Expert assessment. Plain-English plans. Real practitioners.
Everything you need to stay safe — without the complexity.
Not a summary. Not a feelings-based evaluation. A number, a gap list, and a ranked action plan — from a practitioner who has actually walked your site.
to your first site visit
to your full assessment report
A WorldSafe assessment doesn't stop at the front door. We look at everything.
We map every coverage gap and show you exactly what isn't being watched.
Every entry and exit evaluated — doors, windows, loading docks, stairwells.
We review your existing protocols — and drill what's missing before it's needed.
We evaluate your team's readiness across every role — not just security personnel.
Every gap in your report is quantified against real incident cost data. You'll know exactly what's at stake.
NERC CIP, TSA Pipeline, FERC — we flag regulatory gaps and cite the specific requirements you're missing.
Already have a program? We'll work with it, around it, or instead of it.
WorldSafe practitioners are security practitioners, law enforcement officers, and security specialists. When we walk your site, we see what trained operators see — not what a checklist says to look for.
WorldSafe Certified is a practitioner-verified security standard. Three levels. Real criteria. A certification that actually means something.
Learn about certificationWorldSafe finds meaningful gaps in over 90% of organizations that already have programs in place.
Book an AssessmentNo obligation. No sales pitch. An honest picture of where you stand.
A WorldSafe practitioner walks your site, scores your risk, and hands you a plain-English action plan. Within 5 business days of the visit.
Book an assessmentNo obligation. Most first appointments available within 5 business days.
Most security assessments are checklists. Ours are investigations. A WorldSafe practitioner — security practitioner, field experience — physically walks your facility the way a threat actor would.
A 30-minute call with a WorldSafe practitioner. We learn about your organization, your current security program, and your concerns. No sales pitch — if we're not the right fit, we'll tell you.
A practitioner visits in person — typically 4–8 hours depending on facility size. We look at everything: access points, cameras, protocols, staff readiness. We're not filling out a checklist. We're looking for what a threat would find.
A scored risk report with every gap ranked by severity and financial exposure. Written in plain English. Prioritized so you know exactly what to fix first and why.
No sales pitch. An honest picture of where you stand.
Book an assessmentRaaS turns your security program from a one-time project into an ongoing capability — assessed, tested, and improved every quarter.
Talk to us about RaaSMost organizations do a security assessment once, file the report, and forget it exists. Threats don't work on that schedule. WorldSafe RaaS does quarterly assessments, exercises, and reviews so your security posture keeps pace with your organization.
Full site walk with scored report. We establish your baseline, identify your top 5 priority gaps, and build a remediation roadmap.
A facilitated scenario exercise with your team. We test your response plan against a realistic threat scenario and identify breakdowns before they happen in real life.
We return to your site, verify remediation progress on priority items, and look for new exposures created by changes in your operations or footprint.
A board-ready report showing how your security posture changed over the year, what was closed, what remains open, and what to prioritize in the year ahead.
RaaS clients renew at . Once you know what real security feels like, the old way doesn't make sense anymore.
Talk to us about RaaSHigh-profile individuals face threats their teams aren't trained to see. The Creator Risk Snapshot finds them — and hands your management team a clear action plan.
Get your risk snapshotDelivered within 48 hours of engagement.
Follower counts don't just build careers — they build threat landscapes. Online visibility creates opportunities for stalking, swatting, targeted harassment, and physical confrontation that most management teams have no framework to address.
The Creator Risk Snapshot is a written threat intelligence product. No site visit required. We profile the specific threat landscape facing your client and deliver a plain-English action plan to your team.
A clear threat picture, plain-language recommendations, and a plan your team can act on — delivered to management, not the talent.
Talk to us about your rosterWorldSafe Certified is an independent vetting program for security vendors, technology providers, and practitioners. For organizations, it's a directory of independently evaluated partners. For providers, it's a way to build credibility with clients who are already looking for what you do.
Security procurement is opaque. Certifications are self-reported. Vendors make claims that no one verifies. Buyers have no independent way to evaluate whether a provider actually delivers.
WorldSafe Certified exists for both sides of that problem.
For organizations: a directory of independently vetted security vendors, technology providers, and practitioners — evaluated against the same standards we apply in our own assessments.
For service and solution providers: an independent credential that builds credibility with clients who are already in the market for what you do. A listing in a directory that WorldSafe actively uses when clients ask for referrals. A badge that holds up in a proposal because it was earned, not purchased.
The security vendor landscape is crowded and opaque. Certifications are self-reported. Claims are unverified. Procurement teams making security buying decisions often have no independent way to evaluate whether a vendor actually delivers what they promise.
WorldSafe Certified changes that. We evaluate vendors and practitioners against the same rigorous standards we apply to our own assessments — and we put our name on the ones that pass. That means something.
WorldSafe Certified is open to vendors, technology providers, and independent practitioners operating in the physical security and resilience space.
