Globally Responsive Security
In one form or another firms in the UK, and London in particular, are becoming more global every year, and acting accordingly. For the security and business continuity industry that supports them the challenge is to keep pace.
In any league table of institutions with true global reach the City of London would be close to the top. Why else would anti-globalisation protestors take such interest? Most of its corporate inhabitants are global or have powerful global interests, and the trend is firmly in that direction.
The Prime Minister’s recent trade visit to India has highlighted the trend. The party included a who’s who of British business, with strong London representation, and the themes were: more cooperation, more investment into Indian technology and infrastructure, easier visas and travel, more education opportunities; the PM spoke about our increasing reliance on Business Process Outsourcing in India in support of British industry, IT and finance, and the consequent need for us to share British cyber security skills.
Staying with India, less than five years ago that security challenge was thrown into the spotlight when terrorists attacked hotels and transport hubs in Mumbai. The UK’s security departments and corporate operations rooms instantly found themselves at the sharp end of analysis and response. Crisis rooms, physical and virtual, sprang up around the community in response to a tsunami of information from travellers and local staff on the ground, many using their PDAs and phones to Twitter, text and email from inside the places under attack, pre-empting the media coverage by up to an hour or more. If it was not clear before just how closely connected the UK was to the places where its interests were represented, then the attacks of 2008 left no room for doubt.
India then and now shows that international businesses based in the UK, and particularly London, are affected irrevocably by security events abroad. Twelve years on from 9/11, eight from the Asian tsunami, two from the Japanese earthquake, two months from the Amenas attacks in Algeria, and in the midst of a regional crisis with global impact centred on Syria, no-one can claim with a straight face that a security event abroad does not require a security response here.
Small scale events too can be devastating in effect. In 2012 an average month saw about three or four Westerners kidnapped abroad. The response to a kidnapping might have to be instant, the so-called golden hours. When staff are travelling, their transport, meeting arrangements, communications, tracking and alert devices are all likely to be managed from their parent control room; so when something goes wrong it is essential that whoever is at the monitoring desk interprets the event accurately and reacts instantly.
These examples show the need for a control room to respond to terrorist and natural incidents abroad but such events can happen at home. IRA terrorism in Bishopsgate, the 7/7 attacks, G20 protests, IT failures, and even heavy snow, have all impacted on our ability to continue business. Either way, a security control room with globally aware staff, backed by a security vendor’s own control room thinking and acting globally, is a highly effective weapon of defence.
Firms whose security companies have a global outlook and capability will be at an advantage. For example, security companies used to working in hostile zones will pass their experience on to their security officers and to their managed control rooms. In this context, a hostile zone can of course mean a country affected by conflict or terrorism, but it can also mean one where business is threatened by espionage, hostile surveillance, even by epidemic or extreme weather. Terrorist surveillance in Pakistan, Iraq and Afghanistan is a given, as is other more technically based state surveillance in countries such as China and Russia, and a security team trained and maintained by a company for whom these things are second nature will bring its clients considerable added value.
From the perspective of the business, there are three steps to setting up a globally responsive control centre:
- Analyse the security and business continuity risk
- Find a security vendor with global expertise that accrues to its security staff
- Design the control centre, set its standards, and embed it into the business
The Risk analysis
UK businesses that have foreign subsidiaries, offices, partners, investments, supply and distribution chains, particularly in the developing world, or those who send travellers abroad regularly, are likely to need a security and continuity response capability in a control centre at home. The higher the security threats encountered by the business in the overseas environment, their frequency and associated vulnerabilities, the scale of the business, and the human, financial, reputational, legal or regulatory impact of an event occurring or emanating from abroad, together determine if, and how much, global expertise is needed in the operations centre.
Most sizeable companies in London will require a globally capable security operations centre.
