The Defuse Podcast: Where Experts Defuse Real Threats

Bridging the Gap Between Security and HR with Melissa Muir

Philip Grindell MSc CSyP - The Online Bodyguard®

In this podcast, HR and Threat Management specialist Melissa Muir discusses:

  • How grievances drive issues at work.
  • How to say goodbye to employees leaving an organisation.
  • The power of multi-disciplinary teams.
  • How to overcome the issue of confidentiality.
  • The power of feedback and rewards in reducing hostility.
  • Communication between HR and security – what goes wrong?

And much more, which you’ll have to download and listen to in order to learn about.

Melissa Muir has been an HR professional in the U.S. courts for 25 years, more than 2 decades with the federal court in Western Washington. She is currently the HR Director for her hometown of Shoreline, just north of Seattle. Informed by threat management principles, Melissa is passionate about bridging the gap between security and human resources to improve the safety and health of our organizations.

Melissa has been thinking about ways to “go upstream” and prevent the harm of problematic personalities in the workplace by not hiring them in the first place, and about managing problematic personalities better when we do find them in our organizations.

Melissa is the Past President of the Northwest Chapter of the Association of Threat Assessment Professionals and serves on the national sponsorship committee. Melissa holds an MBA from the University of Washington and a law degree with a focus on employment law and mediation from Seattle University School of Law. Melissa is an Instructor at Gavin de Becker’s world-renowned Advanced Threat Assessment Academy, a four-day course on advanced threat assessment concepts held twice a year.

https://www.linkedin.com/in/melissamuir/


Philip Grindell:

Okay. So welcome to another edition of the online bodyguard podcast with me, Philip Grindell. And today, my very special guest is Melissa Muir. Once met, you will never forget. We've been LinkedIn for some time, but we only actually met recently at the threat assessment conference in Montana in the US. And we were sat at the same table together. And we were the two opening acts for the presentations of the two days. And I could remember sitting down after doing mine and sort of thinking, thank God for that, it's over, I can relax now. And on you went. And I was kind of mesmerised because it was so inspirational. And I don't mean that in a kind of, you know, jump up and down Anthony Robbins sort of way, but in the way of, I found it fascinating how you took a subject around the use of language and words, and made it so relevant to the world of security and threat management, etc. We'll come on to that. But it was just fascinating for me. And, you know, I said to you before we pressed record that, you know, for me to say, oh, Melissa is a human, you know, human resources specialist just doesn't do you justice. Because you're clearly so much more than that. So how would you describe yourself?

Melissa Muir:

Thank you. And again, I hope we get to talk a little bit about meeting in Montana. That was fabulous. I think I would describe it: I am a security-adjacent HR professional. And then I think, wait, no, I'm an HR-focused security professional. Wait, we actually are such an amazing partnership. I'm a partner in security and HR. And I think that just describing as one or the other reinforces the differences that are artificial. And they're right, I have been, I was with the federal courts for 22 years. And in fact, super excited, Frederick Calhoun is a rock star, because I knew his work as a historian, because he's done a lot of amazing research on the federal judiciary, independent of his security side. I am now HR director for my hometown. I had the benefit, almost 15 years ago now, of stumbling into threat assessment and threat management, again, because I dealt with an HR employee relations matter in a way that security had other thoughts on and, frankly, we didn't have a very good relationship. And it caused me to step back and look at it. And the moment I got there, I realised, oh my gosh, we have the same ends, right, we are both protecting the organisation and protecting our employees. And we're doing it in ways that are often adversarial. And we're creating false claims like so for the last 10 or 15. In addition, kind of my day job of all the things that come with being an HR director is thinking about how to bring the security pieces upstream and really get into where I think the joy of it is, on the prevention side, right? Not reacting to the headline yesterday about the hospital stabbing, not reacting this but saying, I did something with a hire, with a performance management system issue, with a recognition opportunity that created an employee who is more satisfied, who's going to stay here and is less likely to become that person who comes back later angry that people in security are worried about. Right, like, I have a chance to make a difference.
And I have a chance to take the tools from people like you and bring them into my world and apply them my way. So I think what I hope to be is, right, I joke, but in Montana the reason why we sat next to each other was the table for HR professionals at threat conferences wearing sparkly tights was full. Right, so I had to come next door. And what I hope is that that joke is not a joke much longer, that we are filled with HR people at threat conferences thinking about the ways they do it. My goal is to make myself obsolete as a unique person and to bring my HR community into this world, because the synergies, I think I've shared a few, I'd love if we get a chance in this conversation to share a few. Your world and my world are the same at different points in the continuum of an employee's experience in the organisation. And if I can bring the tools that you have, and the experience that you have, into upper parts of that, we're just creating a better system for all of our employees and for our organisations. Right. And the ripple effects are amazing.