Access control systems, surveillance platforms, visitor management software, mass notification tools, and other technology products deployed in physical security programs. We evaluate whether the product does what it claims — and whether the company stands behind it.
Guard services, monitoring companies, alarm response providers, and physical security contractors. We evaluate operational standards, licensing compliance, training protocols, and the consistency between what's promised and what's delivered.
Security consultants, threat assessment specialists, executive protection professionals, and EH&S practitioners who operate independently. We evaluate credentials, methodology, and prior work — and we refer certified practitioners to WorldSafe clients by name.
Active threat response training providers, de-escalation training companies, and safety and emergency preparedness educators. We evaluate curriculum quality, instructor credentials, and whether the training produces measurable competency.
Brokers and risk advisors who specialize in security-related coverage and understand how security program quality affects underwriting. We evaluate their knowledge of the security landscape and their ability to connect clients with appropriate coverage.
Attorneys, compliance officers, and regulatory specialists who advise organizations on security-related legal obligations — NERC CIP, OSHA, Joint Commission, and others. We evaluate their regulatory knowledge and practical advisory track record.
The WorldSafe Certified evaluation is conducted by practitioners, not administrators. We look at how you operate, not just what you claim.
Submit a detailed application covering your organization's history, service scope, key personnel, client references, and any relevant credentials or certifications. WorldSafe reviews the application and conducts a preliminary interview before committing to a full evaluation.
A WorldSafe practitioner conducts a structured evaluation of your operations — methodology review, credential verification, client reference calls, and in some cases direct observation of work product or service delivery. The evaluation is designed to verify what you do, not just review what you say you do.
Your operations are assessed against the WorldSafe vendor standards for your category. These standards reflect what WorldSafe expects from organizations it refers to its own clients — which means they're practical, field-tested, and calibrated to real-world performance rather than documentation compliance.
Organizations that meet the standard receive WorldSafe Certified status, a verified digital badge, and a listing in the WorldSafe Certified vendor directory. The directory is actively shared with WorldSafe clients seeking vetted vendor recommendations — it is not a passive list.
Certification is valid for 12 months. Annual recertification ensures that listed vendors continue to meet the standard and that the directory reflects current operational quality — not a past snapshot. Significant changes to your organization or service offering may trigger an earlier review.
The badge signals to clients, partners, and procurement teams that your organization has been independently evaluated — not self-assessed — by practitioners who work in the field every day.
Applications are reviewed on a rolling basis. We'll respond within 5 business days to confirm whether your organization is a fit for evaluation.
Apply nowWorldSafe brings together enterprise security leadership, EH&S management expertise, and business development experience — backed by advisors who have run security programs for some of the world's largest organizations.
Joe Heinzen founded WorldSafe in 2022 to bring enterprise-grade security intelligence and resilience planning to organizations that needed it most. The firms with sophisticated security programs were large and well-resourced. Everyone else was guessing.
WorldSafe changes that equation. Through assessment, planning, training, and ongoing resilience partnership, we give every organization the quality of security analysis that Fortune 500 companies take for granted.
Every engagement starts with a consultation. No sales pitch — if we're not the right fit, we'll say so.
Book a consultationFill in what you can. A WorldSafe practitioner will reach out within one business day to schedule your initial consultation.
Response within one business day. A real practitioner, not a sales rep.
A 30-minute call. We learn about your organization and current program. If we're not the right fit, we'll tell you.
A clear next step. Every conversation ends with a specific recommendation, not a generic proposal.
No obligation. We don't do pressure. If the timing isn't right, we'd rather wait and earn your trust.
Scenario-based training built around your facility, your team, and the specific threats you face. Not a generic course. Not a checkbox exercise.
Schedule a trainingChoose what fits your organization, or let us recommend based on your assessment findings.
A facilitated discussion-based scenario. Your leadership team works through a realistic incident — active threat, workplace violence, breach — and stress-tests your response plan without the chaos of a live drill.
Practical, scenario-based training for your full staff on recognizing, responding to, and recovering from active threat situations. Based on real incident data, not generic FEMA frameworks.
Training your staff to actually enforce the security protocols you have. Who challenges unfamiliar faces. How to handle tailgating. What to do when someone ignores a badge-in requirement.
For C-suite and high-profile staff who operate in high-exposure environments. Covers threat awareness, travel security, digital footprint management, and how to work effectively with security personnel.
What your team says — and who says it — in the first 60 minutes of a security incident matters enormously. This training covers internal communication protocols, media handling, and stakeholder notification.
A structured annual training calendar designed for organizations that want to maintain readiness without reinventing the program every year. Includes two tabletop exercises, one full-staff drill, and a post-exercise review.
Tell us about your organization and we'll recommend the right format. Most training sessions are available within two weeks of booking.
Book nowWorldSafe works across industries because security gaps follow patterns — and practitioners who've seen them in one sector recognize them in another.
