A CSO's Guide to the World

Is it possible to adhere to local business customs without compromising security? Only if the CSO has a little creativity and a lot of trust.

August 01, 2005 — CSO — I'm usually not one who gets into bumper sticker logic, but I like the idea of a CSO acting globally but thinking locally. By that I mean a CSO needs to devise and enforce global security policies, but also put some thought into how those policies will be implemented locally around the world. Otherwise, variations in national customs and culture can short-circuit even the most well-intentioned security policies.

I found that out the hard way, when I once tried to standardize the global procedures for the forms of identification that visitors to our facilities had to show. Based on my experience in the ol' U.S. of A., I thought that a policy requiring a driver's license, government-issued picture ID or passport would be sufficient. Surely most visitorsâ¬no matter the countryâ¬would have at least one of these forms of identification. Not so. In Tokyo, some visitors never carry government-issued picture ID cards. Not only that, but the Japanese routinely rely on business cards as a means of identifying themselves. This custom works very well within the culture of the Japanese business world, because it would be unthinkable for someone to print a false business card.

The last time I checked, al-Qaida was not listed in the Japanese business directory. This procedure would never do. After much discussion with the Japanese security guards and the receptionists, I compromised and altered the policy so that if a government-issued picture ID was not available, then business cards could be used to identify visitors. However, those visitors were not allowed into the building until the employees who they wished to see came to the lobby and physically escorted them inside. The policy thus adhered to local business customs without compromising security.

Then there was the issue of the guard force. Security guards in Japan are taught to be deferential toward visitors, and it is actually illegal for them to use force or try to restrain people in any way. I discovered this when I did a penetration test on the physical security of my company's Tokyo office. I pretended to be someone off the street and then sneaked past the guards and into the building. As the guards spotted me, they called out "sumimasen, sumimasen" (excuse me, excuse me), but when I didn't stop, they remained at their posts and took no further action. Needless to say, we retrained the guards to react by keeping contact with the intruder and simultaneously reporting the intrusion to police.