|Key Business Challenge
You’ve generally got to admit it’s very hard to write histories ahead of time. As we release this, the world has just seen the World Cup dominating broadcast media. Meanwhile, allegedly surprising things have been bubbling up again in the Middle East, one hundred years have passed since the events that presaged the First World War, and we continue as people to be wiser and more ignorant every day. Whatever next? We are a strange lot, homo sapiens, celebrating creativity on one level, trying to process things so boxes can be ticked on another level, and when things go badly wrong we say people are behaving like animals. That’s a denigration of much of the animal kingdom.
What has this got to do with corporate security today? A lot, as it happens. We need to get even better at being good at the ‘Whatever next?’ business. When things go wrong you can’t always blame others. If the world is full of stimulus and response, those of us on the Good Guys side appear too often to be less imaginative and creative than those who, for whatever reason, are attracted to, and stimulated by, what we might call The Dark Side. We are all too often pursuers of change, after the fact, as our American colleagues might describe it. We are there to introduce locks after we have been burgled, legislation after the criminals have bolted with the spoils, declare the global drawn-out pursuit of perpetrators, and commence bureaucratic debates that stifle action.
On another level, we are often too keen still to talk about fences, walls, and retrospective measures, when what is really required is leaps of imagination translated into leading-edge products and services. It may be easier, but too much security is still about offering protection from identified threats and actions, simply because it is harder to defend against intangible future phantoms – but they are what The Dark Side is giving birth to.
Corporate Security is as hard a sell to most as trying to get the average teenager to think about pension plans. Or it’s like those Drink Don’t Drive television campaigns governments still put out before Christmas or other holidays – “I’m not like that, it won’t happen to me, it’s about others”. Too many people still think they are unlikely to have a security breach, it’s all about if’s, not about when’s. Many more enterprises need to think that they have already had problems, and work through how they would deal with them, not treat threats as some kind of kiddie’s one-time bad dream. Kids have bad dreams occasionally that for them are very real. This brings us on to another point.
‘Grown-ups’ are often too sure that everything can be sorted out through disciplines and procedures and systems, easily measurable, tangible things. That’s a solution to maybe half the problems we face now.
But in today’s world (indeed, in all previous worlds too), many surprises come from the most intangible things, not the mapped out and counted things.
There are many and growing forms of attacks on enterprises and systems, and indeed many of these are created in digital cauldrons. But the growth of ‘social-engineering’ attacks continues as well. These are often intangible things. What does this mean?
Too often security is still trying to provide defences against things you can touch or see clearly. It’s much harder to defend against emotional attacks and breaches of trust. It is also clearly tough to prevent attacks against or the stealing of Intellectual Property. OSAC in the US reckons some $300 billion a year is being taken out of their economy, often by nation-state sanctioned or sponsored parties.
We still find it concerning that many people in security environments, or high-level technical environments, fight shy of words like ‘Brand’, ‘Intangible Asset Value’, ‘Tone of Voice’, ‘Brand Personality’, as if somehow these are beneath contempt, or belittling, because they are harder to identify, define, and respond to. There are no logarithms for Brand Values. Yet in this world of elusive elements where brands build lasting and profitable relationships with users, there are many things that can help security cast its net wider, and more successfully, by embracing successful knowledge and experience from the world of creating and marketing brands. That is one of the key reasons why Burrill Green was founded with a balance between unbeatable security and marketing credentials.
Brands are often distinguished as having high levels of tacit trust – they work at building relationships with us. This is what leads us into the nub of today’s thought.
Many of today’s criminally-minded people are not the chancers they might once have been. They have access to the same materials we do, manuals, articles, points-of-view, research, programs, and coupled with smart minds and the motive of either money or disruption, they are increasingly capable of challenging the things so many of us have almost come to take for granted – the principle of which is the thing that underlines much about brands we value – trust. Social engineering approaches and hidden-in-plain-sight infiltrations are undermining people’s confidence and trust in both public and private organisations, and the products and services they offer.
