From Campus Incidents to Critical Infrastructure: A Front-Line Perspective on Security That Works

I've Walked the Walk, And I Still Carry the Weight of It.

Author’s Note: I wrote this before the recent tragedies at Annunciation and Brown. I’ve lived through similar moments, where sirens echo across campuses, and parents wait by their phones, desperate for answers.

This isn’t a reaction to headlines. It’s a warning written from experience. I share this now because I don’t want another school, another city, or another leader to learn the hard way. If reading this sparks action before the next tragedy unfolds, then it’s worth sharing.

I served as a law enforcement officer, a Vice President of Safety, Security, and Operations at a large university in the Midwest, and a healthcare executive responsible for operational security oversight. I also worked in the private sector, where I had a front-row seat to how technology was reshaping policing and public safety.

While at the university, we experienced two devastating incidents: a student carried out a federally prosecuted act of violence on campus, and that same year, a distraught employee shot himself and falsely reported it as an active shooter. These weren’t drills. These weren’t case studies to dissect in a conference session. These were real-world events that tested every person, process, and piece of technology on that campus.

And we were not ready.

The Warning Signs Were There

Long before those incidents, I had raised red flags. Our campus was running on a Frankenstein network of outdated, non-integrated security systems. We had legacy analog cameras, multiple disconnected access control systems, aging intercoms, and limited panic button coverage. Some systems hadn’t been maintained in years; others were no longer supported by their vendors. There was no unified situational awareness. Everything functioned in silos, if at all.

Worse, in an effort to stretch budgets and be helpful, parts of the system had been homegrown by internal departments that weren’t security specialists. Our IT department, well-intentioned but lacking physical security expertise, had built NVRs from scratch. These custom-built systems weren’t rated or scaled for a campus environment, and it showed. It’s akin to walking into a hospital for heart bypass surgery only to find out your surgeon is an OBGYN. Yes, they’re both doctors, but specialization matters.

I later discovered that panic buttons across parking lots and remote buildings were failing during wet weather. Why? Because the cabling wasn’t outdoor-rated. Moisture would seep in, lines would short, and the buttons would become nothing more than metal boxes hanging on a pole. The whole thing was a hodgepodge of shortcuts, quick fixes, and misplaced confidence. It wasn’t just underperforming; it was creating additional risk.

And here’s the part few people want to talk about: the moment I hear “builder spec” on a security project, it’s a red flag. Builder spec means the system was designed for minimum code compliance, not for real-world threat mitigation. It’s the equivalent of asking a residential architect to specify fire alarms without talking to the fire marshal. When security is value-engineered into a construction budget as a checkbox, you’re not protecting people, you’re just installing parts. The result? Cameras with the wrong lensing, door hardware that fails under pressure, and systems that don’t talk to each other. Builder-spec approaches may meet code requirements, but they rarely address operational risk, nor do they usually understand or know the other products that are around your facility.

What I learned through this process is the importance of working with partners who understand how systems interact across their entire lifecycle, not just on installation day. The right integrator doesn’t just show up for installation. They are engaged from early specification through day-two operations, ensuring the infrastructure is scalable, integrated, and aligned to real security outcomes, not just a procurement checklist. Too often, integrators disappear once the project is closed out. Effective security requires continuity, not handoff.

I submitted risk assessments. I pushed for funding. I explained in excruciating detail how the gaps could lead to a catastrophic event. However, like many institutions, we were told the cost was too high and the appetite for disruption too low.

It took a federally prosecuted act of violence and an active-shooter report in the same year to change that.

After that, the university approved millions in emergency funding, and the systems were implemented immediately, just in time for the next school year. Suddenly, every decision-maker who had once deferred, deflected, or delayed was now fully supportive of a comprehensive modernization effort.

We upgraded to a modern, unified VMS platform. We integrated access control, panic buttons, video analytics, and a staffed SOC. We added mass notification systems, sound intelligence, LPR cameras, AI-driven object detection, and federated command dashboards. The campus was transformed.

But here is the question I still ask myself every day:

What if we had done it sooner?

Would we have seen that student scoping the site weeks or months earlier? Could we have identified warning signs in time to intervene? And what about the second incident, where a distraught employee shot himself and falsely reported it as an active shooter? That event shut down our campus for hours. Helicopters circled overhead. SWAT teams flooded the grounds. Students, parents, and the broader community were paralyzed with fear.

