In this episode, Bryghtpath Principal & Chief Executive Bryan Strawser walks through the new Bryghtpath Global Security Framework. You could also call it a corporate security framework if that’s the frame of reference you prefer to use.
During Bryan’s career, he spent over 21 years working as a part of the Global Security Team for a Fortune 30 organization, ultimately spending the last six years leading that organization’s business continuity, crisis management, and global intelligence function. But Bryan also spent a lot of time working in and supporting different parts of the global security organization.
This framework came about after working with a client here in Minnesota who was working to establish a global security capability and happened to ask us where they should start. We put this framework together from our standpoint representing “Here’s our view of how we would think about building a global security program.”
Related Blog Posts & Episodes
- Episode #6: Leading during an Active Shooter Incident
- Episode #18: The Race
- Episode #26: The Top 12 Global Risks of 2018
- Episode #28: Protecting your Senior Executives
- Episode #30: Threat Management in Educational Institutions
- Episode #39: Travel Safety & Security Programs
- Episode #49: Preventing Workplace Violence
- Webinar: Insider Threat – The Threat lurking inside your organization
- Blog: An overview of Physical Security Penetration Testing (Red Teaming)
- Blog: Current best practices for mailing screening
In addition to the resources mentioned in this article, our friends at the Security Executive Council have a significant number of resources & knowledge available to organizations.
Bryan Strawser: Hello and welcome to the Managing Uncertainty Podcast? This is Bryan Strawser, Principal and CEO here at Bryghtpath. In this week’s episode, we’d like to walk through our new framework for a global security program, or you could call it a corporate security framework if that’s kind of the frame of reference that you prefer to use. During my career, I spent, prior to founding Bryghtpath, I spent about 21 years working on a global security team for a Fortune 30 organization, ultimately spending about six years leading that company’s business continuity, crisis management, disaster recovery, and global intelligence function, but I had a lot of experience working and supporting different parts of the global security business. Not too long ago, we were working with a client here in the Twin Cities, who was trying to stand up the global security capability, and so we built this framework from our standpoint kind of representing, “Here’s our view of how we should think about building a global security program.” Let’s take a look at this.
Bryan Strawser: Of course, if you go to the episode page, you’re able to download our Global Security framework as a graphic and able to kind of follow along as we take a look at how to do this. Starting on the left, the first category for a Global Security framework is physical security capability, and we really think about this and investigations, which is the second category here. We really think about these as being the principal, kind of foundational starting place for a Global Security framework, the ability to secure facilities in order to keep people and assets safe, and then second, the ability to investigate things that are happening that are outside the norm or that might be criminal in nature that affects the integrity of the organization. With physical security, we start with the priorities, the life safety of employees, a workplace violence prevention program, so, “How do we prevent workplace violence through training and policies, and things along those lines?” The third is threat management.
Bryan Strawser: Once we’ve had an incident of a threat reported internally, externally, social media, email, how does that get handled? What’s the threat management program? How is the threat triaged, and then if necessary, formally assessed, and then plans put into place? You can look at, or listen to our previous episodes on Workplace Violence and Threat Management Frameworks, and risk factors and escalations for ideas and more of a deep dive into that area. The fourth area under physical security is planning and design, so this is for new or remodel facilities, but what is the application of crime prevention through environmental design?
Bryan Strawser: How are we planning these facilities with security requirements in mind from the beginning, et cetera? Access control. What is the approach to securing access to the facilities? This could be key control. It could be a card access system. It could be biometrics, but what is the program, the official program for maintaining and controlling access to the facility?
Bryan Strawser: Next, the security presence. What’s the visible security presence, whether that’s security officers, plainclothes security individuals, armed security, robots or video analytics, or other things that are clearly visible that create that security presence that deters crime and kind of reinforces the right behavior? Then lastly, in physical security, just culture, and awareness, culture in terms of, “What’s the culture around following the security controls that have been put into place?”, and awareness around, “How is security communicating what they’re doing? What kind of material is out there, intranet, digital, internal social media, external social media, posters and things like that, that help drive awareness of the security program?” That’s physical security to us, one of the two major foundational elements of a global security strategy and program.
