A Guide to Corporate Security Program
When you hear the words corporate security, what’s the first thing that comes to mind?
Some will say, “it’s the protection of executives. Others will say it’s the protection of offices and facilities, and many others will say that securing corporations is a combination of both. The truth is, corporate security is all of the above and then some. A well-rounded security plan to protect corporations should consist of several security disciplines. We will discuss some of the most critical components of corporate security and the security disciplines that can help you improve or establish your corporate security program.
So What is Corporate Security
Corporate security is the protection of assets for corporations. Some large corporations like Google, Facebook, and Amazon have their own proprietary security departments. It is also common for corporations to hire local contract security companies to augment their in-house security. According to Business Insider magazine, some corporations spend millions of dollars protecting their business assets and executives. The identification of a companies assets set the tone for the design of its security plan.
A companies assets are divided into three categories – people, property, and information. These assets set the foundation of how the corporate security plan should be designed. Conducting an initial risk survey will allow you to further determine your firm’s specific assets and what impact a loss of the asset would mean to the organization. In security talk, this is known as “Criticality.”
A well-rounded corporate security plan may have:
- An Executive Protection department for their high-level executives
- Physical security for buildings – to include access control, camera and alarm systems and security guards
- Security plans, policies, and procedures on campus
- Workplace Violence plans
- Information protection plans
- Business Continuity plans
Many corporations have a Chief Security Officer (CSO) who oversees the overall security of the company. However, it is not unusual for each security department to have a security manager who is responsible for the unit’s operation and planning but still reports to the CSO.
Making Your Corporation a Formidable Foe
To effectively protect against risks to your business, your security plan should Deter threats, Detect them when they constitute a breach, and Delay them or Deny them from succeeding. As a last resort, your corporate security plan should Defend against any threat that jeopardizes your business’s safety and security.
Once a corporation’s assets are identified and prioritized, the CSO’s job is to deliver the information in a written report to the corporation’s C-Suite executives. The CSO must be able to relay the company’s security posture by pointing out its vulnerabilities. She must also get the C-Suite executive’s input and buy-in on security measures to protect the corporation or mitigate identified risks. CSO’s often find this the most challenging part of their jobs, as most C-suite executives are usually very busy and would rather relegate the responsibility to lower-level managers and executives.
It is not unusual for some C-Suite officials to avoid security conversations altogether because security measures can often be costly to implement or maintain. Nonetheless, if you want your corporate security strategy to protect your company against risks, your C-Suite executives, department heads, legal and security teams must understand the risks and agree on measures to mitigate them. A well-written risk assessment and regular meetings with the parties mentioned above to discuss alternatives and strategies will help make your business a more formidable adversary.
Protecting People, Property and Infastructure
C-Suite executives are what insurance companies call “Key-Men,” meaning that a loss or significant injury to the executive would have grave consequences to the organization. Many corporate executives have security personnel (Executive Protection Agents) assigned to them. The agents usually accompany the executives while traveling, attending meetings, events, and public outings. Companies like Facebook and Amazon provide residential security agents and services for the executives at their homes.
Some corporations hire security agents with prior experience in executive protection, law enforcement, or military services. Other companies hire executive protection agents from a local contract security company that specializes in protecting executives. In both instances, the protection agents are usually responsible for handling travel logistics, conducting risk assessments, security advances, route planning, and providing close protection for their executives when in public places. It is also common for corporate executives to have executive chauffeurs trained in evasive driving to transport them.
Proactive companies incorporate “Key Man Insurance” policies to mitigate the losses of their most important executives. Other security measures to protect high-profile executives include Kidnap and Ransome (K&R) Insurance which this author highly recommends, especially if your executives travel to other countries.
Protecting People and Property
Physical security must be a part of the security plan for your corporation if it owns buildings or leases office space. Physical security measures protect the corporation’s people (human capital), property, and information by adding visual and physical barriers around assets and physical measures to detect and respond to breaches. At a minimum, every corporation’s physical security plan should include:
- Access Control to keep unwanted people and vehicles out. Access control measures could include fences, doors, locks, key cards, bollards, guard booths, signage, alarm and intrusion systems, security checkpoints, etc.