Philip Grindell:

I couldn't agree more. So you present at Gavin de Becker's Advanced Threat Assessment Academy twice a year. Is that right? It's four days, isn't it, twice a year?

Melissa Muir:

And we're rotating around but I have for the last couple of years. Yes.

Philip Grindell:

So how did that come about? And what is people's reaction when they first realise there's a kind of an HR element to that content, that course?

Melissa Muir:

Well, if you'll humour me, I'll answer in two stories. Story one is sort of how it came about. And story two is one example I see of the impact. So I was in Boise, Idaho, speaking with a biohazard expert on insider threat. Again, not a typical HR topic, is super fun. And I will just, like, give my punchline away. I talk about the American traitor, I talk about Benedict Arnold as a workers' comp case gone sideways and say, look at this from an HR standpoint, this was just workers' comp handled poorly, like we could have handled this safety incident in a different way, and the world is changed as a result. So we're talking about that. And there were two women that came up afterwards and said, you know, from the title of your presentation, it was a little dry, it was so much fun to start getting in, thinking about these security incidents as HR opportunities, right, as a terrible insider threat example in the United States, just a, you know, five were lost. And it was a harassment claim that was ignored by HR that possibly put this person on the path, right. So in talking with them, they both worked for Gavin de Becker. And I said, do you know Gabby Thompson? She's amazing. And it started a conversation. And that started the connection about the role of HR and security and kind of deepened the connection I had with Gabby. And there I was at Gavin de Becker. So it came about through Benedict Arnold. Right. So I thank him for that. And there we are. One of the things that I saw, a twofold example: we do a section on, I call it how to say goodbye, because I don't use the term fire or terminate, separate, right, but how to say goodbye to employees. And we've got multiple things going on.
And I offer an HR perspective, and one of them is we look at things like what I call soft landings when excerpt as very critical management, it's like, why would we reward bad behaviour and, you know, and the hiring, you know, the managers are very opposed in general to it. And I'm saying, we're sending a message to the entire organisation, how we treat people when we say goodbye. And even if their coworkers hated this person or fear this person, they want to know that they're taken care of, for two reasons, right? They want to make sure that person is not angry at them and the organisation. And two, they want to know, what if it was me? How would you treat me if things didn't go well? So I talk a lot about how we say goodbye, and the benefits of being humane and generous and not being vindictive, or treating the person as a person we want to have a good ongoing relationship with after they've left the organisation. At the end, there is a scenario, and I don't want to give away the punchline, because training is amazing, that one of the things that one of the facilitators commented was that after I had joined in those sessions, the ending resolution that groups came up with borrowed some of those ideas and brought some of them in and were actually what the outcome had hoped, right, that people looked at the situation with a little broader perspective, as, wait a minute, I forgot we have these lead tools. We have these severance pay tools, we have these tools that as security I forgot I have in my toolbox that I can use to bring to bear to these, you know, situations of concern. And so kind of just reminders like, hey, think broader. And then just recently I had a conversation with a person in a large retail organisation. And there had been an argument over a former employee complained about a $50 held, down, forget copay that they felt they owe their former employee at this point, and they weren't owed it and they were wrong.
And we were like, it's $50, right. And the security said, I'm trying to convince HR to do it. Because I think this is a real grievance in this person's mind. He's really fixated and angry at the employer for not treating him right. And I can't convince them that the policy should be waived or something. And then we'll go to HR, we also have recognition policies, and ask if we might tap into a recognition policy and use some of that funding. So we're not violating this, and we're not breaking the health benefits rules, but we are, anyway, they found the money, the employee was grateful, the problem was resolved. And that was an example where HR had thought about it as for rules, that they didn't want to start a precedent, and security thought about it as, HR, you're so dumb, right? You know, you're missing the spaceship. And really, the solution was easy. And right in front of there when HR is thinking. So if you think, for me, that's the reward of Gavin de Becker, is helping people see, why don't you try to have a different conversation with HR when you go back? Instead of saying, HR, you're so dumb, you call me at the last minute, you don't tell me information I need to have, instead of coming in judgement, I'll come in and say, what policies do we have that might work in this situation? How could we work together? So long answer to a short question. And I just love the idea of opening the world of security to all the tools that we really have at our use.

Philip Grindell:

But it's interesting, because actually that last piece around, rather than saying what we can't do, is can we work out a way of what we can do. It reminds me a little bit of the presentation in Montana, because it was about, if we change our language, we can actually change the entire conversation. And I think, you know, this is something that I hear quite a bit when I'm talking to clients or potential clients around introducing a workplace violence or an insider threat team. And my view about it being a multidisciplinary team, in terms of security, HR, cyber, whoever else fits that, legal, for instance, whoever else fits that need in terms of having those multidisciplinary teams, very often what comes up is, your HR are problematic because of confidentiality issues. So how do we overcome that then?