Multi-site, complex access control environments, regulated industries, high-profile leadership, and the constant pressure of operational continuity. WorldSafe becomes your embedded security function — not a vendor you call once a year.
Hospitals, clinics, and healthcare facilities operate 24/7, serve vulnerable populations, and face a unique threat profile — from workplace violence to pharmaceutical theft to access control across hundreds of entry points.
Faith communities and nonprofits face a difficult balance: they exist to welcome people, but open-door environments create real exposure. WorldSafe designs security that's invisible to visitors and effective when it counts — no fortress required.
From single storefronts to multi-location retail operations, WorldSafe assesses your exposure and builds a program your team can actually run — without a dedicated security department.
Energy facilities, water systems, pipelines, data centers, and transportation infrastructure operate under some of the most demanding regulatory requirements in the security landscape — and face a threat profile that general security programs aren't designed to address.
WorldSafe practitioners understand the regulatory framework — NERC CIP, TSA Pipeline Security Directives, FERC physical security standards — and assess your physical security posture against both the regulatory requirements and the actual threat environment, which are not always the same thing.
WorldSafe works across schools, government facilities, financial services, data centers, and more. If you have a facility and a threat, we have a practitioner.
Talk to usWorldSafe builds business continuity plans that work under real conditions — tested, drilled, and written for the people who have to execute them.
Talk to us about continuity planningA business continuity plan that's never been tested is a hypothesis. WorldSafe builds your plan, then drills it with your team until they can execute it under pressure — not just recite it in a meeting.
We work backwards from your most critical operations to define exactly what has to keep running, who's responsible for keeping it running, and what the decision tree looks like at 2am on a Saturday.
A clear inventory of every function that has to keep running during a disruption — ranked by criticality and mapped to specific roles, systems, and dependencies. The foundation of any real continuity plan.
Scenario-specific response guides written in plain language. Not a 200-page binder — actionable decision trees that tell the right person exactly what to do in the first 60 minutes of a disruption.
For each critical function, we define how long the organization can operate without it, what the recovery process looks like, and who owns it. No ambiguity about who calls what at 3am.
WorldSafe continuity plans are tested before they're delivered. Book a consultation and we'll scope the right program for your organization.
Book a consultationLast updated: January 2026
Plain-language analysis, practitioner perspective, and field notes from the front line of physical security.
No marketing. One email when something worth reading goes up.
Every engagement is different. These are some of the problems WorldSafe has helped organizations identify and solve.
A 340-bed regional hospital network engaged WorldSafe after a series of after-hours access incidents. Their existing program consisted of badge access and a contracted guard service — both of which turned out to have significant blind spots the internal team had no visibility into.
WorldSafe's assessment identified 11 distinct gaps across three campuses: after-hours door propping in the emergency department, camera coverage blind spots in two stairwells, and a visitor credentialing process that hadn't been updated since 2019. All 11 were documented with financial exposure estimates and a 90-day remediation roadmap.
A management company representing three artists with combined social audiences exceeding 40 million followers engaged WorldSafe after a series of escalating online incidents that the team wasn't equipped to assess or contextualize.
The Creator Risk Snapshot profiled each artist's public exposure across posting patterns, location signals, travel routines, and event schedules. For one client, the analysis identified a predictable weekly pattern that had been inadvertently published across three different platforms. The management team implemented posting controls and a travel protocol within two weeks of delivery.
A 2,400-member church with three locations wanted to implement a meaningful security program after a concerning incident at a neighboring congregation — but was deeply concerned about changing the welcoming, open atmosphere that defined their community.
WorldSafe designed a layered protection approach that prioritized visibility without overt security presence: staff positioning and training, access point management for large services, and a volunteer security team protocol that was indistinguishable from general hospitality. The congregation's senior leadership reported no negative member feedback after implementation.
An industrial operations company with NERC CIP compliance obligations engaged WorldSafe after an internal audit flagged discrepancies between documented procedures and actual field practice. Their compliance team had verified documentation. Their security team had documented processes. Neither had been observed operating together under pressure.
WorldSafe conducted a full assessment including a tabletop exercise that surfaced five procedural gaps that existed only in execution — not on paper. The remediation plan included updated training, revised protocols, and a quarterly drill schedule. The company has maintained WorldSafe Certified Level 2 status since completion.
Every engagement starts with a consultation — if we're not the right fit, we'll say so.
Book a consultationSpeaking engagements, industry conferences, workshops, and webinars. Find us in person or online.
Las Vegas, NV · Sands Expo Convention Center
Gary presenting: "The Practitioner's View: What Security Assessments Miss and Why." Main stage, Track 4 — Physical Security Leadership.
Online — 1:00 PM ET · 60 minutes
Perry Hawkins walks through a live assessment report, explains what the scores mean, and shows exactly how to build a remediation roadmap from findings. Open to WorldSafe clients.
