By Nicholas A. Smith, Jr., CPP, and Scott Shaw, CPP
Last year's Mumbai terror attacks underscored the difficulties multinational corporations potentially have protecting their property and employees overseas. Two security professionals who traveled to India early last year discuss how to provide security in India while respecting its cultural traditions and norms. (Online Exclusive)
While enjoying a temperate January morning in Mumbai, we sat occupying a 5th floor conference room in our firm's offices, taking in an unobstructed view of the lush business park and the chaotic street traffic below. The day's business at hand involved final planning and execution of an all-hazards security and emergency readiness review for our U.S.-based employer’s Indian insurance and financial services operation. Because the business resides on multiple non-contiguous floors across several buildings, we anticipated challenges and were likely to encounter substantive findings. Local senior management in Mumbai had invited the four of us, a corporate security team consisting of security directors representing both New York headquarters and our Hong Kong regional office, to visit in order to assess existing security and to conduct awareness training. Because local Indian management sponsored our week-long visit, we were very desirous of delivering a quality product.
As we sat with our colleagues, drinking very strong tea in extremely small cups, our attention was drawn away from the security documents and plans to the immediate observation that vehicles of all sorts—taxis, private cars, buses, and motor scooters—were freely entering the office park. Although guards were posted and sliding gates were present, automobiles careened from the adjacent busy street undeterred through the open gates and made a beeline for the first of the park's detached mid-rise buildings. This observation reinforced our belief that any security recommendations would need to be sound and also in line with the realities of doing business in India. We knew that our security recommendations must not contradict the local culture. If we did, we would lose credibility with our local sponsors.
Confronting Deteriorating Security Head-on
We arrived in early 2008 with the mission of carrying out a multi-faceted security program in support of our global employer's local businesses. Key deliverables included conducting a security conference for senior and mid-level management, assessing executive residential security, reviewing office physical security, and training executive drivers in security tactics. Driving our visit and work program was the company’s rapid growth across India, with new office expansions and significant hiring underway.
But Western businesses expanding across India today, must also confront head-on diminishing security. The most prevalent security issues facing businesses operating in India are terrorism, crime, and emergency preparedness. Confronting these external threat factors will allow security professionals to consider appropriate countermeasures. While highlighting the current landscape across these and other categories of security concern, we will cite our team's experiences during our visit last year and note some challenges we encountered. We will also suggest key India security program elements for your consideration. Finally, we will share our cultural insights to assist other security professionals in achieving successful risk mitigation.
Terrorism. Currently, the most severe threat to organizations operating in India remains terrorism. In November of last year, Mumbai's security climate saturated worldwide media coverage when jihadists launched an organized series of commando attacks against civilian targets such as a train station, a Jewish center, and two luxury hotels. Hostages were taken, with terrorists intent on targeting Westerners. The Indian government reacted by storming the hotels held under siege, eventually routing the perpetrators. Terrorists had previously demonstrated their desire to target large numbers of people with near-simultaneous attacks in the heart of the capital, New Delhi, in September 2008. Following those horrendous bombings, attacks occurred in the militant-ridden northeastern portion of the country, with a wave of explosions striking crowded public places. Even more recently, reports describe attempted attacks on transportation, communications hubs, and authorities, some attributed to the Islamist militant threat and others to Maoist rebels.
In this climate, some travelers to India are reluctant to stay in Western-style hotels. We suggest travelers reside in corporate housing, if available, as an alternative. Visitors to India need to be cautious in the vicinity of key government locations and tourist sites and when attending public events such as religious and sporting events. Special attention should be given in hotels, airports, shopping malls, and markets. Westerners should avoid public transportation. Take note of calendar dates representing national significance, such as Republic Day on January 26, Independence Day on August 15, and Ramadan throughout the late summer. Terrorists have used such occasions to mount attacks. It is wise to refrain from taking pictures of Indian Government facilities, train stations, airports, power plants, or other potentially sensitive sites, as photography may be viewed as hostile in nature by locals.
