Ensure Corporate Survival: Be Conscious of the Potential Threats Around You

Published by Marshal on

Andy Thompson speaks with Paul Barker, founder of Vigilance Consulting and a certified operational resilience and risk professional with more than 20 years leadership experience across education, leisure, hospitality and predominantly financial services sectors, including capital markets, private equity, banking, asset management & treasury sectors. He specialises in providing operational and cyber resilience, risk, security and continuity consultancy and training services.

How did you come to launch Vigilance Consulting?

Vigilance Consulting is a new company, launched in 2020, but built on the back of many years of exposure in predominantly Financial Services markets, but also the Education, Leisure, and Hospitality sectors. The last few years have been Financial Services-focused, but some of my early ventures in other areas were really quite influential, particularly from a training point of view, especially where you are exposed extremely early to very practical hands-on training in those industries. For example, in the Leisure industry, I was a RYA Yachtmaster Instructor. I was taking people who had never stepped on a yacht before and giving them the controls of a half £million yacht, telling them to go and park it up in a marina full of other half £million yachts. That requires a certain amount of instructor quality for you to have confidence as the instructor, but also for the learner to feel that confidence coming from you, the confidence in them to execute the assigned task competently. That makes a big difference to overall learning

There are a many such lessons taken from across the years injected into the work we do now. Vigilance is my firm, but I have a number of partnerships with other organisations who operate in a similar space, which gives us a little bit more “resource capacity”. If work comes in then we have an unofficial bench, to use a sporting analogy, to call on so that we can each compete, with slightly larger consultancy firms. By already knowing the quality of the people that might be working with, you can be assured that if you recommend someone that they are going to be the type of person who shares your ethos, integrity and values. That is key for me.

As well as onsite (and virtual!) consultancy, we offer bespoke training courses to corporate clients on domains related to risk, resilience, security, or continuity. Our courses can be delivered to individuals, teams or indeed, right across the enterprise, whatever suits the client’s need. There is no job too small, or too big to cope with. It is just a question of finding the right sort of technique to meet the audience.

We also have a B2C channel offering courses directly to individuals and members of the public, through our Vigilance Learning channel, with a mission of Making Mastery Matter. Through this channel we will offer a variety of learning opportunities direct to customers, including relevant, high quality courses from other select providers.

As an example, we have just launched an operational resilience course, a hot topic in the Financial Services industry but, coming off the back of COVID-19, is equally applicable across any industry. What we saw is an inability of many firms to reorient themselves in the face of lockdown and continue the delivery of goods & services. There is certainly plenty of opportunity for non-regulated and non-financial services firms to really focus on their resiliency as a more conscious management decision around a structured set of working practices. We have taken what is going to be done to the Financial Services industry and drawn out the key principles that could be applied more broadly. That is a valuable piece for a lot of people.

Internal controls is another area of focus. Making sure controls are operationally effective is a focus plenty of firms could make great use of right now, so we teach the COSO internal controls framework to embed good governance, clarify roles & responsibilities and implement effective controls across the enterprise.

The security domain breaks down into two distinct fields, that of information & cyber security and more recently into the broader application of Situational Awareness, which equips both individual and organisations with the skills to be more alert & conscious of events in their surroundings, be that online or in real life.

In fact, we have just agreed a strategic partnership with the Arcuri Group in the US, as the first distributor of their market leading Security Awareness Specialist® (SAS) certification programme. Originally based on the USMC Combat Hunter programme, the syllabus and context has been substantially updated and expanded to improve relevance to the civilian and corporate markets, whilst retaining core value for law enforcement, security, and emergency services personnel.

This course changes the way you look at the world around you, being conscious of the potential threats you might face, irrespective of whether that’s a lone female walking along a dark street, or cyber attackers attempting to socially engineer their way onto your network. We may not have exactly the same threat profile as cities in the US, but even though the UK threat level has been lowered in the last few weeks, there are still many threats to be alert to, from acts of terrorism on the streets of London to phishing attacks disguised as COVID-19 track and trace messages. I would actually say that there are few people in this country who would not benefit from improving their Situational Awareness and being less blind to what is going on around them, helping them to command their space.

How did you actually get into this line of work in the first place? 