Bryan Strawser: The second is investigations, the ability to investigate something that is abnormal, or something that is wrong, or something that has been reported. The first area is just investigative policies. “What are the roles and responsibilities within the organization? How are investigations conducted? What are the ground rules around that?”
Bryan Strawser: The second is we expect the investigative capability of a global security team to be independent, independent in that although at the end of the day, we all have a boss, but independent in that they are driven by the security organization who also only reports to a Senior Executive, and the investigators are able to investigate with a high degree of independence. That doesn’t mean they’re not talking with lawyers, internal or external to the organization. It doesn’t mean that they aren’t taking direction, but it does mean that they’re able to follow the investigation where the investigation leads. The third area here in investigations is just, “What are the investigative capabilities and technologies? Do they have the tools or case management systems or other things that they need?”
Bryan Strawser: The next area in investigations is compliance and investigations around our major anti-bribery laws and our major anti-terrorism laws. This is the OFAC regulations, the Office of Foreign Asset Compliance, where we’re verifying that we’re not doing business with third-parties that U.S. companies are prohibited from doing business with. Then, paired with that, the FCPA, the Foreign Corrupt Practices Act, where we’re validating that our organization is not bribing individuals in foreign governments or in foreign countries in order to do business. Next is exception reporting. “What’s available to the investigation’s function in order to detect and find exceptional behavior?”
Bryan Strawser: By exceptional, I mean abnormal things that stand out, and they may be legit and not criminal in nature and not impacting the integrity of the organization, but there’s reports that allows us to see exceptions and allows investigations to commence investigators to dig deeper into those exceptions. Then lastly, that your organization has an integrity or a reporting hotline, an integrity hotline or a reporting hotline, something that allows them or allows employees, and vendors, and parts of your supply chain and others to report unethical behavior, and that those hotline reports are then investigated and sent to the right unit within the organization to follow up on. Someone can call the integrity hotline for a sexual harassment issue that probably goes to HR, or employment relations attorneys or something like that, but something of a security nature should come to the security team for a follow-up investigation. Physical security and investigations, that’s kind of our foundation for our Global Security framework. In the next section, we start dealing with crisis management. It is the first category.
Bryan Strawser: Here, do we have a crisis management program? Do we have a defined crisis management team? Have we built a defined escalation process and a crisis management framework that allows for decisions to be made through a collaborative process, and then communicating the results of those decisions? To us, those three things are where we start. We have a defined crisis team with clear roles and responsibilities, we have a process to escalate things to that team, and for them to communicate upwards to executives into the board if that’s applicable, and then we have a framework on how to collaborate and make decisions and communicate the results of those decisions. Once those things are in place, then we look for a specific scenario, a crisis planning.
Bryan Strawser: “What are the top 10, 12, 15, 20 risk-based scenarios that we need to have specific plan annexes for?” Sometimes we build, think of something called a playbook that has all of this kind of laid out. Here’s our crisis playbook, and now we’re going to execute upon the things in that. Then lastly, that we have a good process, crisis management process for simulations and exercises. The next bucket is travel safety and security. This isn’t always applicable to organizations, but if you are traveling, and particularly, if your employees are traveling internationally to higher-risk locations than where you’re typically doing business, you probably need some element of a travel safety and security program.
Bryan Strawser: It starts with a legal concept around duty to care that you are planning and making life safety and safety, and the security of your employees is important to your organization. Travel safety and security starts with the duty to care, but it moves relatively quickly into travel policies like, “What are the travel policies? Are we looking at the risk of countries, or cities, or regions that employees are traveling to, and that we understand that there is a process in place in order to restrict travel and put some guidelines in place to ensure the safety and security of our travelers?” For example, in my previous employer, we had a country risk assessment process and a travel security council. Through that travel security council, we could bar travel to certain countries or certain regions because they were not safe for folks to go to in our opinion, but again, this varies by organization.
