The 21st Century Security Strategist

By Francisco Mateo, CPP, CFE

Many classic works on strategy deal with conflict management and resolution….  Perhaps the two best known and often quoted among security professionals, whether we recognize it or not, are Sun Tzu and Niccolò Machiavelli through their classic works The Art of War.  Even though they come from different areas, they combined deep thoughts about the meaning of conflict and their ever revolving spheres of influence from all walks of life.  As security practitioners we seek to resolve many conflicts in our efforts to protect people, assets, reputation, and brand (PARB).  The context gets evermore complex, and so must our protection strategies. Through the concepts gleaned from these strategists par excellence we can develop our own style suited to our cause.

If we look at the security problems we face today, fraud, theft, hijackings, labor disputes, workplace violence, extortion, blackmail, commercial espionage, counterfeit, demonstrations, political unrest, crisis (natural or man-made) just to name a few, all share a comment current in a socioeconomic context.  The motivations that influence the ebb and flow of crime trends are rooted on a need for survival and dominance of our human species.  As globalization and access to information became more entrenched, so did the diffusion of creative criminal ideas of how to resolve the age old problem of survival through snatching property of those perceived to have more.

The success of these deviant actors hinges on their ability to study and know our weaknesses, equally or better than we know them ourselves.  This gives them tremendous advantage of selecting the time and place for the attack.   If we stand a chance of either deterring or detecting the attack, than our security risk assessments must be in tune to the universe of possible enemies of protection that we would face.  Whether it is internal or external we should know: who they are? What are their motivations? When and where are they most likely to act? What benefits would they derive from their actions? How would they go about obtaining the fruits of their deviant actions?, etc.  Analysis like this would move us to the best strategy to counteract our enemies’ actions.

For example if we decide deterrence is the best course of action, we should consider the options available; as Mark Willoughby once mentioned “Successfully managing risk is a delicate balance between probability and impact. If we choose more security, we must strengthen countermeasures to make the probability of a successful attack unattractive. The bad guys will look elsewhere for lower-hanging fruit — and a skilled and determined foe will always find lower-hanging fruit.”  Knowing our enemy allows us to not only know their threshold for risk, but to also make a sound determination of how much resources are needed to simple deflect their attacks.

 The basic tenet of prevention would not be possible without first knowing the operating environment.  Before we can set forth strategies we must first properly evaluate the risk conditions through security assessments.  Our assessments should be design to take a deep look into internal and external factors that would give rise to risk. Our internal assessment may include how staffing and budget levels, hierarchical status fit the business operation we’re tasked to protect.  External factors for the most part turn on the particular industry axis your company finds itself. For the must part security risk depends on weather you’re in the manufacturing, oil, mining, financial, hi-tech or other industries.  

In order to remain focus on the protection mission the security practitioner must know how to differentiate between strategy and tactics. Think of strategy as the web that links all decisions of when, how and if tactics are used.  Therefore no matter how clever the tactic it should not represent your overarching security strategy.  An example of how this dynamic plays out on the field is the case of supply chain security.  Deciding whether to lay down GPS tracking on your transport fleet or use armed guards to protect cargo from theft is a tactical disposition.  Your overall strategy must include route risk assessment; analyzing crime trends; filtering all supply chain staff (direct and third-party); protecting cargo information from leaks; physical security at all idle/transfer points; guaranteeing cargo integrity through the use of security seals; procedures for managing emergencies on the road; ensuring trucks in your fleet are mechanically fit for transport.  Your strategy would tie-in all these strands in a cohesive and executable plan.

Security practitioners like many other strategy professionals have a window of opportunity to obtain maximum impact for our security programs. For that reason we must ensure error-free execution. When people’s lives are in your hand, mistakes are unacceptable. Picture a critical fraud investigation you have spent weeks on field work; countless hours researching documents in search of solid evidence that would link your suspect to the matter at hand.  Yet, the case so far lacks solid factual evidence. Just the type of factual evidence an eyewitness or person with first hand knowledge can provide. Time is of the essence in these types of investigations, but you must have a sense of proper timing to improve and strengthen your position. Your strategy is to go in with as much information as possible into the initial interview with the suspects and for that reason you must wait to interview all witnesses with knowledge of the case or the suspects. Your aim should be to get it right the first time; therefore a wealth of information would give you the superabundance of strength to keep the snake in business suit from slithering away even when tactical errors are made during the interview process.

