• Advertise
  • Subscribe
  • Forums
  • Buyer's Guide
  • Contact Us
  • Connect on LinkedIn
    1. Security Executives

    Challenges in Starting up a Physical Security Program for a Multi-National Corporation

    Dec. 9, 2024
    Global security programs face challenges as rapidly growing companies expand internationally, requiring security strategies to align with business needs and operational growth.
    Credit: roberthyrons
    Designing and implementing a robust physical security program is a significant undertaking, even for a single-site organization. However, when scaling these efforts globally, security professionals in multinational corporations face a unique set of obstacles that demand meticulous planning.
    Designing and implementing a robust physical security program is a significant undertaking, even for a single-site organization. However, when scaling these efforts globally, security professionals in multinational corporations face a unique set of obstacles that demand meticulous planning.

    Having the experience of rolling out numerous global security programs, we have witnessed rapidly growing and mature companies expand their operations across international borders and the associated challenges with security keeping pace with business needs and operational growth. The difficulty in establishing and maintaining an effective physical security program grows exponentially in situations where security cannot keep pace with business growth.

    We have also seen surprisingly large organizations with a mature environmental, health and safety function but little physical security. For multinational corporations, safeguarding people, assets, and operations across diverse locations with varying threat levels, cultures, and regulatory environments is complex. It requires a strategic, adaptable, and well-coordinated approach that can take years to build and roll out.

    Designing and implementing a robust physical security program is significant, even for a single-site organization. However, when scaling these efforts globally, security professionals in multinational corporations face unique obstacles that demand meticulous planning. This careful planning is crucial to ensure readiness and control, despite the most significant challenges in setting up a global security program. Some of these challenges include:

    • Understanding that the risks of the host country do not translate to other countries.
    • Adapting to security regulations that may not even be well-known or centrally documented.
    • Having to implement physical security processes without security professionals assigned to every location. This is just not a benefit even the largest companies experience.
    • The importance of security systems and ensuring devices are approved for network connectivity.
    • Travel Security and emergency planning.

    Risk Analysis

    The risks of the host country do not necessarily translate to other countries. For example, in the U.S., active attackers or active shooters are often the most significant concern from leadership, though statistically improbable. The active shooter risk hardly exists when you look at countries like Canada and the UK. The Canadian government’s workplace violence definition doesn’t even include the term weapon (Workplace Violence Definition Canada). Nor does the UK (Workplace Violence Definition UK). In the UK, there is more likelihood that the active attacker term is a better fit because there have been incidents of edged weapons and vehicles being used to cause mass harm, and the mitigation strategies for those risks are significantly different from that of a firearm. It gets even more complicated when trying to operate in countries without reliable law enforcement and organized criminals exert a lot of control over activities.

    Security Regulations and Standards

    Global companies must contend with local, state, provincial, national, and international regulations impacting physical security requirements. Laws and codes can vary widely, even within a small geographic region, necessitating careful attention to detail and customized security plans and protocols to maintain compliance. Failure to comply with these regulations exposes companies to fines or, in extreme cases, the suspension of business operations.

    Unfortunately, there is no central repository of security regulations. In a recent project, 200 global sites in over 50 countries were surveyed to identify local security regulations impacting their operations. The answers were all over the board and there was very little reliability in what was reported back, underscoring the difficulty for sites without a security professional to understand the local regulations that may apply to them. This is even true in the U.S. where it is common to find sites that are bulk shipping hazardous materials unaware of the transportation of hazardous material regulation found in 49 CFR 172.804 and the requirement for a security plan and training. A similar regulation exists in Canada under Transport Canada. It would benefit its members for an organization like ASIS International to take on the initiative to create a centralized repository of security regulations.

    Global companies must contend with local, state, provincial, national, and international regulations impacting physical security requirements.

    Security standards face similar challenges to regulations as far as a centralized database is concerned. Security consultant Michelle Chace compiled the most comprehensive list of regulations and standards. Michelle created a 10-page listing of security standards, which is quite helpful in this regard.

    In the U.S., the OSHA General Duty Clause 5 (a) heavily influences security programs 1, which requires employers to provide a workplace free from recognized hazards that could cause serious physical harm or death to employees. In the security space, this counts and applies to criminal and terrorist hazards. When you move outside the US, there is the concept of “Duty of Care,” which is a common law principle, arguably more inclusive than the OSHA General Duty Clause but with international applicability. Duty of care is generally enforced through civil litigation with damages determined by the courts versus a federal agency. Duty of care shares many of the same tests as the OSHA General Duty Clause and Tort Law Premises Liability application:

    • The existence of a relationship creates the duty
    • Reasonable foreseeability of harm
    • Proximity between parties
    • Fair and reasonable to impose a duty

     Achieving Effective Security with “Part Timers”

     Security is best developed and executed in a centralized manner rather than decentralized by region. It is more efficient and doesn’t leave individual sites or regions to solve the same problems and develop similar processes, which are inefficient and waste scarce resources.

    Once management establishes and approves the program, the challenges shift to implementation. It is nearly universal that most business locations do not have a dedicated security professional, so getting the program up and operational must occur through non-security professionals who have a “day job.” An entire article was recently published on this topic (SIW Training Article). The article provides insight into third-party sources of training.

