Strategy for corporate security – Sir David Veness
BUSINESSES MUST BE ON ALERT
An alert business provides prudent protection for its staff, visitors, clients and customers against a range of threats including the developing menace of international terrorism. An alert business is also better prepared to reduce loss of life and other harmful impacts of malevolent events. An alert business neighbourhood provides greater protection than businesses acting on their own and is likely to generate more purposeful preparation.
Fundamental to addressing a corporate agenda on this theme is comprehensive engagement from leadership to staff at all levels. Immediately after the tragic attacks in Paris in November 2015 it was apparent that those businesses which proved most resilient were those with the asset of senior management concern for staff safety and a security culture across the business.
The Director General of the UK Security Service (MI5), Andrew Parker delivered the “Lord Mayor’s Defence and Security Lecture – A Modern MI5” on 28 October 2015. His remarks were illuminating, perceptive and prescient.
He stressed the complexity of the threat stating, “Today we face a three dimensional threat: at home, overseas and online. An increasing proportion of our casework links to Syria and to ISIL. Even three years ago, when Jonathan Evans gave this lecture, we could not have predicted how the ISIL phenomenon has developed since. More than 750 extremists from this country have travelled to Syria, and the growth in the threat shows no sign of abating.”
He emphasised, “in a range of attacks in Europe and elsewhere, this year we have seen greater ambition for mass casualty attacks. All of this underlines the growing threat we face”. He reinforced the unprecedented scale and tempo of these developments and stated that the threat “may not yet have reached the high water mark, and despite the successes we have had, we can never be confident of stopping everything”.
Dire events in swift succession rapidly demonstrated the accuracy of these warning comments. On 31 October 2015 a Russian civilian airliner was downed by terrorist action over Egypt. A Daesh-associated group claimed the bombing. All on board the aircraft – over 220 – were murdered.
On 12 November 2015 suicide bombs killed 40 in Beirut, Lebanon and on 13 November 2015 concerted brutal attacks were mounted in Paris at diverse commercial and entertainment venues, killing over 130 people.
The Paris attacks were claimed by Islamic State (Daesh), with a threat that further attacks would follow. London continues to feature specifically in Daesh propaganda as a prime target.
This first major attack by Daesh in a major Western European city included a range of attack methods delivered with great savagery in a short time span. The Economist leader dated 21 November 2015 entitled “How to Fight Back” noted “It could have been any big city. It could have been you”.
John Brennan, Director of the Central Intelligence Agency (CIA), has spoken of an “External operations agenda” for ISIL (Daesh) (CSIS, Washington DC. 16/11/2015). He also asserted that he certainly did not consider the Paris attack as a one-off event.
The 36-page UK Government document making the case for airstrikes in Syria contains the comment “ISIL has a dedicated external operation structure in Syria, which is planning mass casualty attacks around the world” (Memorandum to Foreign Affairs Select Committee. Prime Minister’s response. November 2015).
The conclusion to be drawn from the tragic events of 2015, which have been followed by attacks on city centres in 2016, is that commerce is inextricably involved and that it is timely to review corporate action.
The excellent “NACTSO Guidance Note 2/2015 – Reviewing your protective security” (November 2015) details a check list of 10 points. These are introduced with the comment “This is the right moment for businesses to review their security plans to ensure that measures they should already have in place, are still current and have been tested to ensure that staff are prepared and confident.”
In support of this NACTSO Guidance and other commendable publications by CPNI, NACTSO and Police Services, what follows is a suggested corporate agenda to achieve effective implementation. The intention of the corporate agenda is not to repeat the official guidance and advice, which must be studied in its original version, but rather to aspire to an outline of a commercial context which is most conducive to making the very best of the official advice, with bespoke business plans.
There are 5 recommended points for company leaders and 5 all-encompassing items
For the leadership, the items are:
- Understanding threats and response.
- Appreciation of corporate impact, especially staff reassurance.
- Top level plans to address threat variation.
- Corporate security structures, organisation and resourcing.
- Enlightened self-interest and corporate social responsibility.
Understanding threats and response
Leadership understanding is the pre-requisite for an effective corporate security culture and for arrangements whereby advice and guidance can be translated into balanced actions. Senior corporate disinterest or inaction is a major barrier to implementation. The present threat of international terrorism displays distinctive features at global, operational and tactical tiers, with business included in the target span. This is a strategic subject apt for briefing and debate at board level. The briefing should include constraints upon national and multi-national response and realism concerning the enduring nature of the threat. The prospect of terrorist innovation is also a vital briefing component.
Appreciation of corporate impact, especially staff reassurance
Impactive and brutal events, akin to urban warfare, produce understandable human concerns, particularly when attacks are repetitive. Corporate pro-activity to reassure staff and to display business grip is essential. Companies which prioritise this activity are likely to enjoy greater employee confidence. Reassurance is best delivered immediately it is needed and therefore board recognition of this important topic and prior planning for timely action is essential.
