For our latest interview in TrackTik’s influencer series, we sat down with renowned security consultant Don Aviv to discuss why everyone in a company needs to be invested in security. Don is the President of Interfor International, with extensive experience in physical security, risk management, crisis mitigation, investigations, and intelligence gathering. Mr. Aviv is a Certified Protection Professional (CPP) and a Board Certified Physical Security Professional (PSP). He is also a certified New York State Private Investigator and Security Officer and most recently attained certification as a Professional Investigator (PCI, Professional Certified Investigator).
In what ways is a company’s reputation at risk today?
Don: From my perspective, companies are facing unprecedented reputational risk, which is much more prevalent than even a few years ago. Companies must be concerned with issues stemming from their core business offerings in addition to employee issues, especially in the age of the #MeToo movement. Companies increasingly have to pay attention to employees’ public statements and their behavior while at work and afterward. An employee who exhibits poor conduct or engages in illicit activity could cause significant reputational damage even to a leading tech company or service provider.
Companies need to focus on training and advising employees about proper and improper behaviour on the clock and off the clock. That goes for business partners and vendors as well. Many companies need these policies and procedures in place for their employees in addition to suppliers and vendors. Contractors and those working from home must also be considered. It’s no longer just a matter of corporate headquarters.
For example, a Fortune 500 company we’re investigating is facing possible reputational harm because of its relationship with a PR firm that engaged in untoward activity after hours at a tradeshow. Our client is not technically involved in the altercation, but once word gets out, the public will only remember the company name, not that of the PR firm.
Internationalization is on everyone’s mind today. What special challenges do international operations pose for a company trying to protect its reputation?
Don: Internationalization clearly amplifies reputational and security risks – I would say almost exponentially because you’re now dealing with places that may not have the same rules and regulations as the company is accustomed to. You may be dealing with an employee or vendor working under different rules and regulations. A field office in India or Dubai has vastly different expectations than in Canada or the U.S. This is becoming more cumbersome and problematic as companies seek to move aspects of their businesses offshore.
Interestingly enough, companies in the U.S. are now having unique issues with Canada following its legalization of marijuana. Canadians are being asked by U.S. border control if they have ever smoked the drug. If you’re not a U.S. citizen, you don’t have an expectation of privacy; you have no rights. If Canadians answer in the affirmative, they may be turned around and potentially barred from entering the U.S. for a significant amount of time. The CEO of a Canadian company was barred from entering the United States to visit his field offices because he admitted to an act he thought was benign. This is something companies never had to deal with in the past.
Where is a business most vulnerable?
Don: My belief as a security and business consultant to global entities is that the greatest vulnerability remains what it has always been and will always be: employees. Humans, especially a company’s senior management – consider Harvey Weinstein and Robert Kraft – still represent the weakest link from a security and compliance standpoint around the world. No matter how we improve technology and systems focusing on compliance, the human factor will always be the greatest vulnerability. I don’t see how that will change as long as we rely on humans for certain jobs.
What is a company’s minimum due diligence when it comes to security?
Don: At a minimum, security should become and has to be a critical aspect of any corporation, from the board level down, with uniformity of expectations and beliefs. Our security assessments around the world show the common factor for companies not performing well in the security space is that lay employees do not have the same expectations, knowledge or beliefs about security as management. All employees should understand how secure the organization needs to be to succeed, and the appropriate steps toward that, whether it’s universal background checks, locks, alarms, training or awareness – all to be assessed and understood at the board level and disseminated throughout the corporation.
You could spend millions on training security officers and adding technology, but if employees leave back doors open when going out for a smoke, it won’t matter. Employees act this way when they don’t have the same expectations, beliefs or understanding of what is required. Uniformity of knowledge and expectations is critical when it comes to securing any organization.
A recent security assessment for a Fortune 100’s corporate headquarters that spent tremendously on security officers and technology found lay employees breaking every rule in the book because they either didn’t appreciate the severity of their actions, or simply didn’t care. Attitudes like that result in millions of dollars wasted on security.
What roles do data and analytics play in a business performing its due diligence in security?
Don: Data, in general, is the new frontier of security. Most analysts and experts in the field look at data and how powerful it is and how it could be applied in a variety of unique and interesting ways. Giants like Google, Amazon, Apple and Microsoft value the data they house almost more than their intellectual property.
It’s next to impossible to remain hidden or to bury an issue from the past, both professional and private, in an age of social media saturation. A proper due diligence program needs to identify, analyze and assess data sources around the world. Five years ago, our comprehensive due diligence investigations entailed significant time in the field and on the phone conducting spot investigations. For today’s background checks, investigators rarely leave the office because everything is found through digital means. When it comes to data and what’s coming into and out of your company, individual employees’ actions are critical and becoming a specialty field in the security world.
How are decision-makers in the physical security world using numbers to improve their security?
Don: Everything has become more numbers driven. In this age of consolidation and acquisitions, security companies and their services have become commodities. Almost every type of security company – whether software, hardware or service – has become a commodity. You’re seeing more MBAs and business executives running security companies than ever before. I think this is a pure extension of how numbers are driving the industry. In the past you’d have a rock star security professional or military general or law enforcement official leading entities; now you’re seeing business executives taking this role.
Can you give three words of advice for a CEO and three words for a CSO when it comes to physical security?
Don: For these two questions I’ll be a little cute, but for good reason. For a CEO, I would say plan, plan, plan. For a CSO, I would say collaborate, collaborate, collaborate. The reason is that CEOs are, quite frankly, rarely involved in physical security, and that’s a problem – they need to be intimately involved. It’s not sexy or exciting. It’s all about locks, alarms, doors, and guards. Guards are not something a CEO wants to deal with and that’s part of a problem we’re seeing in the industry.
CSOs have become silos unto themselves. Typically, a CSO will run physical security but not cybersecurity. A CSO will only handle certain geographies or certain business units or certain aspects of a business – which is also a problem. They’re not bringing in enough talent, intellect and skills from others, either internally or externally. I’d love to see CSOs collaborate a lot more with others and understand the importance of doing so. CSOs should to be willing to have conversations with security experts, industry movers and thought leaders who are not necessarily coming from a military, law enforcement or government background.
Closing Comments
Don: When it comes to security, organizations should think more broadly now – beyond their individual worlds in this age of globalization. That should be a focal point in coming years.
For more information about Interfor International, check out their website.
Follow Don Aviv on Twitter and on LinkedIn for more insight into the security world.