It is our belief that value-added corporate security needs to concern itself to a higher degree than ever with achieving the right balance between values, like trust, and transparency and privacy, on top of its core responsibility of protecting other core assets and enabling a business to flourish.
Many companies are finding it a tough challenge to make concrete a security vision whose strategy can embrace technology, softer values and other operations to enhance the security provision effectively. In terms of our Business Intelligence led approach to corporate security, this highlights the need to ensure there has been a threat-centric model created as part of the overall security strategy development, and that this must embrace intangible asset value as well.
Both traditional and cyber-criminals now work on strategies, targets and executional plans like their legitimate counterparts around the world. Another key difference is that they don’t appear to have the same squeeze on shrinking IT budgets and ever leaner support teams – no shareholder pressure there.
An additional problem comes from companies committed to network data-sharing, where they become more porous with each passing day, trying to be both open and compliant (on and off-line). Threat intelligence for us is a growing business.
We will continue to make people aware of the need to drive a balance between hard and soft issues that affect an organisation’s ability to be competitive. We continue to monitor new approaches to securing assets that might leapfrog legacy systems, plus the monitoring of the closely following herd of black sheep and other Dark Side practitioners.
Prime criminal targets this year see an increase in high-profit verticals – those in the pharmaceutical, electronic, chemical, agricultural and mining industries, energy, oil and gas. It is a combination of intellectual property enterprises and finite commodity suppliers – a fight for world resources both natural and invented.
The 2014 Risk Report from the World Economic Forum takes a wider look at challenging issues, as these indicate:
Instabilities in an increasingly multipolar world: Changing demographics, growing middle classes and fiscal constraints will place increasing domestic demands on governments, deepening requirements for internal reform and shaping international relations. Set against the rise of regional powers, an era of greater economic pragmatism and national self-protection might increase inter-state friction and aggravate a global governance vacuum. This may hinder progress on cross-cutting, long-term challenges, and lead to increased inefficiencies and friction costs in strategically important sectors. Managing this risk will require flexibility, fresh thinking and multi-stakeholder communication.
Generation lost?: The generation coming of age in the 2010s faces high unemployment and precarious job situations, hampering their efforts to build a future and raising the risk of social unrest. In advanced economies, the large number of graduates from expensive and outmoded educational systems – graduating with high debts and mismatched skills – points to a need to adapt and integrate professional and academic education. In developing countries, an estimated two-thirds of youth are not fulfilling their economic potential. The generation of digital natives is full of ambition to improve the world but feels disconnected from traditional politics; their ambition needs to be harnessed if systemic risks are to be addressed.
Digital disintegration: The world may be only one disruptive technology away from attackers gaining a runaway advantage, meaning the Internet would cease to be a trusted medium for communication or commerce. Fresh thinking at all levels on how to preserve, protect and govern the common good of a trusted cyberspace must be developed.
Our resolve remains firm – to add undiminished value to the challenged whole lowering costs where feasible. What you can’t see can protect you or hurt you as much, if not more, than what you can see. On this note we can report on progress in the first half of the year.
|Burrill Green Group Practices
A warm welcome to our new associate in our Latin American Region, where Cesar will be capitalising on his extensive experience and networks to carry the Burrill Green message and services to further audiences in these burgeoning markets. You can see how he has built up a superb career path.
|Burrill Green Consulting
Early in the year we continued our long-term relationship with Russia and that country’s range of security concerns. In a congress in Moscow, David was a key player in a strong field of senior government and industry figures talking about forecasting and preventing risks and threats to ensure business sustainability, a level that brings additional dimensions to the established subject and challenges of business continuity.
The consulting practice continues to seek out opportunities and develop ventures with additional clients and prospects, and in yet more countries. We have advised on corporate security approaches for tertiary education establishments in Australia, and we seek to provide further support services to organisations who are grappling with the ever-rising set of challenges that the word cyber both embraces and instils fear about.
