These are the questions pastors, executive pastors, elders, and facilities directors actually ask — not the questions security professionals ask each other. The answers below come from 36+ years of converged security experience, including pro bono security consulting with 450+ churches and faith-based organizations across the United States. Security for a house of worship is not a Sunday morning volunteer problem. It is a 24×7×365 converged security responsibility, and it deserves the same honest, practical guidance as any other organization.
— Jim McConnell, Ask McConnell, LLC | Contact Jim | Free Versus Comparison Docs | Free Policy One-Pagers
Note the use of the term “Pastor” is not meant to limit the audience or other leadership titles in your House of Worship.
1.0 The “Do We Even Need This?” Questions
1.1 We’re a church. Isn’t having security guards or a security program sending the wrong message to people who need us most?
Yes Pastor, it could, you know your culture better than I would. However I would challenge you think about how do make them all FEEL safer with appropriate security. Also remember that security guards, without providing awareness of reasons from the pulpit is very different then deploying a “security program”, which includes people security, building security, information security, fraud prevention, cyber security, etc. You have a security program today, we are just encouraging the maturing of that program to better protect the resources you have been blessed with.
1.2 Our senior pastor says “God will protect us.” How do I respectfully push back on that — or should I?
Leader, there is old story in my career, where I was asked about stopping bad behavior that a security program helps managed, and my answer was, “Stop Hiring Humans”. So I think there is simple education that can take place around the responsibility the senior pastor and oversight board about safety and security beyond of their beliefs and faiths. For example, would he say that if OSHA (US Safety Regulator) showed up? “God will maintain safety for us”, Probably not.
Check out my highly trusted authority and friend, Simon’s book on this topic.
1.3 We’ve been here for 40 years and nothing has ever happened. Why do we need a security program now?
That is one of the most dangerous statements in church security, and I hear it more than any other. “40 years without an incident” usually means 40 years without a major documented incident — or 40 years where incidents happened and were not recognized as a security failure. Background check failures that went undetected. Financial fraud quietly absorbed. Volunteer misconduct handled as a pastoral matter, not a security event.
Locks, alarms, cameras, passwords, offering collection controls, email security, children check-in process – oh wait you have all these in place, that means you have part a security program already under your leadership. Should it be improved, yes. Should it be done with excellence, yes. Remember a “security program” is never one thing and hopefully that “one thing that bothers you” isn’t what is holding you back with make your church a more secure and safer place to worship.
1.4 How do I convince our elders and board that security is worth the budget line — without making it feel like we’re running a fortress?
Frame it as stewardship, not paranoia. The people, property, finances, and programs entrusted to your organization are not yours to lose carelessly — they belong to your congregation, your donors, and ultimately your mission.
The question for your elders is not “should we feel like a fortress?” — it is “what is the cost of not being prepared?” A data breach exposing member giving records. A child abuse incident on your property. An active assailant event you were unprepared for. A wire fraud that empties your operating account two weeks before payroll. Those are not hypotheticals — they are incidents that have happened to churches your size, in communities like yours, in the last five years. What is the difference between your elders’ personal security and their businesses security and the church’s security responsibilities? Not Much.
A security program is a risk management program. Budget for it accordingly.
2.0 Theology in Tension
2.1 We believe in grace, redemption, and second chances. A registered sex offender (or other type of criminal) wants to attend our services. What do we do?
First, know your state laws — some states restrict registered sex offenders from attending services where minors are present, regardless of your policy. Second, verify the registration. Third, engage your church attorney before you set policy, because this is a legal and liability decision, not just a pastoral one.
If you choose to allow attendance, a Covenant Agreement — a written, signed document specifying where the individual may and may not be on your property, when, and under what supervision conditions — is standard practice in churches that have navigated this well. Never in or near children’s ministry areas. Never alone with a minor under any circumstances. Supervision by two designated adults throughout every visit. Written records maintained.
