The 21st Century Security Strategist

By Francisco Mateo, CPP, CFE

Many classic works on strategy deal with conflict management and resolution….  Perhaps the two best known and often quoted among security professionals, whether we recognize it or not, are Sun Tzu and Niccolò Machiavelli through their classic works The Art of War.  Even though they come from different areas, they combined deep thoughts about the meaning of conflict and their ever revolving spheres of influence from all walks of life.  As security practitioners we seek to resolve many conflicts in our efforts to protect people, assets, reputation, and brand (PARB).  The context gets evermore complex, and so must our protection strategies. Through the concepts gleaned from these strategists par excellence we can develop our own style suited to our cause.

If we look at the security problems we face today, fraud, theft, hijackings, labor disputes, workplace violence, extortion, blackmail, commercial espionage, counterfeit, demonstrations, political unrest, crisis (natural or man-made) just to name a few, all share a comment current in a socioeconomic context.  The motivations that influence the ebb and flow of crime trends are rooted on a need for survival and dominance of our human species.  As globalization and access to information became more entrenched, so did the diffusion of creative criminal ideas of how to resolve the age old problem of survival through snatching property of those perceived to have more.

The success of these deviant actors hinges on their ability to study and know our weaknesses, equally or better than we know them ourselves.  This gives them tremendous advantage of selecting the time and place for the attack.   If we stand a chance of either deterring or detecting the attack, than our security risk assessments must be in tune to the universe of possible enemies of protection that we would face.  Whether it is internal or external we should know: who they are? What are their motivations? When and where are they most likely to act? What benefits would they derive from their actions? How would they go about obtaining the fruits of their deviant actions?, etc.  Analysis like this would move us to the best strategy to counteract our enemies’ actions.

For example if we decide deterrence is the best course of action, we should consider the options available; as Mark Willoughby once mentioned “Successfully managing risk is a delicate balance between probability and impact. If we choose more security, we must strengthen countermeasures to make the probability of a successful attack unattractive. The bad guys will look elsewhere for lower-hanging fruit — and a skilled and determined foe will always find lower-hanging fruit.”  Knowing our enemy allows us to not only know their threshold for risk, but to also make a sound determination of how much resources are needed to simple deflect their attacks.

 The basic tenet of prevention would not be possible without first knowing the operating environment.  Before we can set forth strategies we must first properly evaluate the risk conditions through security assessments.  Our assessments should be design to take a deep look into internal and external factors that would give rise to risk. Our internal assessment may include how staffing and budget levels, hierarchical status fit the business operation we’re tasked to protect.  External factors for the most part turn on the particular industry axis your company finds itself. For the must part security risk depends on weather you’re in the manufacturing, oil, mining, financial, hi-tech or other industries.  

In order to remain focus on the protection mission the security practitioner must know how to differentiate between strategy and tactics. Think of strategy as the web that links all decisions of when, how and if tactics are used.  Therefore no matter how clever the tactic it should not represent your overarching security strategy.  An example of how this dynamic plays out on the field is the case of supply chain security.  Deciding whether to lay down GPS tracking on your transport fleet or use armed guards to protect cargo from theft is a tactical disposition.  Your overall strategy must include route risk assessment; analyzing crime trends; filtering all supply chain staff (direct and third-party); protecting cargo information from leaks; physical security at all idle/transfer points; guaranteeing cargo integrity through the use of security seals; procedures for managing emergencies on the road; ensuring trucks in your fleet are mechanically fit for transport.  Your strategy would tie-in all these strands in a cohesive and executable plan.

Security practitioners like many other strategy professionals have a window of opportunity to obtain maximum impact for our security programs. For that reason we must ensure error-free execution. When people’s lives are in your hand, mistakes are unacceptable. Picture a critical fraud investigation you have spent weeks on field work; countless hours researching documents in search of solid evidence that would link your suspect to the matter at hand.  Yet, the case so far lacks solid factual evidence. Just the type of factual evidence an eyewitness or person with first hand knowledge can provide. Time is of the essence in these types of investigations, but you must have a sense of proper timing to improve and strengthen your position. Your strategy is to go in with as much information as possible into the initial interview with the suspects and for that reason you must wait to interview all witnesses with knowledge of the case or the suspects. Your aim should be to get it right the first time; therefore a wealth of information would give you the superabundance of strength to keep the snake in business suit from slithering away even when tactical errors are made during the interview process.

