Balancing People, Processes & Tech for Better Security

November 19, 2015 - By Ray O’Hara, CPP

Tags: , ,

As all of us in the security industry know, good security depends on striking the optimal balance between people, processes and technology. Over reliance on one element—to the detriment of another—creates imbalance and the potential for program failure. And of course, failure in our business is much less tolerable than it is in others: You can win the World Series after a .500 season, but you can lose lives, fortunes and reputations with just one security breach.

The security tripod is as strong as its weakest leg—and that’s rarely technology

Just as a tripod is a very stable structure as long as all three legs are equally strong and working together, security systems rely on three component parts—people, processes and technology—in order to provide the stability that corporations depend on. This applies to all aspects of security, be they physical, executive protection or cyber.

Take the tech leg of the tripod for starters. Technology is changing so fast that we have a hard time keeping up. Where we used to ask “Are you ready for the future?”, a more relevant question for many corporations would be “Are you ready for the present?” Just when we’re beginning to get used to grappling with the internet of things, we have to start thinking about the internet of everything. Toys-R-Us has arguably adapted more quickly to advances in drone technology than most legislators and corporate security teams. Cyber-security? Just ask major corporations like Target and JPMorgan Chase how hard it is to keep up.

R&D efforts by security technology companies provide some interesting perspective. Competitive forces and incremental tech improvements keep the innovation flowing and tradeshow organizers in the money. But will new cameras, for example, really boost a corporation’s overall physical security? Probably not on their own. Combined with new ways of working with people and processes, however, they just might.

Better dialogue between R&D and practitioners? Yes, please

Smart companies are moving beyond tech for tech’s sake and involving practitioners in their development processes to better understand the ever-changing contexts (read: including people and procedures) in which their products and services are used.

We learned this for ourselves, in our own modest way, with our own ADVANCE app. Focus groups with some of our clients delivered important insights into how the app can meet their security needs, and led to some significant tweaks and new features that improve the app.

Involving end users in tech development processes isn’t just good sense. It’s also good business. And it always entails understanding tech solutions within the broader context of how people organize their procedures.

More of the same security isn’t necessarily better

To better understand the importance of getting the balance between tech, people and processes right, let’s take a look at a security situation that everyone is familiar with: airports.

Airport security has changed dramatically since 9/11, as well it should. But as a recent article in The Economist points out in the wake of the air disaster over the Sinai Peninsula, “more of the same” is not necessarily going to improve airport security and prevent similar incidents.

In the US, for example, the TSA has gargantuan budgets and plenty of the most sophisticated detection equipment available.

One of their signature procedures has had every man, woman and child passing shoes through scanners for years. But it would seem that no one but Richard Reid, whose hapless precedent has reduced us to our socks for more than a decade now, has since been caught with any kind of shoe bomb.

Successful or unnecessary procedure? It depends on how you look at it. Despite the TSA’s technology and procedures, it failed to detect 67 out of 70 fake bombs and weapons in a recent red-team exercise. Think about those numbers for a moment. The weakest leg in the airport security tripod probably isn’t tech—it’s people practicing procedures that might give the illusion of security, but don’t actually deliver it.

Compare Israeli airport security, which uses an altogether different mix of people, procedures and tech. But that’s the stuff of another blog.

Success breeds complacency

Those of us working in corporate executive protection know that complacency can be one of the biggest obstacles to program excellence. After all, if we’re charged with protecting an individual and nothing happens to him or her, then we’re successful, right? Not necessarily. Maybe we’re just lucky.

Just as state-of the-art security firewalls won’t protect the integrity of an organization’s IT systems if just one employee falls for a phishing scam, the best tech available won’t keep the principal safe unless the team using it is well trained and its procedures are spot on. If the team grows complacent, then that’s a good sign that either its training or procedures—or both—need to be shaken up.

To paraphrase Andy Grove of Intel, “Success breeds complacency. Complacency breeds failure. Only the security team whose training and procedures are imbued with a vigilant sense of urgency can hope to stay ahead of ever-changing threats.”

Change is the only constant, and all of us in the security industry need to adapt to changes that are both incremental and disruptive. In my opinion, we can only do this if we look change squarely in the eye—embrace it even—and keep the lines of communication open across the manpower, procedural and tech divides. This also applies to the generational changes that surround us.

Make way for generations X, Y and Z

Like practically every other business around the world, demographic changes are impacting our industry, too. We baby boomers might be responsible for a lot of things now, but we will soon be handing over the keys.

Many top executives these days are in their 40s compared to the 50s or 60s of just a decade ago. Our principals are getting younger, and are now often “Generation Xers”, born between the mid 1960s and the early 1980s. Some tech industry principals are even younger. These younger execs have different expectations than their parents. While they might not have an image of the ideal security driver in their minds, they are certainly not expecting a scene out of Driving Miss Daisy. They are avid tech users, but still might ask a teenage son or daughter to set up their new phone or iPad for them.

Meanwhile, many of our recruits in executive protection belong to Generation Y, and were born between the 1980s and the year 2000. And yes, a growing number of our principals are also card-carrying members of Gen Y. Also referred to as “Millennials”, this generation grew up surrounded by technology, and the younger ones were indeed “born digital” and can’t remember a world without the internet and mobile phones. They saw their boomer workaholic parents getting stressed out, and they’re looking for a different work-life balance.

A lot has been written about Generation Y’s work ethic: They arrive at a new job with a sense of entitlement and don’t want to do the grunge work; they question authority and are individualistic job-hoppers; they’re needy whiners who are used to Mom and Dad smoothing out the bumps on their paths…Yes, these characterizations are things we recognize in recruiting younger agents, and our hiring processes filter out those who are not likely to succeed in modern corporate EP teams. But there’s way more to the mix than that. EP companies must change to accommodate Millennials just like the corporations whom we serve.

And Generation Z? We don’t really know how they’re going to impact the workforce yet. But the first of those born after 2000 will soon be entering internships…

Toward EP 2.0

At AS Solution we like to talk about “corporate EP 2.0”.  For us, it is a kind of EP that goes beyond the first generation of corporate security which was dominated by people not unlike myself. The security industry used to be second career for many of us. We started out in law enforcement, the military or with government agencies, and now we’re working in corporate security or for companies that sell security products and services. That is still the case for many people even today, but things are changing.

EP 2.0 is an approach that goes beyond the old ways of doing things. It’s about adapting our procedures and people to the corporate culture and individual preferences of our principals, rather than making them adapt to ways things are done in military or police environments. It’s about taking the very best technology and integrating it intelligently into our programs. It’s about increasing professionalization, and building bridges rather than fences between the security team and other corporate stakeholders, between vendors and practitioners, and even between generations.

For a while at least, boomers and Millennials will share the stage, even if we don’t always share the same views. At some point the Millennials will be the old guys. And around we go.

Ray O’Hara, CPP

Executive Vice President

Prior to entering the corporate security sector in the late 1970s, Ray was a supervising detective for the Los Angeles Police Department. He led corporate security for Weyerhaeuser and GTE, and headed Garda World Security Corporation’s (formerly Vance) security consulting and investigations projects worldwide.

Ray has served ASIS in numerous capacities: Chairman of the Board and President of the International Board of Directors; President of the Professional Certification Board; and Chair of the ASIS International Investigations Council. Board certified in security management by ASIS International, Ray is considered a risk and vulnerability expert, and is a sought-after consultant in business vulnerabilities, homeland security initiatives, terrorism and political threats.