Melissa Muir:

I think we have a great model on the mental behavioural health side already. So I think thinking about confidentiality, I think we have a couple of tools. One, if we're in a team where we're sharing information, HR may be hesitant, right? I can't share that, that's from a confidential personnel file. Sometimes clarity in that multidisciplinary group over who owns the information and who doesn't. So, hey, we're sharing this information, but the records are going to be kept, you can keep them, HR, right, you can get that, right. We don't have to have them. Let's, for the sake of this conversation, bring the information together with the written document, you can know Right? So some of it's like, my fear is like, HR is rewarded for being risk averse, right? We are praised by the organisation, our incentives are motivated around saying no, right? Like, if I do not take a risk, nothing bad happens. If I take a risk, and the organisation suffers as a result, I've put the organisation at risk. So by saying no to you, I kind of guarantee, right, like by not giving you the file, I can't get in trouble, right. So I think some of it is shifting that away from, what's the fear there? And how can we get to that? So some of it might be who owns the information. Another example might be, like we do, at least in the United States, sometimes where a psychologist couldn't give the information, I can't come to them and say, I'm a little worried about my employee, Dave, can you tell me, you know, and they can't. However, and we heard an example in Montana, I could bring you information. Hey, I'm not asking you to tell me what's in your files. I would like to share some information I have about this employee, Dave, I'm a little concerned and I want you to know. HR suddenly can make those connections. And then we might get to that point where we can do something. So some of it might be, how about if you share information with me first and reassure me, and I can now put it in context, and I can probably give you something back as a result, right. And I think the great example we heard in Montana was, well, I couldn't tell you if this person was an employee, I couldn't tell you what was in their file. However, if they were, I could meet with this employee before this thing that you shared with me is going to happen, right? You've told me something's gonna happen, I could have a conversation with that employee, if they were in that situation, about blank. So I can take some action, even without sharing the information. And I think the third piece, at least in the US: most of our confidentiality regulations, first of all, may not apply to the situation. But they often have an exception, right? They have an exception for exigency. They have an exception for an emergency, they have an exception for safety. And so sometimes it's like, I know you've got that, I'm very concerned, I want to share this information about the situation. And I'd like you to look at whether there may be some exceptions under our policy. So I think there are a couple different ways: share information with me and encourage me, bring stuff multidisciplinary and let me own my piece of it, so I haven't given it away to you, and let's work on whether there's some exceptions that might be important in this particular case. There are three ways, there's more, I'm sure.

Philip Grindell:

So what also strikes me, and I think this is relevant for a lot of security people as well, is perhaps the lack of understanding around the behavioural side of threat management, and how some of the concerning behaviours that we see are early indicators, potentially, of a person who is escalating towards not necessarily violent, but escalating towards causing a reputational issue or causing a good employee to leave or an insider threat or what have you. And so I think this is as relevant for a lot of security people as it is potentially for a lot of HR people and others, isn't it, this lack of understanding about how these early behaviours, if we recognise them now, we may be able to stop something further down the line.

Melissa Muir:

Apologise, I'm trying to get rid of this noise in the back. Absolutely. And I think again, I look a lot to the Gallup polls, and I use them from the street safety, side engagement, I think I shared with you the happiness. One is really sobering, right, that the world is very lonely right now. And misery comes up. And misery is also connected to a lot of challenging workplace behaviours, right? Whether they are violence risks, or lesser ones. And people are very unhappy at work. And those two things are not going away anytime soon. And they're huge. Right. And so as you're talking, I also look and say, there's also a lot of hope there. So I think sometimes we're not stepping back and thinking about, like, what's happening with the people in our organisations? And how does that mean something, right. And for me, again, I'll give a very simple example. Have you been complimented on your work in the last seven days? Right? And for those people who answer no, and it's about a third of the people that are surveyed worldwide, right, independent of organisation, country, for those who say no, they have not been complimented at work, half of them are going to leave within the next year, and half of them are thinking about it. And that's our group that we're worried about, right? That's the group that has got a grievance, that is frustrated with their boss. And so I say things like, let's step back and say, are we coaching our supervisors on how to give good feedback, including positive feedback? Like, are we reminding people, are we walking by in the hall and saying, hey, I really appreciated your help in the meeting yesterday, you saved me when the audio failed, right? And happened? How much does it mean to that person? Right? Can we measure it? No. Do we know that that person is not going to become a mass murderer because of it? No. But we do know they're more likely to stay, we do know they're going to be more satisfied.
We do know they're going to be less likely to be that person of concern. We know that, and I talk a lot about, why are we trying to measure, when we sell our threat programmes, the threats we averted? Why are we trying to measure the violence that didn't happen? That's hard to do, right? It's like an auditor. If the best you can do is zero findings, your goal is zero. How about if we flip it and say, how much has engagement and retention gone up since we put these safety programmes in place, right? Can I measure it in the bad things that didn't happen? Maybe not. Can I measure it in the good things that did, right? Because the connection between engagement and reduction in violence is real. So let's just focus on that, right, let's look at those things we can do that are easy. Easy, if changing culture is easy, right, that are doable, and measurable in ways that security sometimes felt like we get frustrated, like, how do I sell my programme to the C suite when the bad thing didn't happen? Or how do I sell? How do I take advantage of the bad thing that did happen? Now they're going to be interested. And I was like, switch that question: how do I go in and say, engagement is connected to retention, we've got to try to keep our employees, security can be a partner in doing that. That's awesome. Oh, and by the way, people didn't get hurt.

