Paul DeMatteis is the Principal of Global Security Risk Management LLC (GSRM), a consulting firm specializing in security, counterterrorism, and crisis management for global organizations. With over 60 countries of experience, he has advised corporations, law enforcement agencies, and high-risk institutions on terrorism vulnerability assessments, risk mitigation, and physical security strategies. He has held executive security positions at Citigroup, Prudential Financial, and Republic National Bank, developing security solutions for industries like finance, healthcare, education, and technology.
A former professor at John Jay College of Criminal Justice, DeMatteis pioneered graduate programs in cybersecurity and terrorism vulnerability assessments, overseeing 1,500+ security assessments across the U.S. He has received FBI commendations and counterterrorism awards for his contributions and frequently lectures at global security forums. A media expert, he has appeared on NBC, CNN, and Fox News, and in 2017, he authored Security Readiness, a guide for securing Jewish community institutions.
This interview has been authorised for publication by Paul DeMatteis.
We thank you, Paul DeMatteis for accepting our interview with the Saint Pierre International Security Center.
SPCIS: In your experience, what are the fundamental principles that should guide the design of physical security systems for high-risk facilities?
Paul DeMatteis: Over the years, most of my work has involved high-risk environments, typically falling into two categories. First, organizations that have lost faith in their security programs, often due to ineffective leadership or lack of a structured security approach. For instance, I recently worked with a privately held global company valued at $50 billion that had no security director and struggled to implement effective security measures. The second category includes organizations responding to significant security incidents. A notable example is Planned Parenthood, where I was brought in after the Colorado mass shooting to reorganize and manage their security department.
When assessing a high-risk facility, my approach begins with an adversarial mindset—how can I compromise this facility? This perspective helps identify vulnerabilities. Next, I examine historical data: what incidents have occurred at this location, in the surrounding area, and globally? My assessments often involve extensive observation, sometimes spending five to ten times more effort than clients expect, to understand their operations fully. I analyze security measures at different times of the day and night, interview stakeholders from board members to front-line employees, and define the organization’s risk tolerance.
Understanding an organization's risk appetite is critical. For example, Republic National Bank, owned by a single individual, prioritized reputation, investing heavily in seven highly secure vaults worldwide. In contrast, Citibank, with several 1000 vaults globally, accepted the risk of a loss as a cost of doing business. This distinction underscores the importance of aligning security measures with organizational priorities.
A comprehensive security review must include detailed evaluation and testing of physical and electronic systems. It is astonishing how often critical oversights occur. For example, in some cases, battery backups for security systems are missing, rendering alarms and electronic locks useless during power failures. Security policies and procedures must be assessed for completeness, implementation effectiveness, and alignment with the actual security posture.
SPCIS: What emerging technologies or strategies do you consider the most effective in counterterrorism today, particularly in urban environments?
Paul DeMatteis: The most crucial element remains the human factor. Many organizations assume that simply investing in advanced technology is sufficient. However, without proper training and awareness, even the most sophisticated systems can fail.
A core strategy is deterrence—creating the perception of a hardened target to discourage opportunistic threats. Beyond physical security, intelligence gathering is critical. Social media monitoring, or "scrubbing," provides valuable insights into potential threats. Maintaining strong relationships with law enforcement is also essential. My work with the U.S. State Department and various security committees has shown that global threat trends often mirror each other across regions.
The importance of intelligence was evident after 9/11. At Prudential, where I was Director of Global Security, senior executives initially struggled to process the crisis. Security personnel had to take the lead in implementing protective measures for 7,000 employees near Manhattan. Our subsequent security enhancements were validated in 2004 when intelligence from captured Al-Qaeda operative Dhiren Barot (also known as Issa al-Hindi) revealed detailed surveillance of financial institutions, including Prudential. His assessments were remarkably thorough, identifying vulnerabilities we had already addressed. This incident reinforced the need for proactive security investments, even when financial considerations create resistance.
We also introduced counter-surveillance teams and temporary physical barriers, working closely with law enforcement to monitor threats. This integrated approach—combining technology, intelligence, and human vigilance—was instrumental in mitigating risks.
SPCIS: Technology (including AI) plays a significant role in security, but how important is the human element? What strategies can organizations use to ensure staff remain vigilant and proactive against security threats?
Paul DeMatteis: AI and video surveillance have significantly improved security, but human oversight remains essential. In high-risk locations, surveillance should be actively monitored, not just reviewed after an incident occurs. AI is becoming increasingly effective in identifying suspicious behavior, such as vehicles circling a building multiple times or unusual movements within a restricted area.
