Episode #7: NGO Security Management
In this episode I have the pleasure to chat to Liam Strang, the Global Head of Security and Crisis at Sightsavers. Sightsavers is a pretty cool organization. It's an international NGO that works to prevent and cure avoidable blindness, and it promotes equality for people with visual impairments mostly in developing countries.
Now, this is obviously cool in and of itself, but what I find really interesting is because of the success in relatively stable parts of the world, their mission is now compelling them to work in increasingly riskier jurisdictions. And to cope with this Sightsavers has evolved highly integrated program and security functions. Listen as Liam shares his experience working within this sector.
Information about this episode and other industry news and insight can be found here on our blog, the Trubshaw Tribune. If you'd like to be kept up to date about future episodes, please subscribe to our newsletter.
Audio Transcription
[00:00:53] Sean: So, on that note, Liam, welcome. Thank you for joining us. How are you doing?
[00:00:58] Liam: Yeah, I'm good. Thanks, Sean. How about yourself?
[00:01:00] Sean: Yeah, yeah. Not too bad. Not too bad on this cold, cold morning. Liam, so I guess the first question that everyone is wanting to know is how did you get into NGO security?
[00:01:12] Liam: Yeah, well, thanks. It's an interesting question. It's one I actually get asked quite a lot. You know, I think, NGO security is very much within a niche, but it's obviously quite popular. There are a lot of very talented, very committed people who want to use their skills in the NGO business. To be honest, I got into it through a little bit of luck. I was looking around for the next steps in my career and I, I remember saying to my wife at the time, you know, I'd love to do security for NGOs. At the time, honestly, I didn't really have any idea how to get into it. I'd never worked in the humanitarian or the development sector before, so what I did and what I was fortunate to be able to have was quite a few contacts who had made that jump already. So, I spent a bit of time just catching up with them and I was looking to make my next move and I'm learning a little bit about the sector and everything like that and learning what it was actually like in practice and, some of the pointers of where to look. Even then, I would say it took me probably a good seven to nine months of job hunting before I actually found an opportunity. You know, there aren't a huge amount of opportunities in the field, necessarily. It does take a little bit of time. It does take a little bit of patience. I certainly would have moved maybe to something more corporate for a while if nothing was coming up. But I was quite lucky, and I was a little bit of right place, right time but certainly things like LinkedIn and all the, the job boards, you know, GISF, relief Web, um, et cetera, all that kind of stuff are good for, for finding this, but it does, it does take a bit of time. It's not the kind of career move I think you can make overnight just because of the, the scarcity of the positions.
[00:02:39] Sean: So, for those who haven't worked in the NGO sector, there is actually quite a bit difference between managing security for NGOs as opposed to others say projects or, or corporate security. how would you describe that difference?
[00:02:54] Liam: Yeah, it's interesting. I mean, I think a lot of the time, you know, there are actually obviously some core fundamental principles of security management that go across and hold true in all sectors, and, and in some ways, don't get me wrong, I love NGOs and I love working for the NGO sector, but they love to invent new things sometimes. And they do love to, to do things just in a slightly different way. And sometimes you do look at it and say, well, okay, just because it's a large corporate doing it doesn't necessarily mean it's not going to work for us, you know, from first principles. So, they do like, they do like that, but it is a very different industry. All industries have their, you know, specifics. There are some different ways of doing it. I mean the first one has honestly got to be resources. Your resources in an NGO are going to vary massively depending on what you're working on. Obviously maybe like a small kind of rights-based NGO with 200 staff versus a large, multinational, humanitarian response agency are worlds apart. They're both NGOs but really, I mean, if they were corporates, you wouldn't necessarily compare them, but they're worlds apart in terms of the resources. But I think as a, as a general principle, you obviously have to try and make do with a little bit less than what you might otherwise have available. And also, some of the traditional approaches that we might use for example, hard targets, really hardening the target, armed security, armoured vehicles, really kind of visible deterrence focused security measures, they're not really suitable for NGOs. Both for a cost reason, but also from a profile and a branding standpoint. NGOs are obviously very conscious about the position that they have in the communities in which we work, the work that they're trying to get across and getting that acceptance and buy-in from the community organization. Now, obviously going around with armed security and being that kind of very visible standoffish security model, it just doesn't work for them. You couldn't even apply it even if you wanted to, you know, it would fatally undermine all the projects. Your own staff would hate it. It would just run absolutely counter to the ethos. So, if you're going in, you have to kind of really go for this sort of low profile, community-based acceptance risk management. Now sometimes obviously you have to do that with resource constraints and things as well, but there's also a fundamental some stuff that you would normally use, even in quite high risk and extreme environments is basically off the table because your key partners, your key customers, your own staff members they just won't go for it.