Philip Grindell:

And, you know, you and I talked about this in Montana, that also feeds nicely into the current flavour of the ESG credentials in terms of the governance piece around that, which often is difficult, as you say, to quantify within a security conversation. Because we're not talking about negatives, we're talking about positives. So actually, what is, you know, and also, we know that it's hugely expensive to recruit. So why would we want to keep recruiting, if we can retain our good staff and make sure that they're performing well, because they're happy and they're content in their work, and they feel rewarded.

Melissa Muir:

There are some measures that for an outstanding employee, it can be three and a half times their income, and all the institutional knowledge that we lose when that person goes, right. So the numbers are real. I think that's where you started this, with how do we get HR into the kind of the security world? And I'm trying to give examples of how to get security into the HR world. And I think, back to my introduction, is, wait, why aren't we in the same world? Don't we have those same goals? A healthy organisation is a safe organisation is an organisation that retains employees. We have the same interest.

Philip Grindell:

It's interesting, isn't it? Because if we actually probably looked at what are the goals that are set for a security director, as opposed to the HR director, how would they look? And what would they be worded in terms of, you know, zero incidents or something, for the security guy, or girl? And, you know, what would the HR director's goals and objectives be? And actually, this kind of difference in goals evidences the gap between how these two are seen, when actually they should be seen to be working together, to have closer alliances, their goals to be probably interlinked. And actually everyone wants to be safe and happy and content at work, because we spend so much of our time at work, why wouldn't we want to feel safe and happy and contented, rewarded? So it's an interesting one there about that goal setting of these departments and what their aims and objectives are.

Melissa Muir:

I think, again, if I say, are you engaged and connected and supported at work? If you answer yes to all these, I know you're safe. Right? Like, you know, so I kind of like, we don't really need to ask safety as a separate question. It is embedded in the other questions. So when we kind of recognise, like, we are literally increasing the same things. And I think that ESG stuff that you talked about was really eye opening for me, because I wasn't really familiar with that. And I started reading more as you talk to him like that. Yeah, it's the same, right? Like, let's measure these positives and recognise we each have a part of it, and don't even have to ask them as distinct questions. Right. And I thought a lot about kind of how we get to the partnership. And before we started recording, I think we were talking a little bit about those divisions and the silos and those awkward conversations when we're really literally at the 11th hour, and you're like, security do this, and they're like, HR do this, and it's like, no, I won't. Yes, you will. Yeah, like, that's not a great place to be for anybody. And I think, okay, how do we restart it? Instead of how do we do a better job at the 11th hour, what does our first hour conversation look like? Right, and Kevin Calder, who is a brilliant threat manager in Vancouver, British Columbia, and I, we did one at CATAP, the Canadian Association of Threat Assessment Professionals, and we did a scenario of how HR talks, how security talks to HR and the C suite. And we observed, and I'm just gonna say this out loud, my guess is your podcast audience doesn't have a tonne of HR people on it, and may not have a lot of CEOs.

Philip Grindell:

And we'd love to attract more of those, because they are so important to the conversation.

Melissa Muir:

