How to Manage Security Halfway Around the World

Tips for managing security in a global company

Different cultures. Unstable political environments. Language barriers. CSOs in global companies face many a challenge as they try to manage security worldwide. One of the biggest challenges? A good number of your security managers reside in functions other than corporate security, so security is often a part-time gig managed by people with part-time security training. There's no ironclad set of rules or policies that all those employees can follow.

"The key I keep in mind when developing our security standards is don't try to pound a square peg into a round hole," says Anton Bommersbach, head of global security at gum maker Wm. Wrigley Jr. Co. This story outlines best practices and useful tips on how to maintain effective security around the world, particularly in making the most of those folks from other departments who serve as your feet on the street in distant locales.

Determine What Kind of Security Department You Are

The first step to take when thinking about global security strategy is to ask the question, What kind of security department do I have? Jim Brooks, senior VP of crisis and security management at Control Risks Group, says a traditional department tends to have a larger staff, a facilities-oriented approach and a predilection to do things in-house. The current trend, he says, is toward an advisory-oriented department that is smaller in staff and strategic in its thinking, and acts as a risk management function; for example, the security head would likely be involved in business continuity and disaster recovery.

Brooks believes the latter type of security department is better suited to a global environment. "I think the most efficient department from a pure business sense is scalable without permanent mass," says Brooks. "It's inefficient for multinationals to think they can cost-efficiently house all the experts in-house to treat all global exposures. It doesn't make sense to employ all that staff." However, he adds, if transforming your security department from old guard to new guard is culturally unpalatable, don't force the issue.

Form Security Partnerships with Business Units and Even Other Companies

If Brooks is right, and large companies with lots of global operations typically don't have enough security personnel to parcel out to every factory, office or site, that means that managers or directors from other functions also man the security post in addition to their other duties. And that's all the more reason for CSOs to keep in close contact with those employees to understand the unique conditions of that location.

"In some countries, electrified fencing and canine units are very effective, but in others their use is not culturally acceptable or legally permitted."

- Anton Bommersbach, head of global security, Wm. Wrigley Jr. Co.

At 3M, David Schrimp, director of corporate security services, has a full-time staff of 15 overseeing security both in the United States and at more than 60 locations abroad. At a given site, "we may have a full-time security manager, or someone who wears that hat 10 percent of the time, and everything in between," he says. "We work closely with them in partnership to gain insight into local conditions and apply the corporate policy in the way that makes the best sense for that local environment."

Bommersbach says Wrigley has established corporate security standards around the globe, but most are "objective-based" rather than "solution-based." In Wrigley strategy-speak, that means that a regional security managerat Wrigley there are four such managers, responsible for the Americas; Russia; Europe, the Middle East, Africa and India; and the Asia/Pacific regionworks with the local security coordinator to establish security standards that meet corporate objectives. Bommersbach cites an example of protecting a perimeter. "At some locations this objective is met by the installation of an 8-foot stone wall supported by infrared cameras, while another site may use an array of photo-electric beams, cameras, sensor lighting and guard patrols with no wall or fence. In some countries, electrified fencing and canine units are also very effective, but in others their use is not culturally acceptable or legally permitted," he says.

By sharing ownership with the local security representative, a CSO can respect the local culture and not seem like the corporate heavy, swinging into town to rap local knuckles. "When I first came here, the department was perceived as much more of an auditor of standards; it wasn't always well-perceived," says Bommersbach. "So I completely removed the whole audit function from the scope of our responsibility. Now we're more of an ally with local management in putting an action plan together. The whole process has been modified to be more of a partnership."

Happily, this collaboration doesn't just pay off in better security; it also leads to greater business efficiencies. At 3M, Schrimp did joint risk assessments of plants last year with the company's EHS (environmental, health and safety) organization. EHS assesses the safety of plants (using American Chemistry Council voluntary guidelines for chemical plants) while Schrimp's group looks at security risks. "We found that by combining our skill sets to conduct facility reviews, we satisfy both safety and security requirements during the same visit," notes Schrimp.

In the same vein, partnering internally helps make security a corporatewide responsibility. That was not a goal easily achieved in the past, when security departments were siloed, with little integration among other business units. Today, more and more CSOs understand the need to proactively offer advice and help educate other business units about how security can add value and lower risks, says Brooks, noting that CSOs increasingly sit on working groups and committees with other execs. "That's also leveraging a relatively small security staff into a global company. By sitting on groups and committees they're educating the business unit decision makers on security and risk issues. That multiplies the staff throughout the company," says Brooks.

CSOs can also form partnerships with other companies in their local area. When 3M's regional security managers travel to subsidiaries abroad, "they set up benchmarking visits with peer companies in their area for the purpose of educating those [local] managers, sharing best practices and promoting liaison that helps solve common problems," says Schrimp. He cites benchmarking meetings in Brazil with six other multinational companies that resulted in an agreement to share information instantly by radio (using telephone as a backup) to report suspicious behavior in the companies' industrial locations. The companies also decided at the meeting to gather at a later date with civilian and military officials to discuss crime. "They formed kind of a neighborhood watch," he says.

Educate Your Global Security Staff

Training is a critical component of any global security program, especially given that many security managers in foreign locations come from nonsecurity functionssuch as HR or engineeringand thus wear multiple hats.

One of the ways Schrimp trains his local security managers is by sending them to another country to learn at the side of a more experienced person. "We'll send that new person to the country where there's a best practice in place and let them learn from a colleague in a similar situation," he says.

Another way 3M does onsite training at global locations is through tabletop exercises in crisis management, which include business unit leaders.

The company also offers training at corporate headquarters, in St. Paul, Minn. Key security reps spend a few weeks learning about access control issues and infosecurity practices, and may team up with regional security managers to visit U.S. facilities similar to theirs.

Both Schrimp and Bommersbach encourage their security staffs to join or attend meetings of professional groups, such as ASIS or OSAC. "If we can heighten their awareness to particular risks and make them feel confident in fulfilling their duties, there's a good chance they will have a successful and sustainable security program," says Bommersbach.

In addition to training, Brooks advises CSOs to actively communicate with security managers abroad and keep the information flowing. That also means soliciting their feedbackit needs to be a two-way street. "People responsible for security need questions answered. For example, if someone makes a recommendation on how to secure a facility, let them know why it was or wasn't implemented. When using [other] people, not direct reports, you have to get their buy-in; they have to feel valued," he says.

Let Your Managers Assess Their Own Security

Bommersbach's team typically conducts security reviews annually, and the regional managers work directly with the local security representatives to develop an action plan. But as previously noted, Bommersbach has made the process more collaborative so that corporate security isn't viewed as the big, bad audit guy. Part of that change involved letting the local reps do more self-auditing, in which they can identify their own strengths and weaknesses.

Schrimp's team developed a self-survey tool, which he refers to as a "lite" version of 3M's full security survey. The security reps fill out the survey of their own facilities and send the results back to St. Paul. "Based on the scores, we are able to identify risks, prioritize travel and put resources where they're needed most," he says. His regional security managers also do full surveys when they visit the site to complement the self-surveys.

Copyright © 2005 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022