It had been a particularly slow night. The plant security guard had just made his rounds on this Sunday evening shift. As soon as he passed the weighing scales, he could enter the guard shack and get off his feet.

Challenging a curious incident

However, on this night, he noticed the waste vendor’s truck sitting half on and half off the scale. He stopped dead in his tracks to see if the truck would back up and completely sit on the scale. It never did. The observant guard walked up to the truck and challenged the driver who seemed surprised.

Hey, you’re not weighing your truck properly.

The driver fumbled for a response before replying, “Sorry, I was on the phone with a friend. I didn’t notice it.

But this security guard had the presence of mind to demand the driver’s phone. The driver was caught off guard and surrendered the phone. The guard then pulled up the most recent incoming/outgoing calls and saw no calls during the last 30 minutes.

I don’t think so.

You don’t think so what?

The security guard was frank, “You haven’t used this phone in over half an hour.

The truck driver sheepishly acknowledged the fact.

Together with Security, they decided to install CCTV covering the weighing area and scales – no easy feat due to poor lighting
It was decided to install CCTV covering the weighing area and scales – no easy feat due to poor lighting

Preventing crime as it happens

Knowing the driver was lying, the security guard ordered the truck back on the scale for a correct weighing and advised the driver that he would report the incident.

The security guard wrote up his report and handed it off to his supervisor who, in turn, contacted the local corporate investigator. This investigator was soon on the phone with his boss at corporate headquarters on the other side of the world.

Together with Security, they decided to install CCTV covering the weighing area and scales – no easy feat due to poor lighting. However, once completed, they waited. They would not have to wait long.

For the next two months, the waste vendor trucks, filled to the brim with production waste, black-and-white paper and other waste products from the plant, would stop on the scale only for a moment and then drive the front half of the truck off the scale for weighing. It was obvious that the vendor was cheating the company by only paying for half the waste.

After two months, it was decided to catch the next cheating driver “en flagrante.” Sure enough, the next truck went half on and half off the scale and was weighed. Security then asked the unsuspecting driver to park his truck and invited him inside the building to talk to a supervisor.

It was obvious that the vendor was cheating the company by only paying for half the waste
The driver signed an incriminating statement about the scheme and his role therein. They sent him on his way asking him to keep it quiet

Waiting for the driver in a large office was the local investigator and his close friend, the Head of Security. After a difficult interview, the driver admitted to cheating on the scales over a two-year period—he claimed that some of the scale cheating was done at the direction of the vendor’s management, while some of it he did himself by “ripping off” the vendor—which he acknowledged was dangerous.

Working with authorities

The driver signed an incriminating statement about the scheme and his role therein. They sent him on his way asking him to keep it quiet—they would see what they could do for him later on.

In the meantime, Corporate Investigations had received a due diligence report on the vendor company which contained disturbing news—the company and its managers were associated with a countrywide waste management mafia.

The report suggested that the vendor had a reputation for thefts and involvement in numerous lawsuits regarding thefts and embezzlement. Shockingly, no prior due diligence had ever been conducted on the vendor.

Fortunately, the plant’s finance and audit team had maintained good records over the past 5 years and were able to re-construct the amount of waste going out the plant door and the amounts being claimed and paid for by the vendor.

The discrepancy and loss stood at a multi-million dollar figure. After consulting with the local police authorities and company lawyers, it was decided to pursue a civil case against the vendor.

Pursuing legal action

The regional lawyer, the Head of Investigations, the Head of Security and the CFO invited the vendor to discuss the problem. Some of the evidence was shown to the vendor’s CEO who became indignant and, in order to save face, promised to fire the truck drivers and to repay any losses for the last two months.

What can happen when inter-dependent entities (security, investigations, finance/audit and legal) within a company combine their resources
Inter-dependent entities - security, investigations, finance/audit and legal - combined their resources and agendas to form a unified front

That was not enough for the company and a protracted legal battle ensued which lasted several years and resulted in the vendor’s paying almost the entire amount in instalments. The vendor was dropped from the contract and internal controls strengthened—the only plant employee dealing with the waste issue left the company and was replaced by two individuals.

The plant also began paying more attention to the waste process and less to the production side.

Several “lessons learned” come to mind. First, the tripwire came in the person of an astute and well-trained security guard who exhibited some of the best characteristics you want to see from men and women in that profession. The Security Department was also adept at installing the CCTV and capturing the fraud live on videotape.

But a far greater lesson was learned—of what can happen when inter-dependent entities (security, investigations, finance/audit and legal) within a company combine their resources and agendas to form a unified front. The results speak for themselves.