Terrorist targets are often public in nature, and therefore the attacks are seemingly indiscriminate. Yet, as was experienced in the Mumbai attacks, Westerners, specifically American and British passport holders, were singled out by the assailants. During our visit, we learned that security professionals are concerned future terrorist attacks will target Western business. Our employer's American-branded company name served to potentially raise its profile in a negative manner. Signage and local common knowledge served to readily identify the firm with Wall Street. To mitigate these risks, some companies operating in India partner with local firms and utilize local corporate names, thereby attracting less hostile attention.
In response to this terrorist threat posture we conducted a detailed site review of our company's Mumbai location, evaluating items to include stand-off perimeter protection, structural design (blast protection), guard postings, procedural security, and video surveillance. Among our findings we noted that the British-era grounds included a 7-foot-high perimeter wall, but trees had been allowed to grow over this barrier, easily allowing a would-be intruder access by simply dropping off a limb. Shrubs also allowed concealment opportunities and could offer an opportune place for an improvised explosive device. We discussed this threat with the property management and raised their awareness to the vulnerability. They reaffirmed guard force roving patrols at the perimeter as a solution.
To address physical security concerns, we made recommendations to management to deploy a "Concentric Rings of Security Model." This methodology centers on redundant security measures designed to defeat intrusions or attacks. Security managers may deter terrorist targeting through the use of adequate stand-off perimeter protection and tight access control. Satisfactory perimeter dusk-to-dawn lighting, guard posts, and vehicular control should also be considered. Interior security may be heightened through conducting fluid security applications (such as avoiding routine and thus predictable security officer shift change schedules), which serves to confuse terrorist planning. We believe that this approach matches well with the precise terrorist modus operandi in India, as intense hostile surveillance precedes attempted attacks. Alert security personnel may detect preoperational surveillance and disrupt the attack cycle.
We stressed to our Indian colleagues the importance of staying abreast of the current threat climate by developing local security intelligence. Monitoring the local news, being engaged with private and public sector sources of information, and remaining attentive to government warnings promote understanding of a fluid risk environment.
Accounting for employee whereabouts and status is critical in the aftermath of a terrorist attacks. Due to the frequency of attacks in India, this is a recurring concern. Private sector intelligence and security firms offer useful services which alert security management to terrorist events in India. Security, in turn, coordinates with their Business Continuity and Disaster Recovery counterparts to determine if there is any negative impact to employees or operations. The emergency notification process is enhanced when firms possess the ability to communicate quickly with employees and management. Tools such as automated access control and visitor management software are helpful in providing data of building occupants whereabouts in the aftermath of an event. Mass notification software and calling trees are also recommended to communicate to employees during emergencies. It is imperative that Western businesses possess developed and exercised continuity plans addressing remote work sites and work from home scenarios.
Crime. In addition to terrorism, India projects a serious criminal threat scenario. One of the authors spent time in New Delhi in the late-1990s as part of a U.S. Secretary of State visit. At that time, pick pocketing and street scams were the most significant criminal modus operandi to watch for when "off duty" and in search of dinner or shopping. Today, crime represents an escalating threat for Western businesss and for Indian nationals. One Fortune 100 security manager, who resides in India, told us that his multinational corporation is very concerned about rising crime in country. India’s crime problem, he says, stems from religious and ethnic clashes, social events gone astray, and large inequities of wealth. Kidnapping is fast becoming a serious concern, with business leaders randomly abducted. Crimes against non-Indian and tourist women, known as "Eve-Teasing", are occurring more regularly, and involve groping or other forms of sexual assault. Theft remains the greatest threat to corporations.
Acquiring current and accurate Indian crime statistics is difficult. due to crimes going unreported and discrepant gathering of metrics across the country's states. To overcome this obstacle, we sought out a formal security briefing from a colleague at a publishing firm who travels to India often. Our briefer shared crime prevention tips and spoke with us about hotel and street scams. Likewise, visitors who are unfamiliar with the terrain in India should seek out professional security advice, focusing on personal safety, medical, and security awareness tips and tactics.
