G4S leaders discuss critical infrastructure security
James Thorpe
Share this content
James Thorpe, Editor of International Security Journal, chats critical infrastructure with G4S’s Noah Price, Alistair McBride and Jane Fairweather.
What is G4S’s involvement in critical infrastructure security and what are the risks and threats faced by your customers?
Noah Price (NP): Critical infrastructure is something G4S specialises in.
The risks are higher and there’s more complexity, thus requiring a mix of skills and the ability to pull together the right controls, people, processes and technologies to develop an integrated solution.
In this sector, it is important to set the right conditions for success.
By its nature, if things go wrong in infrastructure, they go badly wrong. Therefore, customers require the highest quality services partner.
G4S offers every conceivable security service when it comes to creating the overall deterrence effect. We provide access control, guarding, alarm monitoring, fire suppression and more.
We have 25 categorised services, but when it comes to critical infrastructure nothing is off limits.
The whole team will be able to tell you about the variety of requests we’ve had from critical infrastructure customers because they require a quality level of service.
When delivering that integrated service, it all comes down to partnership, meeting customer needs and keeping them safe and secure at all times.
Alistair McBride (AM): There’s no limit on what customers will ask us to do.
Jane and I are often surprised by the short notice requests we receive, often for challenges we were never expecting.
A key part of our customer relationships is the partnership arrangements we build with them. What the customer is buying is not just our services, but our expertise.
If they wanted to provide the solution to a challenge, they would have to source this expertise, which is costly and inflexible.
As a result, we have been asked to provide a range of services, from vetting, incident response and drug and alcohol services to medical response and other emergency control activities.
Not only are we seen as a company that can go and get the information required to build the intelligence for a particular scope, but we also provide the people needed to offer total protection.
While threats in the UK are categorised by the government, risk varies from customer to customer.
It all boils down to protecting reputation. You may have a relatively minor incident that only breaches one layer of security, but this may still have the ability to undermine trust in that organisation.
To ensure effective protection, the security overlay has got to be sufficient.
Although somebody may only have breached the first layer and another seven haven’t been compromised, we have to be conscious about what the perception is.
How does G4S ensure compliance with regulations and standards related to infrastructure protection?
Jane Fairweather (JF): If you’re looking to work at large nuclear power stations as an example, you will go through the normal G4S application process and progress through a vetting process to ensure that only those that meet the specified criteria come and work on that particular site.
We also engage with the customer in the vetting of contractors on some contracts.
Engaging with customers and contractors to ensure that we’re all working together to meet standards is very important to us.
The audits that we do are detailed and we work closely with our own Assurance Team.
My mornings are often taken up with discussions around assurance, making sure that in delivering our services we are able to evidence that the steps that we are taking are the right ones.
Knowledge of the rules and regulations of the industry is crucial as is being open to development and learning from any mistakes.
We encourage this transparency from the ground up.
We have what we call our ‘Site Manager Application’, where our officers are encouraged to report any issues – safety issues or security incidents – and the customer has sight of this.
It’s not just a case of our team reporting these incidents and then passing it to the customer on a monthly report, we are reporting them daily, onsite and in real time.
NP: Transparency is so important. I can’t emphasise how important partnership is when it comes to securing critical infrastructure – that’s G4S’ real distinction.
If you look across the spectrum of service delivery from a tick in the box insurance job right up to critical national infrastructure delivery, at the latter end of that spectrum, you have to have partnership because it’s got to have trust both ways.
We often deliver to an output specification or an outcome specification.
Our major nuclear project has got just a small handful of KPIs which are resourced and delivered to these effects; they’ll be measured against nuclear standards and more.
It’s up to us as experts – and we’re trusted by the customer because of the partnering – to resource in the most appropriate way.
AM: In practical terms, the customer’s got the same information we’ve got.
When we’re dealing with something that a customer can see, they understand the processes we’re using and are free to ask a couple of questions.
However, we also understand what our limits are – when we get to the edge of our decision making, we can then refer to the customer and get their perspective. It goes both ways.
