Wednesday, November 13, 2013

Security Weekly: Selling Security, November 7, 2014

By Scott Stewart

In last week's Security Weekly I briefly mentioned that one of my mentors had taught me some important lessons on selling security to people who mistakenly believe they do not need it. Some of the people who read last week's analysis have asked me to talk a bit more about selling security, so this week I will endeavor to do so.

Like most security professionals, I have faced the challenge of selling security throughout my entire professional and personal life, in a wide variety of contexts. In my capacity as a Diplomatic Security Service special agent I was responsible for the security of many diplomats, aid workers, family members and Peace Corps volunteers who believed that security was antithetical to their respective missions. As a member of a corporate executive protection team I protected a CEO who was young, had a very young family with active lifestyles and who did not want himself or his family to be encumbered by security. As a church board member and short-term mission team leader I have had to work to convince people that taking practical steps to protect yourself is not an indication that you lack faith. As a dad -- and now father-in-law -- I have also had to convince my kids to take prudent security measures. And finally, as an author and a Stratfor terrorism and security analyst I have spent many years trying to help educate people regarding the need to practice appropriate and sustainable situational awareness, adopt the proper mindset regarding threats and prepare contingency plans for instances when things do go bad.

Throughout this time I have had the good fortune to have worked for, and with, many people who have shared a great deal of wisdom concerning how to sell security. However, I want to make it clear up front that while I can lay out a few key principles here, selling security is not some sort of simple three-step process; it is really a complex art that cannot be fully delineated in a few pages.

First Things First

Undoubtedly the greatest problem that disconnects security programs from those they seek to protect is communication. To quote Strother Martin's warden character in the movie Cool Hand Luke, "What we've got here is a failure to communicate." Perhaps this communication gap is due to the personality types who tend to be drawn to security and security management jobs. Or maybe it is because so many security managers tend to have military or law enforcement backgrounds. But no matter what the cause, security managers tend to be poor communicators.

This communication breakdown is perhaps most evident in the fact that many security professionals do not feel the need to explain the "why" behind the security measures they institute. In a law enforcement or military context, rules and regulations are normally the law of the land and are beyond question. A police officer writing a traffic citation or a military non-commissioned officer enforcing a military regulation does not need to explain "why" the law or regulation is valid. It is what it is and it must be complied with. But security regulations are different -- especially in the non-governmental security setting. This is because security directors in most companies set and then enforce security policy and standards.

Setting and enforcing company security policies is very different from enforcing the law of the land passed by a state legislature or a regulation passed by the Department of the Army, but in many cases security managers fail to make this distinction. I refer to company policies here, but the need to make this distinction is also very relevant to post-specific security regulations at an embassy or consulate that are set by the regional security officer, and this obviously applies to non-governmental organizations, too.

Security managers who hold this law of the land attitude tend to adopt a "you will do this because I say so" mentality, and then attempt to force people to comply with security measures without explaining the reason why they are instituting such a rule. Now, this approach is generally acceptable when you are dealing with an infant -- or an army recruit -- who needs to be told they can't do something they want to do, but most adults deeply resent being treated in this manner. This resentment creates a lot of hostility toward security -- a deeply ingrained attitude that is readily apparent in many people and widely reflected in television shows and movies.

So, the most critical component of selling security is communication, and the most important things that must be communicated are: 1) the nature of the threat facing an institution and its people, and 2) how the security measures being implemented will help protect the institution and its people.

Basic Questions

Of course, before security managers can explain the threat to others, they need to take the time to understand it for themselves. This understanding needs to start with some very simple questions that unfortunately sometimes are not asked. The first question should obviously be, "What are we trying to protect?" For example, an embassy or a development laboratory where there is classified or proprietary information requires measures to protect information. A consumer products company may be extremely focused on protecting its product in a warehouse or in transit, while a school or missionary organization has little to protect in terms of information or material goods, but is very concerned about protecting its people.