Chicago, IL · Full-day workshop · Limited to 20 attendees
A hands-on session for security directors and CSOs who want to build and run effective tabletop exercises in-house. Includes WorldSafe scenario library and facilitator guide.
Online — 2:00 PM ET · 45 minutes
WorldSafe's creator security methodology for artist managers, talent reps, and PR teams. Covers threat profiling, exposure management, and the Creator Risk Snapshot process.
Dallas, TX · Kay Bailey Hutchison Convention Center
WorldSafe at Booth 1142. Stop by for a live demo of the WorldSafe assessment methodology and to learn about the WorldSafe Certified program. Gary and Perry both in attendance.
Washington, D.C. · Marriott Marquis
Gary speaking on soft-target security for faith and nonprofit organizations. Panel: "Security Without Surveillance: Protecting Open-Door Organizations." Co-presented with Dept. of Homeland Security representatives.
WorldSafe has presented at ISC West, ASIS International, the National Sheriffs Association Annual Conference, and a range of regional security and industry events. For speaker inquiries or to request a WorldSafe presentation for your organization, get in touch.
After hundreds of site assessments across healthcare facilities, corporate campuses, faith communities, and industrial operations, certain vulnerabilities show up with striking consistency. Not occasionally — almost every time. These aren't exotic attack vectors or sophisticated threats. They're gaps that exist because no one was looking for them, or because the fix never made it off the to-do list.
Here are the eleven we find most reliably. If your organization has addressed all of them, you're ahead of the curve. If even a few sound familiar, it's worth a closer look.
The single most common finding across every industry we work in. A door that's supposed to be secured gets propped open — by a delivery person, a smoker, someone who forgot their badge. The prop gets removed, but the habit persists. We've walked into server rooms, medication storage areas, and executive floors through propped doors that staff walked past dozens of times a day without registering as a problem.
The fix isn't just an alarm on the door. It's a culture that treats an open door as an incident, not an inconvenience.
Cameras cover the parking lot. Cameras cover the lobby. Nobody covered the stairwell between the second and third floor, or the corridor between the loading dock and the warehouse floor. Threat actors move through transition points, not monitored zones. We map every blind spot and show you exactly what isn't being watched.
The visitor log exists. The process was designed five years ago. Since then, the organization has moved buildings, changed staff, added contractors, and shifted to hybrid work — and the visitor credentialing process reflects none of it. In healthcare settings, we regularly find visitor protocols that haven't accounted for after-hours access or vendor relationships established years after the original security program was written.
Former employees. Vendors whose contracts ended. Temporary staff from two years ago. Badge access lists accumulate over time, and routine deactivation processes either don't exist or aren't being followed. In one engagement, we found 47 active badges belonging to people who no longer worked at the organization.
The plan exists. It was written by the security director three years ago. That person left eighteen months ago. The plan is in a binder somewhere. The current team has never read it, has never drilled it, and couldn't locate it under pressure. This is not a hypothetical — we encounter it regularly.
One PIN for the loading dock. One code for the after-hours entrance that everyone in the department has memorized. Shared credentials eliminate accountability and make it impossible to trace who accessed what when. They're also remarkably common in organizations that otherwise have sophisticated security programs.
Your staff knows they're supposed to badge in. What happens when someone follows them through the door? What happens when an unfamiliar person walks through the lobby with purpose and confidence? In most organizations, nothing happens. Nobody challenges them. We've walked through controlled access areas in business attire carrying equipment, unchallenged, in facilities where the staff would have described their security culture as strong.
The intercom system. Or the phone tree. Or the mass notification app that three people know how to use. If your emergency communication plan depends on a single channel, it has a single point of failure. We find this in organizations of every size and sophistication.
Leadership knows there are gaps. They don't know what those gaps cost if exploited. Without a financial frame, security investment decisions get made based on gut feel rather than risk calculus. Every finding in a WorldSafe assessment comes with a financial exposure estimate — because knowing what a gap costs changes how seriously it gets treated.
The compliance requirement is met on paper. The procedure exists. Nobody has tested whether staff can execute the procedure under actual conditions. In regulated industries — healthcare, energy, financial services — we consistently find a gap between what the compliance documentation says and what actually happens on the floor.
Something happened — a breach, a threat, a near-miss. It was handled. Then everyone moved on. There was no structured review, no root cause analysis, no update to the response plan. The same gap that allowed the incident exists at the next facility, or will exist again next year when staffing changes.
Security programs fail most often not because of what organizations don't know — but because of what they know and haven't fixed.
None of these gaps are difficult to close. Most can be addressed without significant capital expenditure. What they require is someone who knows to look for them, and an organization willing to act on what they find.
If any of these sound familiar in your facility, that's exactly what a WorldSafe assessment is designed to address.
A WorldSafe assessment finds every gap, scores it by severity and financial exposure, and gives you a prioritized remediation roadmap. Start with a consultation.
Book an assessmentThe annual security assessment made sense when organizations changed slowly. When the same 200 people used the same building the same way, year after year, a point-in-time snapshot gave you most of what you needed to know.