[00:05:08] Sean: I think Sightsavers itself is a really interesting example. You guys have had such success in what you're doing. For our listeners, can you explain what you guys do?
[00:05:19] Liam: Yeah, sure. So Sightsavers is a kind of medical and health-based NGO. We focus on about three main areas of work. So, the first is your kind of classic eyecare. So, things like refractive error, cataract surgeries, that kind of stuff, and ocular health. The second is looking at what are called neglected tropical diseases. So that's a subset of tropical diseases which are, clue's in the name, which are neglected, which we're working with a lot of other NGOs and the WHO to try and eradicate. And that's increasingly in some more challenging and adverse environments. And then the last major strand of our work, which a big strand for us now, it's looking at rights for people with disabilities. So, things like inclusive education, inclusive workplaces, things like that. That's the kind of third strand of our work. So, we're in about probably over about 40 countries spread across Africa and South Asia. I've been working on the team now for a couple of years and yeah, it's a great organization. Does a lot of great work. I think.
[00:06:14] Sean: And I think, when we've chatted previously, what really blew me away is that because of your organization's success all of the low hanging fruit has already been achieved and you’ve really hit your mandate you're having to go to more higher risk areas where the public services just haven't been there. Which then necessitates more of a security preparation, which your organization is quite progressive in its application of. But it's also quite interesting, you chat a bit about acceptance being a key part of NGO security. The flip side to acceptance is really providing something tangible for the community. Because the community is only going to support you and provide you with that security if they're feeling that they're getting something from it which kind of helps Sightsavers, I would imagine, because it's that tangible benefit. It's quite neutral. You're saving someone's eyesight and you're there for quite a while as well and so, I can imagine that you have to invest quite a lot of time in your local resources, your local human resources as well.
[00:07:17] Liam: Yeah, absolutely. I mean the interesting thing about acceptance is, and I think you're right, you know, based on the kind of work that we do, we probably do benefit from a fairly high level of acceptance generally. We don't really work in very controversial subject matter areas where we might be encountering tension between certain parts of the communities and things like that. The work we do inherently comes with quite a lot of buy-in. I think there can sometimes be a bit of a risk for NGOs that we kind of assume that we have that acceptance, and we think, okay, it's NGO work. We're doing development work and humanitarian work, it's all great. We're going to have this level of acceptance right from the off. And that's not necessarily the case. In fact, to be honest, it's not the case at all. You need to be really sure that you've got it in advance and what you're saying about the local resource, it needs to be maintained. You can't just start off a project and say, right, we've got very high levels of acceptance ‘let's get started’ and then, four or five years later, you're still working on the basis that everything's the same. You need that dialogue, that understanding of the real local environment, of the national staff you're working with, the national partner organization you're working with, all the key actors that are present for you. You need that and you need to really be on top of it. And it needs that local resource, and it needs that local understanding. For the best will in the world, you know, someone like me, I'm on another continent several thousand miles away, et cetera. I can't give you that kind of flavour of the local dynamics and really have my ear to the ground on that. So, it's something that needs to go through all the project teams, that goes through all your, all your staff who are operating in these places. Having their awareness about that and just maintaining that buy-in and relationship. Because if you just assume that you're going to have it just because you're an NGO and you've got an NGO agency sticker on the side of the vehicle, that's a recipe for disaster actually.
[00:08:54] Sean: And I would imagine that some NGOs, as you say, rely heavily on acceptance, and go almost to the extreme of issuing and, and voiding security management either as an ideology or as a cost saving mechanism. But Sightsavers invest quite a bit of time and effort and incorporates that into its program planning, doesn't it?
[00:09:18] Liam: Yes. Well, I'd like to think we do. I mean, I, we don't always get it perfect, but I think we do pretty well and I'm very fortunate when I arrived here to have come into an environment that already had a very great security culture in place. So, it's a big thanks to my predecessors who started the security function in Sightsavers over the past 10 years who've kind of really helped that.
