Will You Be Ready Next Time

COVERING ALL FORMS OF WORKPLACE PROTECTIONIN TODAY'S ENVIRONMENT

lomasINSTITUTE of FINANCE &. MANAGEMENT

SECURITY DIRECTORS REPORTISSUE 12-03 WWW.IOFM.COM/SECURITY MARCH 2012

Will You Be Ready Next Time?9 Crisis Lessons LearnedNo business is pleased about the increasing number and scale of global crisisevents, but these major disasters do yield one benefit. More disasters, plusbetter information sharing, equals unprecedented insight into lessons learned.

One of the best forums for information collection and sharing is the GlobalRisk Network (GRN) coordinated by New York University's International Cen-ter for Enterprise Preparedness. The GRN recently hosted summits to engagepublic and private sector thought leaders in a series of facilitated roundtablediscussions (New York City, June 2011; London, Oct. 2011). Discussions fo-cused on the earthquake and tsunami that struck northeast Japan in March of201 1, instability in the Arab world, the growing threat from "hacktivists" andcybercriminals, the English Riots of 2011, and other recent events that have

. CONTINUED O N PAGE 11

Grade Yourself onthe UltimatePerformance MeasureIn looking back at our coverage ofsecurity management advice overthe past year, one recommendationwe seem to have heard as much (ormore) than any other is to interactwith other department leaders. Tolead security, you need to also be a"team player."

Recent stories, in fact, have shownthat inter-departmental coordina-tion is a key to success in goals asdiverse as creating a security manualto cutting workplace violence. It has

CONTINUED ON PAGE 12

SqueezingConfessions inInterrogationsWe recently profiled the interview prepthat investigators for WaltDisney Parks and Resortsgo through to make surethey're as ready as pos-sible to get the confes-sions they seek. We alsopromised to share theirinterviewing tricksandif there is one strategy forsecuring confessions theyrely on most it's this: stopdenials in their tracks.

CONTINUED O N PAGE 14

ALSO IN THIS ISSUESo You Want to Moveto Contract Officers?Transition Tips 2Is this the year you makethe leap? You'll need thesemigration tips.Calling the Cops?ConsiderationsBefore Picking Upthe Phone 4Pros, cons, andconsiderations for bringingin law enforcement toInvestigate.Research Round-Up:Domestic Violence,Terrorism & MindGames 6Practical implicotions fromrecent academic research.

News Briefs 8I Retail scam requires morephysical inspectionsI Console operators reach anew salary plateauI New regulation limits pre-hire credit checks

Calendar 14

Hourly Starting Salary for In-HouseConsole Operator

see News Briefs

SH.OO

$16.32

SO S5 SIO SI 5 S20

(Source: lOFM)

SECURITY DIRECTOR S REPORT

9 Crisis LessonsCONTINUED FROM PAGE 1

caused widespread business disruption.

Lessons learnedSo what did experts and participants

come up with? What advice do they havefor security and other organizational crisismanagers about better preparing theirorganization for the next major disaster?

1 . Deploy flexible plans. A majority offirms saw their Business Continuity Plansfunction properly in the wake of the mag-nitude 9.0 earthquake and accompanyingtsunami that hit Japan. "Failures came whenthe plans were inflexible, or too specific,"according to GRN roundtable proceedings.Too-rigid business continuity plans leftsome firms unable to adapt to the shiftingchallenges produced by the tsunami, itconcluded. "Flexible plans (especially thoseattuned to unique firm vulnerabilities) weremost likely to succeed."

2. Account for lower-tier suppliers.The earthquake caused the hobbling ofsome companies' operations because theydid not cover supply chain partners in theirplanning. While major suppliers held upreasonably well, many small and mediumsize enterprises were knocked out of com-mission, leading to a cascade of supply chainfailures that caused harm to firms that hadexcellent crisis plans for themselves. Saidone roundtable participant: "You have tomake sure second, third, and fourth tiersuppliers have crisis plans in placethesame plans you do."