One must be particularly attentive to personal security when traveling outside of the major cities. Employee security must be considered when planning domestic air and train travel as well as organizing international travel commencing from India. We recommend that security managers working in India identify internal business stakeholders, such as a travel manager and a risk professional, and develop a travel security program. Pre-trip security briefings may assist in heightening the business traveler's sense of security awareness, thereby diminishing the likelihood of criminal victimization. Using sources of intelligence and media reporting, the security manager can rank the risks associated with certain travel destinations.
Here are some standard security practices we practiced during our stay in India. While dining out, shopping after-hours, and touring the City, we felt less conspicuous and most comfortable when accompanied by a local colleague. We opted several times to travel in an Indian host's private vehicle instead of a hotel van or car service. One colleague wisely protected his wallet while entering a secure jewelry store via door-buzzer, as street people crowd about when shoppers were admitted.
The growing criminal phenomenon of stealing proprietary data also concerned our company's local senior management, both from a business protection and a personal security standpoint. Securing one's client data and business practices are mandatory in India’s financial services sector. Our review noted that physical protection for information systems was vital. We observed that access card programming levels were in need of review and that the access database required a clean-up. Additional card reader locations were identified to better protect computer rooms. In consideration of the transient workforce in India, these measures were especially important. Absent regular access database review and badge issuance and deletion protocols, former employees could possibly maintain unapproved access to your Indian business.
To best counter local assault, kidnapping, and robbery risks, we conducted a training session for our firm's executive drivers. Due to the significant amount of time spent commuting to and from the office and the diverse driving difficulties in India, many higher level employees employ professional drivers. Although most drivers in India are adept to the local traffic patterns, some may have limited training in security awareness.
Drivers need instruction on how to identify a potential terrorist attack as well as ways to avoid becoming a target. In addition, drivers should be introduced to the significance of surveillance detection which further emphasizes preventing an attack from taking place by changing routes and times. Practical exercises reinforced skills learned and enhanced driving safety. Also don’t discount acknowledgment: chauffeurs can be motivated to perform well when they receive personalized recognition, such as training certificates.
To further combat criminal risks, the corporate security team visited several executive's homes and assessed home safety and security. We identified fire hazards, such as blocked stairwells along with inoperable door locks and other easily repairable security discrepancies. One unique prevailing theme we observed was that Mumbai high-end apartment skyscrapers employ many support staff, such as cleaners, doormen, and repairmen. This is likely due to cultural considerations and the low cost of unskilled labor. Because of this, there are numerous individuals with access to the residential floors. Western business residents should be educated to report any suspicious individuals to building management or to the responsible security department.
As we conducted our residential reviews, executive spouses were present two times and gladly participated in general family security awareness discussions. Executive protection must be considered as security managers devise programs appropriate for their firm's India-based businesses. With house burglaries and home intrusions on the rise, it is imperative that security managers conduct residential security surveys and implement physical security measures that protect residents and property.
Additionally, as more Indian women enter the professional marketplace, working often for U.S. firms, additional gender specific security issues may arise. The authors developed and launched a "Women's Personal Security Workshop" in 2006. This half-day participatory course of instruction serves to elevate attendee's security awareness while maintaining the theme that business travel security is manageable. Similar training is appropriate in any environment, when matched to the local culture and threat climate. Topics contained in this class include “Personal Security Awareness,” “How to Detect Hostile Surveillance,” and “Tips & Tactics for Mitigating Personal Risk.”