That world doesn't exist anymore.
In the past three years, the average mid-sized organization has renegotiated its lease, shifted to hybrid work, onboarded dozens of new vendors, lost institutional knowledge through turnover, and added physical locations it didn't have before. The threat environment facing that organization has changed every quarter. The annual assessment hasn't kept pace.
Here's what typically happens with an annual assessment cycle. An organization completes their assessment in Q1. The report identifies 14 gaps. Eight of them get addressed over the next six months. Six remain open — not because no one cares, but because remediation takes time, budget, and organizational attention that's competing with everything else.
By Q4, the organization has also onboarded a new facilities contractor, moved two departments to a different floor, and hired 30 people who have never been trained on the emergency response plan. The assessment from Q1 has never been updated to reflect any of this. When Q1 of the following year arrives, the organization begins a new assessment as though the intervening twelve months didn't happen.
The assessment becomes an annual event rather than an ongoing capability.
The things that change security posture don't wait for annual cycles:
Any one of these can render a previous assessment's findings incomplete or incorrect. All of them can happen in the same quarter.
The alternative isn't running a full assessment every month. That's neither practical nor necessary. What it requires is a structured cadence — quarterly reassessments against a known baseline, combined with ongoing monitoring of the factors that change security posture between formal assessments.
This is what Resilience as a Service is designed to do. Rather than treating security as a project with an annual deliverable, RaaS treats it as a function — one that operates on a schedule that matches how organizations actually change, not how audit cycles are traditionally structured.
The question isn't whether your program was sound twelve months ago. It's whether it's sound today.
Organizations that move to a continuous model consistently find that the cost of ongoing assessment is lower than the cost of remediating the gaps that accumulate between annual audits — and significantly lower than the cost of an incident that those gaps make possible.
The annual assessment isn't wrong. It's just not enough.
WorldSafe RaaS gives you quarterly assessments, tabletop exercises, and 24/7 practitioner advisory — all on a retainer that scales to your organization.
Learn about RaaSA trained threat actor doesn't need access to private information to build a detailed picture of a high-visibility individual's life. They need a social media account, patience, and the ability to read patterns.
This isn't a hypothetical. It's how most serious approach incidents targeting public figures begin — not with a breach, not with inside information, but with a systematic reading of publicly available content that the subject posted themselves.
Consider what a typical week of content from a creator with a significant following might contain:
Individually, none of these is alarming. Aggregated over weeks and months, they constitute a detailed operational picture: where the subject is on a Tuesday morning, what their travel schedule looks like through the end of the year, who their close contacts are and where they live, and what their home looks like from the outside.
The most dangerous exposures aren't the dramatic ones. They're the patterns — the third-place locations that appear consistently, the timing signals that reveal when someone is home and when they're not, the travel routines that make someone predictable at specific locations at specific times.
Patterns are dangerous because they're reliable. A threat actor who knows that someone is at a particular location every Tuesday morning doesn't need luck. They need a calendar.
The information was already public. Most management teams just hadn't mapped what it revealed.
The individuals who manage high-visibility talent are focused on building careers, not on reading their clients' public content as a threat intelligence document. That's not a failure — it's a specialization problem. Talent managers are not trained threat analysts, and they're not supposed to be.
What they need is someone who is. Someone who can look at six months of public content and identify the patterns that create meaningful exposure — and then tell the management team exactly what to change without disrupting the content strategy or alarming the talent.
Effective exposure reduction for high-visibility individuals doesn't require going dark or abandoning the content strategy that built the audience. It requires three things:
None of this requires a dramatic operational change. It requires a clear-eyed assessment of what the current footprint reveals, a set of practical guidelines, and a management team that knows why those guidelines matter.
That's exactly what a Creator Risk Snapshot delivers — and it starts with the content your client is already posting.
The Creator Risk Snapshot profiles exposure across posting patterns, location signals, travel predictability, and proximity risk — and delivers a plain-English action plan to your management team in 48 hours.
Learn about the Creator Risk SnapshotMost organizations approach a tabletop exercise as a plan review. They gather the relevant team, walk through a scenario, confirm that the documented procedures align with what people would actually do, and leave satisfied that the plan is sound.
That's not what a tabletop exercise is for. And that framing is why most of them don't produce the insights they should.
In almost every tabletop exercise we facilitate, the plan holds up reasonably well. The documented procedures are defensible. The decision trees make sense on paper. The roles and responsibilities are mostly clear.
What doesn't hold up is the space between the plan — the assumptions that never made it into documentation because they seemed obvious. The things that everyone believes someone else is responsible for. The dependencies that nobody mapped because they'd never been tested.
In a well-facilitated tabletop, within the first 20 minutes of the scenario, several things typically become apparent:
None of these are plan failures. They're assumption failures — and they only surface when a realistic scenario forces the team to actually work through the decision sequence under simulated pressure.