3. Develop a network of trusted con-tacts on the ground in each region ofoperation. One consensus of American-based firms impacted by the Japan tragedywas both the lack of access to informationfrom the Japanese government and a lackof trust in the information that was being

shared. Even access to U.S. Embassy officialswas difficult, according to affected firms.The media wasn't any better, according toroundtable participants. "In the absenceof clear information from official sources,organizations turned to the news media fora clearer picture, but found the informationthere even more confusing," concluded thereport. Generally, the media painted a farworse picture of the situation than busi-nesses were actually experiencing on theground in Tokyo. Firms that managed thesituation best were ones that had estab-lished a network of trusted contacts on theground that they were able to consult to getan accurate picture of the local situation.

4. Participate in peer networks. Al-though you can't do this on your own, an-other suggestion to emerge from the groupwas for crisis professionals to participatein peer networks, which could then meeton conference calls to share informationand coordinate during a disaster. This isespecially important because decisions bysome companies can disrupt the crisis plansof others, including those in other industrysectors. For example, when Delta decidedto cancel flights, many firms' evacuationplans were wrecked.

5. Make provisions for transportationdisruptions. The inability to get workers totheir posts because of transportation infra-structure damage was an underappreciatedrisk, according to the roundtable participants.Several firms activated their pandemic con-tinuity plans because their employees couldnot get to work due to power outages andtransportation disruptions.

6. Pre-arrange security operations.In the roundtable on political uprisings inthe Middle East and North Africa, a clearwarning emerged: You can't try to enlista security company to assist you once thesituation is unraveling. One company said

AAARCH 2012 www.iofm.com/security 11

SECURITY DIRECTOR S REPORT

it tried to hire a firm to evacuate its person-nel from Tripoli but that the security firmcouldn't get in to get workers out. Othercompanies were simply turned down bysecurity firms, 'because last minute callsrequire to much heavy lifting,' accordingto one security firm.

7. Participate in inter-organizationalgroups. Groups like the Overseas SecurityAdvisory Council (v\Avw.osac.gov) and theInternational Security Management As-sociation (www.isma.com) provide forumsfor public and private sector partners toaddress security issues of mutual concernin different regions across the globe. Thesegroups provide a chance to share crisis in-formation, benchmark against other firms'actions before and during a crisis, develophelpful personal relationships, and facilitatethe creation of mutual assistance arrange-ments. For example, during evacuationsfrom Libya, the group noted that "charteredplanes with empty seats were coming inand out. Organizations tried to get theirempty seats to people who needed to getout, but the message never really got out."The report concludes: "Key to sustainingoperations in a security crisis is participationin inter-organizational groups, which helpfoster personal connections that can be thesource of vital mutual assistance plans."

8. Raise awareness of targeted cy-berthreats. When discussing hactivitstsand cyberthieves, roundtable participantsexpressed concern that defending againstthe targeted attacks used by them is madedifficult by employees' failure to appreciatethe level of deception in social engineeringattacks. "The targeting is much better now.People even call by phone to get sensitiveinformation from you: they knowyour man-ager, they know who you work with, andthey know who your friends are," said oneroundtable participant. To create a moreattentive security culture at their firm, one

company said it sends targeted phishingemails to staff; workers who don't click onthem receive positive rewards and thosethat do get a warning letter from humanresources.

9. Conduct scenario planning tocombat social unrest. Civil unrest is agrowing global concern and has a diversityof underlying causes, as exemplified bythe rioting in London and other parts ofEngland in the summer of 2011. To betteridentify and track indicators that mightpredict the occurrence or intensity of socialunrest, roundtable participants singled outscenario planning techniques employed byShell Global as a worthy model. (More infor-mation at www.shell.com/home/content/aboutshell/our_strategy/shell_global_sce-narios/what_are_scenarios/.) U

Performance MeasureCONTINUED FROM PAGE 1even infiltrated the purchase of securitytechnology, where it is becoming increas-ingly important to work collaboratively withother departments to identify technologythat services mutual requirements.

Ensuring the safety of employees whotravel for work is just one example of whyprotection requires coordination betweenmany departments. A department man-ager, security staff, human resources, riskmanagement, and a travel departmentmay all have a role to play in the singularmission. Security executives need to reachout to many parts of the organization in aneffort to formalize intelligence sharing andcollaborative decision making between allfunctions that hold security responsibilitiesand impact security operations.

So How Are You Doing?Security management experts unani-

mously believe that the silos of security

12 www.iofm.com/security MARCH 2012

Copyright of Security Director's Report is the property of Institute of Management & Administration and itscontent may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder'sexpress written permission. However, users may print, download, or email articles for individual use.