Emergency Preparedness. Beyond acts of terrorism and crime, our host management team said that emergency preparedness ranked highly on their list of concerns. As our site in Mumbai consisted of a very large urban office complex with thousands of employees residing on multiple leased floors in several detached buildings, we maintained special interest in developments such as contagious disease, demonstrations, HAZMAT leaks or spills, power disruptions, severe monsoon weather and resulting floods, telecommunication interruptions, and urban unrest. Inherently, leased environments complicate the development and execution of consistent emergency response operations, such as evacuation or shelter-in-place. While our employer had pioneered a global Best Practice Chemical, Biological, Radiological, and Nuclear (CBRN) response initiative, accomplishing some program deliverables in India proved difficult, in great part due to tenant status. During the team assessment, we found ourselves concerned over how to apply successful emergency response protocols in Mumbai. Our colleague responsible for this global initiative determined that a detailed review of all aspects was needed and went about emphasizing floor warden identification, landlord liaison, and drills. He worked with local stakeholders to successfully complete an emergency preparedness checklist and ensured appropriate follow-up to achieve all recommendations.
Security managers need to address emergency readiness in tiers. Focus first on fire safety. We observed fire safety issues such as obstructed hallways and over-stacked file cabinets and immediately corrected them, but fire safeties requires a full assessment and follow up where needed. Additionally, review any existing emergency evacuation plans, a critical but often overlooked tenet of emergency readiness. Do employees know the evacuation routes and remote areas of refuge locations? Does the security department communicate effectively to new employees on fire evacuation? By having a fire safety communication plan and planned evacuation drills, the emergency readiness component becomes part of the business culture. Lastly, develop shelter in place as an option for employees when the threat lurks outside. Each business unit should have adequate water and non-perishable food on hand in case shelter in place is longer than 8 hours. Due to the threat of random acts of violence that may impact employee’s ability to depart a building or campus, shelter in place is a viable scenario.
Emergency readiness for H1N1 swine flu is critical at this juncture as it is expected to peak during the winter tourist seasons in Goa and elsewhere in country. India has, to date, experienced over 3,000 cases of the virus. Both the Maharashtra and Pune state governments have previously closed schools, movie theatres, shopping malls, and other public venues. When traveling to international airports in India, visitors will be screened at a health counter and will need to fill out an information sheet declaring if they have flu symptoms before being cleared through customs.
Having an employee communication plan and pandemic plan goes a long way in reassuring and retaining employees. Organizations operating in India should have a pandemic working group with security at the table. The committee should have specific trigger points for when to implement social distancing, restrict business travel, and cancel meetings. Telecommuting and generous leave policies to care for family members who have flu conditions are sound recommendations.
Do not discount emergency planning in India. In the aftermath of past terrorist attacks and monsoons in Mumbai, the city and its people bounced back. The resiliency of the local economy and people is noteworthy: in short order they were able to return to a relative measure of stability. It may thus be tempting to disregard emergency readiness, relegating it to the back burner. However, by incorporating low-cost emergency planning in your business, Western firms can safeguard their assets and create competitive advantage because many competitors lack emergency readiness planning. It was this message that we conveyed to our audience during the India Security Conference.
Key Security Program Elements
The need to address personnel security issues, such as new-hire background checks and attrition, were cited as key items by business leaders. In our discussions with local senior management, there was a consensus that the technical employee base may tend to be transient. With the rapid growth rates of the past few years, India-based multinationals compete for talent and mid-level managers. Many of these professionals change jobs approximately every two years seeking to increase their job responsibilities and improve their pay status. Even in a tight economy, this practice continues. Thus it’s imperative to have a background investigative program in place in order to screen candidates. Ensuring that each applicant's educational and professional credentials are checked for validity should be a high priority task for organizations doing business in India. Proprietary information is best protected by properly vetting those with access to the data.
Security professionals should also focus on protection of information systems and resident data. Many Western organizations operating in India are information technology (IT) related and need special security safeguards in place to protect valuable data. Data centers and large concentrations of client information present unique risks and vulnerabilities as single points of failure. It is incumbent upon security managers to provide minimum requirements to protect such assets. To combat the terror threat, focus should be on perimeter security and access control. It is prudent to avoid the display of identifying signage at key sites such as data centers.
