Embed Size (px)
Citation preview
CIO Asia - Post-9/11 Security
January/February 2007
Printer Friendly
Email this story
Alarm! Post-9/11 Security
Too many business enterprises, despite the current war on terrorism, suffer the consequences of failing to plan for crises.
By Ross Storey CIO Asia In recent months, the world’s biggest medical and security assistance company, International SOS, has been involved in major mass evacuations in Nepal, East Timor, Lebanon, Sri Lanka and the Solomon Islands.
CIO Asia recently spoke to former Australian SAS soldier Tony Ridley, who is now International SOS’s regional security director, Asia-Pacific. Ridley is in charge of commercial and corporate security for clients from Pakistan to China and all the way down to Australia and New Zealand.
He worked as a security consultant in Iraq shortly after the US invasion, and as operations director for a major company across Indonesia with security projects in the oil and gas, forestry and hotel industries. The following are his thoughts on current corporate attitudes to security.
How good is the security business these days in this uncertain world of hot spots?
It’s not necessarily just the hot spots, but an increasing temperature in the warm spots as well. The Asia-Pacific has been somewhat volatile with transitional governments, rule of law and expanding economies.
With that comes a certain amount of growing pains. That’s contributed to the security industry, which is also riding on the back of the expansion of services, since the Iraq and Afghanistan privatisation of a lot of the military elements.
Security is not necessarily about catering for an organisation’s need in a hostile environment; it’s about identification of risk, which may manifest in a host of business processes. It may originate from angry communities, travel processes or business practices. Security is something that is not only needed in a hostile environment; it exists across the entire business spectrum.
So you are also dealing with internal issues for organisations, where they might have a problem as part of their business processes?
That’s correct. Particularly in Asia, probably between 80 and 90 per cent of vulnerabilities for organisations exist internally. This is because of service-level agreements, hiring backgrounds, the profiling of individuals or just the exposure to potential financial anomalies and things like the structure of buildings that were designed in a different time.
For example, hotels in Asia are very curb-centric and they’ll be open, permitting easy open access. This obviously doesn’t sit very well in high-terrorist environments.
The high-end elements or risk are on the increase, particularly when the disparity is increasing between the ‘haves’ and the ‘have nots’ in impoverished countries, or in communities that are trying to gain a foothold in the so-called ‘middle class’.
But, on a day-to-day basis, it’s usually 100 times more likely to be more subtle elements of risk, such as internal thefts or extortion against companies, the counterfeiting of products and those sorts of things that are prevalent.
What are the key security and risk management issues you have to deal with?
We have very much an ‘all hazards’ approach to security so it’s not about being a specialist in any one particular area. It’s not
http://www.cio-asia.com/PrinterFriendly.aspx?articleid=4364&pubid=5&issueid=108 (1 of 3)14/02/2007 16:10:22
CIO Asia - Post-9/11 Security
about being IT-focused on concentrating on biometric security. It’s about being holistic and that’s the growing trend. Previously there were sub-divisions between various skill sets.
Now there’s significantly more convergence. Managers are increasingly being expected to be able to handle all of these departments and sometimes they have no exposure to it, no previous training, it’s just an overnight expectation.
Certainly, as we see the downsizing and the outsourcing, that’s where some of the biggest risks are emerging. The risks arise when people are moving from one particular skill set to another and are becoming responsible for business units or processes, with which they have no experience.
What is the current corporate attitude to services like yours?
Essentially a lot more companies and corporations are expanding their duty of care to their employees, both in a corporate environment and in private travel. The Asian tsunami was a particular example. When people first called for help, they called their corporate entities for assistance and we execute those services.
It’s not just about travel, terrorism, or health and safety. It’s an all-hazards process. Obviously being an integrated service provider, looking after people as well as assets, we’ve certainly been very busy in these aspects over the last couple of years.
What particular industries do your clients come from?
Industry sectors that are not necessarily ‘risk averse’ but are ‘risk aware’ are typically the finance and insurance industries, oil and gas, manufacturing and production and distribution. These would be the top-core sectors we regularly deal with, which is obviously most of the multinationals.
Overall, security is something of a pre-conceived idea. Particularly here in the Asia-Pacific, security for a lot of people is a retired police officer or military guy in his late 50s, perhaps with a shotgun outside a jewellery store. That’s not security. Security is a complex mix of things.
Certainly no company can operate in the Asia-Pacific with assets such as people, facilities, equipment, and sensitive information without some form of security management system.
Organisations can reduce their crisis exposure and turn it into a day-to-day incident management process. If they have an incident plan for information compromise or a missing person or a hostile takeover, then it purely becomes a process. When something happens, they activate that process in accordance with their rehearsals and their reactive plans.
Otherwise, if they are unprepared, they have to respond as well as develop a plan as they go along and, typically, that’s when mistakes are made.
So what should an organisation budget for, to make sure their overall security and crisis preparedness is on track?
Typically, it’s anywhere between three and five per cent of operational revenue. Depending on their distribution of assets and their operational exposure, it can vary.
For some organisations, it can be a few thousand dollars, others invest millions. They have disaster recovery sites, plans, contractors and inhouse talent. For many in the finance industry, for example, there are compliance requirements when it comes to business continuity. There’s choice in how much they spend, but no choice on what they have to spend it on.
These business continuity requirements are imposed by the monetary compliance bodies and therefore they are mandated to have certain preparations in place.
They have the higher budgets, as do the oil and gas industry, because they potentially have the most to lose.
Executives might say: ‘Nothing’s going to happen to us. We don’t need that’. What is the value of your services to these organisations?
Typically, these are the type of companies that are now out of business as a result of the 9/11s, the tsunamis, train derailments, extortions, plus a whole host of Enron-type activities. Unfortunately, waiting for government compliance is the biggest problem with the industry.
When people are forced to wear helmets and seatbelts and there’s a fine if they don’t, they tend to comply. With security-related issues, if there is no compliance imperative, it’s considered a luxury in a lot of cases.
But many companies simply do not recover from significant events such as compromise of information, bombings and these
http://www.cio-asia.com/PrinterFriendly.aspx?articleid=4364&pubid=5&issueid=108 (2 of 3)14/02/2007 16:10:22
CIO Asia - Post-9/11 Security
sort of things, or even hostile takeovers.
So, the best business continuity practice is to be prepared for it, hope it doesn’t happen, but if it does, implement a pre-prepared plan.
CONTACTS
Websites hosted by Pacific Internet
http://www.cio-asia.com/PrinterFriendly.aspx?articleid=4364&pubid=5&issueid=108 (3 of 3)14/02/2007 16:10:22