David in Moscow
|Security Solutions Now
In our previous Burrill Green newsletter we outlined this new service. It has now been running successfully for over 6 months. It delivers assistance for those dreaded ‘OMG’ occurrences and provides successful, short-term deployment of resource from our pool of experienced interim managers. Individuals and bespoke teams can tackle immediate issues and challenges in a business where there may be a temporary gap, for instance, where the company awaits the recruitment of a new full-time management recruit.
A response can be set up very quickly from such a simple start-point as a telephone call to our global dedicated number or a rapid e-mail alert. Our purpose and role is neatly captured by our business address for this practice:
Security Solutions Now >
Geoff Gillion, our Director of Operations, leads this practice.
"Whether people are concerned about security risks in a new venture or anticipating a need for rapidly improving security, this practice is our front-line response service. Try it out and see how we can assist you.
No problem is too small or too large for us to advise on. All you have to do as a potential user is outline your challenge to us and we will provide you with a realistic, comprehensive and professional solution at reasonable cost within a short time frame. We aim to provide a service where you can see "added value" to you and your business to levels that you stipulate and that we agree on as a project commences.
Within this operation, we also operate a Technical Support Counter Measures (TSCM) capability, delivered by our associate Tony Mannakee, (read biography) who has over twenty years’ experience in this specialist and invaluable field.
For assignments that may subsequently require more time and input, the resources of our core Burrill Green consultancy group practice can be seamlessly accessed. Our overall approach helps ensure a more effective strategy for security’s role and contribution to business, as soon as immediate threats and challenges have been addressed.”
Learning from the early phases of our new practice, we have decided to introduce a further element to the service: One Stop Shop. This suits those clients who want or need to control a number of inputs tightly. Our operating coverage is now being expanded so we can match client requirements with our specialist advisers even more quickly. More of our experts are located close to operating areas and have current experience in required geographical fields and specialisms. This new level of input can provide both interim and permanent support levels.
Here is just a small set of examples from our overall portfolio of work we carry out:
• Theft in the workplace
• Training requirements
• A need to produce contingency plans quickly
• The challenges of helping members of staff travelling overseas to high risk countries or areas
• Counterfeit product in supply chain or sales arenas
• Search procedures during heightened periods of tension.
|Burrill Green Corporate Security Business School
The school continues to blossom. We have given bespoke programmes in four other continents so far this year, on top of our commitments close to the school’s original base in Europe.
March saw the team in Botswana, helping people increase their skill levels in conducting thorough security reviews, developing strategy, and implementing effective systems and solutions.
The Botswana Group
We then had an inaugural Executive Master Class session in Toronto, Canada, a programme where participants noted,
“It was an excellent week for meeting and sharing with the finest corporate security specialists.”
“I found your knowledge and experiential advice and “teachings” to be very insightful. The program is truly unique in terms of security education and I look forward to going through the book presented at the end of the course.”
the latter quote from the first person from the Public sector to comment on the course.
Our Value from Security book to which this person refers continues to gain five-star reviews on Amazon.
Read review: Amazon.com »
Read review: Amazon.co.uk
We have already been booked for another Masterclass in Canada in June 2015. On this occasion Cyber and Information Security issues and remedies will be woven into the intensely interactive programme.
Executive Master Class, Toronto, Canada
We have been active in Taipei and Japan, delivering bespoke Business Security Managers courses for major players. We have also delivered in house training on Crisis Management in Malaysia and Denmark, led by our Director of Training, John Hedley (read biography), and our in-house courses have been delivered in Philippines, Russia, Belarus and Austria by John and Rick McConnell.
Our Investigative Interviewing course ran in Belgium, and our overall range and geographical spread continues to expand.
We are also looking at the potential to extend our programmes to other markets, including Australia.
The Canadian experience, along with other pieces of insight and feedback, has resulted in our spending more time increasing the range of what we can offer in the arena of Cyber Security, and particularly the contributions mastered by our Director of Cyber and Information Security, Dr Frank Marsh. This work is significantly aimed at the C-Suite.