And I think like a lot of NGOs, I mean, we didn't used to have a security team. And what happened was, obviously we started off with some consultants and then we brought in an in-house advisor, and then from there that sort of expanded into a more traditional, still fairly small, but a more traditional hierarchal, global, regional country level security structure, which you would be familiar with. But that has taken a long time, that did not happen overnight. That took over a decade really, of that kind of evolution, but I think that's a fairly normal journey for a lot of NGOs to go on.
I think one of the, pressure is maybe the wrong word, but one of, one of the drivers behind this and the drivers for a lot of NGOs who aren't, I wouldn't say that Sightsavers is unique in the sector for investing more in security management now, you know, this is now something that external parties are really expecting. Nowadays it is very much standard. Obviously, it varies from, for example, donor to donor exactly what their specific requirements are but if you say that you're going to try and do a piece of programming in a very high risk environment most donors nowadays, particularly big institutional ones, they want you to have shown your homework. They know realistically if you say you're going to work in Northern Burkina Faso or something like that, it's a very difficult place. There's a lot of security challenges and never minding obviously the issues around security threats and program staff and everything. There's a program delivery angle to it as well. They want to know if you say we're going to do this for the next five years, and it's in a very high risk environment, they don't want to be agreeing to a project and to find out that 18 months later it's all shut down because of the security threat which was known about at the start.It's just the way the environment now is. Just more professionalized, expectations are just a bit higher. As NGOs, we're not exempt from all the legislations and all the standards and everything that would be expected of other actors in a similar environment. And that is the way it's going.
[00:11:19] Sean: And do you think, perhaps this may be a loaded question, but if an organization doesn't have that support and buy-in from right at the top, board level through to operational program, you know, delivery, how likely is it that down in the field, right on the ground, that there's going to be a security aware culture and good security practice.
[00:11:40] Liam: It's a difficult thing to put the finger on, obviously, but I think it does start at the top. Obviously, leaders have to lead by example and obviously if you have senior members of the organization, maybe who don't follow certain procedures or something like that, then that might have a negative impact.
Fortunately, it's not the kind of thing that I have to handle on a daily basis, but I think really, you can't have security in a silo. That's the fact of it. You can't just have this, okay, you've got a security team. They're off a little room, and then when something goes wrong, it's like break glass in case of emergency. And then these guys will come in and sort it out. That's not how it works. You know, you need to have that security go all the way right up from the management level all the way down to your administrators and program field staff and everything.
If people are thinking about it and they're aware of it, and you have an environment that promotes open discussion around security issues. Security is a contentious subject, risk as a concern. Not everybody perceives risk in the same way. Different people have different levels of risk appetite. So, what you want is to have an organization where people feel confident to, if they have concerns, to raise those concerns, that people can have open and honest discussions, where sometimes there might be disagreements obviously, but open and honest discussions about security issues and kind of demystify it in a way. Security can be sometimes quite scary to people who aren’t used to it. When it comes with a lot of implications, you're talking about potentially serious incidents impacting staff. You're talking about things like program suspensions and shutdowns or, or where we start, et cetera. In some ways, I find just kind of, if everyone can tackle it and everyone can have an open discussion about it and tackle the issues, that's the best. If you can kind of get that culture in place, then that'll help you out a lot.
[00:13:14] Sean: I couldn't have said it better. You've recently, or your organization recently, re-examined and overhauled their crisis management and incident management. And this is a huge topic within itself, but for other organizations out there, this is a difficult thing to do from an organizational change point of view, but also technically it's difficult as well. Are there any lessons learnt that you would put out there or top tips that you wish you knew before you started the process?
