Burrill Green - PICA Strategic Partnership.

Welcome to the new edition.




We are delighted to announce our new global partnership with PICA Corporation, a worldwide US-based enterprise we have worked with for over ten years.


As we join to enhance our capability to meet existing and emerging threats to enterprises, we are very mindful of the ease with which people slip into assumptions about the capabilities of technology and, to be honest, film-led fantasies about its ability to solve all modern problems. The fact is that despite amazing progress in technological breakthroughs, and our ability to harness these developments, humans are not only still around, but remain as amazing flaws in systems that illegitimately-minded people can continue to explore to uncover weaknesses and make significant illegal gains or cause disruptions to enterprises that are trying to deliver legitimate benefits and services to people all over the world.

The best security solutions must continue to manage the combinations of technology and human behaviour to help business feel and be safe, and to enable people to flourish. We look at what we call integrated security, a fresh approach to business resilience services, and the clear "creep" of cyber security fatigue.

We welcome a new associate who will be leading our business resilience service.

We also look forward to reporting on progress and developments emanating from the new strategic partnership we are proud to have forged together over a ten year period of collaboration.

Corporate and Cyber Security Masterclass.

Our next 5 day Masterclass, conducted in English, will be held in Spain in 2016 towards the end of Quarter 1 or in Quarter 2.

To register your interest please contact Becky Burrill at becky.burrill@burrillgreen.com
New Global Strategic Partnership

Burrill Green and PICA Corporation have formed a new global strategic partnership, consolidating their mutual expertise and client service offers in corporate security.

Burrill Green and PICA Corporation founders, David Burrill and Vincent Volpi, first met at an inaugural cybercrime congress in Brussels in 2006. Way back then, cybercrime was an almost novel notion outside of specialist technical groups. In ten years we have now got to a point where many organisations claim they are suffering from "cybercrime fatigue". This kind of state is becoming more and more common across a number of critical areas in corporate security that won't wither and die any time soon. Both threats and real challenges really are continuing to grow. This is both good and bad. The bad part is the increasing extent to which legitimate businesses are being challenged by illegitimate activities. The only good part is that this has created a burgeoning business for those enterprises that are dedicated to defending and nurturing legitimacy, and combatting the extraordinary variety of illegitimate activities around the world. Burrill Green and PICA Corporation have been collaborating on developing responses to these threats from that original encounter in Europe, and have continued to develop different portfolios of capabilities to handle existing and emerging threats across a wide range of areas, and at many levels of operation.

PICA Corporation has grown organically and its palette of expertise has resulted in a competitive operation able to draw down on deep and proven talent to address a significant set of challenges that face bona fide enterprises every day. The skill set embraces focused approaches and solutions within five overall operating clusters that have overlapping and interlocking elements: business intelligence, risk mitigation, enterprise-wide brand protection, security consulting, and personnel and asset protection. This strength in depth and breadth utilizes the professional talents located in over 300 metropolitan areas in 50+ countries. The core group has access to a wider range of experts who can contribute to the execution of specific briefs requiring tailored or unique sets of responses. PICA serves organisations at multiple levels of operation, and for all asset classes - personnel, physical property, technology, intellectual property and shareholder value. The operating mantra is mitigating risk and securing business, a focused, pragmatic and often immediate response system.

Burrill Green has specialized at Board and C-Suite levels with a focused drive to derive incremental value from corporate security best practice while lowering the costs of achieving this. The approach is driven by the following summary of core beliefs - The best security practices can be a competitive asset, not simply a cost of business. Security must make sense. Security must count. Security must be accountable.

All Burrill Green people have worked in senior corporate roles, around the world, bringing an unrivalled difference in depth through hands-on experience. Burrill Green has spent a long time working with an enormous variety of organisations to foster and nurture the practice of world-class integrated security, and they are dedicated to continuing to serve in this way.

Intelligence-led, business integrated security can increase shareholder value, and this can be demonstrated by them time after time. Effective business security comes out of the anticipation of the impacts of uncertainty on the delivery of business objectives, and the team has excelled at this endeavor.

