Key Security Program Elements
The need to address personnel security issues, such as new-hire background checks and attrition, were cited as key items by business leaders. In our discussions with local senior management, there was a consensus that the technical employee base may tend to be transient. With the rapid growth rates of the past few years, India-based multinationals compete for talent and mid-level managers. Many of these professionals change jobs approximately every two years seeking to increase their job responsibilities and improve their pay status. Even in a tight economy, this practice continues. Thus it’s imperative to have a background investigative program in place in order to screen candidates. Ensuring that each applicant's educational and professional credentials are checked for validity should be a high priority task for organizations doing business in India. Proprietary information is best protected by properly vetting those with access to the data.
Security professionals should also focus on protection of information systems and resident data. Many Western organizations operating in India are information technology (IT) related and need special security safeguards in place to protect valuable data. Data centers and large concentrations of client information present unique risks and vulnerabilities as single points of failure. It is incumbent upon security managers to provide minimum requirements to protect such assets. To combat the terror threat, focus should be on perimeter security and access control. It is prudent to avoid the display of identifying signage at key sites such as data centers.
Security compliance self-assessment checklists provide starting points for identifying vulnerabilities and taking corrective mitigating action. It is mandatory that the physical security leader partner with his or her IT security colleague and assure converged risk mitigation. For our Mumbai reviews we utilized several comprehensive checklists, including one addressing physical security in support of information systems environments. A critical control to be considered in the Indian office workplace is the need to limit systems access to avoid the sharing of terminals and log-on credentials. During our walk-through of our employer's Mumbai offices, we noticed that the IT section was by far the largest department, and was occupied by dozens of young professionals working closely together. This reinforced the need to stress general password protection and to evaluate security around system access and use.
To implement sound security controls, managers need to remind stakeholders in the budget process of the security value equation. In India, with large concentrations of employees and IT assets, it is relatively inexpensive to implement sound security controls. However, the loss of those key assets because of insufficient safeguards results in detrimental effects, causing loss of business, reputation, and sustainability. By taking a Business Assurance and Risk Mitigation (BARM) approach, the security manager is much more successful in India. Utilizing BARM, a company matches the firm's crown jewels with an appropriate level of protection, such that risks are mitigated. Controls are put in place securing the company's most valuable and proprietary components, be they people, facilities, intellectual property, or other assets. The BARM’s approach also compares the cost of implementing sound security practices to the cost of a major security breach which may cost millions of dollars in loss of business, growth, and viability of the company. Risk-based security programs match up well with cost containment, a key factor to managing a successful business in the Near East.
Likewise, with procurement and manufacturing taking place at accelerating rates, supply chain security needs to be addressed. The security manager working on Indian product protection should focus on both technical security measures and process improvements. Criminal intelligence is key. Security professionals should stay engaged with law enforcement and industry trade organizations. Carriers operating in India, too, have strong desires to limit loss and are excellent business partners for security professionals. We recommend that security managers develop ongoing liaison with carriers and transport firms and host regular information sharing sessions amongst all players. Dell Computer Corporation's John Schaeffer, VP of Security, established a carrier program and has achieved enhanced security, loss avoidance, and cost savings.
A risk-driven program specifically identifying vulnerabilities to the supply chain, accompanying counter measures to mitigate risk, and validating the process are the keys to effective security management. The cost savings of eliminating security duplications in the product delivery chain can also become a value-added proposition. The growing Indian market attracts Western high-tech and pharmaceutical industries. These security-conscious manufacturers place significant emphasis on supply chain security, wishing to avoid both diversion and theft. Security managers working in country must glean expertise in supply risk management strategy and tactics. We suggest that manufacturing and retail industry security leaders maintain expert knowledge of the most recent packaging security features, both overt and covert.
Additionally, boilerplate physical security footprints are unsuitable in India. Devising flexible physical security minimum requirements for such locations as commercial, hotel, office, and storefront real estate is recommended. Sharing site assessment criteria based on a myriad of factors with the organization’s real estate management and inviting feedback is an effective way to promote security and local compliance. For example, technical security—referring to the sophisticated integration of intrusion alarms, electronic automated access control, and video surveillance—might be easily applied in major venues such as New Delhi and Mumbai, but not in more remote locations. While in India, the team held one working meeting with our real estate and facilities colleagues in which we gave a brief presentation advocating our sales office physical security recommendations. We stressed that our recommendations were best practice-oriented but recognized that in standing up multiple small branches quickly, some lesser security stance might be acceptable for the first day due to budget and timeline considerations.