The security vendor
It is unusual to find corporate businesses running their own operations rooms. Most use a security vendor, with a contract or senior control room officer reporting to a security or facilities manager in the business. In some cases, although there is a strong and effective relationship between vendor and client over manned guarding, front of house, and physical response to incidents in the buildings, there is a disconnect when a more complex event happens.
Major crises are managed by the business at Gold level, with the core security and continuity departments advising and providing professional input at Silver level. Activity in the security control room might be categorised ‘Bronze’, which makes sense if the incident is in the UK, but there is often a misconception about its role when the incident is overseas. If the centre is to provide a real Bronze role in that case, or if it is expected to be the first recipient and interpreter of an emergency call from a traveller, out of hours for example, then standard manned guarding skills, training and back up will not be enough.
To be effective in that scenario the control centre staff will need a number of competencies. They should understand their client’s business: not just what it does, but where and with whom it works; what travellers are on the move at any time, what countries are involved, and what the main threats are in those countries; where the major cities and landmarks are; what the climate is; where the embassies are. They need to have situational awareness, know how to deal with people in stressful situations, and know instantly who to call in given situations while managing a caller calmly and securely. Otherwise, when they answer the emergency phone they become a point of delay or failure rather than an active source of help or rapid communication with those who can help.
The business’s own security staff will often be on permanent call for incidents, but it is rare to find a ‘duty officer’ rota, particularly as departments downsize. This means the control centre might not always be able to raise a client’s security manager quickly out of hours. This is where an experienced and well structured security vendor, with its own 24/7 operations centre, manned by experienced staff with access to a 24/7 senior management system that knows its client, can be invaluable. In an emergency a senior manager who has personally worked in hostile and challenging places, who has global perspective, and who could have seen business from the client’s as well as the vendor’s side, might stop an incident from becoming a crisis.
Training, of course, is a key element. Some security officers in control rooms will have had military or similar experience, but these days many will not. Therefore the security vendor will need to leverage the skills and knowledge of its central staff in order to train the officers it deploys to its clients’ control centres. That presupposes that the central staff has those skills and knowledge to transfer. A client whose risk assessment directs them towards a globalised operations centre would do well to write its RFP to elicit security vendors with those credentials. A standard manned guarding company might not be able to respond, including at operational, contract management or relationship management levels.
Because the business is likely to be fast moving and responsive to changing markets the security vendor needs to be equally light on its feet, meaning training methods and technologies that can deliver and test tailored knowledge quickly. Interactive, web based modules, as well as on-site training and quality assurance, based on regular engagement with the client and a deep understanding of security best practice and standards, are essential if the security team is to keep up to speed.
The control room
The control centre itself should be modern and functional, but need not be state-of-the-art if money does not allow. Most important are good communications, on line SOPs, and information management systems.
If client staff travel or work in hostile places, then a tracking system is needed, and probably an option for end to end encrypted communications, device to device, including mail, texts, voice and video. An ergonomic design of the control room, including seats, desks, monitors, and the management of heat, air, light, cables and storage encourages an efficient response: good references are BS5979 and ISO11064.
In certain situations a ‘forward operations room’ might be needed. In a recent case our client travelled into a hostile environment in the Middle East, accompanied by one of our security consultants. Throughout the trip we and the client ran a temporary operations room away from the hostile areas but close enough to communicate well and to mount a planned response in an emergency.
It would be completely wrong to conclude that globally responsive security operations mean high prices. In practice, especially for those vendors who are lean and focused enough, the opposite is true.
Security vendors providing UK manned guarding alongside a global security service is the model that works best. However, if a security company is too big and unwieldy it loses the ability to apply its global management experience and knowledge directly onto its individual clients, and will probably have to replicate its global structure in its various business functions, including in manned guarding.
A leaner company leverages its global management experience and resources on behalf of its individual clients, thus keeping management costs down and the quality of the management up. By centralising its training on line, supported by Q&A visits on site, training costs become both cheaper and more effective too.
Director of Risk Management Operations
Pilgrims Group Ltd.