A critical differentiator in success has been the recognition and practice that finding and developing first-class talent, placing senior candidates in key cross-functional roles within organisations, ensures a greater ROI for recruiters. It also creates a band of experts with shared knowledge and experience that can work closely and consistently over time in cooperative networks. This is a strategic approach much favoured in general business practice by major consulting groups like McKinsey and Bain, but is a unique service within the senior corporate security industry, embracing an unparalleled strategic approach to search and selection, coaching, mentoring, and continuing professional development.

In reviewing growth objectives and the desire to continue to strengthen capabilities and expertise, Burrill Green and PICA Corporation have now decided we can progress strongly through even closer collaboration and a deeper enmeshing of our two organisations' capabilities.

Our new global strategic partnership will enable us both to extend our range of services from the bottom to the top of organisations, and across a wider range of operating cultures. Both general and niche services can be complemented with additional expertise within the group, giving more flexibility and resilience to our ability to meet emerging challenges in timely and cost-effective ways.

Our coverage is now more globally balanced and there are no redundancies in the matching of skills and people. The availability to the whole organization of the search and selection and continuing professional development operations will also reinforce the capability of our networked alliances to deliver justifiable security practices that will underpin organisations' value and goodwill.

Vincent Volpi, PICA Corporation's founder partner, said, "We regard this new strengthened partnership as one of the most promising rallying of talents in recent times. It significantly enhances our ability to add value to security’s contribution to business productivity, profitability and customer respect."

David Burrill, founder partner of Burrill Green, said, "Having worked with PICA over the last decade, including four years as a non-executive director on their board, it has become clearer that both organisations will benefit from a deeper level of interaction and involvement, and that, even more importantly, our clients and prospects will see a positive extension and set of benefits to the services we provide and can now refine further."

In this evolving relationship, services from the two entwined operations can be seen at both www.pica.net and www.burrillgreen.com

For immediate contact with the partnership on any aspect of this enhanced partnership, please contact david.burrill@burrillgreen.com and/or vincent.volpi@pica.net
David Burrill Security Magazine USA Award


In the most recent of this publication's annual reviews, David was voted one of the 16 most influential people in the world in the business of corporate security. This is recognition once again of David's career-long contribution to excellence in the industry, and his continuing energy and commitment to demonstrably adding value to security in many successful and effective ways, all around the globe.

For more on "the most influential people in security in 2016" click here: www.securitymagazine.com

David was both delighted and surprised to be still receiving honours and rewards in a very busy industry sector, full of excellent people. On the other hand, he has shared his expertise and experience with a good number of the very best, so we extend our congratulations to the Mature Master!

Integrated Security: People – Technology - Processes

Now that the events and the excitement are over, it is a relaxed time to reflect on the extraordinary levels of performance we were privileged to witness in both the Olympic and Paralympic Games in Rio de Janeiro. There seemed to be two key strands supporting the exceptional achievements unfolding before us. In many events there was evidence of the success of the "aggregation of marginal gains" approach, where every aspect of human, mechanical and technical performance, separately and combined, was minutely examined to see how inter-relationships and dependencies could be improved.

As Sir David Brailsford, the cycling coach credited with developing the doctrine, puts it: "The 1 percent margin for improvement in everything you do would, together, add up to remarkable improvement." This quantitative, data-based approach is echoed in many of the management processes used to monitor and improve business performance. However, in sport, as in business, there is still that critical inseparable component in the performance equation - people. Notwithstanding the technical wizardry on display, an abiding memory of the Games was the indomitable spirit of the competitors. This was exemplified by Ibrahim Al Hussein and Tatyana McFadden, who received the Whang Youn Dai Achievement Award for the athletes who best exemplified the spirit and values of the Paralympic Games at Rio 2016. Their stories are truly inspirational. The Games vividly demonstrated that the key to success is the ability to blend human and technical factors correctly.

When trying to monitor and improve the performance of corporate security teams, CSOs are often bedevilled by the same need to marry qualitative with quantitative elements. There is a need to reconcile the business management guru Peter F Drucker's view that, "If you can't measure it, you can't manage it", with the cautionary words attributed to Albert Einstein - "Not everything that can be counted counts. Not everything that counts can be counted."

