Security management is truly a global profession. Every region of the world has threats that need mitigation; every organization has people and assets that need protection. But the practice of the profession is also influenced by local conditions—culture, business practices, economic conditions, type and severity of threats—that differ from region to region. With that in mind, this new Global Management series from Security Management will highlight security managers from different regions to learn about the challenges they face and the management strategies that help them succeed.

In the first installment of this series, which appeared in our December 2019 issue, two successful security managers from West Africa discussed some of the challenges of working in the region, including funding issues and preparing for myriad threats.

In this, the second of Security Management’s Global Management articles, we interview two security managers who have extensive experience throughout the Middle East/Persian Gulf region. They cover a wide range of topics in their remarks, including the challenges and cultural issues that come with working in a region in which expats often dominate the industry workforce.

Michael J. Padilla-Pagan Payano is the founder and CEO of Al Thuraya Consultancy (ATC), a global strategic advisory and risk management firm. ATC’s area of focus includes the Middle East and North Africa markets. He is a retired U.S. Army Colonel, and in his security operations he draws upon skills learned in his extensive military career in U.S. Army Special Operations, as well as lessons learned from his immersion in diverse cultures.

You served in the Middle East and Africa (among many other locations) during your military service, and you have worked in the region since 2006, when you started Al Thuraya Consultancy. Why did you start a company here?

MP. Military service was a milestone in my life. Decision making under pressure, organization, leadership, camaraderie, and honor, but also doubt, fear, and loss were prominent during my service. The things I experienced shaped me as a person. As my military service ended, my commitment to those values and the harsh realities of life in the Middle East still stayed with me.

Of all the things I could have done, I chose the one that I thought would offer me fulfillment, one that could contribute to my view of a better and safer world, and one that would be financially sustainable.

I started Al Thuraya Consultancy as a risk management and security company to offer risk and security solutions from a different perspective: that of being on the ground, being relevant, knowledgeable, confident, reliable, and trustworthy. Those were the things that were missing from the industry at the time. I wanted to create a professional service that went beyond mere profitmaking, and more into changing and shaping the risk and security context in the Middle East.

How has the security industry in the Middle East evolved and changed in the last 15 years?

MP. At that time (15 years ago), the security industry as we know it today was nonexistent. There were only contractors, subcontractors, and lone consultants, as well as paramilitary groups, sects, and factions. There was no clear definition for security, and the lines between government forces and rogue forces were vague. A continuous striving for power defined the context; no regulatory framework existed.

That is no longer the case. Now, the security industry is constantly changing. Currently, the industry is starting to recognize the need for solutions-based approaches to customer-specific needs, through different combinations of products and offerings.

The industry is still struggling with issues related to perception, regulation, skills and training, talent management, and even legislative and regulatory shortcomings. We are optimistic, though, that the sector is moving in the right direction, toward a more sustainable model of operations.

How has prevailing thinking about risk management in the Middle East also evolved over time?

MP. It is important to highlight the cultural component in the Middle East that heavily affects risk management. Middle Eastern societies have traditionally been more comfortable with the notion of fate and kismet—the notion that things are predetermined, and resistance or interference is futile. Therefore, there is little or nothing that can be done to intervene and change what is considered as divine will or fate, even if that translates into a lack of preparedness or an unwillingness to engage in risk management.

Recently, however, through media coverage and wider visibility of risk management practitioners, perceptions are shifting. Stakeholders are becoming more receptive to risk management efforts.

You have significant experience helping companies do business in the region. Would you say that there are business opportunities in the Middle East that are underutilized?

MP. I wouldn’t say that the business opportunities are underutilized, but rather that the human capital of the Middle East is certainly underutilized. Most companies fail to see the value of building a lasting organic relationship with the area in which they operate. They fail to connect with the local community and utilize local human capital effectively.

You cannot operate in the Middle East and Africa as if these regions are colonies that should be run and managed by foreigners. This old, archaic approach will not and should not be used, by any means. You need to employ respect and be ready to realize the opportunities that will allow you to thrive, even under adversity.

Do some Middle East countries suffer from history, in that they are perceived to be more unstable than they really are because of past conflicts?

MP. There is always a gap between reality, perception of reality, and depiction of reality. What exists, what I think exists, and what others tell me exists are never identical. That is why it is so important and valuable to have eyes on the ground and an ability to assess and manage both perception and deception.

Whoever wishes to operate in the Middle East needs to do their homework in order to see through a different lens and understand the critical cultural dynamics. This can be done through strong local partnerships.

Let’s say I am a security manager for a multinational firm, and I am being transferred to the Middle East. What advice can you give me on how I can avoid making mistakes when it comes to cultural issues that influence employee relations and the workplace?

MP. Good question. Here are some things I have instilled in my teams:

Be interested. Get to know your team, and I mean really know them—build an understanding of them and their backgrounds and knowledge bases.