Would real-time alerts, better communications infrastructure, and more reliable panic systems have shortened response times? Could they have clarified the threat earlier? Would they have spared hundreds of people from the trauma of an extended lockdown?

Minutes matter when lives are at stake, as does the ability to quickly verify, communicate, and respond to complex, high-anxiety situations.

Security is not about playing Monday-morning quarterback. It is about eliminating the “what ifs” before they turn into memorials.

From End User to Integrator: I Know the Pain Points Because I Lived Them

I have protected hospitals, K-12 districts, college campuses, and municipalities. I know what it’s like to fight for the budget against non-security stakeholders who don’t understand the risk until it’s front-page news. I know how it feels when a vendor overpromises and underdelivers, or sells a solution that doesn’t integrate with the broader ecosystem.

That experience is what drives my work today at Premise One. I do not push boxes. I build solutions. And every system I help design must answer one question:

Would I have trusted this system if I were in charge?

If the answer is no, it does not make the cut.

History Repeats Itself If You Let It.

Following the 9/11 attacks, funding for security infrastructure increased significantly. Cities, ports, and campuses finally received the support they had long been seeking. We hardened targets. We installed systems. For a time, we were alert.

But time passed. Administrations changed. Budgets tightened. Today, much of that infrastructure is unsupported, outdated, or failing outright. Once-premium systems are struggling to operate on outdated firmware. AI capabilities go unused. Hardware has outlived its service life. The urgency that once drove investment has been replaced by complacency.

I am watching it happen again at my former university. The systems installed after the attacks, systems that contributed to improved detection, response, and institutional confidence, are now being questioned.

New administrators have come in. They were not present during those events. They do not carry the lived experience of those days. They are reviewing budgets and questioning whether AI-driven analytics are necessary when the expansion of panic buttons is also on the table.

This is not just a budgeting issue; it is a risk-management failure. Risk is not static. It evolves. And when mitigation tools stagnate, exposure grows. When leadership evaluates security solely through spreadsheets, they are not managing risk; they are assuming it.

Critical Infrastructure is the New Soft Target

We are seeing similar patterns across utilities, correctional facilities, and smart cities: the same siloed systems, the same hesitation to modernize, the same belief that “it won’t happen here.”

Examples include:

• Moore County Substation (2022): Over 40,000 people lost power due to a perimeter breach, contributing to a fatal medical outcome.

• Las Vegas Solar Facility (2023): A lone actor set fire to the infrastructure with no thermal detection or early warning.

• EPA Findings (2024): Dozens of public water systems lacked basic physical security controls.

These examples span jurisdictions and administrations. They reflect systemic infrastructure gaps, not political outcomes.

These are not complex nation-state cyber threats. They are physical breaches using simple tools and surprise, and many were preventable or significantly mitigated with existing technology.

What Modern Protection Looks Like

Today, at Premise One, I help organizations implement:

• Open platform VMS solutions

• Federated site views with remote access

• AI-driven video analytics for real-time detection

• Integrated access control with behavior-based triggers

• Perimeter detection using radar, LiDAR, and thermal cameras

• Smart sound analytics, gunshot detection, and glass-break alerts

• Incident dashboards that allow security teams and first responders to see the same data at the same time.

  
  

These are not bells and whistles. They are baseline tools for modern threat detection and response, and every one of them could have made a meaningful difference that year.

Final Word: Build Before the Fire

Security is often treated as a sunk cost until it becomes the most essential investment an organization can make. We cannot afford to remain reactive.

The campus I once protected became one of the most secure in the region, but it came at a cost that should never have been paid. And now, as memories fade, that posture is being dismantled in the name of savings.

If I could leave every boardroom, budget meeting, and procurement review with a final set of warnings, they would be these:

Listen to your end users.

Fund before failure.

Integrate before the incident.

Build before regret.

About the Author

Mark Johnson is a Key Account Manager at Premise One, supporting national clients and strategic partners across the U.S. Mark brings decades of client-side security operations experience to his role in National Sales. His operator-informed approach helps organizations navigate complexity with clarity, align technology to real-world operational needs, and build security programs rooted in trust and practicality. He is based in Arizona.