When it comes to assessing risk, John Torres has the experience and global credentials to speak to the subject. Heading Guidepost Solutions’ Security and Technology Consulting Practice, he has directed multifaceted internal financial investigations for global and domestic clients; coordinated and oversaw the development of comprehensive compliance policies for international and tribal nation clients, and resolved numerous complex immigration and customs cross-border issues for clients. He has also overseen and participated in a host of investigative and fact-gathering assignments for private entities related to allegations of employee dishonesty, fraud, corporate compliance and governance, money laundering, human trafficking, and material support for terrorism.
Prior to joining Guidepost Solutions in 2013, Torres served as the Special Agent in Charge for Homeland Security Investigation in the District of Columbia and the Commonwealth of Virginia. His professional background includes more than 27 years of experience providing investigative and security management for the U.S. Department of Homeland Security (DHS) and the U.S. Department of Justice. Torres has served in numerous senior leadership roles for U.S. Immigration and Customs Enforcement (ICE). As its Acting Director from 2008 to 2009, he oversaw 20,000 employees and a budget in excess of $5 billion. In 1998, Torres was assigned to the FBI’s Usama Bin Laden Unit. He also led an INS Contingency at the 2002 Salt Lake City Winter Olympics.
I caught up with Torres in a recent phone interview where we discussed how the world is morphing as a result of the COVID-19 pandemic. He shared his perspective on the impact of global supply chains, risk preparedness, and C-suite strategies as the novel coronavirus shapes the new normal.
Steve Lasky – Right now we are seeing historic business disruptions from the enterprise level on down to the mid-size companies and the service industries. How do you assess the current COVID-19 situation in the context of the business as it relates to security?
John Torres -- In the context of my past career of 27 years as a federal agent and running offices in big cities from Washington DC, in Chicago, Denver, and New Jersey, I look at this from a security perspective and have seen it evolve over the years, especially after 9/11, where the security function was being elevated into the C-suite. The chief security officers should have had a seat at that table to help with the decision-making process. What you're seeing today in a crisis like this, especially when you're looking at a global pandemic, is that the security function comes into play with regards to protecting your people, the health and safety of your employees, as well as the health and safety of your business. You want to make sure you have protocols in place with regards to access control, visitor management. I’ve seen that evolve too; from limiting and restricting access to no access. But they included communications and ultimately, all facets of the business overall as we go forward because decisions are having to be made requiring a security assessment.
Lasky -- When you consider an enterprise security risk management strategy, what should the C-suite be looking to convey related to security and risk in order to keep the business functioning and to keep the product or services moving and also keeping staff safe?
Torres – You are seeing companies developing leadership response teams that work hand-in-hand with incident response teams. If some sort of incident were to take place that involves employees or assets today, we are seeing a leadership response team that brings in all facets of the business that now includes security. Security is taking a front and center role in providing guidance and protocols …. whether it's internal to the employees or external to your customers, your vendors, your suppliers.
Communication is a big deal. But you've got to take a look at your human resource department and assess if HR is coordinating hand in hand with security to ensure that people are following the new protocols that are in place restricting travel. That has evolved from limiting international travel to now restricting travel for most people domestically. Security is playing a big role in working in coordination with HR now.
There is another dimension related to new access control procedures. If you want to limit your vendor or supplier's contact, what protocol are you putting in place? For example, do you want to have a drop off outside the facility or set up for drop-offs where staff can disinfect or wait a certain amount of time before actually picking up supply materials and products? Security must be aware of what is being delivered and what is coming into the facility. Are you restricting visitors? Are you creating a separate entry and exit points?
In some instances, we have multiple clients approaching us now asking for help with temperature and thermal scans: looking at temporal scanning, mobile temporal scanning, or even passive scanning to restrict people who may be trying to enter a facility, including employees if the facility is still open. We recommend staggering shift times to decrease the amount of traffic that you have in the facility at any one time, and then perhaps limiting or restricting hours. Some of that can be done remotely. We have a managed services division in our company that helps with access and visitor control. Depending on the type of software or badges that people use, you can limit when those badges can access your facility. You can turn them off and on in shifts if you really need to get down to that level of control. It's an unprecedented time we're living in and we're basically putting a lot of things on the table with regards to security with the goal of keeping your employees safe and healthy.
Lasky -- When you create a formal ESRM plan, how do you leverage business with a GSOC or SOC to take all that operational intelligence and create an environment of situational awareness that can help formulate a plan to combat both the virus crisis and also outside factors that are going to impact their business and their people?
Torres -- As I mentioned, a lot of companies are already establishing leadership response teams that are requiring, at a minimum, a daily phone call. You may start a day with a phone call with the team that includes the leadership from all your offices globally or across the country where everyone weighs in with any change in status in operating conditions. As you go through the daily calls, the information is bound to change hourly, let alone daily, so we start the day gathering that intelligence and communication in order to make adjustments and pivot if necessary to get through the business day. This is all done while you're still trying to build contingency plans and plans for the future of your business, and while also managing the health and security and safety of your employees.
The second part of the answer revolves around you and a lot of other people setting up protocols for the continuity of operation. Any group plan is different from just practicing ESRM. A lot of people will spend a lot of time putting a plan together, but if they don't practice those plans and incorporate them into the entire enterprise then what you have is simply a document; a protocol that's really just a bunch of words on a paper that you won't have time to read in the middle of a crisis. You want to have a good solid enterprise-wide solution that you practice once or twice a year so that some of this becomes more like muscle memory. In a crisis, you need to know what each person's role is supposed to be and move forward with it because, in a pandemic, each day that you waste trying to figure out what you're going to do next could have serious ramifications going forward for your business.
Lasky -- How do you think what we are experiencing now, from a business and security/risk perspective, is going to impact the way people go to business following this pandemic? What is going to be the new normal?
Torres -- I think the new normal will see people taking crisis planning much more seriously because they now realize that things can happen very quickly. It's not always about a natural disaster like an earthquake or a tornado or a hurricane. It may be more isolated or more focused in a specific area or, like today, a crisis that is affecting us globally and shutting down commerce across all these countries. People want to be able to plan for this type of an emergency so that they are prepared and can maintain some semblance of continuity. Businesses that have realized that they can still operate remotely are going to want to be even more prepared for the next crisis.
