Monday, 23 January 2012

“Resilience”

The January 2012 article in ASIS International’s Security Management magazine has an interview with Dr. Stephen Flynn,  who is a major “think tank” guy and professor at Northeastern University in Boston.  Here’s one of his answers:

The Obama administration has not changed far enough. They’re tilting in the right direction, but I think more movement needs to happen more quickly.  To the credit of the administration, they’ve embraced the concept of resilience  - a public acknowledgement that every act of terror cannot be prevented and some capacity to respond and recover from them is necessary.  That’s difficult for political leadership to say, but the president and Homeland Security Secretary Janet Napolitano have said it, and that’s a necessary dose of reality.  The Obama administration has also gone a bit further than the Bush administration with the all-hazards recognition of the importance of what FEMA’s Craig Fugate calls the “whole community approach.”  I give them credit for recognizing that homeland security needs to expand beyond a narrow focus on terrorism risks to include the broader issues of all hazards and that there needs to be a greater degree of outreach and engagement of communities.”

Couple that with the latest issue of Inside Home land Security (Winter 2011) issue in which Dr. Dave McIntyre, VP for Academic Affairs at the National Graduate School and Visiting Fellow at both the Homeland Security Institute and WMD Center, wrote in his article: Reducing the Risk of Risk Management.  He said:

The traditional approach sees risk as a product of an attacker’s intent, the vulnerability of a target and the consequences of a successful attack.  In forecasting the risk of a natural hazard, likelihood of a disaster may be substituted for an attacker’s intent and capability.  Whatever system of calculation is adopted, someone (or some team) must place numerical values on each aspect of the calculation and then adjust the weight of factors for qualitative differences.  For example, if the calculation of risk to a warehouse and an elementary school turn out exactly the same, you might want to weigh the loss of children more heavily in terms of consequence, than the loss of materials (consequences).  Are Risk Management and management of risk the same?  Many experts say yes. But if Risk Management deals with cycles, processes and allocation of resources over time…then what do we call the day-to-day manipulation of available resources to meet threats?  Are police or security on patrol really risk managers?  Or are they managing the day-to-day risk?  Perhaps we need two different terms for these two different activities.

Thursday, 5 January 2012

Remember our fallen friends and colleagues

Last year, January 2011, two security professionals lost their lives and here is the brief I sent out. I am reposting it for all of us to remember our fallen friends and colleagues.

Mexico Intelligence Brief January 2011

Over the last month there has been another escalation with regard to supply chain security issues. Unfortunately the ongoing battle on the borders has claimed the lives of two security professionals. These gentlemen have been attempting to create a safe haven system in Mexico. The idea was to identify several key routes leading to the Mexican and U.S. borders.  Once these routes were identified the next step was to then create a network of safe havens. The safe haven approach is similar to the secure parking areas used in Europe.  It was conceived to protect company drivers (mostly U.S.citizens) should the driver perceive he/she was in any danger. The safe haven was to be stocked with food and additional suppliers to support a driver for several days and allow enough time to enable a response, in the form of a security extraction team, to arrive. It also was to have sufficient space to discreetly hide a semi truck and trailer.

The company the individuals worked for has had several security incidents during this past year.  The result was that they lost several priority customer loads. Regretfully the company's security efforts were being thwarted by an insider...an employee that had been co-opted and working for the cartels for nearly a year.  This co-opted employee was responsible for route planning and dispatching drivers to pick up loads. Security had asked the “trusted” employee to develop a list of misinformation with regard to route plans to try and confuse the cartels.  The misinformation was purposely leaked to individuals that were known to have been working for the cartels.  Of course, this approach was not working because the cartels knew all the true details from the co-opted insider. Information that was being disseminated related to high value loads.

Belatedly, after the two security personnel were killed, the company realized there was an inside leak and that is why they had been suffering losses in spite of their countermeasure efforts. They conducted an investigation and identified the insider who had been providing information to the cartels.

During an interview, the employee finally confessed to working for the cartel but claimed that his family was under threat by the cartel. This was sibseqiemtly found to be untrue.  In fact, the co-opted employee's family is currently living in New York and works in a Catholic Church, operating a child day-care service for the parish. The family is fine and under no threat according to authorities at the Church.  Church authorities explained they had known the family for years and they never displayed any sense of fear or appeared to be threatened in any way. Because this happened in Mexico the employee has not been brought up on any formal charges and the local police have claimed they have no idea what to charge the employee with, even though he is clearly involved in theft and murder. Since the interview with company security, the employee has "disappeared."

Details of how the cartel was able to target the foreign security personnel is not clear but both bodies have been recovered.

Analysis

What lessons can we learn from this unfortunate incident.

First, it is important for security personnel operating in Mexico to understand that if they are threatening or impeding cartel operations, they are potentially subject to being killed.  Security personnel operating in Mexico must take precautions and practice all security measures commensurate with the risks.

It is unfortunate that the company did not realize there was an insider earlier.  As is often the case, too many of the high value thefts were viewed, incorrectly, as being "bad luck" on the part of the company.  It is important to thoroughly investigate each theft and incident.  A good investigation could have uncovered the insider and potentially prevented two deaths and multiple high value cargo losses.

In fact, the majority of thefts and incidents in Mexico involve "insiders” who provide details to the cartels to enable them to successfully carry out their operations.  As in this case, when caught, the drivers or other insiders who have betrayed the company will claim they were under duress.  While duress does occur, in the majority of cases there was no duress.  The primary motivation for their actions is, very simply, greed.  Company security personnel should know that the "duress" claim is one the cartels recommend and train their personnel to use if caught.  They have determined that Western companies are sympathetic and are too often willing to accept this excuse.

Additionally, it was worth noting that the Mexican police are either incapable of, or unwilling to, adequately respond to insider betrayal.  If the individual has an opportunity, they will "disappear" so it is important to take immediate action and not plan on subsequent interviews or contacts.

Finally, it was sadly interesting that the "safe haven" concept was one that the cartels felt had enough merit that the individuals responsible for setting it up were killed.

A threat to supply chains in Mexico still remains a major security issue.