How Chief Security Officers can leverage external expertise to tackle new threats

Will Plummer, military veteran and Chief Security Officer at RaySecur, provides his insight on just a few of the threats businesses are facing today, what to consider when outsourcing security, the types of security services to look for, and what effective corporate security should look like.

Will Plummer, Chief Security Officer at RaySecur

Recent political upheaval throughout the US has brought violent protests, an increase in insider threats, and many other security concerns and vulnerabilities for businesses. This trend towards angry, reckless, and sometimes violent behaviour brings new challenges to Chief Security Officers (CSOs). Corporations need to ramp up security, and many business leaders choose to do so by outsourcing security to law enforcement and private security contractors.

The threat is real

When it comes to security for businesses, cyber security is usually top of mind, sometimes at the expense of physical security. After all, everyone knows that cyber threats are common and can devastate businesses. You only have to glance at the news to see recent major data breaches, cyber-attacks, and the shutdowns they cause. In response, companies pour tens of thousands of pounds and dollars—or more—into protecting their networks from threats every year.

Despite that, in 2021, there were 1862 successful data breaches in the US alone, which was nearly twice as many as in 2020. If cyber-attacks can get through the big-budget, comprehensive cyber security measures in most companies today, how much more will physical attacks bypass the half-hearted security measures brought about by limited budgets and resources allocated to physical security? And, unlike most cyber-attacks, physical threats can be life-or-death matters.

The first example of physical security that comes to mind might be your security team that guards your front door from threats, but the reality is that many threats today are coming in through the back door, so to speak. These threats come through unprotected and sometimes virtually unnoticed verticals, like mail and package deliveries.

When we think of mail threats, our minds typically go to explosives, but other mail threats are becoming far more frequent. According to one report, 57% of mail threats last year consisted of mysterious white powders or illicit drugs. Often, the powder goes undetected until someone opens the envelope and gets exposed to a potentially dangerous substance.

This is exactly what happened when Dr. Fauci got exposed to a white powder that came through a letter in the mail last year, which thankfully turned out to be harmless. In July, a government official in Utah received a white powder threat through the mail. Most companies are completely unequipped to handle these types of threats.

Then there’s the issue of insider threats, in which disgruntled employees or former employees have taken violent steps to make their displeasure known. These events are thankfully far less common than mail threats, but it’s still important that companies take steps to protect themselves.

All of these threats make it clear that most companies need better security measures. Thankfully, there are concrete steps that businesses can take to prepare and protect their companies from physical threats.

Seeking out security services

When it comes to outsourcing security, cyber security probably again comes to mind first. Many companies already outsource at least some services, whether the company has a third-party cyber security team or consults with an outside company to inform the company’s internal strategy. Such outsourcing provides multiple sources of independent security verification.

The same principles apply to physical security. Many companies already outsource building security to an independent company. Hiring an independent security team is a great way to protect the front door from intruders, but many businesses fail to take advantage of outside expertise in more specialised areas, like executive protection and mailroom security.

Another example is “phygital” security, meaning threats that bridge physical and digital security, as when would-be attackers mail packages with digital devices that are meant to breach a company’s IT systems. This is a concept of which most in-house teams will be largely unaware.

If you have a skill gap in your company in any of these areas, you may consider outsourcing security to law enforcement and security services experts. These experts can help you, for example, fill in gaps in your current internal IT and physical security teams and help you to protect the back door. Or you could have an off-site team that you consult with whenever there’s a suspicious package or a potential vulnerability that you need to address but don’t have the internal resources available and need expertise on demand.

Image credit: AndreyKuzmin/AlamyStock

Outsourcing security

With well-publicised staffing shortages making it harder for companies to fill security positions in-house, outsourcing to external security consultants gives businesses an opportunity to leverage years or decades of law enforcement and security services expertise without hiring new employees. But there are pitfalls and risks to avoid when you’re outsourcing security services and expertise.

Providing the necessary information: The first pitfall is failing to give your outsourced security team enough information or access. Companies can understandably fear giving outsiders too much information about their business processes and day-to-day operations. However, you can’t expect security experts to give you advice and direction tailored to your company if they don’t know what your struggles, pain points, and vulnerabilities are.

For example, outsourced security experts may need to know about your company structure and about your personnel on the ground in a given day to provide them with the proper context and background. Also, the threats your company may face may be distinct to your industry and client base as well, so you’ll need to share all of that information with your security service providers If you happen to have business continuity or incident response plans they must become familiar with those. If plans and processes do not exist, this is an area where an outside security firm can assist in the development of standard operating procedures (SOPs) for responding to those specific threats.

Communicating expectations: The second mistake to avoid is failing to communicate expectations at the outset. What do you want from your security team? What do you expect from your security consulting service or outsourced security experts? Are you hoping to patch external vulnerabilities? Detect potential insider threats? Many outsourcing contracts have built-in Service Level Agreements (SLAs) to formally address and document relevant expectations, so this is more a matter of making sure to communicate openly with the service provider to develop a comprehensive SLA that accurately represents both your expectations and responsibilities in the relationship.

Consistent coverage: The third pitfall to avoid is having a lack of coverage at different times of the day or week. For example, suppose your company has different security teams throughout different areas and for different service hours. There may be an A team that is fully informed and integrated into the company, but then a few hours later your A team hands off to your B or C teams, which are not particularly informed or taking advantage of outsourced expertise. During that time, your business is more vulnerable.

Ultimately, the goal of outsourcing corporate security should be to make your in-house team more effective and utilise all your security resources to the fullest. To do that, you need to continually keep a lookout for both external and internal threats. Many security professionals have decades of experience in the field. It only makes sense to leverage that expertise to protect your business from threats, especially during a time of increased risk.

About the author

Will Plummer is 25-year veteran of the US Army, where he earned a Bronze Star with Valor as a Master Explosive Ordnance Disposal (EOD) Technician, and commanded multiple Special Operations units with multiple combat deployments. He has an MA from the Naval War College and a BA from the University of California at Chico. Currently, Will is the Chief Security Officer for next-generation mail screening technology provider RaySecur. He leads the company’s physical security efforts, overseeing a team of EOD professionals, and managing clients’ threat mitigation efforts.