Can you highlight any key partnerships G4S has with government agencies, other firms or technology providers in the sector?
AM: In this sector, the customer holds all sorts of relationships with the government as part of their duty.
If you take the nuclear new build sector, for example, G4S will work on behalf of the customer with the Office of Nuclear Regulation, to help them understand what it is we are doing to keep that site secure.
Obviously, the customer leads on that relationship, but there are many occasions where we speak directly to the regulator.
Outside of a nuclear setting, we have to work with, for instance, building contractors to manage the flow of people, resources and materials around these particular sites.
If we did these projects without partnering with organisations, then the whole thing would fail and become very inefficient.
What training programs does G4S provide to personnel to prepare them for the challenges of protecting critical infrastructure?
JF: High level G4S training starts when somebody does their first day of work, whether it’s on a critical national infrastructure site or whether it’s for one of our smaller contracts.
We have a series of mandatory training modules that everybody is expected to do.
But, we also have bespoke packages for each different contract that can be tailored to what our staff need to deliver.
We have specialist courses for enhancing our security professionals.
Here in the UK, they’ll have their normal SIA licence, but we will train them to a higher level and we’ll give them great instruction when it comes to physical intervention or dealing with conflict, for example.
We’ll help them focus on threats that we face in that particular area, which aren’t the same in every piece of work.
In addition, we have our own libraries and online toolboxes that we can use to brief our personnel on key issues.
We’re constantly re-engaging our teams in what we need to refresh and upskill them in.
The purpose behind this is to make sure they can do their role with confidence.
We utilise agencies for training and have a whole gamut of online resources for G4S as a whole that people can dive into.
What we find is that sometimes leaders aren’t the best to train people because they aren’t the experts in a particular area. It’s about tailoring training and process to the people that you have on board.
We have robust training procedures which we monitor and these are subject to audits.
AM: One of the things I want to jump in and mention is the Enhanced Security Officers (ESO) Standard which Noah bought into the business.
This standard was designed to meet the needs of infrastructure customers who wanted something different from the standard SIA training.
This is accredited and can be delivered by any organisation that has the correct accreditations.
It’s designed to give security professionals the ability to manage and respond to incidents in a better way.
NP: Enhanced Security Officers understand the unifying purpose of what they are there to do, rather than just responding to a set of assignment instructions.
Things will go wrong – this is inevitable in any scenario. But, because they understand the ‘why’ and they understand the parameters within which they can operate, they can find solutions around problems.
This massively enhances the productivity and overall service that our ESOs are capable of providing.
Is there anything else you would like to add?
NP: I feel that the spectrum analogy I mentioned is valuable.
The attrition at the other end of the spectrum is high.
The industry standard is 30-40% attrition, year on year, of staff.
For the World Security Report we surveyed 1,775 Chief Security Officers globally and it showed that resoundingly CSOs want a different calibre of security professional as we become more technically enabled.
These individuals are harder to attract and harder to retain.
On the critical infrastructure side of the spectrum, the attrition is less than 1%.
There’s a huge difference between both ends of the spectrum. It speaks to the engagement of the ESO training.
Leadership is a critical factor. Everyone in Jane’s world is well-led. It’s not just about pay, it’s about multiple factors that lead to retention and engagement.
One thing we hear from customers, when we take over contracts from the other end of the spectrum is: ‘I’m too busy because I’ve got to manage my security company and get them to do what they should be doing’.
What we’re doing, however, is releasing the customer to get on with their job.
This all comes back to partnership. The customer can focus on what they need to do and we’re empowered and trusted to do what we need to do.
Some of our nuclear customers have adopted what the IT industry calls the ‘Thin Client Model’.
There are far more Tier 1 suppliers than there are of them. They’re utilising the power of the Tier 1 partners’ knowledge base.
AM: Another incentive for our security professionals is that they can see a career path.
People diversify; they go from working as a security professional to working in screening and access control. Towards the end of their career, they start becoming heads of security and resilience.
We work closely with our customers to map that security career out and establish a clear path for people.