Frank is an exceptional and internationally renowned information security specialist covering all aspects of information security including physical, digital, oral and intangible forms, and the prevention, detection and investigation of information leakage.
Recently he gave a highly acclaimed key note presentation at the 11th MIS CISO event in Berlin in June on ‘The Blurred Boundary’, exploring the challenges facing both Corporate and IT Security in delivering cohesion to the security of business information.
The roles of Corporate Security and IT Security meet head on when considering security of information. Traditional roles and responsibilities have become blurred, with a risk of wasted resources (duplication, miscommunication, misdirection), increased risk (gaps, incomplete intelligence, misunderstanding) and both at the same time.
In looking at how we got here, where we are and where we need to be, this talk considered ways to bring a holistic and coherent approach to information security to the benefit of the whole organisation.
In recent examples of ‘hacking’ by (allegedly) nation state agents and organised crime, the broader background, contacts and investigation expertise of Corporate Security is essential to an organisation’s ability to deal with such threats, even though they appear on the surface to be an IT issue.
It is important that C-level executives ensure there is a fully joined-up approach to information security. Burrill Green has been helping organisations tackle this sometimes contentious issue as part of a coherent approach to business security.
|Business Security Managers’ Course
This additional course has already gone to market under the direction of Tony Judge.
Client companies regularly use Tony's services to coach and mentor country security managers to ensure that all the fundamentals for fit for purpose security are in place. Usually, Tony is attached to the company concerned for periods varying from one week to 6 months.
It is complementary to the foundation elements of security management that enable an organisation to protect its assets and flourish as an enterprise. This integrated layer concentrates on the ways in which additional value can be introduced and managed across an organisation, and with all its target groups and suppliers.
Its effects can be measured through resulting gains in profitability, productivity, goodwill and shareholder value. This practice shifts the security function from being primarily a cost of doing business into an area where additional value can be identified and released, often while lowering costs.
Tony has developed the Business Security Managers' course with the aim of sharing the techniques and insights he has gained in markets worldwide with in-post Business Security Managers as an important part of their development process.
The purpose of this unique course is to equip managers with the incremental knowledge needed to manage the delivery of added value business security capability across an organisation.
No other business security course matches the focus of this one on building an in-depth understanding of the role and scope of business security management together with the skills and techniques required to integrate business security into other business activities.
Managers will explore the advantages such integration brings, and how to shape security services’ contribution to add value by ensuring that profit, reputation and resilience under both normal operating parameters and adverse circumstances, are protected.
The course concentrates on Business Security activities that can best impact upon and be integrated with those of other business functions to add value to overall business operations. An enhanced understanding of cross-functional roles and contributions is achieved.
This is a senior level course suitable for Country Security Managers and Managers who have a secondary but significant responsibility for security. Additionally, managers from all functions who have a stake in business security, its value to the company and its integration with the operations and business activities of their business function are all welcomed.
In line with the school’s flexible approach in recognising the demands on security professionals around the world today, the course can be delivered in two different ways.
Option one is for managers to attend first a residential session of three days. This part is an active learning format with a strong participant/lecturer-dialogue ratio. Scope is included for flexibility in both the order of presentation and the emphasis given to each topic, according to participant requirements, around a set content for each session which the lecturer ensures is covered.
This session is followed by a distance learning section of eight modules which focus on practical examples of implementing and managing business security. Each module consists of an assignment, which should take about an hour of the participant’s time, followed by an hour's online discussion with the lecturer.
Option two is for the complete course to be delivered by distance learning. In this option, the eight practical modules are preceded by 16 hour-long interactive discussion sessions covering the full content of the residential section from option one.
We continue to work on the provision of bespoke and specialist programmes for other client groups we service.
|Search and Selection
Secure Leadership - Keeping the best company
The finest former CSOs from global organisations, we are uniquely qualified to identify
and help integrate exceptional talent for operations seeking truly outstanding results.
Our search and selection practice continues to thrive.