Your children’s ministry volunteers need to know — not as gossip, but as a designated security posture. Grace and accountability are not opposites. Real grace for the individual and real protection for your vulnerable population can coexist. Get policy, get legal review, and document it before the first service.
Check out this “Versus” document on this topic also.
2.2 Our congregation is deeply divided — some members feel that armed security shows a lack of faith. Others feel it’s irresponsible not to have it. How do we navigate that as leadership?
This division exists in virtually every church that’s working through security. The honest answer is that both sides are partially right — and neither side should be making the decision in isolation.
Armed security and a security program are not the same thing. A robust security program includes access control, video surveillance, trained volunteer teams, emergency protocols, cyber, fraud, personnel, buildings, missions trips, background check programs, etc.— all of which can be implemented without a visible armed presence. If your congregation’s culture makes armed security feel like a mission compromise, build the non-armed program robustly first. That addresses a significant portion of the risk.
If you decide armed security is appropriate — and for many congregations it is — then education from the pulpit about why this reflects responsible stewardship, not faithlessness, matters.
Leadership’s role is not to poll the congregation to find consensus — it is to make a defensible, documented decision and own it. You should be able to explain to any stakeholder why you made the choice you made.
Here are some additional resources on my site that might help:
“Versus” document on armed vs unarmed
2.3 We call ourselves a sanctuary. How do we hold that theological conviction and still run a responsible security program?
Sanctuary means a place of refuge and welcome — not an unprotected place. An unprotected sanctuary (office, childrens building, playground, etc) is actually a poor one. The people who need sanctuary most — abuse survivors, refugees, families in crisis — are made less safe by an environment without any security controls. The people who would do harm in your sanctuary depend on it being unprotected.
A responsible security program does not undermine the sanctuary — it protects the people, the physical assets of the church, money, etc. inside it. Access control tells you who is in your space. Volunteer screening protects children seeking refuge. Cyber security protects confidential counseling records. Financial controls protect the resources that fund your mission.
What sanctuary challenges is an attitude of exclusion — which is different from security. You can screen without excluding. You can protect without profiling. That requires intentionality, policy, and training.
3.0 Scope — Beyond Sunday Morning
3.1 What does security actually look like for a house of worship on Tuesday afternoon? We have staff in the building, a food pantry running, a daycare operating, and a grief support group meeting — all at the same time.
Tuesday afternoon is harder than Sunday morning — and most church security programs only address Sunday. This is one of the most wise and mature questions a church can ask me.
Just like at a home, a business, a school, or and a church, security is 24x7x265 and recognizing that Tuesday has different (sometimes harder) security requirements than Sunday, than 3am on Saturday…..at that offsite Kids’ Camp.
So we you looking at budget, volunteers, staff ownership, policies, procedures, trainings, security controls, make sure you (all) are considering these and other elements for any time day or night.
The answer is a layered security posture that is active all week, not just on Sunday. And someone has to own it.
3.2 We rent our facility to outside groups — community organizations, a youth sports league, a Narcotics Anonymous chapter. What are our security responsibilities during those events?
More than most churches realize. When you rent or lend your facility, your security policies, your insurance, and your duty of care do not stop at the rental agreement (oh wait you don’t have one…..eh, might not be a good steward of your responsibilities) — you/they transfer into whatever happens in your space under your roof.
At minimum: every external group that uses your facility should have a point of contact responsible for their attendees, a background check policy for any individuals who will be alone with minors, and a signed acknowledgment that they have received your emergency procedures and security policies.
Youth sports leagues with children present activate all your children’s ministry security standards — even if your church did not organize the event. Require compliance with your child protection policy in writing. This is a great example, oh we don’t have to worry about this because they won’t be in our buildings, think again.
I have a great One Pager Policy resource on this topic for your to integrate into your agreements (that you are going to have for all outsite groups going forward right?
3.3 We handle cash offerings every week. Several staff members count it in a back office after the service. What should we have in place?
Cash offering handling is one of the highest-fraud-risk activities in houses of woship operations, and it is routinely handled with almost no controls.