Burrill Green have long been advocates of integrated security. By this we do not simply mean applying the differing strands of security in a cohesive and complementary way.

We mean working hard to ensure the appropriate fit of security practices and behaviour within the dominant operating culture of the overall enterprise.

We mean finding the correct approach and language to enable widespread specialist functional groups and services to fully understand, feel comfortable with and practice the integrated security elements that have become a critical part of their operation.

To this end we have recently been revisiting and re-analysing well-established business performance models like Kaplan and Norton's Balanced Scorecard, W. Edwards Deming's PDCA Cycle (Plan-Do-Check-Act) and Alexander Osterwalder's Business Model Canvas to see how we could adapt them to create a performance management framework that would resonate with corporate practices, but not require security practitioners to complete an MBA before they could put it into effective practice.

We now have a set of performance management tools that will allow CSOs to demonstrate to the C-Suite in particular that they are credible business partners who are aware of current and emerging material risks to business operations and employees, and can identify proportionate risk mitigation controls in a cost-effective way. As ever, we work in close partnership with clients to ensure they are confident of their improved ability to deploy these tools and processes in a way that is demonstrably aligned with their organisation's vision, values and operating culture. Our approach combines analytical research and hands-on implementation practice in significant global business environments.

To find out more about our approach, experience and credentials, contact initially rick.mcconnell@burrillgreen.com
New Associate - Haroon Khan


Director Recruitment and Business Resilience Services

Directs Security Leadership Recruitment
Directs Business Resilience Services
Corporate Security Consultant
Tutor - Burrill Green Corporate Security Business School

Haroon's expertise and experience spans the entire spectrum of business resilience services covering both physical and virtual domains. Haroon started his career with the Pakistan Army and after a distinguished career spanning two decades, with postings in Africa and the Middle East, he moved on to work as a senior executive with the Emirates Airlines.

Thereafter, as country security manager for British American Tobacco (BAT) in Pakistan, Haroon Khan was instrumental in protecting the business in an extremely difficult and challenging security environment. In 2009, Haroon was promoted by BAT and moved to the United Kingdom to take up responsibility for ensuring business continuity and security of British American Tobacco's Corporate, Duty Free and Western European entities. Haroon is the first Asian security executive to have been selected for a position in Europe.

In 2014, after five highly successful years in BAT, Haroon decided to move into the security consultancy business and as head of a security consultancy practice advised major multi-nationals operating in the UK and the Middle East on all aspects of security and business resilience including cyber security, business continuity, fraud protection etc.

Muhammad Haroon Khan, who is resident in the United Kingdom, has an MBA from Warwick Business School and an MA in Terrorism and Counter Terrorism from King's College London. He also holds major industry credentials in the fields of cyber/information security, business continuity, fraud control/management, counter-terrorism and security.

Business Resilience Services

The risks facing any organisation today are increasingly dynamic and blended. They often cannot easily be broken down and isolated into small manageable chunks – it's the new way of the new world of managing security threats.

Equally, risks that go unidentified in isolation are more likely to expand rapidly, as they may be nurtured and thrive in these kinds of ‘blind spots’ within an organization, like toxic viruses waiting for innocent hosts to carry them far and wide. This is often still because business functions operate in silos and focus principally on what they believe are risks affecting only their specialist function. This means there is not enough awareness that security lapses in their discipline can have a dramatic, sudden and widespread cross-functional impact on the whole of the business they belong to. This can be exacerbated by that human factor again: the “It's not my responsibility” mind-set, or an inability to recognise the fall-out that lapses in their own area could have on other parts of the business.

For an organisation to protect its people, profits and prestige, there is a need to act proactively and work to discover and understand those potential blind spots and blended risks that could cause the overall business extensive damage if not managed properly.

Collaboration and convergence, critical cross-functional elements, are key success factors in managing such risks. A converged or business resilience-centred risk management approach recognises and addresses the interdependence of business functions, overlapping risks, and integrated business processes and assets i.e. people, technology and information/processes. This approach aims at bringing together all those dedicated to the well-being of the organisation to assess corporate risks and respond to these risks in a collective manner, ensuring high levels of resilience. As more and more organisations become aware of the need to adopt this kind of business resilience approach to managing risks, Burrill Green has now set up a dedicated Business Resilience Services division, headed by Muhammad Haroon Khan, our highly experienced business resilience professional.

