During a recent presentation to the Canadian Security Partners’ Forum, Lisa Gordon-Hagerty, the former director of Combating Terrorism for the White House National Security Council, reminded the audience of the link between national security and corporate security. Corporations, she said, will need to approach intelligence gathering much as governments do. “If you don’t have good intelligence gathering, you won’t know what the threats are.”
Easier said than done. Many companies have yet to recognize the true capability of their security operations, and most governments are still evolving the ways in which they share intelligence with the private sector. David Burrill, the Chairman and CEO of the Burrill Green Group, has spent decades advising companies and instructing security practitioners from the military to the corporate world. He recently spoke to the Canadian Security Executive Forum about the link between business success and corporate intelligence and security. He shared some of his thoughts with Vanguard.
How well are corporate intelligence and security understood?
Corporate security is almost the flip side of the coin of corporate intelligence – you can’t have effective corporate security without effective intelligence. But if you talk to most business people about intelligence, they tend to think marketing intelligence. Business security intelligence is that intelligence that is required to ensure you really understand the risks, are making the correct security decisions and putting in place the correct security measures, processes, equipment, attitudes, policies, strategies, etc. The two disciplines cannot really be separated.
Corporate security is a relatively immature function. Most business people other than those engaged in it will not think of security being core to the business. Many see it as a rather regrettable expense. The reasons for that are largely historic, because most of the people who were brought into the corporate environment to deliver security were people who had been attracted out of traditional backgrounds – military, police, security services, intelligence services – and they were often brought in to do limited jobs against what the business thought their exposures were. They didn’t have any great ambition to understand business; being peripheral was their just reward. What value you can bring to the business as a whole is fundamentally what drives most business functions, but sadly it is not what has generally driven security within a business environment.
In truth, that was most definitely the case in the early 1990s. There has been a sea change. Most people think of 9/11 as a wakeup call. I say that was the wakeup call for those who were still asleep; 9/11 was just another example – a horrific example – of the extreme volatility that had developed following the collapse of the Soviet Union. Whatever its failings, the Cold War imposed a degree of stability across the world, and its collapse created new opportunities for violence, political corruption and criminal activity on a massive scale. So, in the early ’90s the description of security as immature started to be challenged by some thought leaders who recognized that the situation required more than a part-time person to be able to understand the world better and apply a greater use of intelligence. That change in attitude caused a dynamism in the thinking of some of those involved in the corporate security environment and led to the beginnings of a slow movement that realized there was so much more that security could offer business. But the business top management – C-suite, boards, whatever you want to call them – have never really understood it. There needs to be an awakening, both for the practitioners and for those for whom they are carrying out the practice.
Is the Chief Security Officer regarded much as the Chief Information Officer once was, as a mid-level IT systems manager rather than a strategic partner?
In many companies now, the CIO is in the C-suite while CSOs are not (in fact, most heads of security are not called CSOs). As security becomes ever more important and value-added to business, the prospects for the CSO having greater impact increase. And those who have moved more successfully have probably reached the point where they are one step away from C-suite management. But I know of many that are two or three steps away, and the worry is that there are two or three levels through which their message can be dissipated. Security should be an investment and profits can be greatly enhanced as a result of that investment, but it requires, certainly at the early stages when companies are changing their attitudes to security, not just an investment of money but an investment of thought.
Given how quickly threats have evolved, especially in cyber space, how critical is the role of intelligence to a strategic understanding of what’s coming next?
The nature of threats has grown. Cyber is just part of a general portfolio that people are having to assess. You can do just as much damage to a company by failing to identify with whom you might be partnering. We’re really talking about threats to IT and although the threat is constantly changing, constantly getting more complicated, and defences must constantly evolve, in principle that is no different than the old business of erecting barriers to keep out criminals – the better ones will work out ways across the barriers. The pace of change is the biggest challenge.
With that pace of change, it is a brave individual or organization that can claim that they will be able to use regular intelligence assessments to prevent future adverse developments. Much of it will be catch-up. We are back to the assessment of risk. You have to work out which risks you can deal with and which risks you might have to live with. A degree of risk acceptance is crucial.