Bryan Strawser: We then look for companies to risk rate, countries whether you’re working with a company like International SOS or Control Risks group to use their country risk ratings or you’re doing something internally. Then, we look for monitoring for major events that are happening near where your travelers are at or where they’re going. We talk about this intelligence monitoring, but it pairs closely with a travel tracking capability where you have the ability to see where your employees are at, and you’re able to see the events around them that might create risk. For example, a few years ago, one of our clients, there was an Active Shooter event going on in Germany, and one of our clients, his Chief Financial Officer was there actually within about half of a kilometer of where the event was going on. We knew that he was there.
Bryan Strawser: We had a travel tracking capability. We were able to quickly make contact with him and get him to a safe location, and then we’re able to evacuate him safely back to his hotel. That’s the kind of travel tracking an event or intelligence monitoring that you really need to have in place. Then lastly, for travelers internationally, you’re going to want to have third-party medical and security support for when these events do happen or when someone gets sick. Particularly, in some parts of the world, you need a vetted medical provider or access to vetted medical providers.
Bryan Strawser: You do not want your folks just walking up to the nearest hospital or clinic because you will wind up having folks in places that are perhaps not safe and where they’re not getting the level of care that you’re going to want them to have. That’s travel safety and security. The next area talks about partnerships, and here, we’re looking at, “What are the Public-Private Partnerships for an organization and their connectivity with the global security team?” We have these in several areas, and where your prioritize here would really depend upon the maturity of your organization and where you’re operating and what those risks are, but some of the partnerships we should look at are with emergency management agencies, and you have these typically local county, state, and then federal across the United States, and other countries are somewhat similar to this. Some countries only have this at a national level.
Bryan Strawser: Law enforcement, “What is your relationship with local law enforcement and law enforcement at different levels that may impact the business that you’re in?” If you are operating, if you’re a significant global operator, you will want to have partnerships with the intelligence community. You can look at the Public-Private Partnership programs at the Office of the Director of National Intelligence or through the state departments, Overseas Security Advisory Council, or through the FBI’s Domestic Security Alliance Council, or for smaller organizations, FBI’s InfraGard, but are you getting access to the information that you need to make sure that you’re making the right moves as an organization to secure your business and protect your team? You also have the opportunity to interact with peers, so this is a kind of industry connectivity through your trade groups or local, regional and state Chambers of Commerce. Then, in a really mature organization, we would look to see a public-private sector strategy and evidence of collaboration, that there’s a deliberate strategic effort to build partnerships with public sector agencies where the company has something to gain in terms of information and insight, perhaps an early look at some things, and the public sector agency gains from the company’s expertise and information about what’s going on.
Bryan Strawser: The next category here is executive and event security. We lump these together because we typically see the same leader have responsibility for both, but in a large enough organization, this is about protecting your senior executives, perhaps at home, perhaps in travel, perhaps only at company events, perhaps it’s 24/7. This depends on your organization. The second part here is just major events planning, large company meetings, shareholder meetings, big vendor, financial community presentations. These are all possibilities of things that need to be planned, and then managed, and it requires a little different level of care, which is why we often see this aligned with executive protection.
Bryan Strawser: Then lastly, corporate aviation, perhaps you own or lease aircraft and operate them yourselves, or perhaps you have some kind of agreement with a company like NetJets or Flight Options or something else, but just the management of the security aspects of your corporate aviation unit, we would see that program falling into this area. The next category is an operation center or a GSOC, a Global Security Operations Center or just a SOC, a Security Operations Center. In a Global Security program, we look to see the operations centers set up as a single source of truth. They’re a trusted part of the organization that’s communicating what’s going on. They have a lot of information flowing in, and then they’re pushing out to communication that is relevant and timely and impactful and provides a good overview from a situational awareness standpoint of what’s going on.