This is targeted to offer organisations a spectrum of business resilience related services ensuring a converged approach to risk identification and management.

The operation works particularly closely with our Operations, Cyber & Information Security and Training divisions and, as with all our service provisions, aims to add value while lowering costs. Early enterprise services include:

IT/Information Security Lifecycle Consultancy
Data Protection Compliance (EU GDPR & UK Data Protection Act) support
Business Continuity Consultancy - Program Audits, Setup and Roll Out Support
Fraud Management Support - Program setup, roll out and audit support
ISO 27001 and ISO 22301 standards implementation and audit
Security incident response & crisis management
Training and awareness programs for all resilience services

These can of course be combined with other Burrill Green and PICA Corporation services.

Haroon Khan welcomes your enquiries at haroon.khan@burrillgreen.com
Cyber Security Fatigue


A recent study by the US National Institute for Science and Technology (NIST) reports that they found a considerable amount of "cyber fatigue". The press always seems to have a new "Cyber Security Threat" or "Cyber Breach" to report to the general public and technology departments are constantly being told of new bugs and updates that they need to install, or worse, new attack vectors. In theory this means checking every system to see if they are vulnerable and then patching them. With ever increasing types and numbers of connected devices and much of the delivery of IT outsourced, this is increasingly challenging.

There is then the risk that over-worked staff or service providers will cut corners, or respond on the basis of "who-shouts-loudest".

For those trying to deliver messages about any topic, this should come as no surprise - any awareness campaign has to be careful about becoming just background noise.

There is a role for Corporate Security Managers here to help moderate and focus both technology and general staff. As security professionals, Corporate Security Managers are used to dealing with many varied threats to assets and will be used to the idea that as fast as the good guys come up with a counter-measure, the bad guys will start trying to find another way in. Dealing with a constantly adapting threat profile is not new to Security professionals and this attribute should be shared with the cyber technologists to help them manage and cope with their constantly changing threat profiles. Yet of course these elementary human factors we have raised constantly in this newsletter continue to come out of the woodwork or the digital wires to bite us.

Corporate Security Managers often feel these "cyber" issues are too technical these days, a view some technologists like to encourage, but the technical nature of IT does not mean that a Corporate Security Manager should not be involved. Indeed a Corporate Security Manager has vital information to input in this area.

Let’s start with internal threats - of course corporate security understands the behaviour and motivations of those who might steal or commit fraud. Ensuring that IT staff are also aware of tell-tale signs and can feel comfortable in contacting Corporate Security with their concerns should be a straightforward procedural introduction, if not already in place.

Now, let's come to the external threats. For a traditional security manager, the threats have come from traditional criminals or other players using violence, coercion, blackmail or bribery to achieve their ends, and Corporate Security has developed tried and tested methods of dealing with these.

These same criminals have moved on and have adapted to add digital skills and techniques to achieve their aims. As a "starter for 10 points" the Corporate Security Manager should be able to profile the digital skills of known criminal groups and what they are likely to target. This would be information to share with IT to help them focus on critical business areas.

This approach should be a quid-pro-quo as the IT/cyber professionals should have their own assessment of the groups that are likely to pose a threat in the digital world. It may be an opportunity for Corporate Security to help them construct such a profile.

Finally there are the messages delivered to audiences - staff, users of systems and, of course, other levels of management. It becomes more essential to manage hype, provide re-assurance and encourage the right forms of behaviour. It is easier to do that together than as a lone voice, or, worse still, while engaging in internal turf-wars.

Every corporate security professional should engage with their cyber security colleagues. By working together the technology department and corporate security can create synergies that will benefit themselves, the business they serve, and the simplification and consequent understanding of the messages they deliver.

To find out how Burrill Green can help you with these kinds of issues, please contact frank.marsh@burrillgreen.com

All the best from David, Kevin and your whole new Burrill Green and PICA Corporation team

Adding value – lowering costs