A tabletop doesn't test whether your plan is correct. It tests whether your team can execute it under conditions the plan didn't fully anticipate.
The quality of a tabletop exercise is largely determined by the facilitator. A facilitator whose goal is to confirm the plan will design a scenario that confirms the plan. A facilitator whose goal is to find the gaps will design a scenario that finds the gaps — one with realistic ambiguity, incomplete information, and time pressure that mirrors what an actual incident looks like.
The scenario should be uncomfortable. Not artificially so, but realistically so. The most valuable moment in a tabletop is usually when someone says "I assumed that was handled" — and it turns out it wasn't.
The exercise itself is not the deliverable. The post-exercise review is. A structured after-action discussion that identifies every assumption that didn't hold, every coordination gap that surfaced, and every procedure that needs to be updated is where the real value is produced.
Organizations that treat tabletop exercises as confirmation exercises come out of them feeling good. Organizations that treat them as gap-finding exercises come out of them with a clearer, more executable plan — and a team that has actually practiced working through a crisis together.
That's a meaningfully different level of readiness.
WorldSafe facilitates scenario-based tabletop exercises designed to surface execution gaps — not confirm what you already know.
Learn about training & drillsHealthcare workers experience workplace violence at rates significantly higher than almost any other industry. The data on this is not in dispute. What is less well understood is that the data vastly underrepresents what is actually happening in clinical environments — and that the gap between reported incidents and actual incidents shapes how healthcare organizations make security investment decisions.
If your security program is calibrated to your reported incident rate, it is calibrated to a fraction of your actual exposure.
Healthcare workers don't fail to report workplace violence because they're not paying attention or because they don't understand reporting requirements. They underreport because the culture of many clinical environments treats certain categories of violent behavior as an inherent part of the job.
Verbal aggression from patients in acute distress. Physical contact during restraint procedures. Threatening behavior from family members under stress. These incidents often don't get reported not because staff don't recognize them as incidents, but because they've been socialized to absorb them as the cost of working in healthcare.
This isn't a failure of individual staff members. It's a systemic normalization that produces a reporting environment where the most common forms of workplace violence are the least likely to generate a formal record.
Studies examining healthcare workplace violence through anonymous surveys and direct observation consistently find reporting rates between 20% and 40% for physical assault events, and significantly lower for verbal and psychological incidents. That means for every reported physical assault in a clinical setting, there are likely two to four that were not reported.
The implications for security program design are significant. An organization that believes it has 12 workplace violence incidents per year may be operating in an environment with 30 to 50. The risk model built on the reported number is built on incomplete data.
When we assess healthcare facilities, the security gaps we find most consistently are not in the areas that generate the most reported incidents. They're in the areas that generate the most unreported ones:
Joint Commission standards address workplace violence prevention in healthcare settings. Most healthcare organizations have documented compliance with these standards. What Joint Commission compliance does not guarantee is that the documented program reflects the actual threat environment — because the compliance framework is built around reported data, not actual incident rates.
An organization can be fully compliant with Joint Commission workplace violence standards and simultaneously be operating a security program that significantly underestimates its exposure. Compliance is a floor, not a ceiling.
Calibrating your security program to your reported incident rate is like calibrating your smoke detectors to the fires your neighbors have reported.
A meaningful security assessment in a healthcare setting has to go beyond the incident log. It has to include structured observation during actual operating conditions — including high-stress periods — anonymous staff surveys that surface unreported experiences, and a systematic review of the physical environment against the actual patterns of patient and visitor behavior.
The goal isn't to produce a higher incident count. It's to understand the actual risk environment so that security investments can be directed at the right problems.
The organizations that get this right aren't the ones with the lowest reported incident rates. They're the ones that stopped using reported incident rates as their primary measure of security effectiveness.
WorldSafe assessments go beyond the incident log — including direct observation, staff interviews, and a systematic physical review calibrated to clinical operating conditions.
Book a consultationSecurity certifications are not all the same. Some verify that documentation exists. Some verify that training was completed. Some verify that a checklist was reviewed by an auditor who wasn't present when the work was done. The value of a certification is determined entirely by what it actually requires — and most security certifications require less than organizations assume they do.
WorldSafe Certified was designed to be different. Here's exactly what it requires, what it doesn't, and why we built it the way we did.
WorldSafe Certified is not a documentation audit. It is not a self-assessment with practitioner review. It is not issued based on a completed training program or a policy review. You cannot achieve WorldSafe Certified by filling out a form, completing an online course, or having your existing documentation reviewed against a standard checklist.
We say this explicitly because the security certification landscape is full of credentials that do exactly those things — and that produce organizations who believe their program meets a verified standard when it has only met a documentation standard.
WorldSafe Certified Level 1 requires a completed on-site assessment by a WorldSafe practitioner, followed by documented remediation of all critical and high-severity findings verified by a practitioner return visit. The certification is not issued when the remediation plan is submitted. It's issued when the remediation is confirmed.