Download PDF version

Author profile

In case you missed it

Why moving to a risk-based approach helps business
Why moving to a risk-based approach helps business

Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks on a daily basis. Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business. In order to resolve these challenges, a security leader can apply a risk-based approach to their security program. According to  dictionary.com, risk is “exposure to the chance of injury or loss; a hazard or dangerous chance”. Risk is broader than a security concern and involves the entire business.  Through utilising a 3R model - considering resources, risks and resolutions - a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure.  A business determines what resources it wants to protect, what risks it needs to protect the resources from and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence. Free online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach The 3 Rs The first step in the 3R model is to figure out what resources need protection. This could be physical - such as buildings, critical infrastructure or valuable equipment, knowledge-based - such as intellectual property, or organisational - such as people or governance structure. Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge and processes. Second, determine what the resources need to be protected from. Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime) or business risks (compliance or legal issues).  Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at riskFree online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organisation’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.  The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs - resolutions - are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact to resources if an event does occur and also assist the organisation in recovering from an impact more quickly or easily.   The first step in the 3R model is to figure out what resources need protection, this could physical such as buildings or critical infrastructure  The path forward Understanding what risks a business faces in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise. A risk-based approach also helps security leaders fully understand an organisation’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions. Metrics can also help business leaders understand the cost/benefit of resolutions C-suite and executives help define an acceptable level of security risk tolerance to resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk. The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision. Measuring success A risk-based approach aligns the security mission with the organisation’s mission. Security leaders should have these conversations with their business leaders on a regular basis. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program Determining a baseline of acceptance gives a foundation for security leaders to point out when the organisation is not meeting its own requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries. The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited. Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting Defining risks and vulnerabilities Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk.The approach puts the security risk decisions in the hands of the ones impacted by those risks And it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks…the “owners” of the resources. Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities. Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.

Why regional? Inside ADT's mergers and acquisitions of US security integrators
Why regional? Inside ADT's mergers and acquisitions of US security integrators