A recent example in New York highlights the power of AI-driven intelligence. A suspect was apprehended in New Jersey before he could carry out an attack in New York, thanks to social media monitoring and proactive law enforcement coordination. Similarly, in Pittsburgh, a mass shooting at a religious institution could have been prevented if the perpetrator’s repeated visits to potential targets had been reported. AI can help identify such patterns, but human awareness and reporting remain crucial.
The 2019 attack on a synagogue in Germany further demonstrates the importance of physical security. The attacker failed to breach the building due to a locked, reinforced door, preventing a mass casualty event. By contrast, the lack of a secured entrance in the Pittsburgh incident contributed to the tragedy. These cases underscore the necessity of training staff to recognize and report suspicious activity proactively.
SPCIS: When designing training programs for staff, what key components are essential to building a strong culture of security within an organization?
Paul DeMatteis: Effective training starts with well-documented policies and procedures. Surprisingly, even global corporations often lack coherent, actionable security policies. Simply having a manual is not enough—it must be practical and integrated into daily operations.
Once policies are established, training should be structured in phases:
Foundational Training: Employees must first understand their roles, responsibilities, and the overarching security framework.
Tabletop Exercises: These four-hour interactive sessions challenge participants to think critically and apply security concepts in simulated crisis scenarios. I conduct these sessions globally, often with interpreters, ensuring engagement from mid-management to top executives. Senior leaders initially commit to only an hour but often stay for the entire session due to its value.
Drills and Practical Simulations: Realistic, scenario-based drills test the organization's response to threats. Unlike some extreme training programs, our goal is to empower participants, not instill fear. Exercises should reinforce confidence and preparedness rather than induce anxiety.
Continuous Training and Inclusion: Security awareness should extend beyond full-time staff to include contractors, volunteers, and temporary personnel. In a museum setting, for example, volunteers must know reporting procedures to prevent security gaps.
A well-trained workforce is the cornerstone of effective security. Security is everyone’s responsibility, and fostering a culture of vigilance can make all the difference in preventing and mitigating threats.
SPCIS: What do you see as the biggest challenges in physical security and counterterrorism, and how should organizations prepare for them?
Paul DeMatteis: Technology is certainly a factor, but I believe that relying solely on it—without proper training—is nearly valueless. In recent years, there's been a tendency to assume that AI and technology can manage everything. However, in my experience, security systems are never fully automated or self-sufficient. They require human oversight, decision-making, and strategic management.
Recently, I was invited by a long-time client in New York to conduct an in-depth assessment of their security environment. This location has hosted various U.S. counterterrorism units and foreign security experts for evaluations due to the presence of high-profile dignitaries. Despite multiple assessments, critical vulnerabilities were consistently overlooked. The issue, I believe, stems from inadequate testing and a reluctance to thoroughly inspect every aspect of security operations. If you don’t rigorously test your systems, they will never function effectively.
The key to robust security is a combination of thorough training, strong management, and the right technological tools. Over the past 30 years, I’ve witnessed significant technological advancements, many of which have been highly beneficial. AI, for example, is increasingly capable of tasks like web monitoring and system management. However, there is growing interest in weapons detection technology, and I worry about the overreliance on these systems.
As an older professional, I may have a different perspective, but I strongly believe that human intuition and quick decision-making remain irreplaceable. A prime example is the tragic shooting at the Holocaust Museum in Washington, D.C., several years ago. I frequently work with museums, so I visited the site to assist with security improvements. Despite having advanced technology, the museum's security team was unprepared for the specific threats they faced.
The lobby had at least ten armed security personnel from various law enforcement agencies. Yet, I noticed something unusual—many were carrying revolvers. When I asked why, the response was, "I don’t trust them with more bullets." That was alarming. If you don’t trust your personnel, you need better-trained staff, not fewer bullets.
Furthermore, the security team was so preoccupied with operating scanning equipment and other manual tasks that they missed a glaring threat. The shooter, carrying an antique rifle from the 1890s, exited a cab, walked approximately 75 feet to the entrance, and was allowed inside without suspicion. A security officer even opened the door for him—only for the shooter to immediately fire, killing a guard.
This incident underscores my primary concern: security technology must support, not replace, well-trained personnel. Quick thinking and situational awareness are crucial, and AI cannot fully replicate these human abilities. Organizations must resist the urge to blindly invest in security technology without a strategic plan for implementation, training, and continuous oversight.
Commentaires