This article is the fourth in a series of four (4).

PART 1 explained that to legally operate a cannabis business, whether medical or recreational, a license or permit to operate must be obtained.  Every state has its own regulations and application process in place.  These regulations all require security measures to provide for the safety and security of the operation, its associates, and the neighborhood within which it operates. Most states refer to this as a “Security Plan” and require it be submitted with the application to operate, but what exactly is a “Security Plan?”

I have worked with many in the industry who think that a Security Plan is nothing more than a floorplan drawing with security devices added (cameras, electronic access control, alarm, door intercoms, etc.) As a result of this misconception, they often have their security integrator provide this as a design-build, selling and installing the equipment as well. PART 2 discussed this in more detail. In PART 3, I discussed how the Security Management Plan outlines at a high level what will be done to ensure the security of all assets including staff and patrons. The Security Operations Plan details how the overarching Security Management Plan will be implemented and details the performance of the tasks that will be performed.  This is where the policy and procedures, SOPs, and Post Orders can be found.

This is the part of the overall Security Plan that is the most complex and therefore most difficult to compose. Applications for the Illinois Adult Use Cannabis Dispensary permits were accepted from 9:30 a.m. December 10, 2019 through 12 noon January 2, 2020.  I provided security content for 12 of these dispensary permit applications.  On the afternoon of Saturday, December 28^th, I received a phone call from a woman who was frantic. She had seen my presentation at a cannabis seminar and exhibition in Rosemont, IL and had spoken with me afterward. She told me that she had decided to use someone else to supply the security content for her application and that she just received the security plan from them.  She explained that the plan was five  pages, mostly drawings. This is a tell-tale sign of the shortsightedness and naiveté a typical systems integrator demonstrates in providing a “Security Plan.”  The security plan section of the application was limited to 50 pages and all the plans I had written were a full 50 pages. So, I can understand her being distraught over receiving a five-page security plan. I asked her if those who provided her with the security plan were the same ones who were going to supply and install the security equipment in her dispensary if she were to be awarded a permit. She replied, “Yes.”

Unfortunately, on such short notice, I was not certain that I could dedicate the significant amount of time to properly develop a customized security plan for her and her organization. Sure, I could have “cut and pasted” from one or more of the plans I had already written but that would not only be unethical, it would make me no better than the security integrator who had provided her with a Security Technology Plan  and sold it as a Security Plan.

No two Security Plans I have developed are exactly the same. Each organization is unique in how it goes to business. Time must be taken to understand the culture of the organization so the Security Operations Plan can be developed in the least intrusive manner for the specific organization.  Two things that can be said about security: security is always an inconvenience; and security is always too expensive until you need it. It is important to devise the operations in a manner that is not only compliant with the rules and regulations (that is what the Security Management Plan does) but is acceptable to the organization and has buy-in from leadership. The Security Operations Plan is not easily written by someone without experience in security operations in the same industry.

I recently worked with clients in Missouri applying for permits. The application to operate a cultivation center under Missouri’s medical cannabis program has 10 questions as well as a requirement for a drawing with the security systems overlaid on a floor plan.  The first question is: Describe your security plan, including staffing, at the facility. You may submit up to 500 words. Without operational security experience within a cultivation center, it is difficult to describe what exactly will be done to prevent the theft or diversion of cannabis as well as protect the safety and security of all employees, visitors, and contractors.  A drawing representing the intent of the security systems’ design and device locations does not answer this or any of the other 9 questions in the security section of the application.  Though it may have a very short-term deterrent effect, putting a camera in a room does not in and of itself prevent the theft or diversion of cannabis. Cameras are tools. Together with SOPs, creating procedures for determining who has access to the room and when they have that access, procedures for the performance of the specific activities performed within the room, procedures for monitoring the activities within the room, and training to react to exceptions to any of these, work together to prevent the theft or diversion of cannabis. There are not many integrators who can develop and articulate this beyond how to operate the security systems as they are not skilled or experienced with using the security systems as part of security operations.

As the caller mentioned on that December 28^th call learned, security integrators (those who sell and install security equipment) are not generally the best people to provide a security plan. The temptation to allow them to provide a security plan at no cost, with the contingency that if you win the permit you will award them the equipment and installation contract, is real. The likelihood of scoring well in the security portion of the permit application is greatly reduced, no matter how many “security plans” they have provided and may just be the reason for not scoring high enough to win the permit. In the end, it is the buyer’s responsibility to become educated and properly vet potential security partners, especially during the critical application stage.

My advice as to where to start…

• Contract with a board-certified security consultant for your security plans.
• Check your consultants’ certifications, experience, and references.
• Ask not how many security plans the consultant has authored or in how many states, but how many permits were awarded for the applications for which security content was provided.

Stay tuned and stay safe, and always remember that it is everyone’s responsibility to become an active participant in the safety and security of themselves and others.

In Case You Missed It

Security Master Planning in the Cannabis Industry – Part 3: The Security Management Plan

Security Master Planning in the Cannabis Industry – Part 2: The Security Technology Plan

Security Master Planning in the Cannabis Industry