[00:11:40] Liam: I'm sure there's plenty that I wish I knew before I started it. It was a lot of work. Last year it probably took up about a good nine or 10 months of my time last year to get it across the line and to be honest, it's still not finalized. We've still got some stuff to tweak on it. And it's a, a bit of an evolving process. You know, where, where we started, I think like a lot of places, we had a very hierarchical crisis management model. While it wasn't explicit in the plans, there was an unwritten assumption that all of the senior management would be in an office together, probably in the UK and they would be in there Monday to Friday, nine to five. And then if a crisis happened, we would be able to rush everybody into a room, get a whiteboard up and turn it into a crisis management cell and base the CMC out of there. Now you know what, to be honest with you, I mean go back maybe about 10, 12 years and that's probably fairly accurate to how we would've worked. Nowadays we are a very flat organization. You know, we're spread out across a lot of countries, and everything like that, as well, our senior management, the key people who would be involved in crisis management exercises are spread around. Many of them work from offices other than the UK. Sometimes it's difficult to tell exactly who would form a specific CMC. That's going to vary massively based on the region and the type of incident. So, everyone is kind of spread around and as well nowadays, post covid, you know, remote working, we've leaned very heavily into that like a lot of places. We are not going to be in a position, I can't see a position where we'd have of all the key players in the CMC actually in the same place together. We might have some of them, but they're never going to be together to run a room, to be in a CMC crisis room like that, it's not going to happen.
[00:15:15] Liam: So, we really focused on rewriting the plans on the basis that frankly, we're going to be using things like MS Teams, and we're going to be spread out. That we're going to have to have inputs from lots of countries and stuff like that. And as well, you know, try to flatten it down a little bit, sort of push things down a wee bit so that, for example, a CMC doesn't necessarily need to be led by the CEO or the COO or someone right at the top. That we could have a CMC that's led by a regional director or something instead of the idea that it's all right the way at the top. It could be all throughout the structure and all throughout the organizational structure that way. And it could flex across based on regions and things like that. So that's what we went for. It did take a lot of work. I think we've landed in a pretty good place on it. We tested it back in the summer with a global crisis management exercise. I think when I counted up, I think we probably had about seven or eight people from seven or eight different countries participating. But the funny thing is that actually felt pretty natural. I was looking at everybody. It was like, this is how we would run a CMC in practice. So, this is obviously how we should test it and this is how we should write the plans and this is how the setup should be because we are all over the place all the time. So, I think that that was a big one, was just kind of trying to tackle that. It’s not perfect. We've still got some work to do on it, but I think we're in a good place on that. Now obviously the next step is just about that testing and experience. I mean, that is the key thing with crisis management. Thankfully we don't have to do it very often, crisis incident management. It's very easy to read a policy and a plan once, and then you know when you actually have to use it a couple years later if you're not dealing with it on a regular basis, people will have very much forgotten about it. So, it's all about that kind of incident management, just getting people just a little bit familiar. They don't have to be experts in it. Realistically, for most of my management incident management is one of their many responsibilities and far from the most major or frequent one, but it's just about people having that awareness and familiarity so when it does happen and unfortunately something really bad has happened at 3:30 in the morning, everybody knows the roles that they're going to step into and has an idea of the playbook to start with and put some kind of, you're never going to get it perfectly, but put some kind of order around that chaos.
[00:17:20] Sean: Really, really interesting. A central theme from what you've been talking about is, is really empowering all levels, but also the levels closer to the ground with security management and decision making. Which kind of allows me to segue into my next kind of main question, which is something I'm always fascinated on. You come across security managers of all different backgrounds, opinions and suedes. And there actually isn't a central security management canon. So, the question I ask myself and, and people, and the question I put to you is, in your opinion, what makes a great security manager?