I did a business degree through which I qualified in the licenced trade / hospitality and things just snowballed from there. Having been to university and jumped out of a few planes along with the usual student stuff, I decided to, take part in a conservation expedition, spending three months living in the jungles of Belize. That introduced me to scuba diving, which is another massive training opportunity I have continued, now being a PADI Master Scuba Diver. The financial services angle is just natural if you live as close to London as I do. There is a good chance of ending up in insurance or banking just through proximity to The City, though not everyone in these sectors has the right mindset and attitude to suit this fast-paced, dynamic world

It is interesting to see that those transferring out of the military now are in significant demand in the City because, from organizing a section or platoon in Afghanistan or Iraq, these guys have got that dynamic management ability to operate under pressure. Keeping a calm head, making sensible decisions, and moving things forward. Those are key skills that people are looking for right now. “value at risk” and “probability of defaults” can be taught to anyone – they are just technical skills. For me it’s more about the character. This is both an opportunity and also an area where training often goes wrong because it focuses only on technical skills rather than developing the underlying foundations of mindset and attitude.

Have people now, as a result of COVID-19, really learnt the lessons of the need for investing in resilience – what is the market outlook from your point of view?

There are organisational lessons and individual lessons to be learned from the pandemic.

Organisationally, the resilience challenge for me, is less about COVID-19 per se, but the rapid, wholesale transformation it forced from office-based to remote-based operating models. The sheer pain organisations went through to achieve that – and some of them are still struggling to get there!, is a massive learning opportunity to draw a line in the sand, ditch the old paradigms and start afresh. The pandemic exposed widespread shortfalls in preparedness, but that forced transition has certainly made selling resilience as a concept far  easier! The Cloud has been a real boon in reshaping capabilities, though it throws up a number of challenges of its own, but where people are working through these issues it is bringing management, operations, continuity & IT security teams closer together, which is a good thing.

I would flip that on its head from the individual perspective. When you look at the scale of furlough and unemployment resulting from COVID-19, I think it is clear that if anyone was still under this delusion of a permanent role actually being permanent, that should have been dispelled now. The lesson that should have been learnt is not to rely solely on your organisation to provide you with your only source of income or security, because if your firm isn’t sufficiently resilient, you might easily be left out on a limb through no fault of your own. The same is true for individuals’ continuous professional development. People can no longer afford to rely on dwindling training support from their employers.  If you want to accelerate and develop your career, you must take personal accountability to upskill yourself to add more value and remain relevant to the employment marketplace.

Interestingly, in European markets, there is a big emphasis on the company picking up 100% of the training tab. I remember talking to some German workers, and they found it unbelievable that I would pay for my own training to learn a new skill because, in their view and experience, that is the employer’s responsibility. These days that is an extremely dangerous mindset, because what happens when the employer is no longer there? Well people found out last year as they were left high and dry at a time when the market is flooded with available people and if you do not have an edge in the skills and qualifications you need to compete in your marketplace, you will lose out.

This presents a huge opportunity for a complete shift in training. You have got universities trying to charge you £10k or £12k to do a master’s degree remotely. Then you go on to Udemy or you go on to www.reed.co.uk and you can find you can get diplomas in subjects directly linked to people’s vocations, for £200. There has to be a point where the hubris disappears and there is an acknowledgement with certain academic training that if you want more people to adopt the skills, you have to make it accessible to them, which means it has to become more bite sized, so it fits around busy lifestyles and it has to become more financially accessible to individuals, so price differentiation is a hugely interesting dynamic in the market right now.

I really hope the lesson people are learning is to take personal accountability for their own career journey and look at the offerings that are out there, such as those through Vigilance Learning, that can enable them to be appropriately skilled now for the jobs that are going to be there in three to five years’ time. This is a foundation of personal resilience.

In terms of market outlook, certainly within financial services there is regulatory pressure to improve operational and cyber resilience levels, so in the corporate training market, that should generate a need for appropriate and targeted training to improve understanding and knowledge across the resilience spectrum. Wider than this the remediation work needed to either cement homeworking as a long-term solution or settle on some form of blended operating model will also generate significant client need within the situational awareness and cyber security spaces. However, demand remains supressed due to the uncertainty of the impact of vaccination and government guidance on wholesale return to office settings. For my two cents I think COVID-19 is with us for a few years yet, even if only seasonally and the longer we sustain delivery through the remote model, the more the anachronistic presenteeism culture will be disproved.