Nestle’s Chairman, Peter Brabeck once announced to the organization that in order to maintain the high ground of competitiveness the organization alignment must go from “Supertanker to fleets of swift and agile ships” an excellent analogy reflect on how an organization with a global footprint must remain malleable to change in order to maintain the advantage.  The security strategist must remain focus on major external and internal developments and changes influencing the organization they protect.  The reason is simple when we design our security mitigation strategy we make major assumptions about the risk (based on past and present events) the organization is exposed to. 

The structural alignment in an organization is a major influence on how internal and external threat vectors play out.  For that matter any changes in the functional configuration should trigger an automatic redefinition of the risk scenarios. Almost all major global organizations are evolving from traditional to flexible and dynamic networks.  A Bain & Co. study of 37 companies in industries ranging from consumer products to financial services to energy shows that strategically trimming and reconfiguring support functions such as HR, finance and security is often smarter than making wholesale cuts. Done right, it can actually improve effectiveness as it reins in costs. The security practitioner must analyze the intrinsic strengths and weaknesses of these restructuring initiatives and stay at the forefront by making strategic changes before they are imposed on them.  It would show a willingness to be in lockstep with major business innovations, as well as, a superior level of understanding of risk can be leveraged and controlled.    

Now more than ever before the security practitioner needs to learn important lessons about change.  We must not only adapt to change, but we must embrace it.  Our turbulent world demands a level of comprehension about change which at times seem uncomfortable even unbearable and traumatic.  An example of such change can occur during the merger and acquisitions (M&A) between two organizations.  The security strategist must not only participate in the due diligence process to ensure minimal risk to the acquiring company, it must go beyond to determine how the new structure would affect the security organization at all levels.  My own change management ritual involves the study of the different industries that impact my employer to ensure that I have the least blind spots possible about potential risks.  It ensures that I can manage possible change scenarios, which in turn minimizes their impact since having awareness automatically triggers strategic plans to mitigate undesirable effects. It also increases internal and external understanding of the forces that influence my environment increasing my effectiveness and as my role becomes more significant I become a change agent which helps influence transformation.

To the basic level of operation we always preach that habits are our worst enemy.  Whether it is conducting patrol routes around a compound or supervising staff in remote locations there is a simple maxim “don’t be predictable”.  In essence strategy encompasses the use of stratagem to obtain results without alerting our enemies.  As the “Lord Fabrizio Colonna”, Niccolò Machiavelli’s alter ego in his classic work “The Art of War”, which details how an army ought to be raised, trained, organized, deployed and employed; a security practitioner should be able to postulate and articulate a cohesive security strategy and structure. For that purpose the security strategist should actively recruit talent, design and developed industry/company appropriate training and subsequently position staff to tackle the company’s toughest PARB protection challenges.  It is in Machiavelli’s concept of “Virtù”, whereby he describes the “strategic prowess of the general who adapts to different battlefield conditions as the situation dictates”; that I draw upon to lend credence to the fact that the security practitioners must possess many layers of knowledge and personality to succeed.       

It is incumbent upon the 21st Century Security Strategist to learn how this skill can be used to set strategic plans, which “At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.” It would require that you’re in line with business “big picture thinking” or its long term over-the-horizon plans to get to know which direction the business is going.  This would enable you to develop roadmaps and compass to guide through the right development path.  This is followed by conducting risk assessments; whereby you identify the weaknesses and strengths of your operation in light of your gaps and exposures.  The risk assessments are a good opportunity to test the vulnerability present in existing countermeasures as well as gage what is needed to close those gaps. Next you need to make your team part of both the strategic, but also the tactical plans.  For that reason you need to “Set measurable goals” that would anchored you plans on solid business grounds.  Remember that information generated by security efforts that is not “measurable, doable and repeatable” would blunt your impact. In other words security metrics must be collected, analyzed, applied and disseminated to the business leadership. 

