
6.12.23 – SIW – Brogan Ingstad

The actual process of termination is carried out by HR, but information security and physical security teams also play important roles in monitoring risk

The U.S. economy finds itself in a wave of industry-wide mass layoffs, this time affecting the technology sector. In recent months, announcements from Google, Microsoft, and Amazon alone mean these HR departments have terminated upwards of 40,000 employees. Layoffs of this magnitude bring a whole slate of considerations affecting multiple departments, with security teams at the forefront of keeping an organization safe and secure. These are already some of the most trying times for companies, and the reality is that insider risks, from intellectual property theft to workplace violence, are more likely to manifest during these restructuring efforts.

Perhaps the biggest challenge surrounding the execution of mass terminations is that so many departments that may not regularly interact with each other suddenly must work in tandem around critical, time-sensitive issues. While the actual process of termination is carried out by HR, information security and physical security teams together play important roles and must be well integrated before, during, and after these events take place.

The Three Pillars

What is the role of each during a large-scale termination event? A brief examination helps illustrate the important areas of intersection.

In addition to notifying employees of their termination from the company and communicating the next steps, HR serves as a critical conduit for ingesting, recording, and analyzing behavioral threat information. Preemptively reviewing employment records to understand issues of concern and disciplinary history helps risk-rank employees during the planning phase. Taking note of adverse reactions or veiled threats during the notification, as well as after the event, is essential, as these representatives are often the only points of contact likely to interface with the employee and receive such information.

Physical security teams, for their part, serve as in-house subject matter experts on threat assessment. As this team is responsible for the physical security of corporate assets, it usually owns important security technology and directs any guard force the company may employ on-site. To the extent that augmented security controls or an enhanced security guard footprint are needed, security teams should manage these efforts, ensuring they are proportional to the threat.


Monitoring user access and use of information systems is a primary role for information security teams. Upon termination, access to these systems should also be immediately revoked. Enhanced monitoring of corporate networks for anomalous behavior using analytical tools and data loss prevention is also critical. In the aftermath of these events, IT security teams facilitate the return of company assets if terminations are conducted remotely.

Depending on the size and complexity of the company, other departments may play a role throughout the process. General Counsel ensures everything occurs on a sound legal footing. Finance, ethics, and operations may all serve as data providers for insider risk programs. Managers of terminated individuals are critical in identifying and communicating to HR those who may pose a higher risk to the organization given observed factors and behaviors during their tenure. However, these three functional areas are the core pillars, working in lockstep across each phase of these disruptive events.

Fostering Improved Integration

What are good strategies for conducting complex terminations cross-functionally? Generally, these can be broken down into planning, execution, and follow-up.

During the planning phase, it is important to bring together representatives from each of these functions regularly to go over timelines and expectations. While these meetings from a C-suite perspective are understandably confidential and the instinct is to be exclusionary to avoid leaks, leaders from these three functions must be involved from the start. Each is likely to require several weeks to properly pool resources and ensure they are ready the day announcements are made. Information security teams will want to ensure user behavior analytic (UBA) tools are configured correctly. Trained protective officers will likewise need some time to organize and deploy.

During terminations, it is worth considering which representatives are present in the room. Managing employee reactions during termination events is critical, and doing so effectively can help de-escalate potentially violent behavior. Any security presence should at the very least be nearby and able to intervene quickly if needed. Information security should be on standby for each employee, deprovisioning access during each notification. All information, from employee responses to equipment returns, should be captured on employee checklists for centralized recordkeeping.

A joint effort around continuous monitoring after termination is also important. While the risk to an organization declines as days and weeks pass, the threat remains in the aftermath of initial notification. This begins with HR, ensuring any threatening contact made by previous employees is recorded and communicated to security teams. Security should make photos and other details surrounding employees considered high-risk available in lobby areas for security guards and other front desk personnel. Information security should continue monitoring networks for unauthorized access. It may also be relevant to conduct social media monitoring on people deemed higher risk, as this can provide insights into aspirational threats or adverse content that may prove damaging to the company brand.

The act of terminating an employee is emotionally charged for all involved and imparts a major lifestyle stressor on the individual receiving the news. Getting the process right is essential. The fact remains that the risk of workplace violence and other insider-related issues is at its most critical point of inflection in the moments during and after a termination event, as many unfortunate cases have shown over the last decade. Mitigating these risks comes down to clearly defined roles and proper coordination between these functional areas throughout the entire process.


About the author: Brogan Ingstad is a Vice President with Teneo Security Risk Advisory. He supports Fortune 500 clients with security and intelligence program development, business resiliency frameworks, and risk mitigation. Brogan brings a decade of experience conducting CSO organizational reviews, site-level physical security surveys, and threat and vulnerability assessments of global security programs.

Previously he served as a strategic security and risk management consultant at The Chertoff Group in Washington D.C., addressing the varied security, risk, and business continuity challenges affecting international companies with dispersed people and assets. Before Chertoff Group, Brogan was a head of research at global business intelligence and country risk firm Oxford Business Group, based in the Middle East, Africa, and Latin America. Brogan has additionally supported public-private sector collaboration through the United States Department of Homeland Security’s Analytic Exchange Program (AEP), focusing on the nation’s critical cargo and port security challenges.

Brogan received his bachelor’s degree in international business from the McCombs School of Business at the University of Texas at Austin and a Master of International Public Policy (MIPP) at Johns Hopkins University’s School of Advanced International Studies (SAIS). Brogan is a Certified Protection Professional (CPP) with ASIS International and a Certified Risk Management Professional (CRMP) with DRI International.