- Cameras and Surveillance systems to detect intrusion in specific areas or record evidence for later use
- Lighting is critical to the protection of corporate property. Appropriate lighting on the face of buildings, in parking areas, along walkways, and on the perimeter of your property must be considered. Policy and schedules for maintaining lighting are also imperative. I recommend the Security Lighting for People, Property, and Critical Infrastructure Guide written by the Illuminating Engineering Society (IES) for guidance on your current or future security lighting.
- Security guards are an integral part of any physical security program. Often corporations hire local security companies to patrol property, monitor cameras, and man doors and front desks. Whether the guard force is proprietary or a contract security company, security professionals recommend that each guard has at least three years of security experience. Security professionals also recommend forty hours of annual in-service security training to keep your guard force sharp and up to date on current policies, trends, and issues in the security industry. Finally, we recommend that your organization has a concise Statement of Work (SOW), security policies, and post orders that outline your security officers’ duties and that experienced, competent security managers lead your security teams.
- Active shooters and workplace violence is no stranger to the corporate environment. According to the Bureau of Labor Statistics, 20,870 workers in the private industry experienced trauma from nonfatal workplace violence in 2019. An additional 453 U.S. workers were workplace violence homicide victims in 2018. These statistics, coupled with the countless tragic news stories over the past decades, should concern every corporation. Corporations, CSOs, security managers should be looking at their corporate security plans, policies, and procedures to ensure they include a Workplace Violence policy. It is also wise to have workplace violence training for all employees, beginning with the C-Suite executives, department heads, and managers. A workplace violence policy should include strategies and approaches to identify behavioral, personal problems, disciplinary issues, employee conflict, and emotional problems early. It should also include mediation strategies such as early warning measures, conflict resolution, and employee assistance programs (EAP). A security consultant can assist with developing your workplace violence policy and training programs.
Protection of Information
Information, products, and trade secrets are the lifeblood of any business, so your security plan must protect them from getting into the wrong hands. Information is best protected by:
- Access control and surveillance where sensitive information is maintained
- Drafting policy for the use, handling, and disposal of company information and information with intrinsic value
- Background checks and security clearances to access certain information
- Conducting regular Technical Security Countermeasure (TSCM) sweeps of executive offices, conference rooms, and off-site meeting locations.
- Having a proactive cybersecurity team and program to identify cyber threats, malware, and ransomware before they impact the company computer network. Your information security program could also benefit from a cyber security policy and training to instruct all employees on your computer systems’ safe and appropriate use. The policy should include prohibited activities. I also recommend procedures for opening external emails and files and visiting websites.
Business Continuity Plans (BCP & COOPS)
Business continuity plans (BCPS) also known as (COOP) Continuity of Operations Plans are designed to get the company back up and running or keep it running should it suffer a catastrophic loss, i.e., fire, earthquake, hurricane, tornado, ransom of data, cyber attack, loss of a key man of the business, or other unexpected but devasting loss. Strong business continuity plans include succession plans for loss of key people, off-site backup data centers, alternate means of communication, off-site satellite offices where work can be continued if there is a loss or damage to the main offices. COOP plans can also include insurances such as K&R and keyman insurance, and other insurance products to hedge against and compensate your corporation against losses. You may be able to find a good COOP template to help develop your plan, but ultimately COOPS are specific to your organization. Your company risk assessment will provide you a baseline of what needs to be protected, it will be the CSO’s and the C-Suite executives’ responsibility to determine how.
Corporate Security is not a one-prescription cure-all remedy for the security challenges a corporation may face. A well-rounded protection plan for corporations must protect the people that work for the corporation, its property, i.e., vehicles, equipment, its buildings, and other tangible assets. It must also protect the information and processes that the business utilizes to make money. When developing a corporate security plan it must be a joint effort between the CSO, the corporation’s legal team, important department heads, and most importantly the C-suite executives. The corporation must be looked at as a whole, identifying what its assets are and ranking how critical of an impact the loss of the asset would be to the organization. Once the risk profile and vulnerabilities are identified the team can begin creating security measures to protect the organization from threats. By including a BCP or COOP your organization will also be able to recover if the business itself takes a major blow from a security incident.
For more information on corporate security measures to protect your corporation or to hire a security consultant to assess your security posture or provide security services feel free to contact us via phone at 301-423-2636 or email us at firstname.lastname@example.org