[00:17:59] Liam: I mean, it's a bit of a. It's certainly a bit of a loaded question, and I'm sure, uh, yeah. I mean, I, I'm sure the, the comments on this one will be vociferous and, and very clearly there will be quite a lot of disagreements on this. I think. Yeah, there's a lot of things that go into making a good one or, or a great one. And certainly not necessarily seeing that me and my team are anywhere near that, but I, I'd like to think we're all right. I think in the NGO field specifically, and this would be some good advice for a particularly any new professional who's starting out in the NGO security management or anything, I think is understanding the language in many ways. I don't just mean the country language. Obviously, that's very important if you're working in a particular environment. But I mean the organizational language in the sector, specific language, you know. NGOs, they do sometimes have their own way of doing things. They have lots of things that they talk about which can be a little bit unfamiliar. And one of the most valuable things I think I did when I moved into the sector was just trying to spend a few months understanding actually what they were talking about in all these meetings. I know that sounds a bit facetious to talk about like that, but it really like understanding when they are talking about the program lifecycle for NGOs, when they're talking about the interactions between us and, the communities we're working in, our local partner organizations, government ministries, all this kind of stuff. You know, it's, it's quite complicated. It can get very complicated sometimes in very large consortium bids and things like that. And there, there, there can be a huge web of different agencies working and everything like that, and figuring out who is ultimately responsible for what, et cetera. It's very confusing. So, I think investing a bit of time and just actually understanding how they go about their business and actually how they structure a program and how, for example, program bids work with institutional donors and everything like that. And figuring out at what point in your organization you need to input in that. I think there's a lot of value and then it means that when you're in meetings and things like that and you're talking about advice and stuff, you can kind of speak to them on the same level and kind of maybe speak the NGO language a little bit because it's not something that security managers necessarily learn. And there are some concepts that don't really cut across and I certainly, when I went into it, I knew very, very little about it. So, I think I would say for any, any new NGO security manager who's starting in the sector, investing in that time to understand that would really, really pays dividends.
I think as well, particularly for NGOs, a lot of it is understanding that the more difficult environments are where the work is in terms of the nature of risk and where they're willing to work and stuff like that. The more difficult and more adverse places that is where a lot of the programming needs to happen. And if, you can't really manage this. You can't send people just to visit a capital city and then come home, because that's not necessarily where it's happening. So, the whole purpose of the organization is sometimes to go out to these, communities where there is a need and with the risk and everything in the environment that, that brings with that. So, you need to find a way. Certainly what I always do and try and find a way is to be facilitative, and understand this is the organization's goal. This is the whole reason that everybody gets up to work in the morning, is to try and accomplish these objectives. And that doesn't necessarily mean that everything goes, but what it means is that if I want to say no to something, if I have some concerns about something, you know, I always find it quite healthy to come up with alternative solutions and be like, well, I, I wouldn't recommend doing it this way. What I would recommend is maybe that we, we adjust it slightly and maybe we get the same objective. What's the end goal here? And maybe we do it in a slightly different shape or something like that. I think if you can come with that kind of problem-solving attitude, I think that also goes a long way and it shows that you're on the same team as everybody. You're pulling in the right direction as the rest of the organization. What you don't want to have is that ‘security says no’ reputation, because realistically, we know how this kind of stuff works. People just conveniently forget to tell you about stuff. You only find out about program bids at the last minute, all, all this kind of stuff. People just accidentally leave you off email chains, et cetera, et cetera. or you end up in a real, face-to-face disagreement about some fundamental stuff. I think a little bit of flexibility sometimes goes a long way in getting that buy-in because you know, your customer, your client base is a little bit of a weird way to say it, but really that is your staff, the other staff in the organization, you are providing a service to them, which is security and risk management, but they need to want it. And you need to make them see your value and see the value added and see what you're bringing to that.
[00:22:19] Sean: So, know your domain and avoid security says ‘no’. So often I've seen especially that last one where a lot of security managers might either lack the confidence or local understanding as to explain the real justification behind the caution or the 'No'. Sometimes security managers they have a bit of a power trip, and you know, when I say no, it means no. So, you're quite right. it's not about avoiding risk entirely. It's about helping your organization remain effective and present in their work and achieve their objectives as much as possible.
Really fascinating.
[00:22:56] Liam: And I think, the thing is obviously there are things that you have to say no to. I think if most of the time you can get that reputation or you can get that buy-in for being known to be onside and be flexible and facilitative. People understand that you get it and that you're on the same team. You want to help the organization achieve its objectives. When you really do have to draw a line in the sand and say, nah, this is absolutely, this just can't happen for all of these reasons, people are more inclined to take you seriously. It's like the boy who cried wolf, right? If you're not doing it every single minute of every single day, when you really do have to stick your line in then people will respect that and understand it but it's about sometimes keeping that in reserve I think is quite useful.
[00:23:35] Sean: Liam, I could talk to you all day about this and geek out for hours. Thank you so much. I really enjoyed this conversation. and I can't wait to have you on again. Thank you very much for your time. I really appreciate it.
[00:23:46] Liam: Absolutely. Sean, thanks very much. I have enjoyed it.
[00:23:49] Sean: Well, that's the end of our episode for today. Thank you very much for listening.