Be approachable. Talk to your team every day, even if it’s just a “good morning” and “How are you today?” I do it with as many staff as possible, including drivers, kitchen staff, and cleaners.

Be flexible. Understand that not everything will go according to your watch.

Listen. Give people your full attention. Truly listen to what they say instead of what you think they’re saying.

Adjust your style. Understand the home culture and the organization’s culture, and be malleable enough to shift without surrendering your management and principles.

Don’t just hire talent, develop it. I am a big believer in this last one. We hire locally; we build capacity and advocate that career paths depend not only on one’s ability to succeed but also on one’s ability to help others succeed. If you are being respectful, attentive, eager to learn, observant, and inquisitive, you can adjust easily to any situation.

In terms of threats, what do you see as some of the major threats in the Middle East? Has the threat landscape changed?

MP. First, every company has a different definition of what constitutes a threat. So, the first step would be to define and understand your threat landscape (both opportunistic and direct), and then look for the triggers that may ignite events that will have an adverse impact on your business.

That being said, I would say cybersecurity and privacy risk, terrorism, geopolitical uncertainty, social instability, changing consumer behavior, climate change, and the speed of technological change are issues that affect the whole world and global businesses, including the countries of the Middle East.

ASIS has been advocating for enterprise security risk management (ESRM) as a valuable tool for security managers. Has the concept of “security manager as risk manager” caught on in the Middle East?

MP. Even in the West, we see that the concept of approaching security from an enterprise perspective is often just a theoretical topic for discussion in workshops and conferences, rather than a practiced reality in corporations. So it would be premature to expect that it has already taken hold in the Middle East.

We first need to establish the framework of risk management and security, and then address ESRM as a tool for security managers. As more and more educated, certified, and experienced practitioners enter the sector in the Middle East, I expect the answer to this question to become self-evident.

John Cowling, CPP, CBCI (Certificate of the Business Continuity Institute), works in the private security industry across the Middle East, where he advises multinational clients and governments. Since 1990, he has worked in the profession in a variety of roles, including operations, corporate security, training, and consulting. He has undertaken projects around the globe, including within Africa, Europe, Asia, Australasia, and the Middle East.

You have worked in the Persian Gulf region since 2005. How has the security industry evolved and changed in the last 15 years in that region?

JC. This region continues to remain dynamic, with geopolitics influencing the movements of personnel around the region. This affects the success of projects and operations. The countries in which I continue to operate have large proportions of expatriate workforces, and this adds to the complexity and challenges facing the security function. There’s a diverse application of standards, methodologies, and opinions in this region, and this continues to provide challenges that require innovative thinking in a manner aligned to the local culture.

Since my arrival in this region in 2005, I have seen increased regulation and standards driven by regulators rather than end users or suppliers, whose security budgets are often driven by cost rather than function.

However, the organizations that have embraced security as an enabler in a manner aligned to their mission and vision have greater success integrating their security functions into their operations and business model. This results in a leaner and more efficient company producing better results for its shareholders and stakeholders.

You hold a few security credentials, including the CPP and the CBCI. Is the recognition of security credentials growing in United Arab Emirates (UAE) and other Gulf countries?

JC. This region continues to generate mega projects, each with its own opportunities and risks, requiring security professionals to have a diverse range of skills—from strategic to tactical, and from security management to operations to training. Expectations of the capabilities of security professionals has significantly increased. Security credentials such as the CPP are well-regarded in this region, most notably in Saudi Arabia, where the ASIS International board certifications are recognized by the government security regulator, the High Commission for Industrial Security.

Overall, there is a high expectation of learning and self-improvement here in the region, so attaining a security credential is important in terms of balancing your education and experience as well as demonstrating your commitment to continuing your education and staying current to new trends and methods.

You have experience leading training programs in the Gulf region. What advice would you give a security manager who is new to the region and now leads training programs there?

JC. Firstly, listen and acclimate to the environment—not just to the weather, but also the parameters in which we operate. There is a tendency for expatriates—whether they are trainers, instructors, or subject matter experts—to adopt the approach of lecture, rather than train, when they first arrive in the region. This isn’t advisable; this region is ideally suited to a competency-based training approach.

Understanding local culture, regulations, and operations is essential, as is realizing that there is no benefit in reinventing the wheel. If there is already something in place (or not), spend the time to learn how and why the current situation developed. This region has been receiving foreign advisers providing specialist advice for many years, so we need to understand the environment in which we operate and adapt our style to deliver the most practical solution that is in the best interest of the student and the host nation.

What are a few of the common challenges that a security manager may face working in the Persian Gulf region?

JC. Geopolitics often drive many discussions and needs relating to security here. Although this may not be openly discussed, we need to understand how regional and global events drive strategy as well as operations. From civil conflict to earthquakes and even volcano eruptions in Asia—all will affect the personnel around you, your international travel plans, and your daily operations.