In conclusion both classic works “The Art of War” from Sun Tzu and Niccolò Machiavelli are instrumental for the 21st Century Security Strategist to develop and implement protection theories today.  Whether we’re applying tactical dispositions to tackle specific protection issues or implementing an overarching security strategy we have a wide range of knowledge to draw upon to enrich and improve our protection efforts.



Hunting Down Fakes

This is a significant and insidious global problem.  Consumers’ lives are put on the line for dirty profits from these merchants of death.  Sadly many consumers lack the ability to differentiate authenticate drugs from fakes.  Worst of all corruption officials are paid enough to look away and act like the problem does not exist.  My hat is off to the Interpol and Customs Enforcement task force working to attack this death supply chain.

Crackdown Targets Counterfeit Drugs
Washington Post (11/20/09) Mui, Ylan Q.

Law enforcement agents from around the world have cracked down on counterfeit pharmaceutical products as part of a new global effort to prevent these medications from reaching patients. The operation, known as Pangea, has already uncovered nearly 800 alleged packages of counterfeit or suspicious medications in the United States, including imitation Viagra, Vicodin, and Claritin. Officials say these counterfeit medications pose a serious patient safety risk, as some have been found to have as much as three times more of the active ingredient than is usually prescribed. Other medications may be placebos and some have been found to contain potentially toxic substances including drywall material, antifreeze, and yellow highway paint. In addition to seizing these medications, officials also shutdown 68 online pharmacies believed to be trafficking in fake pharmaceuticals. The National Association of Boards of Pharmacy maintains a list of approximately 4,000 Internet-based pharmacies that it says are questionable. It also certifies legitimate sellers through its Verified Internet Pharmacy Practice program. Thus far, 17 Web-based pharmacies have met the requirements for certification through the program. In an effort to further prevent the sale of counterfeit drugs, Rep. Steve Israel (D-N.Y.) recently proposed a bill that would increase penalties for counterfeiters and enhance the Food and Drug Administration’s ability to track them. However, the bill is currently stalled in committee.


Recession Sparks Global Shoplifting Spree

A few days ago I came across an interesting article from describing a growing, global shoplifting trend.  Here is an excerpt:

 “The global recession isn’t just making jobs scarce and tightening spending — it’s also turning more people into thieves. According to an annual survey released on Tuesday, incidents of shoplifting rose nearly 6% over the past year, representing nearly $115 billion in losses for businesses. One of the more surprising findings: a growing number of new shoplifters are outwardly reputable, middle-class people who are walking off with French cheeses, quality meats, cosmetics, mobile phones, clothing and other goodies that they feel they need to maintain a quality of life they can no longer afford. “

Read more:

It brought home the point that a new prevention-focus approach is needed to attack this problem.  As a Security Practitioners I’m challenging myself to come with creative ideas to attack the underlying causes of shoplifting.  You’re welcome to share your own ideas.

Global Illicit Economy’s effect on the Real Economy

It is not hard to imagine that counterfeit money would be pumped into the legitimate economy using sophisticated money laundering networks targeting consumer products companies.  Purchasing products destined for export from the US can be done with these fake currencies. By the time the exporting companies realize they have been duped it would be too late to revert the shipment.  The complexity of the shipping network and the way counterfeiters move these funds make it difficult if not impossible to trace back to the original source.  Colombia for its part is one of the world’s hot spot for counterfeiting banknotes. It is no coincidence that some Colombian importers have also relied on sophisticated drug money laundering schemes, whereby they buy and sell products with the proceeds of drug trafficking, pumping the dirty money into US companies’ coffers.  They same channels are used to funnel counterfeit banknotes.  

Colombia Seizes $6.2 Million in Counterfeit Greenbacks

BOGOTA – Agents with Colombia’s DAS security service found a clandestine printing press in a southern Bogota neighborhood on Wednesday, seized a little more than $6 million in counterfeit $100 bills and arrested one person, authorities said.

The fake money was almost ready to be placed on the market and was going to be sold in Ecuador, Peru, Venezuela and the United States, said detectives from the DAS anti-counterfeiting unit.

The printing press was discovered after a raid on a house in the La Fraguita neighborhood, where the DAS found the forged $100 bills to be “of excellent quality.”

