Welcome to the latest edition.

(click a subject to jump to item)

      Introduction »
      New Associates »
      The Stimulation Piece »
      Burrill Green Consulting »
      Masterclass and New Masterclass »
      Security Solutions Now »
      Secure Leadership »

In this condensed newsletter, we include our usual piece to stimulate thinking and discussion, this time on cyber security. We will also follow up with further thoughts on cyber in the next edition. We also point to our latest version of our Masterclass which embraces information security and cyber security, an ever-growing area of essential activity and investment attention. CSOs, the C-Suite and above should all be taking a responsible interest in these topics that can all too quickly rupture a flourishing business.

We then update additions to our extended offers for those who want to use our search and selection specialist, Secure Leadership, in places where there are significant cost constraints yet a major need and desire for world-class talent to help organisations flourish securely.

New Associates

We are delighted to welcome Andrew Jackson to the team.

Andrew Jackson - Associate.

Andrew Jackson is a British national with a broad global perspective and extensive international exposure. He served for 13 years in the UK Diplomatic Service (security and intelligence) and has 15 years international corporate security, compliance and reputation management experience.

His most recent role was Head of Global Corporate Security and Corporate Aviation with Novartis International AG from August 2009 until March 2015. He was previously Vice President, Corporate Security, with Novartis Corporation in New Jersey, US (2008 – 2009) and Executive Director, Corporate Security with Novartis in Switzerland (2002 – 2008).

Responsibilities included the direction of the company’s product security programme (anti-counterfeiting, cargo and supply chain security), extremism risk strategy (animal rights extremism), due diligence, pre-employment screening, physical and technical security, fraud and misconduct investigation management, travel security and executive protection. He managed an international team of 70 Novartis Corporate Security professionals.

Andrew worked previously as a Security Adviser for Société Générale de Surveillance (SGS) AG, and as an independent security consultant.

Prior to moving to the private sector in 1998 Andrew spent 13 years with the UK Foreign and Commonwealth Office (Diplomatic Service) in a security and intelligence function and enjoyed postings in the UK, Latin America, and Central and Eastern Europe.

Andrew holds an MSc (with distinction) in Security and Crime Risk Management, a BA Hons. in Modern Languages (French and German) and is a qualified linguist in Russian, Czech and Spanish. Andrew is also a Certified Fraud Examiner.

Andrew is a member of the International Security Management Association (ISMA).
The Stimulation Piece

Back in 2001, and even before that statement “9/11” came to be of such symbolic significance, one of us was in Washington at one of the now frequent conferences on the relationship between privacy and security. Even then, certain voices were saying, “Forget about privacy. Get over it. Those days are over.” Others were equally vociferously defending the need to respect the sanctity of privacy. The trouble is, such words as ‘security’ and ‘privacy’ are so loosely defined that they represent a feeding ground for interpreters the world over. Interpreters of the words include governments, lawyers, the media and any number of interest groups and individuals. The words themselves have become co-opted almost as the flags of warring states, and much energy, passion, time and money have been spent on skirmishes and clashes around the world on behalf of these often intangible notions.

Today, and for this article, we are taking a narrow definition of ‘security’, and looking at what people often conjoin as they talk to their organisations’ worlds of people and places - that is - information security. Privacy has not been given such a qualifier. As 2015 ends its third month already, the battlefields where information security issues are being fought are growing and even more bloody. Much ‘digital blood’ is being spilt. The challenge is to contain this before it is converted to real blood in many cases. Each week sees high-profile cyberattacks that are actually reported, not now suppressed, and they have focused attention on valuable data, and its protection, in higher profile ways than we have seen until now. In parallel, a chorus of voices about privacy in general clamours to be heard on the same stage.

We were relatively innocent, we citizens not on the front-line, until recently, but now the words ‘Wikileaks’, or the names Assange and Snowden are on many lips. These leaking events are now becoming part of the daily diet in the strategies of governments, businesses and other organisations, celebrities, families and individuals, to get what they want, or to ‘set the record straight’ on any number of topics, from countrywide attitudes about other nation states down to denials about other important things like digital classroom bullying.

Cybersecurity has now achieved its own celebrity status by making it into the 2015 State of the Union Address in the USA. President Obama said:

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

Apart from the Star Wars – style grammar, he’s got a point.

To use another insight, it appears that information has been weaponised. Instead of the thrill of uncovering the next layer in a children’s party game of Pass the Parcel, many people appear to be stimulated by the frisson of getting at information that is somehow hidden, or secret, or simply not theirs (although entitlement to it throws up another major opportunity for some for making money out of these crises).