We also have a high percentage of expatriates in the region’s workforce, which brings a host of challenges across many different jurisdictions. These challenges include travel security concerns; conducting due diligence on customers, providers, and suppliers; and executing reliable cost and efficient background checks as part of the recruitment process.

Let’s say I am a security manager for a multinational firm, and I am being transferred to the Dubai office. What advice would you give me about how I can avoid making mistakes when it comes to cultural issues and the workplace?

JC. You need to immediately adapt. First, realize that we are in a new jurisdiction surrounded by a number of other jurisdictions, with different rules in each, some of which we may not agree with. When acting in an advisory role—to our CEO, a client, or an organization—we need to enable solutions and support the mission and vision of the organization.

Second, this region is diverse in nationality, language, gender, race, and religion, and therefore it is diverse in opinions and approaches to solving problems. Flexibility in approach is crucial. Understanding why we need to achieve the task matters more than how we achieve the objective in the end.

Third, relationships are everything, more so than in other global locations. Without solid relationships with your team and stakeholders, problems will grow, not diminish, and you will ultimately not be as effective as you desire or are required to be.

In terms of threats, the Persian Gulf countries have long had the reputation of being stable, commerce-focused countries. What are some of the major threats there in the region? Has the threat landscape been changing?

JC. Major threats are likely to revolve around regional geopolitical issues, usually outside our control. For example, the price of crude oil fluct­uating over the past few years had an impact on many regional org­an­izations, both those dependent on its revenue and those touched by the wider economic impacts.

Uncertainty over regional sanctions, supply chain routes, civil conflict, and regime stability are all factors in the changing threat landscape. Having a stable security environment is crucial to being able to operate in the region. To flourish, organizations require stability of government, bureaucracy, and process. Any uncertainty often causes doubt, which influences business decisions.

Commerce between regional countries is intertwined with relat­ionships, so understanding the drivers behind your organization’s customers, employees, suppliers, and interdependent relationships will assist you in managing the security needs of your organization.

The regional threat landscape will continue to change, whether this be in a cyclical fashion, or as an evolution based on geopolitics or an unanticipated event. The key is to remain open-minded and flexible, with an unbiased viewpoint. It’s best to be mindful of the misinformation that surrounds us while instead relying on solid, verified information, and not jump to conclusions.

Has the concept of ESRM caught on in the Gulf?

JC. Over the past 10 years the idea of ESRM has evolved in the region, as has risk management in the broader sense. Many organizations now undertake studies to benchmark their security capabilities against the broader industry, with the aim being continuous improvement and a strategic advantage. ASIS International’s support of ESRM helps provide a platform for security professionals to enhance their security function and operations.

As the nations in the region continue their localization programs, and encourage their ESRM programs, ESRM awareness and standards will continue to be raised across the industry. However, on occasion, a security manager may prefer to apply their own national standards instead of what is suitable for their organization. This is not surprising; such managers know and understand their own national standards from whence they originated. Regardless, it is key for managers to remain flexible and maintain a diverse skill set so one can adapt to the region and meet the organization’s needs.

Overall, the application of ESRM and the nomenclature has been a benefit in this region. Many organizations understand risk and related concepts, so the ability to speak the language of the C-suite, understand their risks, and adopt a risk model that interacts with the wider enterprise risk strategy is crucial.

Have managerial practices in Dubai been changing? Is the “old school” command-and-control style of management still popular? Are younger employees pushing for change?

JC. Historically, many senior management positions in the region were filled by mature expatriates who had an old school approach. However, some organizations have recognized the benefits of localizing the workforce and creating locally-delivered security management programs, and as a result, remarkable improvements have occurred.

We now see an increasing number of local nationals attaining degrees in security management, as well as certifications such as PSP or CPP. Those professionals are advancing upwards through the ranks of security in corporate security operations positions and specialist roles, such as cyber, threat analysis, and investigations.

Positive change is being driven by several sources, including younger employees and forward-looking mature management, as well as via the adoption of new technology and best practices. Overall, many organizations have adopted a proactive approach to managing security which integrates personnel, procedures, physical components, and technology. This integration has driven standards and performance upward.

From what you have seen recently, is the role of the security department changing with some companies in the United Arab Emirates? Is it becoming more involved in business activities?

JC. When security is seen as an enabler and not an inhibitor, then security becomes more involved in business activities, such as strategy, as the perspective from the C-suite is one of positivity and a willingness to listen and engage. This is one of the regional (and I am sure global) challenges for security professionals—having the trust of a C-suite that is willing to listen to the security experts, knowing that they have the best interest of the company at heart.

Strategically those regional organizations that embrace security as an enabler will undoubtedly perform better in terms of performance, share price, and business operations. However, the security manager needs to be able to communicate in a professional manner with the CEO and C-suite, as well as apply metrics in a manner they will understand and appreciate.

Mark Tarallo is senior content manager for Security Management. Connect with him on Linkedin or email him at [email protected]. What unique management challenges do you face in your region? Share them with us on LinkedIn or email Mark Tarallo directly.