And so one of the things we did was roleplay how security often talks to people like me. I think I pretended to be a CEO and an HR director, which is like two hats. And he started with, oh my gosh, I've been to this conference, I've learned some amazing things, we need to make some changes, I got these great ideas for the programme, I'd like to sit down and kind of share some of the ways we can really increase security. And then I do the little thought bubble, and I turn to the audience and tell you what I heard. What I heard is, you're incompetent. I don't like the work you're doing. I would like to increase your already busy workload. And I want to make your job harder. And I hear that and I'm like, great. Let me look at my calendar. Right, and we ended, and so then we walk through for the next half an hour, deconstructing, having a do-over conversation, right. And so I rely a lot on, oh my goodness, Chris Voss, who wrote Never Split the Difference. Former FBI, a lot of hostage situations, which people like me in HR, like, don't say scary things, right? But tell me the power of No. Hate. So we talked in, it's like, is now a bad time? Something as simple, right? Because I am ready to pounce on security with a no. So come in with a no question right up front. Give me the autonomy of getting to say no. And now it's kind of off the table, and I'm ready to hear you. Right. So rather than waiting, like, I've got 16 arguments to convince HR that this is the best programme ever, shut up and listen, right? Like, ask me something, give me a no chance. Let me get that out of my system. And one of those ones, the most powerful one I have ever heard, was when someone came in and said, do you want our partnership to fail? And I went, oh dear, no, right. But it got me thinking like, oh, wait, what, how did we get to this point? How do we get out of this place? Right. And that's where we started.
And then the next one was, hey, I've got some ideas about a partnership. I also really am not sure. I know HR's got a lot going on right now. There's been a lot of changes. I'd love, could I find a little more about what's happening in your world, where your concerns are, and think about how I might add to them? Right now I'm hearing, okay, you're not trying to take more of my resources. I'm spread too thin. Yeah. Right. And just those two questions changed the whole world, right? Like then we had this other one, I shared, really worried about retention, right now we're losing people, right? They're going where they can work remotely, they're going here. And they brought in some amazing ideas that started with our orientation, how they could sell stuff, how they could be part of things, how they could bring, we're not doing a safety drill, like for where the AEDs are, and where all the stuff is, and where are they aren't facilities. And doing it as a scavenger hunt. If you know me, you know I love scavenger hunts, right. So it involves getting to know coworkers, which is connection, because I'm more likely to report if I feel connected to your coworker, I'm more likely to share, I'm more likely to call that anonymous line, if I know that you'll help. And if I'm worried about this person next to me, and I know where things are going. We built all the safety things in and we throw in prizes and ice cream. This is partnership. Did I answer your question?

Philip Grindell:

Yeah, you did. Yes. And my mind is whirring because there's so many things there about kind of things that you think that would really work. And that would be a really good idea. If we go back right to the beginning of, shall we say, the recruitment of an individual. And again, an area where potentially it can be a multi-disciplinary approach to that. I know we've spoken previously around the importance of due diligence or vetting or whatever you want to call it, background checks, etc. Can you talk about, you know, why that is a critical factor in so many other areas of the employment process?

Melissa Muir:

Yeah. So, right now, at least in the US, we're under a lot of pressure to hire quickly, because we have people leaving and people have so many options. So we've had everything from they cancelled the interview that they scheduled because they got another job, or they cancelled the second interview because they got one between the first and the second, they cancelled on the start date, because they got one between the offer and the start date, they cancelled the day of the start date, because they, like, literally. So we're under great pressure to move quickly. So when you compress the time to hire, where do we compromise? We compromise on the due diligence, we compromise on the reference checks, we compromise, and I have a million stories. And unfortunately, every day organisations create new ones of where we didn't do the due diligence, right, the high profile CEO that lied on the resume. And now we have to, you know, publicly pay them a lot of money and go through the reputational damage and the harm to the organisation of not having checked something as simple as, are they telling the truth. But the way we're doing it is to move faster and less securely. What I loved was, after a conversation with our security wing, kind of thinking this through, they suggested, what if you did the reference checks upfront, before you got to the interview? And our response was, that's going to create a tonne of extra work. That's ridiculous. That makes no sense. And people aren't going to want to give us information and have people check references. If they're not guaranteed they're going to get the job, they're not going to take the risk. We decided to try it as a pilot and we went out. And one, people were fine with sharing the information. They were open about their looking. And two, it took a little bit more time up front. And suddenly we have better information going into the interviews.
We know something about the person, we know where we want to focus our follow-up questions, we know the red flags right up front, like, so they never even make it to the interview. So we've saved that time. And then when we're done with the interview, we're literally done, we're ready to make the offer. Right? So it shortened our time by up to a week, which is real life offers and real life people in this, right. And we knew more about them than we ever did. And again, when I'm at the point where I'm a hiring manager, and I've got this great candidate, do I want to hear bad news when I call a reference check? Do I want to find out that they're a liar? I'm like, well, they used to be a liar. But I think they're a lot better now. I think they lie less than they used to. Sure. Yeah, they defrauded the employer. But they've learned their lesson. And they tell, right, so all of these things that I joke, right, don't paint a red flag green, that we do when we're motivated. We don't have that motivation upfront. That shift came out of a conversation and an embedding within security that did our due diligence, that meant half of those people that are coming on are not going to be the ones that either leave us or that we have to say goodbye to. So I like to think I'm reducing the pipeline of concerned employees that are heading your way.

Philip Grindell:

Did you have resistance initially when you were discussing this, around, why would we pay for the due diligence before we've even identified whether we want them to work for us?

