“Every security professional should study business”: Malcolm Reid of Brison LLC


Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
August 1, 2019


“A strong voice for standards in the security field and expanding the profession by coalescing expertise in regions struggling with security issues.”

That’s how Malcolm Reid, founder and MD of Brison LLC, was described in his successful nomination for the thought leadership category in our Security and fire influencers 2018. His advocate continued: “There is no doubt in my mind that he is indeed among the most influential people in the security field globally.”

We spoke to Reid, a thought leader in risk management and organisational resilience, about his career so far, his advice for up-and-coming young security professionals, the value of continuous education – especially in business – and the shortcomings he typically observes in clients.

Find out more about Malcolm Reid MS, MBA, FBCI, CPP, CFE, CBCP on his LinkedIn profile. Brison is a full-service operational risk training and consultancy firm with expertise in business continuity and security management.

IFSEC Global: How did you get into the security industry?

Malcolm Reid: I graduated from West Point, the US military academy. After a brief stint in the military I decided to move into the corporate sector. I studied engineering at West Point but while being interviewed for an engineering job by a telecoms company, they said: “This guy is really suited for a role in security” – so they gave me a shot as security manager.

The rest, as they say, is history. I got the role and learnt along the way.

IG: Why did they think you’d be suited to the security industry?

MR: The people who interviewed me were engineers as well. My mind was quite logical – they liked the logical solutions to problems they put my way.

Security in their company was managed by retired police officers. They wanted a change, new ideas, someone with an engineering mindset. So, they found I had those skills and also had leadership potential, having been trained at West Point.

They said I had what they considered to be the look and aura of a security professional. It was about confidence to some degree and earning the respect of security staff and general employees alike. The guys you’re leading are much older, been in the company, say, 30-plus years.

IG: So tell me about your career since then?

I spent a number of years with that company and moved on to manage health and safety – so I did OSHA, IOSH, NEBOSH – as well as risk management, insurance administration and network fraud detection.

I went on to get my CFE – certified fraud examiner – then they said: “We don’t have a proper disaster plan for the company.” So, I did my research on how to transition that disaster management mindset into a business continuity mindset. I supplemented my skills base with more certifications and graduate degrees… I studied for the Henley MBA programme from the University of Reading in the UK. And I completed a master’s degree in information assurance from Norwich University in the US.

Earlier this year, I completed a master’s in business and organisational security management from Webster University.

After working with a telecommunications company, I worked with an investment firm. My role was the head of security and continuity management. I was also responsible for all investigations, for example, those related to fraud.

I moved on after six years or so to start my own consulting firm: Brison. Within a few years, I made the decision to take Brison on the global stage and I began consulting for international clients.

“I completed an assessment of Trinidad and Tobago’s entire critical infrastructure”

One of the projects I completed was a country assessment of Trinidad and Tobago, its entire critical infrastructure: water, ports, finance, you name it. It’s an energy-producing nation.

It took a while, was a very intensive exercise. Colleagues in the US who have experience with critical facilities said it was impossible: “you should seek more resources to get this done”. I wanted to show them that it could be done within cost and within the time frame. I presented to the client and stakeholders, and everyone was quite pleased with the outcome.

They were able to use this information to guide the country’s recovery strategies in the aftermath of a disaster. In other words, it assisted them in determining where they should apply resources to get critical systems back up and running in the shortest possible time should a disruption or disaster occur.

I’ve also helped global institutions do enterprise-level work in business continuity. And I’ve done security risk assessments for one of the major methanol producers.

I have done some work in academia as well. I’m very much involved in helping the next generation of leaders, straight out of university.

I speak about the dangers of engaging on the internet as a young person, but also the opportunities for a career in cybersecurity and how they tool themselves – from elementary school all the way to graduates.

It’s a very lucrative field, a field that requires the best minds.

So I’m a consultant, I’m an adviser, I’m an academic, I’m a practitioner, but I’m also an industry advocate.

IG: You’re a busy man!

Very busy. I’m on vacation and still working…

IG: What advice would you give a young person starting out in their security career?

One, find yourself a good mentor.

I didn’t have a mentor, which is at odds with what I’m saying. So I made mistakes along the way and learned from them.

But some of those mistakes, it’s like rolling a die. If they were more serious, they could have ended my career.

I think every security professional should also pursue studies in business. Some security professionals believe the security manager’s role is to put measures in place to minimize losses. But the role of a security manager – if you look at the bigger picture – is to also protect the reputation and resilience of an organisation. Subsets of that could include protection of assets, including people, facilities, information.

We’re not just here to talk about locks, lighting, intrusion detection devices and CCTV; the security professionals of tomorrow have to go beyond that.

A young person should also pursue certification in technical security. When you’re talking to the C-suite – your CEO, CFO, chief risk officer, chief administration officer – when they ask you a question, they expect you to be a subject matter expert in security.

You also need to understand that the business is in business to make money. If the business produces widgets, your role is to protect the company’s ability to produce these widgets, and its reputation. By understanding that, you are much more valuable to the company and to the industry at large.

“The average security professional doesn’t really have a grasp of the business context”

But the average security professional doesn’t really have a grasp of the business context. They may be technically competent, based on their experience in some particular field, like law enforcement. But I think they have to be focused on business as well.

Networking with like-minded professionals also adds value to what you do. One reason that I am successful is the fact that I’m married to a fellow security and risk management professional. She is also highly qualified and certified. We met at the military academy at West Point. There is an old proverb that says: “If you want to go quickly, go alone. If you want to go far, go together.”

So our dinner conversation is not just “how was your day today”. It can be about some of the risk frameworks, or on how we are converging cybersecurity with physical security. We often present together at conferences.

It is like being in a think-tank 24 hours a day.

Horizon scanning is also very important for a young person getting into the industry. If you don’t know where the trends are going, it will be very difficult to put any plan or programme in place or be of any value to a company.

The security manager of tomorrow has to plan and invest to protect against something that may happen in the future.

IG: What shortcomings and vulnerabilities do you most often identify in your clients?

I see a lack of focus on, and understanding of, business objectives by security professionals. And a lack of focus on risk management by business leaders.

Not understanding your risk profile makes your system much more vulnerable, because it does not have the requisite protective mechanisms.

Technology is constantly evolving and there’s a convergence of cybersecurity with physical security, with business continuity. Ransomware can shut your company down.

I’ve seen what I would call an inappropriate balance of technology and humans deployed – having too much of one [and too little of the other].

Companies sometimes lack properly trained security staff – whether in house or outsourced. They’re [often] not properly trained in the company culture.

The weakest link in a company is the human component. You can ‘hack’ people: reaching out to someone to get an insight into the company, studying social media accounts… A ‘social engineer’ can hack people by calling them, saying: “Hi, I’m calling from Acme Regional Bank. I just saw your account is locked – please give me your username and password and I’ll reset it for you.”

They don’t understand what to avoid clicking on. Bringing your own device, BYOD [creates vulnerabilities].

Working remotely, say in a coffee shop, poses a threat without protective VPNs. There are also a host of other related risks as well.