Bryan Strawser: In large organizations, GSOC centers like this run 24/7. They’re actively monitoring a number of things going on around the country and world. They’re likely the starting point for an incident management process that then escalates into a crisis management or crisis leadership process, and we see a GSOC is being a really core to that, that they’re monitoring what’s going on. They’re kind of at the base of that crisis leadership process, even though you may have a crisis management team that comes in and does more as things go on. We also see GSOCs as being a place for centralized security operations.
Bryan Strawser: They may be dispatching security officers. They may be responding to a ShotSpotter alert and things along those lines. Then, getting to the far right of our framework graphic, we see an intelligence program as an important part of a Global Security framework, particularly in a more mature organization. We typically see kind of three categories of intelligence, and then kind of a foundational element here with intelligence. The first is geopolitical intelligence, like, “What’s going on around the world that may have an impact on us?”, looking at major events that are playing out
Bryan Strawser: May go as far as to look at just politics. I mean, as we’re recording this in September 2019, there are major political earthquakes going on in Great Britain, in the United Kingdom around Brexit. There’s a lot of things happening with that. There’s a lot of instability that’s being generated through the Brexit process in the U.K. and in London. There have been protests with thousands of people.
Bryan Strawser: If you operate in the U.K. or you have U.K. companies in your supply chain, or this is your next expansion market, then this geopolitical intelligence on what’s going on over there could be important to you. If you don’t, it probably has nothing to do with you. That’s a domain, an intelligence domain that could or couldn’t be important, depending upon your business. The second area for intel is corporate and reputational intelligence that we’re looking for information and intelligence that may impact our reputation. We might see an inbound threat on our intel radar screen so to speak, where an executive make a misstatement in the media, and now this is coming back at us on Twitter and gaining steam in terms of the story.
Bryan Strawser: The third category is cyber intelligence. Here, we’re looking at kind of a whole cyber threat picture. This may not belong in a global security team. It could be cyber intelligence is being managed by your cybersecurity organization or by your CSO, but we often find the intel component in global security. Then lastly, kind of a foundational element here is just public private partnerships in the intelligence community about your connectivity between your intel team if you have one internally and the intelligence community through some of the sources that we’ve mentioned before.
Bryan Strawser: Then, our last category here on the Global Security framework is the supply chain. First, we’re looking at end-to-end supply chain security from the dock, at your vendor’s warehouse, all the way until it shows up at your organization. “What’s the security of that supply chain? Who are you dependent upon to make that supply chain secure along the way?” This could be your ocean carriers.
Bryan Strawser: It could be air freight. It could be big common carriers like UPS and DHL, FedEx and others. Second is just a supply chain reputation. “Are you sourcing responsively from vendors that are not going to compromise the integrity of your organization?” Sometimes that requires an investigative capability to really dig into that, or perhaps you’re purchasing that information through a third-party.
Bryan Strawser: There’s the investigative capability within your supply chain, so if you got a truck that gets hijacked in Guatemala and it’s got your product onboard, how are you going to investigate that, and do you have any loss to begin with, and then how are you going to investigate it? Do you have access to the experts that can assist with an investigation at a location like that?” Then lastly, there’s the Customs-Trade Partnership Against Terrorism or CTPAT, that allows you access to the priority lanes in the U.S. ports because you’re following the requirements of the CTPAT program, which are a much greater level of security of your supply chain shipments and the integrity of your suppliers and such than a normal run-of-the-mill oceangoing or air freight shipment. That’s our Global Security framework. Again, we laid this out as our view of what a global security program should look like. We left out some foundational things like budgeting and IT capabilities and some of the things that are going to kind of be there as the foundation of any organization, but they’re the same …
Bryan Strawser: Those are really the same across different functions of a company, not just unique to global security, but this is our view of things companies should think about in terms of the elements of a global security program. Again, you can go to our page for this episode and download the Global Security framework, and then you get a nice, pretty PDF that you can follow along with as you listen to the episode or use it for other purposes as things go along. That’s it for this episode of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Thanks for listening.