Nestle’s Chairman, Peter Brabeck once announced to the organization that in order to maintain the high ground of competitiveness the organization alignment must go from “Supertanker to fleets of swift and agile ships” an excellent analogy reflect on how an organization with a global footprint must remain malleable to change in order to maintain the advantage.  The security strategist must remain focus on major external and internal developments and changes influencing the organization they protect.  The reason is simple when we design our security mitigation strategy we make major assumptions about the risk (based on past and present events) the organization is exposed to. 

The structural alignment in an organization is a major influence on how internal and external threat vectors play out.  For that matter any changes in the functional configuration should trigger an automatic redefinition of the risk scenarios. Almost all major global organizations are evolving from traditional to flexible and dynamic networks.  A Bain & Co. study of 37 companies in industries ranging from consumer products to financial services to energy shows that strategically trimming and reconfiguring support functions such as HR, finance and security is often smarter than making wholesale cuts. Done right, it can actually improve effectiveness as it reins in costs. The security practitioner must analyze the intrinsic strengths and weaknesses of these restructuring initiatives and stay at the forefront by making strategic changes before they are imposed on them.  It would show a willingness to be in lockstep with major business innovations, as well as, a superior level of understanding of risk can be leveraged and controlled.    

Now more than ever before the security practitioner needs to learn important lessons about change.  We must not only adapt to change, but we must embrace it.  Our turbulent world demands a level of comprehension about change which at times seem uncomfortable even unbearable and traumatic.  An example of such change can occur during the merger and acquisitions (M&A) between two organizations.  The security strategist must not only participate in the due diligence process to ensure minimal risk to the acquiring company, it must go beyond to determine how the new structure would affect the security organization at all levels.  My own change management ritual involves the study of the different industries that impact my employer to ensure that I have the least blind spots possible about potential risks.  It ensures that I can manage possible change scenarios, which in turn minimizes their impact since having awareness automatically triggers strategic plans to mitigate undesirable effects. It also increases internal and external understanding of the forces that influence my environment increasing my effectiveness and as my role becomes more significant I become a change agent which helps influence transformation.

To the basic level of operation we always preach that habits are our worst enemy.  Whether it is conducting patrol routes around a compound or supervising staff in remote locations there is a simple maxim “don’t be predictable”.  In essence strategy encompasses the use of stratagem to obtain results without alerting our enemies.  As the “Lord Fabrizio Colonna”, Niccolò Machiavelli’s alter ego in his classic work “The Art of War”, which details how an army ought to be raised, trained, organized, deployed and employed; a security practitioner should be able to postulate and articulate a cohesive security strategy and structure. For that purpose the security strategist should actively recruit talent, design and developed industry/company appropriate training and subsequently position staff to tackle the company’s toughest PARB protection challenges.  It is in Machiavelli’s concept of “Virtù”, whereby he describes the “strategic prowess of the general who adapts to different battlefield conditions as the situation dictates”; that I draw upon to lend credence to the fact that the security practitioners must possess many layers of knowledge and personality to succeed.       

It is incumbent upon the 21st Century Security Strategist to learn how this skill can be used to set strategic plans, which “At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.” It would require that you’re in line with business “big picture thinking” or its long term over-the-horizon plans to get to know which direction the business is going.  This would enable you to develop roadmaps and compass to guide through the right development path.  This is followed by conducting risk assessments; whereby you identify the weaknesses and strengths of your operation in light of your gaps and exposures.  The risk assessments are a good opportunity to test the vulnerability present in existing countermeasures as well as gage what is needed to close those gaps. Next you need to make your team part of both the strategic, but also the tactical plans.  For that reason you need to “Set measurable goals” that would anchored you plans on solid business grounds.  Remember that information generated by security efforts that is not “measurable, doable and repeatable” would blunt your impact. In other words security metrics must be collected, analyzed, applied and disseminated to the business leadership. 

In conclusion both classic works “The Art of War” from Sun Tzu and Niccolò Machiavelli are instrumental for the 21st Century Security Strategist to develop and implement protection theories today.  Whether we’re applying tactical dispositions to tackle specific protection issues or implementing an overarching security strategy we have a wide range of knowledge to draw upon to enrich and improve our protection efforts.