This distinction matters. A plan to fix a gap is not the same as a fixed gap. Many certification frameworks treat the plan as the deliverable. Ours treats the fix as the deliverable.
Level 2 adds two requirements that Level 1 doesn't include: a passed tabletop exercise and verified staff training completion across key roles. Both are confirmed by WorldSafe practitioners — not self-reported.
The tabletop exercise is facilitated by WorldSafe using a scenario designed against your specific facility and threat profile. Passing it means your team demonstrated the ability to execute your response plan under simulated conditions. It does not mean your team produced the correct answers on a quiz about the plan.
Level 3 is earned, not awarded. It requires four consecutive quarters of RaaS assessments showing improving security posture, two live-drill exercises, and a verified incident response capability. It reflects a track record — demonstrated resilience over time — rather than a point-in-time evaluation.
Most organizations that pursue Level 3 don't start there. They start with Level 1, move to Level 2 within six to twelve months, and reach Level 3 after a year of active RaaS partnership.
We built WorldSafe Certified the way we did because we've seen what the alternative produces. Organizations with documentation-based certifications that believe their program is verified when it has never been tested. Organizations that discover during an actual incident that their certified program doesn't perform the way their certification implied it would.
A certification that only verifies documentation gives organizations the appearance of a verified program without the substance. We think that's worse than no certification at all, because it produces false confidence.
A certification should tell you something true about the organization it represents. Ours does.
WorldSafe Certified is not the easiest certification to achieve. That's intentional. It's meaningful precisely because it requires something real.
We'll scope the path to certification for your organization and give you an honest timeline.
Learn about WorldSafe CertifiedA 340-bed regional hospital network operating across three campuses engaged WorldSafe after a series of after-hours access incidents that the internal team couldn't fully explain. Their existing security program consisted of badge access infrastructure and a contracted guard service — both of which were functioning as designed. The incidents kept happening anyway.
The VP of Operations had spent two decades in healthcare operations and had engaged security consultants before. He was skeptical that an assessment would find anything the existing program hadn't already surfaced. He was wrong.
WorldSafe conducted a 2-day on-site assessment across all three campuses, including after-hours observation periods that the previous security reviews hadn't included. Within the first walk-through, the pattern became clear: the badge access system was functioning correctly. The gaps were in the behaviors and physical configurations that the badge access system assumed were being managed.
The 11 gaps documented in the final report included:
The report delivered a prioritized remediation roadmap with each finding ranked by severity and estimated financial exposure. The client's internal team, now working from a clear action plan rather than an undefined problem, closed 9 of 11 findings within 60 days. The remaining 2 required capital expenditure that was approved in the following budget cycle.
The after-hours access incidents stopped within three weeks of the first remediation actions — before the full 60-day remediation was complete. The propped door and the vendor credentialing gap were the root cause of the incidents the engagement had been triggered to address.
The VP of Operations enrolled the network in WorldSafe's RaaS program within 90 days of the initial assessment. The first quarterly reassessment identified 3 new gaps that had emerged during a facility renovation in the intervening period — a finding that, in his words, "justified the entire program cost in a single visit."
The network has maintained WorldSafe Certified Level 1 status since the completion of initial remediation, and is currently on the path to Level 2 following a passed tabletop exercise in Q1 2026.
A WorldSafe practitioner will visit your site, document every gap, and give you a prioritized remediation roadmap within 5 business days of the visit.
Book an assessmentA management company representing three artists with combined social media audiences exceeding 40 million followers had been managing a growing number of concerning incidents — escalating online messages, unexpected appearances at known locations, a credible threat communicated through a third party — without any structured framework for assessing severity or responding appropriately.
The manager, Tara, had been handling each incident as it arose. There was no documented threat assessment process. There were no protocols for what to communicate to talent, what to report to law enforcement, or how to determine whether an individual online represented a meaningful physical risk. She described her decision-making as educated guessing at best.
A publicist in her network referred her to WorldSafe after a particularly concerning incident involving one of her highest-profile clients.
WorldSafe conducted Creator Risk Snapshots for all three artists over three sequential 48-hour engagements. Each assessment profiled:
For one client, the analysis identified a posting pattern that had inadvertently published a predictable weekly routine across three different platforms. No single post was alarming in isolation. Aggregated, they established that the client was at a specific location every Tuesday morning, departed for rehearsal at a consistent time, and returned home via a route that could be inferred from incidental background details across multiple posts.
For a second client, the proximity spillover analysis identified a household member who was posting content that revealed the primary client's home address with enough specificity to be actionable — content the client was unaware of and had no control over.
For the third client, the escalation indicator analysis identified a small number of accounts that had moved from standard fan engagement to behaviors consistent with fixation — contact frequency, cross-platform tracking, and language that warranted a documented threat file and communication to venue security for upcoming appearances.