Melissa Muir:

Absolutely. Tonnes of resistance. And so here was my two-pronged approach. One was to try to quantify it. Here's what it costs to lose employees. Here's what our organization's attrition cost us in the last year, use real numbers, right? Here's what we lost in the last six months with hires that didn't go through. Here's what the cost of that due diligence is and times, right. So showing that. But the second one is, and this is kind of my go-to, is like, if you call it a pilot, everybody's okay. Right? So just call it a pilot. And who cares? It could be a forever pilot. That's okay, too, right? But so just say, are you willing to try, and if this doesn't work, we're going to sit down in three months, and we absolutely are going to stop this if it doesn't work. What came out, the extra that we hadn't counted on, was when the panel members said, having the information upfront made the interviews themselves so much richer, and so much better, that we all felt better about the process. So that was a bonus point, but had it not worked, we would have cancelled in a heartbeat. So that was the numbers, cost benefit analysis, and call it a pilot. Those are my tips.

Philip Grindell:

And what are the thoughts then around, we often do due diligence when someone is first employed, but of course people change and circumstances change over the months and years that they're retained as an employee. So what are the thoughts around continuous due diligence? Because certainly when I was working for the government as an example Pull up the police and what have you. And we were vetted. It wasn't a one-off process, there was a review period, you know, so that we could assess people, whether there was fresh information, whether their circumstances have changed, whether potentially now they were an insider threat, because they were financially vulnerable, you know, because of the messy divorce or whatever. So what's the sort of thought process from a commercial perspective on that?

Unknown:

I think it's kind of both carrot and stick. So the stick-side thing is your policy, right? So if you're in a formal and maybe you have formal reinvestigation, so every three years. Now that I'm not in the federal government, it's a little less of that. We do things, right, like we do driver's licence, every three years, and we do those. Some of it is policy, again, on the stick side: if you're arrested, you need to report it, if you have a restraint, right, so what reporting requirements we have for employees. But the carrot part is where I think the real stuff is, which is, have I created a culture of safety and care and community that people will come forward? offers? On the right like, have I made it safe for you to say to your boss, "I'm really having a rough time. Can I come in late sometimes?" You know, like, can I work something out that recognises I'm not in a great place? Have we made it safe to share that? Have we made it safe to a co-worker, that they're not going to get their coworker harmed if they share that they're concerned about them? Have I created an employee assistance programme that is accessible and, you know, without a lot of bureaucracy this or that, someone could really just pick up the phone and call someone and get help right away? So I think those are where and, and we had talked earlier about having faith in the process, right? And the reporting, and I look at it, I think it's in the FBI Making Prevention a Reality publication, where they say, you know, I need to be aware of the process, I need to know how I can call anonymously, who I can call, what the number is. I need to trust the process. I know that if it's going to be treated in confidence, if I share it, I know that I won't be retaliated against for indicating that I might have been a partnership and something that violate, you know, and three, do I trust you?
Do I trust you, whether it's my manager, their organisation? And if I get those three, if that's where I put my emphasis on the carrot, then the reporting is no longer reporting. It's just the way we talk. It's just the way we take care of our coworkers. It's just the way we bring ourselves in meetings. It isn't "I outed my coworker." It's that, oh, yeah, I saw this, we have these programmes. We're working. Everything's great. Right. So I think once we can make it so the stick is, do you have policies in place that require it, do you have procedures that are ongoing, that we're going to keep looking at people? But more importantly, have we embedded that in our culture of who we are, that that's a valued thing, not a scary thing?

Philip Grindell:

How do you change culture? I mean, we have a scenario here in the UK, for instance, where we have a huge business organisation, which is one of our main organisations, and they've recently gone through a rocky period where it's become apparent there have been some endemic cultural issues around misogyny etc. But, you know, in order to change cultures, it's moving a tanker. And I think it's such a complex and from a threat assessment perspective, I have no knowledge of kind of that world. You know, how do you do that? How do you change a culture of misogyny or the kind of sexual harassment or the guys going out drinking after work, and all that sort of stuff? How does that work in terms of changing a culture to make it a safer place, a nicer place to work?