The basics: never fewer than two unrelated individuals present during the entire count — from collection through final count, deposit prep, and transport to the bank. Rotating pairs, not the same two people every week. A count sheet both individuals sign, reconciling what came in against the deposit slip. A drop safe or locked location for currency between the count and the bank deposit. Deposits made the same day or next morning — not held over weekends. Video coverage of the count room where possible. Separate the deposit and bank reconciliation functions so no single person can collect, count, deposit, and reconcile without a second set of eyes. These are all EXAMPLES of a FEW of the procedural controls that should be considered in your environment.
These controls are not about distrust — they protect honest volunteers and staff from false accusations as much as they protect the church from theft.
One of my One Pager policies also might be of help on this topic
4.0 People & Personnel
4.1 Do we really need to background check our volunteers (and staff)? These are people we know — they’ve been members here for years.
Yes. And “we know them” is exactly the scenario where background checks are most important — and most often skipped.
A amount of criminal activities in faith communities involve a trusted, known individual. Someone who has been a member for 20 years. Someone whose family gave to the building fund. Someone everyone liked.
A background check does not tell you about offenses that did not result in a conviction. It does not tell you about incidents in states where your county check does not reach. But it tells you things that your personal knowledge of someone’s church attendance does not. It also creates a documented standard of care — evidence that you exercised reasonable diligence in your selection process.
Without it, you do not just have a safety gap — you have a liability exposure. Churches that have lost abuse, insurance, and criminal/civil cases were found to have failed to take the reasonable precautions a reasonable organization would have taken. A background check is the minimum floor. Know what your denomination requires above that floor.
Also a good Versus resource on this topic that you also might consider.
4.2 One of our elders has a concealed carry permit and wants to be our “security.” Is that enough?
No — and in most scenarios, it creates more risk than it resolves.
A concealed carry permit means the elder has met the state’s minimum training standard to carry a firearm legally. That standard does not include active assailant response, threat assessment, trauma first aid, use-of-force decision-making under stress, or coordination with responding law enforcement — which are the skills you actually need in an active assailant event. An untrained armed responder in a crowded sanctuary with people running and screaming is a significant liability. Law enforcement arriving on scene cannot distinguish between an attacker and an armed volunteer.
That said, a background-screened, church-endorsed armed volunteer with appropriate training can be a legitimate part of a layered security program. The elder with a carry permit, if willing, should be required to receive active assailant response training, scenario-based exercises, documented rules of engagement, and coordination with your local law enforcement like all other members of the service protection team. Obviously armed security is one piece of your broader program — not the whole converged security program.
4.3 Our youth pastor meets one-on-one with teenagers for counseling and mentorship. What policies protect the students — and protect him/her?
Two-adult rule, visible locations, and documented sessions — every time, no exceptions. Male / Female (adults) vs. Male / Female of the teenager must be part of your policy.
The two-adult rule means no adult is alone with a minor without another adult present or in direct visual proximity. Not in an office with a closed door. Not in a car. Not in any space where a third party cannot observe the interaction. If a second adult cannot be physically present, the meeting should take place in a glass-walled space where staff can see in but not hear confidential conversation. And no a video call with the second adult is NOT a replacement.
Session notes — date, time, general topic, who was present — should be kept by the organization, not just the youth pastor personally. This protects the youth pastor from false accusations and protects the student from undocumented interactions. If a student discloses abuse, neglect, or self-harm during a counseling session, mandatory reporting obligations may be triggered. Know your state’s mandatory reporter law and who on your staff is covered. Don’t forget about HIPAA and licensing as “counseling” can be a slippery slope.
4.4 A staff member came to me and disclosed that he/she is being abused at home. What am I legally required to do — and what should I do?
Understand the distinction between mandatory reporting law, “CEO” of the business of the church, and pastoral response — they operate in parallel, not instead of each other.