Burrill Green is a vocationally driven company (a quaint but true reality) and, for us, success is achieved by raising the capability and impact bars of corporate security.
Put simply, in an HR context, this cannot be achieved without the "Right People" in the right positions. This should be the goal at the heart of any recruitment process: the key investment. Yet too often we see companies trying to "go it alone" or using recruitment companies whose staff do not have in depth security knowledge. The result is that they risk getting the "Wrong People".
Too much reliance on carefully crafted CVs/résumés, too little penetrative interviewing and weak job descriptions hamper the process. Where the first two of the aforementioned factors apply to recruitment companies, risks include some of the very best candidates not even making it on to short lists. Weak job descriptions exacerbate the risks associated with an over reliance on ‘word match’ between those (the job descriptions) and CVs/ résumés.
Being a vocationally driven company (there, we have said it again – quaint!), we are prepared to help companies to get the "Right People" in a number of specialised ways, including proprietary approaches in search processes and in service levels, attitudes and behaviour. We would always recommend our full service but we are mindful of the fact that budgets are often constrained. We offer a range of support measures including - writing job specifications, providing interviewers to "in house" recruitment activities, CV/ résumé verification, setting scenario tests for short listed people. We are happy to discuss other needs and requirements within our service scope.
Warranting separate mention, and this has happened throughout the six year existence of Secure Leadership and twice very recently, we can step in when client company "in house" efforts or those of another recruitment company have failed to find a suitable candidate; a frustrating conclusion and one heavy with risks. Using our unmatched connections and foreshortening our normal service timetables, we have been able to find one or two people who have turned out to be a very good fit, with no loss of value or reduction of standards. What we will not do is to partner other recruitment companies.
We also offer a service to help companies to construct and implement a talent development strategy and programme. Bearing in mind the criticality of ‘Right People’ it is surprising how often this crucial field is neglected and less than desirable circumstances pertain. The same holds true for succession management planning.
So much for the services provided to our client companies. The other focus of Secure Leadership is on those seeking senior executive employment, those wanting to be the "Right People". At no cost to candidates we believe have clear strengths, we provide career guidance to individuals whether or not they are competing to fill a current specific role we are managing for a client.
Tomorrow may be their turn to fit a need, and we work hard to harmonise the quality of the fit. Amongst these are many people, in the UK and other countries, who wish to or are making the transition from public to private sector roles. Those we help usually do well, often extremely well. Here is but one of many tributes:
“I have to say our discussions, your openness and the process I went through with you helped enormously in getting to the right position – I am truly grateful to you.”
|Analysts for Security - Keeping the best company
The finest former Senior analysts and CSOs from global organisations, we are uniquely qualified to identify and help integrate exceptional talent for operations seeking truly outstanding results.
Security Management for Security and Intelligence Analysts.
We believe that analysts offer the potential to bring their beneficial diversity of talent to security management. Unfortunately, their suitability for broader engagement in business has generally been ignored. We are pleased to be offering a way of helping to address and change this position.
This programme, a modified version of the Business Security Managers’ Course, is designed to give security and intelligence analysts the knowledge and management tools and techniques they need if they wish to broaden their careers by moving into a security management role.
The course places emphasis on the skills, tools and materials of the senior business security practitioner while still providing an understanding of the management of business security. It enables participants to see how the different aspects of business security activities impact on and benefit organisations through integration with other business functions.
This course is designed to be delivered through distance learning, a form that suits analysts (and their employers who may wish to provide financial assistance as part of their talent development programmes), though the option of a part-residential/part distance-learning course remains a possibility.
Progress on all fronts continues. We welcome questions and the tabling of issues and challenges for us to consider. These help us refine both the content and ways we deliver our services. As ever, we continue to strive to add value to enterprises through the way we practice corporate security, while lowering costs wherever feasible. We try to be as fleet of foot as those on the Dark Side,
while dedicating ourselves to being transparent for all those on the Bright Side.
See you again later in the year.
David, Kevin and your entire Burrill Green Team.
|Archive: March issue »