Hackers now come in at least 50 shades, refining hack-attack skills at an amazing rate. Defenders, like old generals, often appear to be facing the new threats with the tools they used to fight the previous wars. Barbed wire (or, in today’s world, basic firewalls) are no defense against quantum approaches, for those who like such scientific notions with their breakfast cereal. With some software there are now so many patches it could be turned into quilts. Users often don’t help, as their behaviour keeps handing over the keys of the castle to these hackers, or worse, simply not bothering with locks on digital doors. “Hey, that’s someone else’s problem/jurisdiction/responsibility”.

From a US study, here is a list of the declared top security breaches of 2014 in that country alone. (Source - Appriver):

This isn't exhaustive. Allegedly secure data (i.e. YOURS) is hemorrhaging down the wires. There are nice graphical representations of this kind of thing for those who prefer a visual stimulus, on informationisbeautiful.net – World’s Biggest Data Breaches.

As we have consistently said, and demonstrated at Burrill Green, any such attacks mean that an organisation can not only lose valuable data, but it also damage to its brand, reputation, shareholder value and goodwill, that can all take a lot of time and money to fix. Sometimes damage is irreparable.

The highest media profile attack of 2014 was the theft of data from Sony Pictures Entertainment (SPE) by a hacker group calling itself Guardians of Peace, or GOP. Among the claimed 100TB of data stolen was employee information (some 47,000 social security numbers) and insights about the inner workings of the company and the industry at large. The movie, The Interview, a comedy about an assassination plot against North Korean leader Kim Jong-un was also targeted. Eventually, the US government came to believe this action was driven by North Korea itself, which has naturally denied any involvement.

All of this kind of activity is unlikely to go away any time soon.

It is easy to suggest that those with ‘solutions’ to offer in the cyber-security market might wish to ‘ramp up’ threats, but in fact there is actually little going on in the world to suggest that activities of the negative kind in cyber-security are doing anything other than really expanding. This is happening at the individual level right through to major corporations and governments. Responses to threats of the kind Burrill Green can talk to you more about reveal that much effort is going into responding to threats and incidents. More significant work needs to go into trying to get ahead of the risk curve and build stronger and more flexible pre-emptive defenses that can work for longer. This is called advanced detection. It is all a complicated dance.

Burrill Green can help CSOs and their organisations get ahead in this challenge through understanding the cyber intelligence capability of their IT functions and helping establish shared intelligence of cyber threats and common response process.

In the next issue we will visit threat predictions, and a series of responses that should be considered.

To discuss any aspects of this further, contact Dr Frank Marsh here »
Burrill Green Consulting

David presenting in Moscow, and with Dmitry Budanov, the Chairman of
SPHERE and the Regional Vice President of ASIS-International Region 9f.

David recently ran a Branding and Integrating Security for Success seminar in Moscow. This highly successful element of our service is designed to help bring corporate security and other Management executives together to gain practical insights into the added value that a closer understanding and partnership in cross-functional co-operation can bring. If CSOs are ever to get a seat at the C Suite top table, a deep understanding of aspects of the value and importance of branding, and, through it, the ability and determination to influence at Board as well as other levels is, to put it quite simply, critical. . If you operate with any kind of public face, you cannot escape the effects of perception and brand values these days – best to make sure that yours are optimised.

The seminar was most warmly received as these comments indicate:

“Fantastic! Our ExCom should be exposed to this”

“Thank you for your outstanding and compelling delivery.”

Masterclass and New Masterclass

Our Director of Training, John Hedley, seen here with some happy but tired
candidates after our most recent Masterclass, held in London in conjunction
with the MIS Training Institute

“I actually consider (the Masterclass) to be the most informative and engaging week of training I have ever been involved in.”

“The high level topics were delivered with intelligence and wit, and at the end of each day I really felt that I had been tested, and importantly, I genuinely considered that the experience was fun.”

In response to valuable feedback from previous participants, we have worked to fine-tune our flagship Masterclass course so that it continues to harmonise with the evolving requirements of our client-base. We received especially thoughtful feedback from the delegates to our 2014 Masterclass courses held in Toronto, Botswana and London. For our 2015 programme we are therefore expanding significantly the Cyber Security element of the Masterclass. At the same time we are extending the interactive, scenario-based element from three days out of five to comprise the full five days of the re-branded Corporate & Cyber Security Executive Masterclass.

Though he has always advised on cyber content in our Masterclasses, Dr Frank Marsh, our internationally renowned Director Cyber & Information Security, will, with immediate effect, participate from start to finish.