Domestic violence between adults may or may not trigger mandatory reporting requirements, check with your legal counsel. Oh and if you have campuses out of the state or even out of the country, likely there are will differences. Sometimes this is based on whether or not children are in the home and you have reason to believe they are being harmed or at risk. If there are children in the household, your mandatory reporter status may be triggered. Know your state law.
Independently of legal obligations: ensure he/she has access to safety resources — the National Domestic Violence Hotline (1-800-799-7233), local shelter information, and a safety planning conversation. If she is in immediate danger, the answer is 911.
Resist the impulse to pressure her toward a particular decision. Your role is to connect her to resources, ensure her immediate safety, and document what was disclosed in a confidential, appropriate record. Involve your pastoral counseling team and your HR policy. This is not a situation to improvise. Note do not guarantee confidentiality as you may be required by law to disclose details.
5.0 Cyber & Financial
5.1 Someone sent a fake email that looked like it came from our pastor, asking our finance director to wire money. We almost did it. What do we do now, and how do we prevent it?
This is a Business Email Compromise (BEC) attack — one of the highest-dollar fraud schemes targeting nonprofits and churches specifically.
If money was actually wired, contact your bank immediately — within hours, not days — and your local FBI field office (FBI.gov/contact-us/field-offices). Fund recovery is possible but only within a narrow window. If you caught it before the transfer, treat it as a mandatory security improvement trigger. #NeverWasteACrisis
Report the email to the FBI Internet Crime Complaint Center at IC3.gov. Brief every staff member who handles financial approvals.
Going forward: implement a verbal or in-person confirmation requirement for any wire transfer, ACH change, or large payment request over a set dollar threshold — regardless of who the email appears to come from. Enable DMARC, DKIM, and SPF on your email domain to make spoofing harder. Multi-factor authentication on every financial account. No one — not the pastor, not the board chair — authorizes a wire transfer by email alone. Ask your bank to implement additional protection like positive pay.
Also consider recurring phishing testing with your staff.
5.2 We collect tithes online, store member contact information, and run payroll through our church management software. What cyber security basics does a church our size actually need?
At a minimum: Make sure you have full security controls, right-to-audit, and requirement for a SOC2 Type 2 from your church management software comapny.
Technically, at minimum: multi-factor authentication (MFA) on every account that touches finances, membership data, or your management software — this alone stops a large proportion of account compromises. 100% individual accountability on accounts, with full logging enabled. Strong, unique passwords via a password manager. Regular backups of your church management data to a separate location that you have actually tested restoring from.
HTTPS on your website’s donation and form pages. A written policy for what data you collect, how long you keep it, and who has access. Basic phishing awareness training for staff — human error is how most small-organization breaches happen. And a plan for what you do if you get compromised: who do you call, what do you tell your membership, what are you legally required to disclose. Who is your PIO and are they training in cyber breaches?
Start with Contract, then move to MFA and tested backups. Build from there.
6.0 When Something Goes Wrong
6.1 We had an incident last month — a verbal altercation that turned physical during a service. We handled it, but we know we weren’t prepared. Where do we start now?
Determine who your Chief Security Officer, now, even if not in their job title or description so they can independently manage from incident respone to incdient recovery. Start with an After Action Review before you do anything else. Sit down with everyone, individually and as a group, who responded and honestly document what happened: the trigger, the escalation, the response, what worked, and what did not. Not to assign blame — to identify gaps.
Most likely gaps: no defined response protocol (who responds, who calls 911, who manages the crowd), no designated security team, volunteers who froze because they had never been trained, no post-incident documentation, no PIO, and no strong training plan for staff, volunteers, and yes even your congregation.
Document the incident formally — time, description, individuals involved, witnesses, actions taken, any police involvement. This record protects you legally and gives you data for pattern tracking.
Then build the program: a trained, identified security volunteer team, a written de-escalation and use-of-force policy, emergency communication tools, and a relationship with your local law enforcement. Many departments will do a free walkthrough and consultation for houses of worship. The incident you had last month is a gift if you learn from it.
