primary Airline app
  • Home Airport App
  • Either Flight Aware, FlightTrack and/or FlightBoard (good for tracking the INBOUND flight that you will be getting on).
  • Google’s Flight tool is a good independent quick check tool for flight options.


  • Set your Airline profile to notify you via text messaging of flight changes


  • I push all my awards (car, hotel, airline, credit card, etc.) to miles if I can.  Some of the hotels will let you gather miles AND points.  For me, miles are more important and have higher “value”
  • For American, 25000 miles = Round Trip Ticket (unless you do some shopping).  For American, a reward mile used to equal about .01 dollar value. So compare your airline to this vs. points vs. buying tickets.
  • Look for cross reward partnerships for example, American / Citibank / Marriott are all partners with each other, so the “deals” add up better since they are partners.
  • For American, they many times have bonus miles that you should look for BEFORE booking.

Hotel selection

  • Outside of Company approved / price……
    • Think about location…..sometimes closer to the airport is better than closer to the office / client…..sometimes better to be closer to a subway/metro train….
    • I don’t stay long so the ones with a kitchen don’t do much for me.
    • I like one big bed
    • (free) wifi is hit or miss


  • Always assume you can NOT get good quality wifi or good signal for cellular.  Most popular now-a-days is a Mifi Access Point.
  • Get a laptop power adapter that has BOTH regular plug and car plug via interchangeable cable.
  • I carry an external mouse always
  • Privacy Screen for Laptop (and ipad)
  • Phone / ipad chargers (car and outlet) and/or get a good battery brick (I carry all of them)
  • Pack cords in ziplock


  • Learn the airline’s lingo (Watch ‘Catch Me If You Can Movie’)
    • PNR
    • Inbound
    • Outbound
    • Dead Head
    • Non rev
    • Fare Code
    • Open Jaw
    • Hidden cities

Service at hotels

  • If you stay at a particular hotel a lot or frequent a particular restaurant, one of the times upon check in, ask for the MOD or general manager (make sure you tell them that you don’t have a problem)
  • Give them your business card, ask for theirs
  • Ask for recommendations for staying often
  • Before your next visit, email them and thank them and ask if there any suggestions / specials.
  • Build a rapport for the manager / chefs and it will pay off!!

Those were random and I may add to them as time permits,

Fraud Triangle – Cookies, Pencils, & Stealing


Fraud Triangle-Cookies, Pencils, & Stealing From Your Employer

As my students and clients and past audiences know, I think many make security and fraud out to be something complicated when it’s not, so here is another view of The Fraud Triangle.  The methods of the bad actors can absolutely be complicated, which makes chasing them FUN.  The principles, the root cause, the why, many times are quite simplistic.

Whether you are a parent, a Fortune 15 multinational corporation, a small “mom & pop”, a 100 person NGO, or a 35000 person megachurch, the principles of bad behavior have something in common. The principles are what is generally known as The Fraud Triangle by the great criminologist, Dr. Donald Cressey.  I learned about The Fraud Triangle over the last 17 years from the amazing organization called The Association of Certified Fraud Examiners (The ACFE / @theacfe).

Intro to Fraud and The Fraud Triangle


All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated.

Source: Black’s Law Dictionary, 5th ed., by Henry Campbell Black, West Publishing Co., St. Paul, Minnesota, 1979.

The Fraud Triangle

The fraud triangle is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behavior:

1. Perceived unshareable financial need

2. Perceived opportunity

3. Rationalization

Simple to Complex

When a child is in your home and there is a cookie jar, the principle behind taking a cookie is rooted in the same principle as the biggest fraud you may hear about on a show like American Greed.

When you took that pencil or pen home from work or the hotel, the principle for why you took it, is rooted in The Fraud Triangle.

No different than the typical act we consider to be fraud, like stealing a customer list or other confidential information or money from one’s employer/organization.

But Jim, really, my 5 year old is not a fraudster and how dare you call me a fraudster for this pen from the Hotel California….like you never committed fraud as you describe it.

Ah, but I didn’t, I am purely using a well researched concept of The Fraud Triangle to focus on the concept of living with Absolute Integrity and bringing up the next generation with a healthy fear of the consequences of not striving for Absolute Integrity everyday.

If Spade=Spade, then Fraud=”Fraud”

We are _________, We don’t __________, We have ________, so we don’t have fraud. Wow.  I am amazed at how scared organizations are at using the word ‘Fraud’.  A great fraud examiner that I had a privilege to work with for too few years recently, Cheryl Davis, always joked about “The ‘F’ Word”.  I didn’t fully grasp her wisdom until recently.  The word ‘fraud’ is so feared that it has become almost part of the “bad four letter word group” in many organizations.  “What do you mean Fraud?”, “I don’t consider that fraud”, “That’s just a management issue”, “That’s just a petty issue”.  There are no fraudsters in my house, church, organization, how dare you. Hey if you have people that work for you as employees or suppliers/vendors, look in the mirror and say it, “I am vulnerable to the ‘F’ Word”…I mean, Fraud.

Stop being a wimp.

If your 5 year old can justify stealing the cookie, you and your fellow workers can justify many other more malicious things.

Preventing Fraud – “Fight Fire With Fire”

If a fraudster (or child) needs opportunity, rationalization, and pressure to commit fraud (or take the cookie), how hard is it to maybe prevent fraud through simple things like:

  1. OPEN OPPORTUNITIES for the fraudster or child to be rewarded for finding their passion and providing small, ongoing rewards for creating new opportunities for you, your organization and the next generation.
  2. REPLACE RATIONALIZATION with rewards that are as diverse as your organization. Not just the best pay, but the best benefits, the best culture, the best place to work, the best listening skills. The best doesn’t mean perfect, the best means don’t do it unless you can do it with excellence that involves everyone.
  3. PURSUE PEOPLE’s PRESSURE with conversations and culture and rewards for transparency. Don’t put the employee recommendations box over the top of the trash can.  Post them on a wall with a big green check when you have implemented them.  Develop benefits that pop the pressures of the world.  Tell your story of the pressures you are under and how you handle them.

Absolute Integrity

Whether it is a note on the mirror in your bathroom or office or car or a foot mat next to your bed or a daily calendar reminder or all three, create a daily “stop” in your life that forces you to challenge yourself, “I will operate my life with absolute integrity today.  I will reflect absolute integrity without using words.  I will challenge my family to absolute integrity through love and example”. Okay Jim, I will “try” to no longer take the cookie…..

Start with your daily effort to live with absolute integrity and not as a fraudster and then become contagious.

A Great Read on the Topic from Joe Wells


Free Software – Church (Security) Analytics Just Got Easier


Tableau Foundation Announces Free Software and “Service Corps” for NGOs/Non-Profits


Need / Want some (almost) free software for your church?


Back in 1994 when I started full time in Corporate Security, I found out real quick that I was analyzing raw data on a regular basis for security purposes.  It wasn’t as formal as it is today in the technology or business world, but it was data analytics.

In the last few years I have dived into the topic on a daily basis looking for a variety of answers to questions of the data to get the data to tell a story.  I use a small but diverse toolbox of tools, including but not limited to Excel, i2 Analyst Notebook, NodeXL (my newest), and Tableau.

I learned about Tableau from a large supplier that I didn’t have budget to buy their wares, but we had a good relationship and they recommended I look at Tableau.  Within the first few days, I was hooked, I was solving problems, and getting new answers that frustrated me for years.  If you are an Excel fan and do any kind of data analysis, I would encourage you to look at Tableau.

A “simple” example of Tableau that I did for you is Carl Chinn’s church crime stats here.

Check out’s discussing using Tableau at the User’s Conference last year (2014) in this video and their presentation.

Today Tableau announced Tableau for Non-profits and I think this is both awesome for their corporate responsibility program and in my selfish case, an awesome opportunity for churches and church security organizations.

Okay, so there is a small administrative fee of $58 for TechSoup, so close to “Free”

Tableau also announced Tableau Service Corps, which is a group of Tableau experts ready to help you with your data analytics program.

Church (Security) analytics can be as simple as attendance to as complex as geographical analysis of attendees.

  • For Churches in general, some ideas:

    • Service attendance
    • Class attendance
    • Age group attendance
    • Giving by type of giving
    • Giving by demographical information
    • Salvations
    • Attendance vs. membership
    • Volunteer (hours)
    • Missions
    • Budget
  • Church Security

    • Budget
    • # of incidents
    • Types of incidents
    • # of people with access to each access control point
    • Background check status
    • CCTV, security camera, access control, badge system maintenance
    • Lots of cyber security measures
    • Fraud analysis (e.g. church credit cards)

Would you all be interested in a Tableau Demo?  Sign up for our church security mailing list and put a comment in below and if we get enough interest, I will get one scheduled.

Get data, analyze it, tell a story to a safer church.



Privileged Access – Did you define it first?


As many know (and dislike), I am big on understanding the CONTEXT of words/terms when it comes to (physical / fraud / cyber) security, so today, I was thinking about “privileged access”. I have to do this, because I am always thinking about how do you scale the management of some security control.

The default that I think many people, suppliers, and vendors think of is ‘root’ or ‘admin’ or some ‘god-like’ access in the cyber world.  In the physical world, “master key”, “All zones” badge access, etc.

General American English definition

“having special rights, advantages, or immunities”

Cyber World

If you have “read only” access to an application/dataset and Billy Bob has some authorization above “read only”, does Billy Bob have “privileged access”? Is “read only” more privileged than NO access?

I think it’s more like, if Billy Bob has some level of access above “Read Only”, he can (potentially) impact confidentiality, integrity, AND availability, whereas, I, with ONLY “read only” can only impact confidentiality. (Impact is relative, I know)

If Billy Bob is considered to have “privileged access” with access greater than “read only”, does the person with ‘root’ on the same system, have “privileged access”?

Physical World

You only have access to the front door and employee entrance door, is your access “privileged” because you have more access than the public?  If Billy Bob has access to ALL the doors, does he have “privileged access”?  But what about the person that sets up your and Billy Bob’s building access privileges in the access control application/system?  Do they have “privileged access”?

Knowledge / Information World

CEO has access to the latest merger information, whereas a payroll reporting expert has “read only” access to all the PII for all employees, whereas a supplier JUST has physical access to your core router 24×7.

Things to Ponder and Ask Yourself and Your Organization

Have I/we defined what is and what isn’t “privileged access” in my organization? Do we inventory ALL “privileged access”?  Do we log ALL “privileged access”? When our favorite auditor comes along and asks for a list of “privileged access”, what do we give them? Does any of my supply chain have “privileged access” to my organization?  Have I ever considered graphically mapping (network link analysis) the totality of our “privileged access”?  You know, the easy questions.
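To make the inventory and link-analysis questions concrete, here is an added example (not from the original post) that maps grants onto the confidentiality/integrity/availability impact discussed above and follows "controls" links so inherited reach shows up. The principals, resources, grant types and the impact mapping are all constructed assumptions; the two definitions at the end show how the answer to "who is privileged?" changes with the definition you pick.

```python
from collections import deque

CIA = frozenset("CIA")
# Assumed mapping from grant type to what it can affect (C, I, A).
IMPACT = {"read": frozenset("C"), "write": CIA, "root": CIA, "physical": CIA}

# Constructed sample inventory: (principal, grant type, resource).
GRANTS = [
    ("me", "read", "hr_dataset"),
    ("billy_bob", "write", "hr_dataset"),
    ("sysadmin", "root", "hr_server"),
    ("badge_admin", "write", "badge_system"),
    ("supplier", "physical", "core_router"),
]
# Constructed links: whoever can modify the key can reach what it controls.
CONTROLS = {
    "hr_server": ["hr_dataset"],
    "badge_system": ["front_door", "server_room_door"],
    "server_room_door": ["core_router"],
}

def effective_access(grants, controls):
    """Return {principal: {resource: impact}} including inherited reach."""
    result = {}
    for who, kind, target in grants:
        reach = result.setdefault(who, {})
        reach[target] = reach.get(target, frozenset()) | IMPACT[kind]
        if "I" not in IMPACT[kind]:
            continue  # read-only cannot reconfigure what the target controls
        queue = deque(controls.get(target, []))
        while queue:
            res = queue.popleft()
            if reach.get(res) == CIA:
                continue  # already counted, also guards against cycles
            reach[res] = CIA
            queue.extend(controls.get(res, []))
    return result

def privileged(effective, definition):
    """Principals whose reach on any resource meets the chosen definition."""
    return sorted(p for p, reach in effective.items()
                  if any(definition(r, imp) for r, imp in reach.items()))

# Two candidate organizational definitions of "privileged access".
above_read_only = lambda res, imp: bool(imp & {"I", "A"})
any_access = lambda res, imp: bool(imp)

if __name__ == "__main__":
    eff = effective_access(GRANTS, CONTROLS)
    print(privileged(eff, above_read_only))
    print(sorted(eff["badge_admin"]))  # resources the badge admin can reach
```

In this sample the badge administrator holds no direct grant on the core router, yet the link analysis shows they reach it through the server room door, which is the kind of entry a flat list of 'root' and 'admin' accounts leaves out.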



Found a Great Church Security Assessment

Shout out to Kris @ 5544885 for this resource!

Great Church Security Assessment

Okay, I admit I am generally NOT a fan of checklist security assessments, with one exception: when an organization (yours) doesn’t have a full-time security team / professional available, has a desire to improve its posture, AND commits to engage with a trained security professional based on the results.

Kris Moloney is a great church security professional and developed this excellent Church Security Assessment.  The important thing is for you and your team to complete the assessment honestly and completely.  In fact, have several people complete it and compare answers.  Ask yourself, are you completing it based on what is fact, what you think exists, or what someone has told you?  Even if you have to physically walk around your organization / building with the assessment, do it. Church Security Assessment

Please email Kris and thank him and share this post with your fellow church leaders  / churches.  As always, feel free to reach out to me if you have any questions.

BTW: If you are planning on being at Gateway Church’s Leadership / Pastors Conference this year, I will be there again and available for one-on-one FREE discussions on your church security questions. I will have two giveaways for 3 hours of consultation at the conference.  I will be volunteering, but just email / DM me on Twitter and we can find a place to meet up.


My Church Security – Just Give Me a Church Security Manual



My Church Security – Just Give Me a Church Security Manual….and I’ll be all set.


Church Security Manual – Check – All done……. Really, I hope no one has convinced you that a church security manual is the answer or will contain the answer.  I have seen some of the most immature security practices in large organizations that have a security manual that was 3 inches thick.  Now, I am a fan of a church security manual, but for a specific set of purposes.  I am a fan of training using a church security manual. I am a fan of pocket guides that are a subset of a church security manual.

Here are a FEW of the domains/sections/documents that should exist. For a few of them, I will provide you a template when you sign up for our mailing list and let us know which specific ones you are looking for.

Internal employees, internal contractors/vendors/suppliers, and volunteers are three different groups of people that you need to consider when writing your church security manual. Think about the audience, the maturity of the audience, the impact on the audience, etc.

A church security manual can contain:

  • Policies
  • Guidelines
  • Standards
  • Requirements
  • Recommendations
  • Procedures


  • Missing Child, Missing Parent
  • Evacuation
  • Shelter-in-Place
  • Active Shooter
  • Incident Reporting
  • Camera Usage
  • Suspicious Persons
  • Network, Electronic Communications Usage
  • Export Control
  • Missions Trip Security and Safety
  • eDiscovery
  • Protection of sensitive information (PII, SPI, HIPAA)
  • Use of Radios
  • Alarm Response
  • Roles & Responsibilities
  • Security Camera Management
  • Security Alarm Management
  • Supplier / Vendor Security Requirements

A good church security manual AND church safety manual are critical both in day-to-day assurance and in crisis. But remember, people aren’t going to be running to find the manual when an incident occurs. Thus the critical piece is awareness / training and retraining and retraining on the CONTENT and CONTEXT of the relevant part of the manual.  The #1 part of these manuals is not the STEPS; it’s the scope and the roles and responsibilities.

My Church Security – Where do I start?


I know, never answer a question with a question, but this will be a contextual exception. Where should you start?

Start by asking yourself or your team, “Do I understand I have a security apparatus already? All I need to do is understand what I have today, what else I MIGHT need, and where I should start to move forward.”  Future blog posts will focus on a FREE tool I created to help make this SIMPLE.

Another question, “does my leadership/board understand where we are and that we need to move forward?”

Last question: assuming you are the champion of this work, do you have a trusted, available individual, preferably trained, who will be your go-to person for this moving forward?

I know this is strange, but let’s hold off on the “do I have any money?” question; I don’t want to spoil the fun before we start.  I’m also going to hold off on the question “do I need security?”; I think my blog will end up answering this question in the end, without going crazy with a complex threat assessment.