A Concept of Corporate Security

Knowing is not enough;

We must apply.

Being willing is not enough;

We must do.

Leonardo Da Vinci

Allow me to share my thoughts on the concept of corporate security from a standpoint of a former intelligence operator. From this perspective, essentials would be the identification and definition of the probable and potential threats from the broad spectrum to be narrowed down to the specific quadrant taking into consideration the specific peculiarities of the concerned corporate entity. Relatively, the corporate security intent must be translated into clear decision in order to capacitate for purposes of preempting, denying, mitigating, and/or acceptance of the threats or subsequent corporate cost of it.

If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

 Sun Tzu

These would be valid questions if we paraphrase Sun Tzu: How are the corporate security packages designed? Were these security packages designed to address the identified and defined probable and potential threats or a simple layout for purposes of crowd and visitors control and pro forma measures? Were these security packages static and reactive in nature? Does the corporate entity capacitate for proactive activities?

Easily observed when visiting corporate installations are the seemingly appropriate number of uniformed security personnel, availability of communication equipment, human and electronic monitoring and access system, electronic metal detection portals (others have portable metal detectors), and appropriate lighting system for visual as well as electronic observations.

Based on the aforecited, the primary question that needs to be satisfied is whether this type of security layout is apt and responsive to the identified and defined threats to a specific corporate entity. Corollary, in the tactical sense this type of security layout is commonly referred to as ‘target hardening’. ‘Target Hardening’ in the sense that it affords the secured installation limited ready capabilities to repel and withstand limited detrimental activities. It would be ideal though if the security service provider could incorporate in their ‘target hardening package’ active preemptive and denial security programs. Off the top thought of preemptive and denial activity would be the utilization of ‘profiling’ through readily available modes and sharing the acquired data with law enforcement agencies through established intelligence exchange channels (INTELEX channels).

Moreover, the corporate entity and its security service provider may take into account other discreet active security measures such as but not limited to: appropriate vetting procedures for personnel occupying sensitive and threat prone positions, capabilities to identify and define probable and potential threats through available INTELEX channels or initiate the establishment in the absence of one, and other innovative preemptive and denial actions.

An interesting recent incident that comes to mind relative to threat identification and definition was the much publicized cyber attack on Bangladesh Bank wherein a local bank figured prominently due to purported involvement of the bank and its personnel. As published in the media, this incident may epitomize the classic violation of basic security protocols. It appeared that the bank failed to identify and define the peculiar threats against it or if it did, the actions taken were not commensurate to preempt, deny, or mitigate the threat.

It is assumed that in the domestic banking industry, there are separate security layouts for the bank installations and on financial operations. From what could be gleaned from the media published information it may be also safe to assume that the concerned local bank failed to provide the critical synapse between its security for bank installation and security for financial operation. This probable operational vacuum may have deprived the bank from utilizing its integrated resources to ensure its own security. The probable operational gap may have caused the bank’s failure to timely rectify its human and system vulnerabilities. The outcome was an apparent security failure.

Mr. Sun Tzu being designated as corporate security consultant recommends that the client must be able to identify and define the probable and potential threats on the corporate as an entity, on its personnel, corporate critical data, vital installations, and other threat prone resources and properties.

The identified and defined probable threats must be collated and synthesized to determine the overt security measures to be instituted as well as the design of the necessary discreet active preemptive and denial actions.

What are the elementary realities of these security thoughts?

First must be the acceptance of the fact that the usual weakest link in any organization is the human component.  The corporate may have the best security plan, may be able to afford the most advanced technology, most accurate weapons, highly sophisticated hardware, and other necessary equipage but the operational effectiveness of the plan and these material resources shall be dependent on the man that implements them. This realization must be primary in the security planning.

Second, most of the corporate security practitioners may have noticed the portion relative to the discreet active denial actions. In the perspective of an intelligence operator, effective security arrangement is that situation wherein and whereby the security apparatus emplaced, as much as possible, shall not reach a point that it shall be required to perform its designated reactive functions. Ideal is that capability to preempt the threat at its inception.

The discreet denial actions pertain to effective identification of threats and thereby affording appropriate security actions such as but not limited to: timely rectification of vulnerabilities, exposure of the threat, requested law enforcement assistance, and other necessary preemptive activities.

Third must be the assurance that security elements are capable of performing their respective designated functions in an event that the threat was not timely and effectively preempted.

Security operation is a dynamic undertaking that necessitates periodic evaluation and timely rectification or intervention on identified vulnerabilities.