Check out our many Checklists, One Pager Policies, and Versus documents on the site, there are many related to incident management. I also do a 3 day onsite that covers many elements of incident response.
6.2 If someone is assaulted on our property, or has a medical emergency we weren’t equipped to handle, what is the church’s legal exposure?
The circumstances matter, for example “on our property” vs. “in our building” vs. “in our building being used by an outside group” vs. “involving staff, volunteers, members, or visitors”. Churches may (check with your attorney) receive some level of charitable immunity under state law, but that protection has eroded significantly in courts that found organizations failed to take reasonable precautions. The question in litigation is not “did something bad happen on your property?” — it is “did you fail to take precautions a reasonable, “open arms” organization would have taken?”
A couple of examples:
For assault: if there was prior documented warning about the individual and you did not respond, your exposure increases significantly. If this was an unknown first incident with no prior warning signs, your exposure is much lower — but your response and documentation afterward matters.
For medical emergencies: was there an AED on premises? Were staff trained in CPR/AED use? Did you have a documented medical response protocol? If the answer to all three is no for a congregation of any significant size, your failure to have basic life-safety infrastructure is an exposure point.
Get your general liability policy and read what it covers and excludes. Talk to your carrier’s risk management team — they want to help you prevent claims.
Having a strong incident response policy, owner, program and training is key BEFORE it happens.
7.0 Getting Started
7.1 What’s a realistic security budget for a congregation our size? We’re about 400 members, one campus, no paid security staff.
For a 400-member, single-campus congregation with no paid security staff, a realistic annual security budget starting point should consider:
- Camera system (if you have none or an outdated system): 15,000–25,000 one-time capital
- Background checks — initial sweep of current volunteer roster + ongoing new-volunteer onboarding: $35-50 person person
- Active assailant and first aid training: $0 to $5000 (many local police departments offer free or low-cost versions and some qualified security security consultant offer this for minimal costs)
- AED device if you do not have one: $1000-$2500 plus mounting and signage. Don’t get a used one and check with local hospitals, fire departments for inexpensive options or grants.
- Basic cyber security tools (MFA, password manager, cloud backup): Plan on a few $100 dolars per employee, annually
- Locks, access control hardware improvements, intercom at main entry: $1500 per door, depending on current setup
The single highest-return investment for a congregation your size is a trained, background-checked volunteer security team operating under a documented policy. That costs training time and administrative discipline, not large budget lines. Start there, and build toward the hardware.
7.2 If I could only do three things this year to meaningfully improve our security posture, what would they be?
These three, in this order.
Step Zero: (okay besides seek God for wisdom) Perform a blunt and honest (my) Governance Self Assessment using multiple staff members including setting definitions “in stone” (biblical pun)….than…..
First: Complete background checks on every active volunteer and staff member who has access to children, finances, or your facility. No policy change, no new equipment — just close the screening gap. This single step addresses one of your highest-probability liability exposure.
Second: Conduct an active assailant response and medical emergency training session for your staff (first) and volunteer (togther with staff) leadership. One session with your local law enforcement and a qualified trainer. Run, hide, fight — practiced before it is needed. Confirm where your AED is and that someone is trained to use it.
Third: Implement two-person controls on your offering count and financial approval process. Paper, signatures, rotation — nothing fancy. This partiallycloses the financial fraud door that stands open at most congregations.
If you do these three, okay four,things well this year, you are well on your way to building out a balanced culture for a comprehensive converged security progam.
Related Resources
- Versus Library — 19 free church and organizational security comparison documents covering armed security, access control, staffing, emergency response, and church-specific policy decisions.
- Security Policy One-Pagers — 44 free one-page security policies applicable to churches, NGOs, and faith-based organizations of any size.
- Converged Church Security — A Starting Point Tool — Integrated framework covering physical, personnel, cyber, and medical response for houses of worship.
- Converged Security FAQ — General converged security Q&A for practitioners and organizational leaders.
- Book a Consultation — Pro bono and paid church security consulting available. Include your challenges, congregation size, and 2–3 available dates.