Within 14 days of report delivery, the management team had implemented posting controls for all three clients — specific guidelines about timing, location, and proximity content, developed with the WorldSafe team specifically to preserve content strategy while reducing exposure. None of the clients were informed of the full scope of the assessment. The manager communicated the changes as standard practice updates.
A travel security protocol was developed for the client with the most active touring schedule, reviewed by WorldSafe and built into the standard advance work for venue appearances. The household member posting concern was addressed privately through the client's personal team.
The individual identified through the escalation indicator analysis was documented and shared with venue security teams for the client's next four appearances. No incident occurred.
The Creator Risk Snapshot is delivered to management in 48 hours. Plain English. Actionable. The talent doesn't need to know it's happening unless you want them to.
Learn about the Creator Risk SnapshotA 2,400-member congregation operating across three locations reached out to WorldSafe after a concerning incident at a neighboring church had prompted the senior leadership to take a serious look at their own security posture. They had never done a formal security assessment. They had no written security program. Their volunteer ushers and hospitality team had no security training of any kind.
What made this engagement distinctive was the explicit constraint the senior pastor placed on the outcome: whatever WorldSafe recommended had to be invisible. No guards at the door. No metal detectors. No security presence that would signal to congregants that they were entering a building that needed protection. The community had been built on radical welcome, and security theater — in either direction — was unacceptable.
The goal was a program that would work when it needed to, and that members would never notice.
WorldSafe conducted a 3-location assessment that included observation during live services — the most important operating condition for a faith community and one that standard security reviews typically don't include. The assessment covered:
The security program WorldSafe designed for this congregation operated on a layered model — multiple rings of attention and response capability that were activated through natural human behavior rather than visible security infrastructure.
The hospitality team — already the most present and most trusted people in the space — became the first layer of the security program. Their existing role of greeting, directing, and attending to congregants was extended with specific training on what to observe, what to report, and how to respond. They remained hospitality volunteers. They also became trained observers.
The volunteer security team — a separate group of congregants who wanted a more active role — was trained on de-escalation, communication protocols, and emergency response procedures. They were positioned to blend with the congregation during services, identifiable only by a small lapel pin that other trained team members could recognize.
Specific protocols were developed for large gatherings, holiday services, and community events — the moments of highest attendance and highest exposure. An emergency communication plan replaced the existing informal system. A children's ministry check-in protocol was implemented that the congregation experienced as a welcoming administrative process, not a security measure.
Implementation took 8 weeks from assessment completion. The leadership reported no negative feedback from any congregation member in the months following implementation. Several members commented positively on what they perceived as an improved sense of organization and welcome — not recognizing the security function underlying it.
The senior pastor described the outcome in simple terms: "It works. Nobody knows it's there."
The congregation has since extended the engagement to include an annual reassessment before the holiday season — the highest-attendance, highest-exposure period of their calendar year.
WorldSafe designs protection programs for faith communities and nonprofits that preserve the open, welcoming environments you've built. Start with a consultation.
Talk to usAn industrial operations company with obligations under NERC CIP (Critical Infrastructure Protection) standards engaged WorldSafe after an internal audit flagged discrepancies between their documented security procedures and what was actually happening in the field. They were not out of compliance — their documentation was current, their training records were complete, and their last external audit had passed without findings. The problem was subtler than a compliance gap.
The compliance team had verified documentation. The security team had documented processes. What no one had verified was whether the compliance documentation and the security processes were actually the same thing — and whether the people responsible for executing them understood their role well enough to do it under the conditions an actual incident would create.
WorldSafe conducted a full site assessment covering physical security infrastructure, access control, personnel security protocols, and regulatory alignment. The physical assessment produced 7 findings, all of which were addressable through operational changes rather than capital investment. None were critical from a NERC CIP compliance perspective — the documentation accurately reflected the intended program.
The more significant findings came from the tabletop exercise WorldSafe facilitated in the second phase of the engagement. The scenario was designed around a realistic intrusion event at a critical asset location — the kind of event NERC CIP's physical security standards are specifically designed to address.
Within the first 20 minutes of the scenario, 5 execution gaps surfaced that no amount of documentation review would have found:
All 5 execution gaps were addressed within one quarter. The remediation included updated documentation, a revised notification chain with verified contact information, a redesigned shift handoff protocol, and a second tabletop exercise at the end of the quarter to confirm that the changes held under simulated pressure. The second exercise passed.
The company achieved WorldSafe Certified Level 2 following the second tabletop. Their Director of Security Operations noted that the certification had become a meaningful tool in conversations with regulators and insurance underwriters — both of whom had asked about their security program verification process in the months following their last audit.
The engagement produced something the internal audit had correctly identified as a problem but couldn't define: the difference between a program that exists on paper and a program that can be executed by real people under actual conditions.
WorldSafe assessments and tabletop exercises verify whether your program works — not just whether it's documented. Start with a consultation.
Book a consultation