Top level plans to address threat variation
Threat levels should not produce a thin pencil line of corporate security measures in responses, but rather a wider band of activities which can be adapted and adjusted to cope with threat modifications such as attack methodologies. Senior management recognition and support for changes to security patterns is essential for smooth acceptance and demonstrates leadership by example.
An actual threat level increase may necessitate activation of business continuity plans with direct involvement of company leadership. An initial meeting to address the circumstances prompted by threat change is the minimum wise action.
What corporate entities need to avoid are security reactions which have not been thought through in advance and do not illustrate a long-term security perspective. Businesses which are prepared will act more swiftly and effectively. Reassurance and confidence will thus result.
Corporate security structures, organisation and resourcing
Corporate security is a business enabler, never more so than in testing circumstances. For these purposes corporate security is most efficient as a fully inclusive effort ensuring the cohesion of all relevant resources to enhance and advance safety and security. Human Resources, medical support, travel sections, legal services and others are key partners. Inefficient corporate structures can compartmentalise security endeavours.
Strains on corporate security resources can be made worse by protracted periods of high threat or the challenges of staff travelling and working abroad. The integration and resilience of comprehensive corporate security arrangements should be a senior leadership priority.
Enlightened self-interest and corporate social responsibility
The simple objective is to be a good neighbour and an engaged citizen. Neighbourhood local business security co-operation is especially beneficial for SMEs who do not have in-house security or much scope to attend to this issue. Business to Business schemes (B2B) are more ambitious and cohesive. Business self-help in facilitating public sector security events or providing internal staff training is of particular value when the target span is growing and public services are inevitably under greater pressure. Senior business engagement with business representative security bodies and initiatives plus specific projects (such as Project Griffin) are valuable drivers of mutual corporate endeavour, where the track record of practical benefit is very well established and a distinctive UK asset.
The 5 points relevant to everyone in the company are as follows:
- Situational awareness.
- Measures which match the threats.
- Business continuity and crisis management readiness.
- Staff communication, awareness, briefing and training.
- Optimising the contribution of security providers and security partners.
Whilst the board should be fully cognisant of overall threats and their trajectory, everyone needs to be aware of the consequences of specific incidents. The most effective (and free) option is business registration with Cross Sector Safety and Security Communications (CSSC), through which information is cascaded to industry sectors. Business peer groups and business security bodies are also valuable windows on current reality. Situational awareness is the key to informing decisions on useful actions and the basis for internal communication.
Measures which match the threat
Corporate company security specialists are instrumental in operating a package of security measures which seeks to address perceived threats. The business community has the unique ability to implement and review measures which contribute collectively to deterrence, detection, protection and preparation. These range from access controls for people, vehicles and goods, attention to hostile reconnaissance, employee vigilance, efficient CCTV to dynamic lockdown and evacuation/invacuation procedures. There is a wealth of officially promoted and easily accessible advice on these and many other aspects of business security, all of which is important and useful together with the counsel that generic actions need to be fully evaluated against specific company needs and requirements. The support of users for the dynamic security package based upon focused information and readily accessible reporting arrangements is a defensive multiplier.
Business continuity and crisis management readiness
Company leadership can define and reinforce the necessity of contingency plans for continuity and crisis management. Many within the company will ensure that this policy is taken forward to readiness, rehearsal, maintenance and exercising. The threat of international terrorism impacting upon corporate activities at home and abroad has sharpened the importance of professional incident response which is vital to sustaining core business operations.
Staff communication, awareness, briefing and training
The public launch of the STAY SAFE video on 18 December 2015 was an important step and an excellent example of wider communication. The involvement of staff beyond those directly concerned with security adds significantly to total vigilance and internal training opportunities enhance this valuable advance. There are innovative means of staff contact subject to constant technical improvement. The emphasis on increased business self-help in briefing and training is a reflection of the complexity of the threats including attack methods and venues. The proliferation of social media increases the need to provide timely and accurate information and to be prepared to dispel rumour. Staff communication briefing and training is a predictable zone of corporate expansion.
Optimising the contribution of security providers and security partners
The provision of corporate security regularly involves outside contributors. A developing threat picture suggests that security providers and those contracting their services should elevate their engagement and mutual understanding to address possible changes in requirements. For example, after the Paris attacks the availability of certified security guards was rapidly exhausted. Greater integration between the aims of security policies and the future planning of security contractors and other partners should be a positive process reflecting changing conditions. It is another example of how traditional linkages and approaches need to be refined to address the reality of 2016 and beyond.
Sir David Veness, Senior Advisor, Pilgrims Group Ltd (at time of writing)