Also seized in the raid were assorted other items, including a lithograph, inks, 26 plates with the obverse and reverse of the $100 bill with the series numbers of the original bills, the watermarks and the security filaments.

One of the plates found in the house had the shield of the U.S. Treasury Department on it, DAS said.

On Oct. 7, the DAS seized $6.16 million in counterfeit $100 bills in Soacha, near Bogota, and $3.75 million worth of phony dollars in the southwestern city of Cali, where agents dismantled several illegal printing presses. EFE

What Does Money Laundering Means for Multinational Corporations (MNCs)?

“The Black Market Peso Exchange system is the primary money laundering conduit used by Colombian narcotics traffickers in repatriating revenues to Colombia and is the single most efficient and extensive money laundering scheme in the Western Hemisphere…between $3 billion and $6 billion is laundered annually”

Prior to the notable money laundering scandals involving major financial institutions, many in the Multinational Corporation community did not take money laundering seriously or even associated the problem to their operations.  Recent incidents and regulations have forced a major shift in perception about how money laundering can present serious risk to their operations and reputations.   

The methods used by money launderers go as far as their imagination can drive them.  There is really nothing they’re not willing to try to achieve their aims.  According to Michael D. Shepard “MNCs, as well as any export companies are exposed to the risk of money-laundering schemes. Criminally derived funds may already be in the financial system, but that does not make them “clean.” Purchasing goods from a multinational corporation — or any company for that matter — can be considered money laundering if the ultimate source of funds is illegal activity and the requisite intent is present.”  In other words companies must be aware of the sophisticated schemes devised by money launderers disguised as clients in an clever attempt to funnel dirty money from illicit activities.   

One such money laundering system targeting manufacturers and distributors is the Black Market Peso Exchange (BMPE). According to Bonnie Tishchler from the US Customs Service, “The BMPE process starts with a peso broker. For a fee, these brokers arrange the financial transactions necessary to launder the drug cartels’ money. Broker activities include receiving and coordinating orders for money, locating sources of U.S. dollars, arranging pickups and directing placement of funds. Within the broker’s network are others who perform various services for a percentage of the broker’s earnings. Those working for the brokers pick up cash, buy money orders and checks, open checking accounts, transport and smuggle money, among other things.”

The primary market in Colombia for large blocks of U.S. dollars is Colombian importers. The Colombian government has strict currency controls and the only way to get US dollars in Colombia was to buy them from government banks. These government banks also asked lots of questions about what was being bought with the dollars and whether import tariffs would be paid. So a nascent black market economy flourished with importers eager to get cheap goods circumventing the heavily regulated foreign exchange market, as well as the customs tariffs, and drug traffickers, not the ones to give up an opportunity to turn their dirty dollars into clean pesos.

Together a motley crew of characters has turned some of the most well known MNCs into unwilling participants of their schemes.  The authorities first became aware of the elaborate system by studying trade patterns in the Tobacco Industry, but anti-money laundering (AML) authorities soon began to track drug money to the bank accounts of many of the Largest US MNCs. Companies in the global trade of appliances, cigarettes, liquor and other products are exposed to this mode of money laundering.  A common thread among the products and industries targeted is an apparent appetite for high end products which would normally pay high tariffs in Colombia.

The most likely scenario in which MNCs can fall victims (willing or unwilling) to money laundering is through the payments for goods made with illegitimate funds: The corporation and/or its products may be used by criminals in the process known as “layering” — distancing the ill-gotten gains from the criminal activity by moving it further from the illegitimate source.  

For their part the MNCs have argued in court that they were innocent owners of the drug funds and the government gave the money back. The US Justice Department has taken the tactic that it is better to seize the money, educate companies and try to get their cooperation to fight the black market peso exchange. In some cases, the Justice Department asked companies to sign a “Consent Decree” saying that the company now understood this problem and would never be able to claim innocence if it happened again. 

Thereafter MNCs could be charged with and convicted of money laundering under federal statutes that make it a crime to engage, or attempt to engage, in a financial transaction knowing that the property used in the transaction represents the proceeds of some form of unlawful activity. Furthermore; according to former IRS investigator Michael McDonald, “there’s a legal principle called Willful Blindness, which means if you totally disregard all the facts and circumstances that would lead you to believe and know that this is illegal money, that’s the same as knowing it’s illegal money.”