Are companies also finally waking up to the concept that they can achieve competitive advantage from strong resilience programmes?

Slowly. Like all change, there are some early adopters who see the competitive advantage clearly, but many others see it as not relevant because regulation does not hit them, or if it does, it can be seen as just another regulatory compliance exercise….it’s not! Bear in mind that this significantly a customer-led issue. Customer expectations, particularly the millennials and the Zoomers, have grown up in a world of instant gratification & the internet, so they want digital services and they want them now! They do not want to wait for Monday for the bank to open. They want to do it on a Sunday, online.

Therefore, there is an intolerance in the consumer base, whether that is a wholesale consumer base or a retail consumer base, for failure to deliver services. Companies that fail to respond to consumer demands in the online market are going and many big names have fallen already. It is about offering products through 21st century channels, which is a complete shift for those organisations, but if you can take a multi-channel approach and continue delivery when your competitors are still struggling to cope, the opportunity in terms of customer loyalty and market share are enormous.

Sometimes it is still tough to get buy-in from senior management, regrettably the customer need doesn’t always drive organisational strategy! That is where influence stakeholders comes in, much like the recent rise in influence of ESG (Environmental, Social, Governance) themes for institutional investors. Once they see that there is potential profit & long-term security from being more resilient, investors will be pushing Boards to prioritise all aspects of organisational resilience.

What is your ratio between consultancy and your training? 

Online delivery of courses is a smaller, but a growing percentage of our book of work, but one I see changing rapidly. That shift is in part a response to adaptation to a distributed workforce model. It is a consumer-led change and it is just a matter of tweaking the delivery to better suit the online/remote model. Just last week I delivered a full day workshop to 35, 40 delegates for one firm but that is that was extremely logistically complex for them to organise, because it is not just a case of getting everyone to walk over to the big conference room. The logistics were just harder. The communication is more challenging.

For delegates it was about the equivalent of a two-day course in one day, so very fatiguing because they are constantly staring at the screen, trying to focus. You have not got that sort of vibe in the room to feed off. Staying really tuned in is more challenging. Therefore, we are looking at breaking up one day courses into two, three-hour sessions, which fits in better with teams’ working and home lifestyles and we are keen to respond to what our clients need.

There are many individual consultants, and companies, in the Resilience space – it has been a growth market. How do you stand out from the noise?

I like to think that it is about getting under the hood rather than delivering out of the box. A lot of consultancy is also about learning: it is advisory, it is mentoring for the client as well as the actual physical deliverable. You are almost teaching them how to do it in the future as well as solving the immediate problem for them, or with them.

If I am going to deliver a corporate training course, I want to know the challenges of the pain points of that client. Whether that is an individual or a team or an enterprise. What is the problem that they are really trying to solve? Firstly, because they might have the wrong training – and that has happened. I have been approached for one thing and, actually, by the time we have had some discovery calls, you actually realise it is about something else. Underlying that, you might find that X is the problem and this is where we need to focus the training instead.

It is quite often the case where an organisation has started the assessment by looking at a technical solution, but actually you realise it is a cultural problem that they have got and therefore you can change the nature of what you deliver. By doing that you have to gain an understanding of that client. Unconsciously, you have developed an empathetic relationship with them because they have poured out their professional soul to you about why they cannot achieve objective X, Y, Z. You are then there to help them find the answer – you do not have the answer. They have the answer. You are there to help them find it for themselves through it the facilitation of some form of session.

Secondly, you have got to respect the learning modalities. Is the particular audience for this cause a mixture of visual learners? If you are delivering training to “quants” you might have read/write learners; or kinaesthetic learners and others who can just sit there and listen and absorb. You cannot just do a “one size fits all” and say, “here are the slides, we will walk you through them”. You have got to think about the audience and put yourself in their shoes to receive this information.

The noise is one of the big sticking points for the training sector – so much training is broadcast, not delivered. If you just broadcast, you are putting out there, you are speaking, you are following the slides, you are running through it and then claim to have covered the syllabus – everything else is down to the student. That is no good to anyone. It is no good to the trainer because they will not come back for more, and it is no good to the audience because they will not know anything more about the subject. You have got to create a mutual understanding of the challenge and the solution.