Security compliance self-assessment checklists provide starting points for identifying vulnerabilities and taking corrective mitigating action. It is mandatory that the physical security leader partner with his or her IT security colleague and assure converged risk mitigation. For our Mumbai reviews we utilized several comprehensive checklists, including one addressing physical security in support of information systems environments. A critical control to be considered in the Indian office workplace is the need to limit systems access to avoid the sharing of terminals and log-on credentials. During our walk-through of our employer's Mumbai offices, we noticed that the IT section was by far the largest department, and was occupied by dozens of young professionals working closely together. This reinforced the need to stress general password protection and to evaluate security around system access and use.
To implement sound security controls, managers need to remind stakeholders in the budget process of the security value equation. In India, with large concentrations of employees and IT assets, it is relatively inexpensive to implement sound security controls. However, the loss of those key assets because of insufficient safeguards results in detrimental effects, causing loss of business, reputation, and sustainability. By taking a Business Assurance and Risk Mitigation (BARM) approach, the security manager is much more successful in India. Utilizing BARM, a company matches the firm's crown jewels with an appropriate level of protection, such that risks are mitigated. Controls are put in place securing the company's most valuable and proprietary components, be they people, facilities, intellectual property, or other assets. The BARM’s approach also compares the cost of implementing sound security practices to the cost of a major security breach which may cost millions of dollars in loss of business, growth, and viability of the company. Risk-based security programs match up well with cost containment, a key factor to managing a successful business in the Near East.
Likewise, with procurement and manufacturing taking place at accelerating rates, supply chain security needs to be addressed. The security manager working on Indian product protection should focus on both technical security measures and process improvements. Criminal intelligence is key. Security professionals should stay engaged with law enforcement and industry trade organizations. Carriers operating in India, too, have strong desires to limit loss and are excellent business partners for security professionals. We recommend that security managers develop ongoing liaison with carriers and transport firms and host regular information sharing sessions amongst all players. Dell Computer Corporation's John Schaeffer, VP of Security, established a carrier program and has achieved enhanced security, loss avoidance, and cost savings.
A risk-driven program specifically identifying vulnerabilities to the supply chain, accompanying counter measures to mitigate risk, and validating the process are the keys to effective security management. The cost savings of eliminating security duplications in the product delivery chain can also become a value-added proposition. The growing Indian market attracts Western high-tech and pharmaceutical industries. These security-conscious manufacturers place significant emphasis on supply chain security, wishing to avoid both diversion and theft. Security managers working in country must glean expertise in supply risk management strategy and tactics. We suggest that manufacturing and retail industry security leaders maintain expert knowledge of the most recent packaging security features, both overt and covert.
Additionally, boilerplate physical security footprints are unsuitable in India. Devising flexible physical security minimum requirements for such locations as commercial, hotel, office, and storefront real estate is recommended. Sharing site assessment criteria based on a myriad of factors with the organization’s real estate management and inviting feedback is an effective way to promote security and local compliance. For example, technical security—referring to the sophisticated integration of intrusion alarms, electronic automated access control, and video surveillance—might be easily applied in major venues such as New Delhi and Mumbai, but not in more remote locations. While in India, the team held one working meeting with our real estate and facilities colleagues in which we gave a brief presentation advocating our sales office physical security recommendations. We stressed that our recommendations were best practice-oriented but recognized that in standing up multiple small branches quickly, some lesser security stance might be acceptable for the first day due to budget and timeline considerations.
To effectively support security operations in India, one needs cultural sensitivity. It is critical to a security professional’s credibility that security solutions are devised with thought given to local norms and traits. Keen interest in the local culture also bodes well for gaining the trust and confidence of local management. Remember they are more apt to share information with you when you show interest.
Physical security enhancements that may be suited well in other locales may need to be adjusted in India. For example, there is a desire to use manpower to enhance security access control in India due the emphasis on the human element of security and the lower cost of labor. It is cost prohibitive in most locations to extensively use security guards. In India, however, it is often culturally encouraged, providing additional options in developing security plans.