We are confident that the Burrill Green Corporate & Cyber Security Executive Masterclass is currently the most challenging training course available to the security profession anywhere in the world. This enhanced program is an opportunity for CISOs as well as CSOs, to those aspiring to the top positions, and to C Suite/ExCom members who have any responsibility for security. Indeed, some multi-national clients of ours now include it as an essential element in the talent development of their senior security executives.

The next two Masterclasses are scheduled for Copenhagen (8 – 12 June) (Download more information here) and London (7 – 11 December) and interest is already proving strong so we look forward to an ever more intensive and stimulating exchange of experiences and opinions among the 2015 delegates. If already committed on those dates, we have provided ‘in house’ Masterclasses for client companies and continue to offer this service. We are also able to help client companies to reduce the cost of the Masterclass by teaming up with one or more other companies.

Highly public cyber attacks recently in the news have involved theft and extortion which highlights the importance of corporate IT and corporate security functions working closely together to deal with these attacks. As we have seen, organisations face enemies capable of deploying state of the art digital attacks combined with the more traditional vectors of coercion, subversion and blackmail.

CSOs have a great opportunity to demonstrate leadership in ensuring that intelligence on both digital and traditional threats and sources is coordinated effectively.  Burrill Green can help CSOs interact more effectively with digital colleagues, and vice versa, and help them work through the sometimes obscure jargon to the key and core security issues.
Security Solutions Now

Since the last newsletter, we have been very busy servicing new multi-national clients and some smaller entities assisting them with various security-related activities. Remember - size is not important. We aim to advise anyone and everyone with sensible, timely and reasonably priced advice.

We are in the process of carrying out a detailed and comprehensive supply chain project for a major client and an intelligence-based investigation for another. We have had a number of enquiries through our “Security Solutions Now” site which incorporates our “Managed Outcomes” service relating to some straightforward and some more complex challenges. Think about the recent events in Paris involving hostage taking. Have you thought what would happen if your premises were taken over in this way? Sensitive files go missing in the post – What do you do? A member of staff passes sensitive information to the press without permission. How do you handle it?

We continue to work closely with our partners globally and we are planning to launch a new “SOS” service in conjunction with our partner, Praesidio Group. We aim to help small businesses, many of which do not have an in-house security function, to respond to immediate challenges i.e. when something goes wrong and needs to be corrected quickly or when policies or Standing Operating Procedures need to be put in place. We will also provide ongoing advice to such companies about prevention in the future to avoid additional “SOS” calls.

We are expanding our country coverage in Europe, Latin America, Africa, the Indian sub-continent and the Middle East to be able to react quickly to situations where companies and individuals may need our help and advice. We have locally based associates who can react promptly and efficiently to customer needs in the local language and who are in a position to understand the political, economic and cultural nuances of these regions.

We’re here to help so if you need immediate advice, call our offices on
+ 44 (0) 1233 850460 or Email us here
Secure Leadership - Search and selection

We continue to find flexible ways to support organisations in countries where effective resource is often scarce, and budgets are constrained. On the first level, this means no compromises on the quality of candidates, and the extent to which we conduct searches for absolutely the right people for the roles involved. On the second level, we have developed working practices and remuneration procedures that make it easier for participating companies to get affordable solutions whilst still benefiting from the Burrill Green reach to outstanding candidates. Want part of our service? Ask us.

Many people believe that with the internet, recruiting is now virtually free and anyone can do it. This has witnessed a surge in companies trying to do it on their own with a few notices and an ever open recruitment portal on their website. This can be a hugely costly and time-consuming mistake. Of course, there are people with successful stories to tell about ease and efficiency. There are many other less successful examples. Recently, one company, with a ‘self-help’ mission attracted over 70 applicants for a senior position. Not being sure that they were getting the quality needed, Burrill Green was asked to take over the process including looking at who were considered to be the best four of their applicants. At the conclusion of our involvement, only one of their top four applicants was in our top fifteen but not in our top ten! Against this background, where we endorse it as a possible route forward, we continue to demonstrate that there are still affordable ways to enhance achieving the best results consistently, by utilising our approach and reach.

We continue to offer candidates an unsurpassed level of support in their own search for new opportunities. Both for recruiting organisations and candidates looking for their next career-building role, we offer a very wide-ranging set of support services and access to a global base of highly-qualified people.

We remain committed to developing the most efficient and pragmatic ways to get the best fit between people and roles, without compromising quality standards. Talk to David Burrill. You really can get the best for less. Remember our difference: all our interviewers and selectors have practiced corporate security for real and with proven success – we are not easy to hoodwink.

It’s a tough principle, but someone’s got to do it!

See you next time,

David, Kevin and your whole team at Burrill Green.
Newsletter Archive:

December 2014 issue »

March 2014 issue »

July 2014 issue »