To effectively support security operations in India, one needs cultural sensitivity. It is critical to a security professional’s credibility that security solutions are devised with thought given to local norms and traits. Keen interest in the local culture also bodes well for gaining the trust and confidence of local management. Remember they are more apt to share information with you when you show interest.
Physical security enhancements that may be suited well in other locales may need to be adjusted in India. For example, there is a desire to use manpower to enhance security access control in India due the emphasis on the human element of security and the lower cost of labor. It is cost prohibitive in most locations to extensively use security guards. In India, however, it is often culturally encouraged, providing additional options in developing security plans.
Western security professionals in India may also become confused or frustrated due to the local cultural approach to conducting business. In general, it tends to take longer to accomplish your objectives. Factor in more time whenever possible to participate in pre-meeting social pleasantries, to build consensus, and to coordinate the completion of any complex security projects. Rushing through any development may bring resentment from all involved. Sticking with a project plan too closely will surely be a frustrating exercise. Occasionally pausing and approaching the task in a positive, thoughtful, and culturally reassuring way will bring you greater results.
In preparing for our Indian trip we referred to a very useful cultural guide, "Kiss, Bow, or Shake Hands" by Terri Morrison and Wayne A. Conaway. We found the practical references to life and business conduct assisted us in our successful endeavors in country. While in Mumbai, one of your authors innocently asked a female employee of the hotel business center for advice on shopping locations. The young lady insisted on learning what item she could help with and two days later appeared with the gift, refusing reimbursement. Through this we learned a lesson as to the deep extent of the Indian people's generosity and hospitality.
Before visiting India on business or prior to implementing security programs in country, we recommend receiving a security briefing from the OSAC Country Council and/or Regional Security Officers (RSOs) at the US Embassy and Consulates in India. The RSO in Mumbai provided us with a detailed threat assessment of local and regional issues and risks. Of particular interest is India's relationship with its northern neighbor, and fellow nuclear power, Pakistan. Existing flash points include border and territorial disputes over Kashmir that could trigger conflict. It would behoove visitors to India to have an awareness of these matters; they will inevitably become a topic of conversation in social settings. Ethnocentricity displayed by a visitor to India may be viewed as a disqualifier by local hosts and may limit one's ability to achieve desired goals. Our team, in fact, wrapped up our Mumbai Security Conference presentations by hosting the RSO, who spoke with our local attendees about the terrorism threat. As a U.S. government employee living in India for several years, his local knowledge was favorably noted by our audience.
As India continues to grow and prosper, security management needs to be part of the growth equation. Let’s look ahead at emerging trends and implications. First, India will most likely continue to grow at a faster rate than most other places in the world. In many respects, the country had been a sleeping giant for decades economically. In recent years, the country has been actively engaged in expanding its trillion dollar economy, benefiting millions of citizens with higher standards of living. Nevertheless, many will not benefit economically, resulting in increased crime. It will remain a challenge for security managers to develop security controls that protect assets from external and internal threats when economic fortunes are growing at a fast rate.
Finally, India will continue to pride itself on growing and retaining local security subject matter expertise. Should your initiatives require that you staff professional security management positions, draw from local former law-enforcement, military, or security personnel. Indian security manager roles require strong interpersonal skills and extensive local contacts to achieve the requirements.
As author Robyn Meredith makes clear in her very informative, "The Elephant and the Dragon: The Rise of India and China and What It Means for All of Us", India's growth potential for the near future is so favorable that Western business will continue to invest in many diverse industries. Security implications thus will remain fluid and dynamic. Moreover, India exhibits unique security scenarios impacting Western businesses operating within the country. Security managers and decision-makers responsible for the protection of people, assets, information, and property across this vast nation must match operational, procedural, and physical security initiatives to the climate at hand. As we have revealed, utilizing best practice programs directed against terrorism, crime, and emergency scenarios, while emphasizing the most applicable security program elements and considering cultural nuances, you may successfully dissipate risks.
Nicholas A. Smith, Jr., CPP, is the regional security director for the United States and Canada for Merck. He is also the program chairman for the ASIS International Western New Jersey Chapter as well as a member of the ASIS Pharmaceutical Security Council.
Scott Shaw, CPP, is director of corporate security, transportation, and disaster preparedness for AFLAC. He has over 25 years of security and business continuity experience with the U.S. State Department, U.S. Secret Service, Lucent Technologies, American International Group, and Aflac. He has provided security and business continuity planning in locations such as Italy, Russia, Mexico, Brazil, Korea, China, and India.
♦ Photo of the Chhatrapati Shivaji Terminus, which was attacked by terrorist commandoes during the 26/11 attacks, by Nicholas A. Smith, Jr., CPP, and Scott Shaw, CPP