ADT Inc.’s acquisition of Red Hawk Fire & Security, Boca Raton, Fla., is the latest move in ADT Commercial’s strategy to buy up security integrator firms around the country and grow their footprint. In addition to the Red Hawk acquisition, announced in mid-October, ADT has acquired more than a half-dozen security system integration firms in the last year or so.  Here’s a quick rundown of integrator companies acquired by ADT: Protec, a Pacific Northwest commercial integrator (Aug. 2017); MSE Security, the USA’s 27th largest commercial integrator (Sept 2017); Gaston Security, founded in 1994 as a video surveillance integration company and whose services have since expanded to include intrusion, access control, and perimeter protection (Oct. 2017); Aronson Security Group (ASG), which delivers risk and security program consultants and offers advanced integration services, consulting and design engineers and a National Program Management team (March 2018);  Acme Security Systems, among the largest privately held security systems integrators in the Bay Area, focusing on electronic security systems, access control, video networks and more (March 2018); Access Security Integration, a regional systems integrator specialising in design, delivery, installation and servicing of electronic security systems including enterprise-level access control, video and visitor management solutions, perimeter security and security operation command centers (Aug. 2018); In addition to their moves in the commercial integrator space, ADT has also sought to expand their presence in cybersecurity with the following two acquisitions: Datashield, specialising in Managed Detection and Response Services (Nov 2017); Secure Designs, Inc., specialising in design, implementation, monitoring, and managing network defense systems, including firewall services and intrusion prevention, to protect small business networks from a diverse and challenging set of global cyber threats (Aug. 2018). ADT has acquired more than a half-dozen security system integration firms in the last year or so For additional insights into ADT’s game plan and the strategy behind these acquisitions, we presented the following questions to Chris BenVau, ADT’s Senior Vice President of Enterprise Solutions. Q: ADT has been actively acquiring regional integrators this year – more than a half a dozen to date. Please describe the history of how ADT came to embrace a strategy of acquiring regional integrators as a route to growth? ADT's acquisition of Red Hawk is set to close in December, and brings premiere fire and life/safety solutions BenVau: Our acquisition strategy started at Protection 1 when we embarked on our journey to build out our commercial and national account business and add enhanced integration capabilities to our portfolio. The merger of Protection 1 and ADT brought that foundation to ADT which up to that point was primarily a residentially and SMB-focused company. After the merger, we set out to identify and acquire additional regional integrators that would continue to build on that foundation and deliver enhanced technical solutions, advanced technologies and an expanded service, install and support footprint. Through our acquisitions we now operate two Network Operations Centers and three Centers of Excellence. We are also unique in the industry with the number and variety of certifications, like Cisco and Meraki, our engineers hold which ultimately allows us to offer Managed Security as a Service. They have also enhanced our operational capabilities. Q: What criteria do you use to evaluate whether an integrator is a good “fit” for ADT? BenVau: First and foremost, we look at the culture of the companies. The companies that we target for acquisition must be metrics- and customer service-driven. Secondly, we look at the leadership teams. ADT view their acquisitions more like mergers and take a patient approach to integrating them into their business We have been fortunate in the fact the leadership of the companies we acquired remain with us today in key management and executive positions helping to drive continued growth within their organisations. We also evaluate their current customer base, unique solutions and their ability to complement and enhance our portfolio with the goal of becoming a leading full-service, enterprise commercial provider. Our acquisitions have bolstered our network capabilities, brought enterprise risk management services, and a broader solution set in high-end video and access control solutions. Our most recent acquisition – Red Hawk, set to close in December – brings us premiere fire and life/safety solutions. Q: What changes are typically needed after an integrator is acquired in order to adapt it to the ADT corporate model? BenVau: We view our acquisitions more like mergers and take a patient approach to integrating them into ADT while taking into account their culture. We want to ensure that we find the right positions for their people, embrace the right messaging and put the right processes in place. We acquire these companies because they are the best in their respective businesses and geographies and bring their knowledge and experience in markets or with solutions that we may not have had previous access to. ADT can support clients with their own in-house technicians which helps to ensure a consistent security program Q: How can regional integrators benefit from the ADT brand? Have your newly acquired integrators realised additional growth? BenVau: The companies we have acquired, generally, have exceeded expectations and surpassed initial goals. ADT brings expanded opportunities for these companies as well with our national footprint. Our National Account Sales Team has seen impressive growth over the years and are only limited by our ability to deliver. These integrators help to deliver on that. In the past, the regional players may have had to rely on sub-contractors to service their larger clients. With ADT, we can now support those clients with our own in-house technicians which helps to ensure a consistent security program across multiple locations.Our National Account Sales Team has seen impressive growth over the years and are only limited by our ability to deliver" Q: Are additional integrator acquisitions planned this year and into 2019? How much is enough and when will it end (or slow down significantly)? BenVau: We expect to close on our latest acquisition, Red Hawk, before the end of 2018. Red Hawk brings a national footprint focused on fire/life safety and security to ADT. While ADT already had a robust security offering, Red Hawk will contribute significantly to the fire side of the business. In addition, we will continue to evaluate the companies in the industry to determine if additional acquisitions make sense. Q: Do you expect greater consolidation of the integrator channel in the industry as a whole? Why is this a good time for consolidation? Is it a good M&A market for buyers like ADT? BenVau: We will continue to evaluate companies in the industry to determine if further acquisitions make sense. As for the industry, we can only speak for ourselves. Our focus is on investing in our field organisation, in particular our service technicians, engineers and project management teams" Q: What other trend(s) do you see in the industry that will impact ADT (on the commercial side) in the next year or so, and how? BenVau: In addition to their moves in the commercial integrator space, ADT has also sought to expand their presence in cybersecurity Networking is a big one. As we continue to drive integration of devices and services, from AI, “the cloud,” machine learning and even analytics, there will be more focus on the network they ride on. A deeper knowledge of network design, bandwidth impact, and system integration will be critical. As part of our acquisition strategy, we focused on talent to add to the team and have been able to add to our bench strength in this area. Q: Any other comments/insights you wish to share about ADT’s strategy, future, and role in the larger physical security marketplace? BenVau: Our focus is on investing in our field organisation, in particular our service technicians, engineers and project management teams. The cornerstone of our success lies in our ability to deliver outstanding customer support and service. It starts with sales and the ability to deliver security and life safety technologies, but it ends with a delighted customer who partners with us to help secure the things that matter most to them. Our recent acquisitions have more than doubled our commercial field operations teams and are key to establishing the ADT Commercial brand as a leading full-service provider of enterprise solutions to the marketplace.

Does “security technology” cover the broader application possibilities of today’s systems?
Does “security technology” cover the broader application possibilities of today’s systems?

The concept of how security systems can contribute to the broader business goals of a company is not new. It seems we have been talking about benefits of security systems beyond “just” security for more than a decade. Given the expanding role of technologies in the market, including video and access control, at what point is the term “security” too restrictive to accurately describe what our industry does? We asked the Expert Panel Roundtable for their responses to this premise: Is the description “security technology” too narrow given the broader application possibilities of today’s systems? Why?