Another aspect of the cyber threat is that it does not live on its own. Cyber fraud is conducted by people, and the countermeasures eventually have to deal with that human aspect. That’s another intelligence element. It’s an element which brings in degrees of intuitive understanding as well.
That suggests a need for greater intelligence sharing. Public-private sharing has long been a challenge. Is there more willingness to pool intelligence within the private sector?
A lot of sharing does go on within the private sector. Sometimes sharing is prevented because of the competitive elements in companies, particularly with companies in the same sector. But usually there are ways around that and I think it is fair to say that there is a fundamental understanding that information needs to be shared. But that’s not intelligence – the assessment of that information is what makes intelligence.
There is also a growing understanding that there needs to be partnership between the private and public sectors. The concept of partnership and sharing information is still not something which has been refined to the point where everybody feels trust and respect in the quality of the information; there are obstacles around the source of information and whether it should be classified. But I know there have been significant steps taken in various parts of the world to create public-private partnerships that 10 or 20 years ago would have been considered inconceivable. Both sectors share a mutual interest: the public sector requires economic achievement in the commercial sector to fund the government purse; the commercial sector requires an environment which is stable to be able to generate profits, or maximise profits.
We have seen greater emphasis by government for private sector engagement in emerging markets. Does industry have the necessary intelligence as it relates to security in those markets to be able to do that successfully?
If they are big enough, many companies will often have an internal information acquisition capability of some sort. Or they may purchase that capability from a vendor. If a company can get intelligence from the public sector, which is going to ease its understanding of the risks and allow it to either eliminate or handle those risks better, then clearly the company wants that. Many governments do provide some form of assistance, but there are restrictions and cultures that prevent sharing because of the classified nature of that intelligence.
One example of partnership that I think is the model for the world is the Overseas Security Advisory Council in the American State Department. It’s been working since 1986 and is governed by a council of public and private sector members. The private sector is encouraged to feed information into this repository and various parts of the American infrastructure push information into the Council, which is staffed by highly qualified civil servants, who then work that information in a manner that can be released. It works superbly. In my view it is a great national investment. Would that other countries would wake up to the value of such investment.
In Canada, the emphasis has been more on assisting small- and medium-sized business into global supply chains. While we have risk assessment centres in various government agencies, that kind of information likely doesn’t find its way to those companies.
No, because it is not going through a central nerve. With those small companies, there needs to be a one-stop shop. If we want to look after the smaller companies, then the concept of OSAC offers the answer, even if it is not on the same scale. For governments like Canada that have a huge dependency on this SME environment, they should be encouraged to invest in creating a central, functional capability that will itself receive this information and massage it in a form that can be released.
You noted the lack of maturity within the corporate security function. Is there a natural career path for military and intelligence personnel? You seemed to indicate they might not be the ideal fit.
Historically, companies have tended to look at certain sources for recruitment – the military, law enforcement and intelligence and security agencies – and those are certainly good potential sources. However, as some companies move toward greater maturity, there is recognition of two things: One, the old approach is too homogeneous. If, for example, the CSO is ex-FBI or other service and most of the key positions in security are from the same background, then the security department is suffering from “clonitis.” I am not questioning their particular skill sets but the lack of diversity means that other equally valid yet different skill sets are denied to the company.
Second, the CSO and the team have got to interface much more substantially with the rest of the business in a whole range of activities. You need these convergences so that everyone’s view and assessment is somehow being tapped to create a greater knowledge, trust and recognition.
What is the most misunderstood aspect of corporate security?
The most misunderstood aspect from the C-suite perspective is not understanding that a truly business-integrated security function can play a much greater role across the whole spectrum of business activity. Too often, security is peripheral. If security is not involved in a new market entry, for example, then who is looking after the security requirements of that project in terms of its intrinsic protection, and who is looking at the due diligence aspect of intelligence, which is separate from financial due diligence, legal due diligence, marketing due diligence? A yawning and costly gap is left.