Even virtually, which is more difficult than in the room, because sometimes in the room you can get that energy, you can feed off that energy when people are there and engaged. Even virtually you just see around the room, these light bulb moments going off at different stages of the day, you can say that the penny suddenly dropping for one more delegate and, afterwards, their interaction is just light years ahead of where it was before. Slowly you just see them get it like pins falling in a bowling alley. That is a powerful moment when that happens.

How do you view accreditations?

I am having a quandary at the moment, over accreditation or badge collecting. If you look at my LinkedIn – the irony of it – it is an alphabet after my name! I am split because, in some respects, the accreditations help build your credibility and gain exposure, but at the same time I do not call myself an expert, an influencer or guru. I believe that I have a valuable contribution to make, so if people want to listen to what I have to say, then I welcome a conversation. If accreditations help that I am all for it.

Certainly, within some of the industries that I work in, and particularly cyber space, the accreditations do unlock doors. They do serve a purpose, but it is a sign of how far you go up the mastery scale, and what they mean at each level – because it differs. I think that the accreditation is helpful when you are trying to build a profile and a presence, but the ultimate goal is to not have any badges on a scout uniform because you are already identifiable as an authority.

Ultimately I would love to dispense with the accreditation letters, because I am sufficiently identifiable from my contribution to the sector or steering direction of travel, that they no longer serve any purpose. It is very like martial arts, you start at a white obi (belt), then progress through a range of coloured obi’s until eventually the Sensei is back wearing a white obi, as he no longer needs to advertise his mastery.

What you want to avoid though is badge -chasers, who just take courses to collect the letters, but rarely does the material stick for long after they have finished, as they move on to the next new thing before cementing their knowledge with experience.

What training evolutions and innovations have you seen in the market – is it more method over product, or the other way round, perhaps? 

I have a different perspective on technology – its misuse! Technology has been abused by training teams, whether it is third party consultants driving it in-house training teams I do not know, but the misuse is from trying to solve a problem of engagement through activity. If you work in risk management in Financial Services, you will be very familiar with the annual compliance training and it used to be that everyone would just go straight to the test, do the four questions and be done in five minutes. Quite rightly, they realised nobody was paying attention and just go straight to the test because it was the same irrelevant content as last year!

Instead of make the training more relevant, they just got clever about how many clicks were needed and where, to get through the course. Suddenly you now have to click on this cloud to see more information… and then this one… then this one. Somebody somewhere is convincing people that this means people are engaged in your cause, but they are not. They are paying even less notice to the content. What you have introduced is a game of “whack a mole”. All they are trying to do is go around the screen and see how quickly they can find all the places you have hidden the clicks in order to get through this thing as quickly as possible. It is a completely false economy. That is completely the wrong way to use technology.

Where technology can be a force for good is alignment with a more social media style. A lot of this is actually being used in schools now – like Class Dojo & MS Teams operating on a Facebook-like structure where you have a feed. If you break up your training into behavioural nudges and drop these things into feeds through the course of the day, then you can actually do the same as an hour’s worth of training without anyone actually leaving the desk or even knowing that they have been trained.

A really clever use of psychology, a behavioural nudge, puts a little reminder in the back of your brain as you are doing something else – an email, a DM message, a little video. If you scroll through LinkedIn, you have got articles, videos, adverts, and links to other documents. You can use all of these techniques as ways to engage with an audience whose life is now controlled by scrolling with their thumb. People are doing work on their phone so have got to build the training to suit that environment.

That leads on to the more cutting-edge stuff, which is the gamification and the game design, which is a very innovative space at the moment. A lot of it comes from military wargaming. Certainly, from a risk, security and crisis management perspective, the ability for proper game theory and game design to improve what is largely conducted at the moment as a role play exercise – and we know how everyone feels uncomfortable doing a role play exercise. Instead, if you can use psychology to embed not the experience of the scenario, but the learning, the skills and the muscle memory of going through a scenario and making intelligent decisions, you are informing naturalistic decision-making skills by going through a simulation. It is still an emergent skillset right now, but there are a few people out there doing it and it is incredibly powerful because even in a relatively short space of time, you are setting this stuff in people’s brains rather than just putting a load of information into their short-term memory. You are teaching them the skills for themselves. It is the “teach them to fish, don’t give them a fish” analogy.

