03 Apr The Security Institute: people drive results
Peter O’Connell, Chair of The Security Institute Mid-East Members Group, looks at how the ethos of ‘people drive results’ can be translated to address security challenges.
As Chair of the Security Institute Mid-East Members Group (MEMG) I am honoured to hold such a position and proud to note that our committee is a team of individuals with a knowledge base that I can only describe as first class. The team comprise individuals able to engage at a strategic level across many facets of security management encompassing: physical, technical, cyber, security by design and urban planning, emergency and crisis management, business continuity and resilience. Most of the MEMG team are Registered Chartered Security Professionals (CSyP) which represents the gold standard in security practice.
Leading such a team of top-flight professionals is not only a privilege personally but also inspiring for me and I believe for every member of the group. Professional camaraderie, passion and respect, striving for the highest standards and sharing and learning has established us as a much respected and influential team across the security industry and regulatory authorities. Security knowledge, communication, leadership, and professional development are amongst the core competencies required to gain the prestigious CSyP status.
For those operating at a strategic level it is the foremost professional accreditation to hold, comparable to that of other chartered professionals such as engineers, architects and accountants. Genuine chartered security professionals are listed on the register’s website chartered security professional.org. I am also proud to be a member of the Global Security team of a world-leading engineering and design company, supporting the Middle East and Sub-Saharan Africa element of the business. The ethos of the business is, ‘People Drive Results’. So, what does this mean, and how do we convert this into the day-to-day security challenges?
Global adversaries
Our adversaries are more calculative and cunning than ever before, unassuming, relentless and non-partisan in pursuit of their malicious objectives. We need to be alert to the constant danger that someone, somewhere is planning a new process, system or technique designed to:
- Steal your money.
- Breach your firewall.
- Steal your identity.
- Breach your assets.
- Steal your assets discriminate you and your business.
- Damage your personal or corporate reputation.
- Cause serious harm to you or your business.
The technology train
One thing is certain to us all, technology is advancing at an alarming rate and reminds me of a moving train, with some people and organisations already on the train, some in front of the train prepared and awaiting its arrival, with others behind the train and unsure how to embark. Tradeshows and events such as the recent Intersec 2023 provide everyone the ability to view the technology train, understand the advanced hardware/software systems and get an idea of how such systems can support a particular business or asset. Of course, as we discussed last year, the criticality of the asset or ‘critical assets it is deemed important to protect’, will all be identified within a risk assessment. The detailed risk assessment enables us to select appropriate measures/technologies commensurate and proportionate to the threats and risks against the asset we wish to protect. One of the best examples of this are the measures implemented at atypical ATM machine across the region. The machine may be situated inside a shopping mall or hotel usually clearly advertised and easily accessible. The ATM will see people visiting and potentially exposing personal information and data. Whilst the mall or hotel will have generic security measures in place such as guards, the particular ‘critical asset deemed important to protect’, will have specific measures in place such as CCTV, FR etc.
What is the most critical asset we own?
No matter how we grade our assets or class the criticality of the asset, it is important to remember that the most important asset of all is our ‘people’. People drive results, whether from an adversarial aspect, in a design capacity, developing risk assessments, security management plans, emergency and crisis management planning or generally building the resilience of any business or asset. The core knowledge base derives from people.
With technology becoming increasingly relied upon we cannot afford to become complacent and forgot the importance of those who protect us: our people.
We need to continue to ask the basics, for example: Are our guards 100% confident in conducting a detailed and thorough search of a person? Do they know how to search personal baggage and belongings? Do they know the approach and technique for searching a car? Do they know how to conduct a 3-sweep search of a room, building, complex, zoning and tagging as we advance throughout an asset search? Should they know? Should you know? Do you know?
Do we train our people to observe for behavioural traits and threat indicators? Should security leaders be aware of these factors and are you? Investment in security personnel training is essential to minimise risks to a business, technical security measures are important, but their value diminished without the people element. Ultimately security is everyone’s responsibility, from our guard force, across our middle management leadership team through to the board room, our people are our key drivers and pivotal in delivering the security outcomes.
People drive results
We must all embrace technology as a layer and key component for delivery on objectives, but one must never forget that people drive results. If a determined adversary wishes to attack an asset, they will study the asset for weeks, months, maybe even years. They will monitor all activity, processes, procedures and daily actions undertaken at the asset, identifying weaknesses and via meticulous planning will decide upon ‘when, where and how’ to strike.
We can guarantee the timing and delivery of a complex attack will not be expected nor will it favour the asset being attacked. When a complex attack has been planned, an initial phase of the assault may well target the power and lighting, rendering technology redundant as the next phase of the attack is implemented. A complex attack may have many phases, including cyber strikes. Insiders are often at play.
Insider threats and risk mitigation methods are areas prominent in the minds of security leaders and involve issues around staff vetting procedures, threats of and posed by intimidated or corrupt staff and industrial spies and the modus operandi. Our people are critical to our success, conducting awareness training for all employees, then ensuring security personnel (and managers with designated security responsibilities) conduct drills, exercises, day/night will not only build the capacity of the workforce, but more importantly ensure the asset is resilient and better prepared for the unexpected.