Western security professionals in India may also become confused or frustrated due to the local cultural approach to conducting business. In general, it tends to take longer to accomplish your objectives. Factor in more time whenever possible to participate in pre-meeting social pleasantries, to build consensus, and to coordinate the completion of any complex security projects. Rushing through any development may bring resentment from all involved. Sticking with a project plan too closely will surely be a frustrating exercise. Occasionally pausing and approaching the task in a positive, thoughtful, and culturally reassuring way will bring you greater results.
In preparing for our Indian trip we referred to a very useful cultural guide, "Kiss, Bow, or Shake Hands" by Terri Morrison and Wayne A. Conaway. We found the practical references to life and business conduct assisted us in our successful endeavors in country. While in Mumbai, one of your authors innocently asked a female employee of the hotel business center for advice on shopping locations. The young lady insisted on learning what item she could help with and two days later appeared with the gift, refusing reimbursement. Through this we learned a lesson as to the deep extent of the Indian people's generosity and hospitality.
Before visiting India on business or prior to implementing security programs in country, we recommend receiving a security briefing from the OSAC Country Council and/or Regional Security Officers (RSOs) at the US Embassy and Consulates in India. The RSO in Mumbai provided us with a detailed threat assessment of local and regional issues and risks. Of particular interest is India's relationship with its northern neighbor, and fellow nuclear power, Pakistan. Existing flash points include border and territorial disputes over Kashmir that could trigger conflict. It would behoove visitors to India to have an awareness of these matters; they will inevitably become a topic of conversation in social settings. Ethnocentricity displayed by a visitor to India may be viewed as a disqualifier by local hosts and may limit one's ability to achieve desired goals. Our team, in fact, wrapped up our Mumbai Security Conference presentations by hosting the RSO, who spoke with our local attendees about the terrorism threat. As a U.S. government employee living in India for several years, his local knowledge was favorably noted by our audience.
As India continues to grow and prosper, security management needs to be part of the growth equation. Let’s look ahead at emerging trends and implications. First, India will most likely continue to grow at a faster rate than most other places in the world. In many respects, the country had been a sleeping giant for decades economically. In recent years, the country has been actively engaged in expanding its trillion dollar economy, benefiting millions of citizens with higher standards of living. Nevertheless, many will not benefit economically, resulting in increased crime. It will remain a challenge for security managers to develop security controls that protect assets from external and internal threats when economic fortunes are growing at a fast rate.
Finally, India will continue to pride itself on growing and retaining local security subject matter expertise. Should your initiatives require that you staff professional security management positions, draw from local former law-enforcement, military, or security personnel. Indian security manager roles require strong interpersonal skills and extensive local contacts to achieve the requirements.
As author Robyn Meredith makes clear in her very informative, "The Elephant and the Dragon: The Rise of India and China and What It Means for All of Us", India's growth potential for the near future is so favorable that Western business will continue to invest in many diverse industries. Security implications thus will remain fluid and dynamic. Moreover, India exhibits unique security scenarios impacting Western businesses operating within the country. Security managers and decision-makers responsible for the protection of people, assets, information, and property across this vast nation must match operational, procedural, and physical security initiatives to the climate at hand. As we have revealed, utilizing best practice programs directed against terrorism, crime, and emergency scenarios, while emphasizing the most applicable security program elements and considering cultural nuances, you may successfully dissipate risks.
Nicholas A. Smith, Jr., CPP, is the regional security director for the United States and Canada for Merck. He is also the program chairman for the ASIS International Western New Jersey Chapter as well as a member of the ASIS Pharmaceutical Security Council.
Scott Shaw, CPP, is director of corporate security, transportation, and disaster preparedness for AFLAC. He has over 25 years of security and business continuity experience with the U.S. State Department, U.S. Secret Service, Lucent Technologies, American International Group, and Aflac. He has provided security and business continuity planning in locations such as Italy, Russia, Mexico, Brazil, Korea, China, and India.
♦ Photo of the Chhatrapati Shivaji Terminus, which was attacked by terrorist commandoes during the 26/11 attacks, by Nicholas A. Smith, Jr., CPP, and Scott Shaw, CPP