Unknown:

I talked about it when we first met in person, it's one word at a time, right? It's one question at a time, it's one encounter at a time, because it's fragile enough that I can have this great supportive culture, and then say something really kind of snarky on the side and immediately destroy all credibility and trust. Right. So building it is one thing at a time. I saw an example, if I can think of it. It was, instead of "How are you?", the question was "Do you feel safe sharing with me how you really feel today?", right? Or something, it was just a very kind of vulnerable one. "Are you comfortable telling me how you're really doing this morning?" And I thought, if someone observed that I was having a bad day, and instead of saying "How are you?" down the hall, stopped and asked me that, or started our Teams meeting with that, that would make all the difference to me. Right? So I think that's right. When people in positions of authority, vulnerability, and open up in a way, and give you the space to do it and mean it, right, because I'm going to test it. That's how you change the culture. You know, I the Equal Employment Opportunity Commission states looks at harassment and discrimination and unfortunately, right, it's not harassment that gets organisations. It's the retaliation afterwards, right, like, sure, we heard this complaint, we looked into it, and then we penalised you for raising it. So the retaliation claim's the biggest. On average, people wait between 12 and 18 months before they report something of concern. If that's true in discrimination, it's also true on safety, right? If I don't feel safe telling you this, I don't feel too safe telling you that. If I can create a place where you are comfortable telling me that you are uncomfortable, my culture is changed. That's it. So I really think it's the questions we ask, and the vulnerability we're willing to show and invite others.

Philip Grindell:

And what has the pandemic then done to the workplace and the cultures that we exist in? Because certainly in the UK, you know, we had quite a severe lockdown. We have a lot of people who now don't particularly want to go back to work because they're very happy working from home. And I would imagine that if you're an introvert, you may be happy working from home. If you're an extrovert, I'm generalising, you probably can't wait to get back to work. But the culture has changed. And, you know, I can remember scenarios where people say, "Can I kind of work from home?" And the argument was, no, no, no, we don't do that. It's not part of our policy, or there's no reason for it. Of course, now, those excuses have gone because people have demonstrated, I can be just as effective, if not more effective, working from home. So how's the pandemic changed, in your experience in the US, and probably as in the UK, how people are feeling in terms of being safe at work?

Unknown:

You know, a lot. Again, as I mentioned, this study, people are lonelier than they've ever been, right? 300 million people estimate don't have a friend, and don't have someone that they can turn to in need. So we have people that have faced incredible hardships on a personal level. And they're bringing that to their work self. We've got, as you mentioned, people who are thrilled to be at home and people who are missing the connection. We have a flexibility and mobility that we didn't have before. So we're losing people that can work, right, all of those things. So it's huge pressures. At the same time, what incredible opportunity, right? I saw it, we did an icebreaker question. What's your favourite ice cream? Okay, you've heard that twice from me now, clearly, I haven't been alright. And it turned out, again, I don't know if this goes beyond the Pacific Northwest of the United States, but turns out all you have to do is say chocolate chip mint, and controversy erupts. Like provide, like people were committed. What was interesting was, this was one of our first leadership meetings where we had 15 people in the room and 15 people on Zoom. And we were trying to figure it out. Well, it turns out what we did well was take advantage, for the people in the room, of the things that you can only do in a room, right? Like we had treats, we physically moved around, we did some funny things, right? Take advantage, for the people remote, of the things that can only be done remote: we did breakout rooms, we did chat stuff, and bring it together. So I think for me on the HR side, it's stop trying to figure out which is better, which is worse. Meet people where they're at. People are hurting. People are lonely, people are afraid. They're also thriving on the connections that are coming back there. All right, like they're also hungry for some of the things that we missed during that. So I think it's more like, okay, now I have more options than I used to have.
I used to only have these things at a meeting. Now I can do six things. Let's do them all. Yeah, you're only going to participate in some of them and you're only, but we get the wisdom that all of us bring back in. So I think, I mean, again, I tend to skew a little optimistic, that may be obvious from stuff. But I also think like, we just had one of the biggest world experiments ever. And we get to take the lessons learned and apply them immediately to make things better, right? Like, what an opportunity we've been handed. Like, what didn't work? What did work? Let's do more of this.

Philip Grindell:

So we're kind of coming towards the end of our chat, and I'm, I guess, interested in flipping it to say, okay, so from an HR perspective, what do we need to learn as security professionals? What are the things that we don't do very well, or you think would make life better, would make relationships better, would make those partnerships better? What do we need to understand? What do we need to know that's going to bridge that gap?

Unknown:

Well, if I were being cute, I'd be like, stop riding in at the 11th hour and creating chaos and leaving me to clean it up for the next 18 months, right? Stop telling me that you're brilliant, and you know everything, and taking one approach to all situations. Okay, let me step back. And let me give myself my own advice, which is, bring curiosity, bring vulnerability. I think in the security world, and it's not a gender comment, it's not a rank comment, there is a feeling that I must be invulnerable, I must be the strongest person in the room, because you won't trust me, I won't have credibility as a security, if I can show a failing or a weakness. And I would say, challenge that, right? Come in, and ask me what you don't know about my world. Share your fears and vulnerabilities about the programme, about the things, and invite me in, right? I think literally just taking off that suit of armour, and laying it at the side of the door when you come in, and saying "I want to better understand what's happening from the HR side, and I want to share some of my concerns about my programme" would go so far, it goes away. So ask me what you don't know, rather than telling me how much you do.