The next question is, "What are we protecting against?" Different types of institutions will require very different security plans and, depending on where the institutions are located, the threat against them could be extremely diverse. There is also a vast difference in security measures depending on whether you are protecting against a terrorist threat, a criminal threat, an intelligence threat, or even a combination of all three -- not to mention natural disasters. Even when analyzing criminal activity, an environment where armed robbery, carjacking and kidnapping are common is different from one where the main threat is pickpocketing. So quantifying the threat requires some homework in order to dig into the complexion and character of the various dangers. If security directors do not intimately understand the threat they are facing, there is no way that they can rationally and reasonably explain that threat to others. Besides, if a security manager does not intimately understand the threat, he or she is in no position to institute security measures to guard against it.

Once security managers and their staffs have studied and thoroughly understand the threat, they are then in a position to educate their constituencies, either through briefings, written bulletins or by some other means. I have personally found informal brown bags or "come have coffee with the security director" meetings to be very effective. This educational process is an important part of selling security and must be approached seriously instead of in a cursory manner. Such briefings, and other communications such as security alerts, need to be presented in a professional way. Professional presentations not only educate people about the threat but they also allow employees to see that the security staff understands the risk. It is important that the security measures being put in place are thoughtful and based on a solid understanding of the threat rather than something haphazardly slapped into place. If you know what you are talking about, that goes a long way in building trust. By being accessible and making themselves available to the employees, security managers can build relationships that allow people to see their competence.

Honesty and candor are extremely important during this education and communication process. Hyping up or embellishing a threat will quickly erode people's trust in a security manager -- as will condescension. For a security professional, trust is critical; if people can't trust you to accurately portray the threat, there is no way they are going to trust the measures you are instituting to guard against it.

When it comes to security measures that are put into place, security managers also need to explain to people how specific measures will help prevent or mitigate a threat. The rationale behind measures such as the requirement to display employee identification badges would seem to be self-evident, but some people simply do not make the connection between the threat and security measures, so it is important to explicitly explain such linkages in a non-condescending fashion. When it comes to security measures, security managers need to be reasonable and logical in light of what is being protected and the threat environment. The security measures also need to be as unobtrusive as possible. Providing security for a corporate CEO is very different from providing security for the U.S. president or secretary of state, and the security measures surrounding the CEO should reflect that reality.

Another problem that confronts security managers is denial. "Sure, they had a workplace shooting there, but it can't happen here." Overcoming this sense of denial is difficult. As Fred Burton and I recently discussed in a video, denial can be deadly, and it is hard to counter such a mindset. Perhaps the most effective way to counter denial is with objective evidence. Whenever possible, security education materials should include credible third-party studies on occurrences like kidnapping or violent incidents in the workplace. Media reports of crime in the area, or of criminal activity directed against a similar institution elsewhere, can also be helpful. When possible, the use of photos and videos can also be very powerful. A video of a person entering a facility and stealing a purse or a laptop, or footage of a person being express kidnapped off the street, are powerful ways to convey a threat that exists.

As noted above, people generally have a bad attitude toward security, and those holding such attitudes tend to be resistant to security measures -- especially when the measures are inconvenient. They like to be able to sneak out the back door, propping it open with a trash can during smoke breaks, because they don't like to walk all the way around the building to where the card readers are. People don't want the hassle of asking a person who tailgates them through the door to show an employee ID badge. But by educating people about the threat, security managers can help explain why such actions are potentially harmful to the company -- and to the employees' own safety.

Will there be some people who blatantly disregard security rules and regulations even when there is a valid threat, and even when the reason for the security measures has been thoroughly explained? Sadly, yes -- but hopefully company management has given the security manager some means to address employees who flagrantly ignore security policy. If not, it is time to look for another security manager position. Additionally, if a security manager does a good job communicating and educating people about the threat, peer pressure from concerned colleagues can be a good way to help counter problem people.
Selling Security Copyright: STRATFOR.COM