The costs of a money-laundering conviction can be significant. Penalties can include a fine of $500,000 or up to twice the amount of the criminally derived property involved in the transaction (whichever is greater), and/or imprisonment of up to 20 years. Legal and post-event remediation costs can be staggering. Reputational damage can be incalculable.

Prevention Strategies

Like financial institutions, MNCs should adopt AML programs that include policies and procedures, training and compliance protocols in their mitigation strategies.  More importantly under the Federal Organizational Sentencing Guidelines, implementation of corporate compliance and training programs can help avoid or minimize prosecution and civil money penalties when employees commit wrongdoing in violation of those policies. 

One of the most effective risk mitigation factors in an AML program, especially for MNCs in light of the trade-based schemes often used by money launderers, is a comprehensive and risk-based “Know Your Customer” due diligence program.  When evaluating the risk for money laundering, MNCs should consider at least the following factors when dealing with potential customers, clients, vendors, business partners and even outside sales representatives:

  • Who are the owners of the entity?
  • Is there any negative news about them or the entity?
  • What is the entity’s source of funds?
  • Is the entity located or operating in a high-risk area for fraud, corruption, drug trafficking and/or money laundering?
  • How long has the entity been in business?
  • Does the entity have a physical address?
  • What are the entity’s business model, sales volume and revenue?
  • Who are the entities customers?
  • What is the entity’s level of transparency and willingness to provide information?
  • What is the entity’s legal structure?
  • Can the entity’s existence be verified through searches of publicly available documentation and databases?

As far as reporting is concern Once KYC due diligence has been performed and documented, monitoring transactional activity will help detect unusual patterns of customer behavior. Questions to consider:

  • Is this transaction unusual in and of itself?
  • Is this transaction, when aggregated with the customer’s other transactions, unusual or suspicious?
  • Is this transaction comparable to transactions for other customers in the same geography?
  • Is this transaction comparable to transactions for other customers of the same size/business model?

As for financial institutions, MNCs may be able to use existing systems, create risk-based rules against which to evaluate transactions, generate alert reports showing patterns of activity that should be of interest and develop investigative protocols to determine if the activity is indeed suspicious and possibly tied to money laundering or other illegal activity.

AML programs require a multi-discipline approach, which means a that subject matter experts from legal, finance, security/investigations, compliance as well as sales should be part of a team working under the direction of the executive board.  The working team should have long term objectives, as the risk of money laundering to MNCs don’t simply go away with the stated countermeasures, but morphed into different M.O.’s as organized crime has been notoriously able to do. 

In closing, MNCs may have been caught by surprise by clever money laundering schemes, which are indeed very subtle in their execution.  But once the veil has been lifted, MNCs can no longer claim ignorance and would instead face hefty fines and even criminal prosecution under AML laws, if such regulations are in place in their home countries.  To avoid the eventual damage to their reputation that may result from prosecution MNCs must gain superior knowledge of their organization’s transactions through due diligence and know your customers program. 


Have They No Shame?

Making emphasis this week on the global illicit economy, this Times Online article by Jane Macartney highlights how low counterfeiters are willing to go in terms of the deadly products they’re willing and able to spew out of their bowls.  They are true merchants of death. I’m sure they’re making a Killing, peddling unsafe condoms.

Chinese police raid workshops producing counterfeit condoms

Safe sex may not be quite so safe in China. Police have uncovered underground workshops churning out fake condoms in the latest expose of China’s counterfeit industry.

Globalization Boosts Europe’s Gangsters

Much has been written about globalization and organized crime evolution, but rarely do we see mainstream media focus on the boom that trade liberalizations has had on the illicit economy the following BusinessWeek article touches on very significant trends.  As I have described in previous posts, the global illicit economy would rice to challenge legitimate business.  Notice how organized crime has been structured to profit under any economic circumstances.  The effect is akin to Darwin’s natural selection or more appropriate survival of fittest.

Globalization Boosts Europe’s Gangsters

Trade liberalization, fewer borders, and cheap air travel all are contributing to a rise in organized crime from the south and east of Europe

By Leigh Phillips