    Another tactic that many companies choose is to develop their own internal training that can be loaded onto an internal learning management system. This allows for better control of the material, internal tracking of completion, competency assessments, and updates when needed.

    It is not enough to appoint someone as a security coordinator by title alone. It is vital that there is a proper program in place to ensure and verify competency in the minimum physical security skills to support the company’s program.

    Establishment of Security System Standards

    Setting security system standards is recommended for many reasons. Establishing standards around security systems will provide a consistent security posture across all global locations. A standard security system can efficiently manage and maintain the system and enable centralized monitoring, reporting, and incident response. Standardizing security platforms can result in cost savings by enabling discounts to be negotiated with software providers, leveraging economies of scale for procurement and deployment. Standardization reduces redundant investments and operational expenses (e.g., repetitive head-end software platforms). Standardizing on software platforms also better positions an organization to leverage a global security operations center (GSOC) This provides visibility into the organization's global security posture, facilitates proactive risk identification and mitigation strategies through alarm and video monitoring, and undoubtedly achieves risk reduction.

    It is common to find companies that have sold security devices unsuitable for network connectivity due to cyber security concerns. In the U.S., this has been addressed by the National Defense Authorization Act (NDAA), which cites certain brands of security devices that could threaten an organization’s network. The NDAA does not apply outside the U.S. Still, global companies would be well served to leverage system standards and limit devices connecting to a network globally without referencing the NDAA outside the U.S.

    Setting security system standards is recommended for many reasons. Establishing standards around security systems will provide a consistent security posture across all global locations.

    Concerning vendors, standardizing technology allows for vendor consolidation and the potential to identify a single provider who can serve as a global prime contractor for security installations. With a single prime contractor (sometimes called a master integrator) companies can establish a master service agreement (MSA) to govern the relationship taking care of both the commercial terms and the technical requirements. When an approved technology list is developed and made a part of the MSA and workmanship standards are included as exhibits, the MSA also significantly reduces the amount of work necessary when a specification or statement of work must be written for a project. One MSA exhibit essentially replaces Construction Specification Institute (CSI) Part II (Products), and another exhibit replaces CSI Part III (Execution). In some cases, it makes sense to have multiple master integrators where the workload is significantly demanding or requires a geographical focus. This may also preserve some competition otherwise removed from a sole source arrangement. From a vendor perspective, there is no question that standardization simplifies contract management and service-level agreements.

    It is important to ensure that any security technology proposed for use is coordinated through an organization’s IT department if it is connected to a network. Implementing standards allows widgets to get approved once without having to revisit the approval process many times for the same type of technology. From an interoperability and integration perspective, a standard solution enables seamless integration of disparate security systems and technologies and facilitates data sharing (e.g., identifying the source of truth).

    Finally, carefully selecting and standardizing technology allows for scalability, supports the organization's global growth and expansion initiatives, and allows for adaptability to changing security requirements and threats.

    Travel Security

    A global enterprise is going to mean global travel for employees. A physical security program should include provisions for keeping employees secure when outside the boundaries of facilities, an obligation under the OSHA General Duty Clause and Duty of Care. Common components of a travel security program would include:

    • Pre-Travel
      • Risk assessment and approval process.
      • Real-time enrollment capabilities (e.g., linking approved travel agencies to the program to monitor air travel).
      • Pre-departure education for travelers to advise of the threats and crime situation at the destination and to provide some basic behavioral “dos and don’ts.”
      • Provision of emergency contact protocols.
    • Travel Support
      • Tracking mechanisms to know where all traveling employees are at any point in time.
      • Security updates and alerts (for developing threats).
      • Transportation security.
      • Emergency protocols and potentially medical support for injuries and illnesses.

     Conclusion

     Global organizations face various challenges when trying to establish an effective physical security program. One fundamental challenge of a global physical security initiative is ensuring consistent standards, processes, and protocols are implemented across all sites, regardless of location.

    The path to building a quality physical security program for a multinational enterprise is paved with complex hurdles which include understanding that the risks of the host country do not translate to other countries, complying with potentially obscure regulations and standards, lack of security professionals, the work associated with establishing technology standards and having to protect employees traveling to potentially high threat locations. 

    However, global companies can proactively identify and address these challenges by engaging a security director or consulting firm with experience in these areas. Security advisors can develop and get approval for a security posture that protects the organization and enables global growth and operational resilience. By aligning security systems, processes, and protocols, companies can foster a security culture, enable greater visibility and control, and position themselves to respond effectively to evolving risks and challenges.

    About the Author

    Frank Pisciotta | Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc

    Frank Pisciotta is president of Business Protection Specialists, Inc., a global independent security consulting firm specializing in developing global security programs for multi-national organizations. The firm supports global clients with risk assessment and security design services including the specification of security technology in various sectors. Frank has managed over 5,500 security-consulting engagements in his more than thirty-five-year consulting career. Frank possesses a master’s degree in public administration and a bachelor’s degree in criminal justice and was board-certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is a past President of the International Association of Professional Security Consultants. Frank was the eighth person in the United States to achieve the Certified Security Consultant designation.

    www.securingpeople.com