Philip Grindell:

That's brilliant, isn't it? Because it's such an interesting perspective, in terms of our role is to identify the vulnerabilities in many cases, and solve them. But we never look at ourselves as being the vulnerability. Or we never look at ourselves as being. And sometimes it is, I think it is potentially a gender thing. But so and sometimes I think it is because the background of many of us has been involved in different worlds in terms of military, law enforcement, etc. Wherever hon disease is perceived differently, which I think again, is wrong. But I think that's such an important aspect. And I think that's really, really strong advice. I'm just thinking, I'm sure I'm speaking while thinking about myself and thinking about, you know, how we would apply that, because I always go back to The Seven Habits of Highly Effective People. And, you know, the one which talks about, you know, "Seek first to understand", which is such an important one, but one that, you know, probably isn't necessarily practised as much as it might be. But, yeah, I think that's a hugely important one around being, as a security professional, as a threat professional, being vulnerable, being able to be vulnerable, being able to ask advice, being able to approach HR, and rather than demanding something, asking advice and asking guidance, or even asking, you know, "I'm not sure what to do, what would you do?"

Unknown:

Yeah, I think, in my experience, working closely with security, the times that has happened has shifted everything, right? That has been the difference at kind of opening up a partnership that neither of us fully appreciated how much we could have, I don't think it was that vulnerability. And I do think, right, like, all joking aside, like, take off that coat of armour when you come in the door, and we'll have a different conversation.

Philip Grindell:

Yeah. And how do we get more HR professionals then to threat assessment conferences and to the security conferences and those? Because I think that's another important aspect. You know, having you at that conference I thought was invaluable because it brought a whole different dimension. And it was fascinating how every person who spoke after you was so conscious of what she'd said. They consistently were stopping and thinking, hang on, I can't say that, I need to reframe or rephrase what I'm going to say.

Unknown:

I wasn't trying to, like, stop you. I appreciate that. I think the simplest way is focus on describing what you're doing in these conferences in ways that don't terrify people like me. Right? I don't want a case study. I don't want Run, Hide, Fight. I don't want active shooter. I don't want whatever it is, right. I don't want, you know, protective intelligence, counterterrorism, insider threat. I'm not even sure I know what those mean, even though I'm in that world a lot of the time. But when you say, you know, again, I with Dr. Brooks, we started "How Not to Hire a Psychopath". I did that as a joke. But now it's a real thing, right? Like, because HR people thought that was funny and came to the presentation. "How Not to Hire a Psychopath" has a lot about problematic personalities and security stuff that HR people were willing to listen to, because it was like, oh, that's not as scary, right? Because that's funny. So I think just the naming conventions, all joking aside, is you had like, one word at a time. If you call that "How to Increase Retention Through Your Security Posture", right, I'd be like, oh, that sounds way cooler than a case analysis of the latest, you know, shoot up at a workplace. So I think some of it is help speak my language. Yeah. Have like, wouldn't be fun. Take your conference topics, take your articles, and send them to an HR person who just rewrites the name, doesn't do anything to your content, doesn't change anything else. But just like, would you write this as an HR person, and see if it wouldn't change the world?

Philip Grindell:

Well, that's what I'm going to be doing. I'm going to be sending you all my articles from now onwards, then I'm saying, Can you change the title?

Unknown:

Play with your title?

Philip Grindell:

Melissa, it's been, as always, fantastic chatting with you, and listening to your expertise and advice and guidance. I think for me, it's one of the biggest changes we can make, and I think one of the most effective changes that we can make, if we can have more collaboration between HR, Employment Relations, whatever different terminology it's called, and the security, threat assessment, whatever conversations that's called, because I think we've all got the same intention, which is to make work a safer place. And we can do it much better by doing it together. So thank you so much for spending some time with me. I will definitely, definitely do this again. Because I think it's kind of opened up a whole, my mind is spinning with a whole lot of new topics to talk about and think about and, yeah, so I just think it's going to be a huge topic, something that I think is so important. And I think it's a real problem also for lots of security professionals, particularly some consultants, about how do I approach the HR team? How do I even engage with them, to get them interested in what I want to talk about? And maybe again, that's about asking a question rather than posing a solution to them.

Unknown:

I think it's great. And again, I'm so grateful for the time we had when we got to talk in person and meet now and just like to be in the company of people like you and Rory and veteran, like it's amazing. And I just think the greater voice. I hope I will take this, if you will let me, and share it with every HR person I know and say, hang out with this guy. It's amazing.

Philip Grindell:

Brilliant. Well, thank you so much for listening, and we will speak again very soon. Thank you. Take care.