What challenges are you encountering at the moment? What are you seeing as the challenges ahead and what makes you frustrated with the training environment?

I mentioned courses being broadcast not delivered. I would also include exploitation. There is definitely some band-wagoning, where people are putting out really low-quality products because the tools are readily accessible.

You could produce a very slick looking production, in no time at all, which says nothing, but it is shiny. It has got the logos on it; the graphics on it are embedded in video and it has got enough sparkle that people who do not necessarily know what they are buying can be tempted into it. It is more about a marketing exercise to get people through the door.

It is quite insidious, and it is preying on people’s vulnerabilities. With high unemployment as a result of COVID-19 you have got even more people chasing fewer jobs in the markets. You look at your professional competition. If you are one of five thousand, how do you stand out? You get yourself some accreditation, you get yourself some training. Therefore, there were people who sat there with a fishing rod, catching you. You did a half hour course and you paid £30 for it. It is not worth the paper it is printed on. The last thing you need is to spend £30 that is precious to you and at the end of it, you do not feel like you can move forward or move towards your goals. That is pretty harsh. Unfortunately, that is society these days.

How do you equip people to spot this? There is an awful lot of material and content that I put out for free to anyone who will listen to it. Before people even come to talk to me about a training course, you can see my thoughts through my free content. You can see my integrity, you can see my attitude towards things because it is there in a post an article, the webinars, and interviews and podcasts that I do, none of which are income generating to me, but it is because I do feel that I have got something valuable I can impart to people. This is a really good way for people to validate who they are taking advice and training from because training can be informal. It does not have to be around a slide deck. It is about a learning experience. If you can get a learning experience – whether that is an individual mentorship or a physical training course or some sort of online learning that directs you to resources for independent learning – all of these are completely valid, but they do not all need to be generated because, after all, what is my goal? My goal is to help and support organisations and individuals become more resilient and aware of the risks that they face on a day-to-day basis. There are many ways of skinning that cat – some are paid, and some are not. It is just part of part of being a good citizen within the industry.

Who would you identify as a standout leader in training delivery?

I would have to start with the Arcuri Group, my strategic partners in the US. They have got an incredible track record and body of ex-military intelligence and security service personnel with phenomenal track records in situational awareness and delivery of a really thorough programme of training that really makes a difference. To have the foresight to take that out of the kind of typical law enforcement, military security environment and adapt that into what is suitable for the rest of the world to adopt, I think is a really a really timely evolution in that space. I look forward to seeing that programme expand and also gain greater reach in the year ahead.

I would highlight the International Crisis Management Conference, a US based organisation, that has huge expertise, run by ex-British military chap Rob Burton. They have a huge amount of personal experience that they bring as a company, but also in terms of the people that they bring in to support the different modules within their overall training catalogue. Some very experienced people with great track records and stories that can bring those topics to life. They are quite keen on tailoring – and not only can they do the training delivery, but then they can bring that to life through consultancy, into real life simulation running as well as learning. So, it transfers nicely there.

Finally, I would mention Ian Murphy at CyberOff in the cyber training and eLearning space. Very down to earth, and very matter of fact and he uses satire and humour well. Some of his cyber security posters are quite risqué for certain corporate environments! However, if you saw them, going down the escalators on the Tube, you would not forget them. They address things like mobile security and passwords and so on, but it is highly impactful. It is very different from the standard cybersecurity awareness. It is probably not to every corporate taste, but from an individual point of view – and there is a whole aspect of it that is directed towards individuals and families – I think that is a really interesting direction: companies are also becoming less wedded to a suit and tie and embracing that, actually, in this remote world where we are not suited and booted, but we’re still doing the same work, we can have a better work life balance, so why not introduce some more human elements into what we deliver. Those guys are really good.

Paul can be reached via email at paul.barker@vigilance.global 


Marshal is a powerful, exclusive digital marketing platform that helps to simplify and scale access to the complex Security Risk Management and Resilience market, in order to develop opportunities, drive growth and achieve objectives across conflict zones to cyberspace.

Categories: Training

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *