Foundational security for the 31st century: Let’s get the basics right

In this Express over Espresso episode, we talk with Casper, a Certified Security Management Professional and has two master’s degrees. 

He has extensive global security experience in a corporate, operations and field environment. He is an expert in executive level advisement, department establishment, management and improvement with very strong communications and interpersonal skills. Further expertise is in security technology & development with analytical problem solving, strategic deployment and further development of an organization’s personnel and assets. He is a specialist in global security management with an established network, corporate security department development and advanced management thereof in the office, operations, and field environments. He has more than 23 years of global experience in corporate and private security management, security technology convergence, specialized security training, operations, people & assets management, with a strong focus on the Middle East, North America, LATAM, Africa, Asia (Inc. Pacific) and Europe. This included military service in various specialized military units in three different countries (France, South-Africa, U.K.), which included 6 years in Special Forces. Casper currently work as head of corporate security for the Mosaic company, with 8 years of service so far to the company.

Podcast transcript

Khushboo: Hi Casper. Thank you so much for joining us here today. How are you? 

Casper: I’m doing very well. How about yourself? 

Khushboo: I’m doing great. Just looking forward to the weekend. I’m super excited. 

Casper: Yeah, no, me too. I’m always excited for the weekend. Even when I travel, I try to be home by Friday. 

Khushboo: Yeah, yeah. We all need weekends after that busy week, right? 

Casper: Yeah, exactly. 

Khushboo: Awesome. All right. So super excited, as I said, for the weekend and to be talking to you today about all things that you are doing in the security and corporate security, cyber security space. But before we do that, why don’t we start with a quick background? It’ll be great for us to start with your background, like where were you born and raised? What was childhood like? And also, what are your family dynamics a little bit? 

Casper: Yeah, that’s a good question and an important one. I was born in South Africa and I also went to the military there. I was in special forces for several years. And from there, I actually went to the British Royal Marines. I’ve had a long, diverse military career to start off with. And I almost followed a typical military career path. 

There was a typical path that folks followed of joining the military, afterward you become a military contractor or a private military contractor working in all these austere environments. But in my mind this kind of work was, it was more short term. And so after my military career, I actually started looking at the corporate industry. And I quickly realized that it is a very competitive space. So someone who just comes from my background in a special forces kind of environment, there was a big ladder to climb to compete with folks that’s been in the industry from the get go. 

When I started working for private companies, I immediately started studying, doing courses. And I worked project work in Africa, in the Middle East. But after hours, I was actually studying. And today I have two master’s degrees, several diplomas and course certificates. And I continue to study I’m currently looking at a PhD. And yeah, so I’m moving through the different companies, Fortune 500, blue chip companies that I work. 

I realized again, without investing in your own education, it is very difficult to be successful in the market, you know. And investing in education doesn’t necessarily need to be a degree. It can be working groups, work by experience, just short courses. But it’s important to keep on investing in that. And so, enough about my education piece. But yeah, so my family dynamics is I’m happily married with two little girls. And they make sure that I get back home on a Friday if I travel, so I don’t waste weekends and not be home with them. 

And yeah, we currently live in the United States in Florida, Tampa. It’s a great state to live in and to raise a family. I’ve been here now in Tampa, Florida for about, this would be my fourth year. We really enjoy calling Florida our home now. 

Khushboo: Yeah, I would agree 100% on that, because I was in Florida last week. And it’s just such a beautiful place to be and live. And it’s so pretty. The beaches are amazing. And it’s overall a very good state to live there. So I agree with you. Yeah, very good. 

Casper: Yeah, I really enjoy it here. I think we’ve settled in well. And we transitioned before this. You know, I worked in South Korea, the Middle East, Latin America. And it’s definitely a great place to settle in and continue to raise your family. 

Khushboo: Yeah, yeah. Awesome. All right, now you, what you shared from there, like, you are well-traveled. And you’ve spent so many years in the industry and did so many diplomas. And everything is going so smooth. But now, if I have to ask you, from where you started, when you were growing up, what were your career options then? And how did you get so much excited or interested in technology and innovation? 

Casper: Yeah, so that is a very good question that I haven’t told many people about this. So your listeners will probably learn something that very few people know, you know. So when I was in special forces in the military and in the British Royal Marines afterward, and doing contractor work, one, aren’t so exposed to the corporate world, because you typically work on a project site in a remote location. And that’s typically on a rotation basis. It could be eight weeks on, two weeks off, or 12 weeks on, two weeks off. That just depends on where it is. 

In that kind of environment, you’re not exposed much to how it works in corporate America or global corporate. You know, it’s because you’re so focused on those project environments. And a typical after-hour do is after the day’s work, folks would get together, and they would either watch movies or play games or whatever, or go to the gym. They don’t really, some people do, but it’s not often where you get someone who uses the downtime to study much. 

The part that I haven’t really told anyone is, I was working in West Africa on a big mining construction work, and we were also on difficult rotations, like 12 and three, 12 months in country, sorry, 12 weeks in country and three weeks vacation. And it was an American construction company, and I’m talking about maybe 2009, 2010, around there. 

I was the security manager for the project, physical security manager. Around Christmastime, December time, most of the expatriates wanted to go home for Christmas. And typically, the company standard, they need to have at least a manager to remain at site, because that’s what’s needed at minimum for the contract. You know, you can’t send everyone home. There must be presence there, and you need at least a manager to hold the four. 

I volunteered, because my rotation wasn’t, was, I just came back from rotation, so I was going to have to stay there anyway. But I volunteered to keep the office, since I was the security manager. And then I didn’t hear anything from the leadership there, but I’ve overheard them speaking about, oh, Casper doesn’t have any qualifications at that time. You know, he’s just from the military, doesn’t know our business work. 

They had doubt if I’d be able to do that, so they didn’t want me to run the fort there, even though I’ve proven myself over and over there and that sat with me. Something like that I’m sure happens a lot with people in the industry can go two ways. You know, you can either let it bring you down, or you can use that energy and channel it towards something positive. 

That motivated me to become a security guy with more qualifications than leadership. You know, even still today, that motivates me, that very small incident that happened there. I channel all that energy towards being successful academically. Typically, for a military person that wasn’t an officer, NCO, a non-commissioned officer, to have successful academical roots after the military is not so common, you know. But I use that incident to help me wherever I am to continue study, continue education. 

Today, it brought invaluable fruit for me in the industry. That’s really how my career started. My supercharge into technology is after I left the Middle East, I was fortunate enough to work for Samsung Engineering in their head office in Seoul in Korea. Really, there was where I was really exposed to technology and development and how fast this world moves, how much is actually being developed, and just put on the shelf until the market is ready to push it out, how this works. 

Even though I was already interested by then, but that time was really opening up my mind towards this industry we live in today. 

Khushboo: Awesome. That’s a very interesting story. Thank you for sharing that with our audience today. Now, talking about your journey and your story, you started in like 2003 with your military and then took the security roles. Today you are the head of corporate security at the company. Now, if I have to ask you to kind of sit down, look back from where you started your journey to where you are today, what would be one or two stories of your biggest wins or your achievements, something that you feel very proud of sharing today on this show? 

Casper: Yeah, I could probably start with a very recent item. Well, let me go back to my Middle East days. We worked for a large American construction company in the Middle East again, and we were building a mega mine port and rail facility. The security package for this massive project was several million dollars, almost an amount that you can’t believe, probably close to $100 million for a total start to end security package, which includes physical and cyber side of the security. Because this project took about five or six years, I started the project for the company kicking it off. Within the first year is when I left and started working for Samsung. 

By the time I left this location in the Middle East, I really didn’t even know who Mosaic were, but I just started seeing Mosaic’s name on the drawings. But at that time, it didn’t bother me at all because I’m going to Samsung now, you know. So then I worked in Samsung for about two and a half years when I got contacted by Mosaic. 

They explained to me who they were. I realized that, oh, that’s actually the company where I left, when I left Saudi Arabia or the Middle East that just started appearing on the engineering drawings. So they were looking for a security person that has been there that’s understanding physical and logical or cyber security aspects. 

They saw that I was there, I’m working for Samsung now, and if I’m willing to come back, because this project is now close to completion, they were at about 75, 80% there, and they really need someone to lead the holistic security aspects of this mega giant project, because once it’s on completion, you have $100 million worth of infrastructure that needs to be commissioned, signed off, tested, make sure everything is correct and completed. 

So a long story short, I agreed then to start working for Mosaic back at my old location. I think one success story that I’m really proud of is I commissioned and accepted that major, major security infrastructure that was built in Saudi Arabia for that project with a very small team. We worked very hard, several long months, but we managed to go through a massive project like that in less than a year and push it into acceptance. 

That’s probably one of my first big achievements. It’s not only talking about commissioning access control gate this is cameras, security network, access control, physical infrastructure of the cameras, motion detection, fencing, security buildings. It’s a very big undertaking that we had to do there. Then successfully handing it over to the end users the local folks that would operate it, is another aspect to train them on all this technology that we just commissioned for them. 

That was probably about a good 10 years ago, and the second big success story for me is more recent. It started during the COVID pandemic outbreak, where in our company in Mosaic, they were looking at keeping people at work because we can’t, in Mosaic, they can’t just shut down the facilities. It’s a critical need to the world, making fertilizer and the agriculture industry, because we need to continue to produce food for the world, and Mosaic helped to achieve that. So we had to continue to work, but do it safely. How would we do it? 

At that time, we were looking at touchless entry, having 100% accountability on sites for the business, so that you can do effective contact tracing, and then also to have a way to try and identify if someone comes to work with a high fever or temperature, and to integrate all those aspects into one required some thinking and some ingenuity. 

So what we did was we tested as many thermal-type cameras as you can think. We looked at physical identity access management, which is a software system that ties in your access control, your camera systems, your… Any system that you use in your company regarding security ties it all into one. So we selected a vendor for that, and we tied all the… We installed a whole network of thermal cameras, and temperature-measuring devices in the company, and our company, North America, have a very large footprint. So we managed to automate this whole concept of someone coming to work, scan their temperature, tie it into access control, and have automated access so that they don’t have to touch anything. 

So that was another very large undertaking that I think, under the circumstances, my team and I executed very well. Again, very little, very few people, as common in the security world. You don’t have a large amount of staff. But, yeah, we managed to do… I think we managed to implement successful touchless entry with being able to identify someone that come to work with a high temperature or have elevated temperatures, and successfully being able to do contact tracing. So those are probably the two biggest success stories for me so far, if I have to connect, like, a dollar amount to it. 

Khushboo: Yeah, thank you for sharing. It’s amazing, both the stories. I mean, I’m sure this is definitely something that must keep you proud, right? So thank you. Now, while we’re talking about the successes and the wins, failure is also part of life. We’ve all failed at some point. So if I have to ask you, like, what are most… What are your most epic failures where you have failed, but then also those failures have taught you what not to do? 

Casper: Yeah, so that is a very good question. I think not many people like to answer those kinds of questions truthfully anyway, because it’s so difficult to talk about failures. But for me, if I look through my whole career, I think the biggest failure would be is if you did not manage to help someone, or if someone in your group or your organization didn’t want to do something, so they didn’t want to help someone. So for me, we provide a service to our customers, which is the rest of the business, and we need to help enable the business. 

So in my mind, a failure is if we couldn’t succeed with helping someone, or even sometimes you’re so overwhelmed just time goes by, and you couldn’t help people. So really those kind of things is what I learned from. If there was a reason for us not being able to assist someone or help them or protect the business we, I focus a lot on doing a good case study about it and dissect that why did we fail or why did something go wrong? 

Yeah, so there isn’t any single big event that I would say was so bad that that we incurred a big hack or a big significant risk on a physical side. But every time we have to turn around a customer is something that I see as a failure and that I work every time to correct so that we don’t turn the next customer around that comes with the same issue or problem. Awesome, all right. Now talking about like how important it is for people to look into their professional and personal development and continuous learning. So if I have to ask you, like, why is continuous learning essential in today’s rapidly changing work landscape? 

We cannot forget tools like generative AI, which are like more powerful in today’s space. So how does it contribute to one’s career growth and adaptability? Yeah, I would actually start by asking if you have any older listeners I don’t want anyone to give away their age, but anyone that’s like on the 40 years plus who’s got smaller kids or even grandkids for that matter, have you ever heard or actually said, oh, I don’t know how to do something on my mobile phone, but I’ll give it to my little kid and he or she will show me how to do it. You know, so that’s an example of why continuous learning is so important in a rapidly dynamic and changing world. 

Because technology changes so fast that if you don’t keep up with it we’re gonna be at that stage where we ask our kids, hey, how do you do this again on your phone? It’s actually something simple, but because the kids keep up with it, they play with it every day so they know how to do all of this. So in my mind, that’s why it’s so vitally important for us to keep up to date, especially in the security world. You know, the bad actors or the bad people out there it becomes so much easier these days to commit online crimes and with the tools that’s available. 

I’ve recently been to a very interesting FBI seminar where they’ve spoken really about this aspect of the development of crime, how fast it’s changing, and and the technology that assists people in that, where the FBI said to us that there’s actually two significant groups that you see in this. The typical hardline criminal that used to deal drugs and run guns and that kind of thing, that industry is very dangerous for them. 

They’ve realized that with modern technology, you don’t have to be very smart to do nefarious online activity. So a lot of those hardline criminals are moving towards online crime just because technology is making it so much easier for them. Then the other group that they have is obviously your young aspirant teenager type folks who wants to prove themselves or to someone, but by far the old hardened criminals are starting to take over the space. So if they, so they can’t, for example, just go and execute a warrant thinking that, oh, it’s gonna be some youngster. They actually have to be very careful when they try and arrest someone that was up to no good in that space. 

So that said, with technology changing so much, if you do not stay up to date with the industry, you will be left behind. You will leave your organization exposed in the sense that you won’t know what the new trends are, what the latest patches are, or in a physical side, what is the latest crimes being committed? How do they do it? That who, what, where, when, and what their after aspect will be lost for you. 

We all know prevention is better than a reactive measure. So if you can continuously improve or continuously keep your education or your knowledge, at least up to date with the industry, and I know security is a very big industry because you have all the aspects of physical, you have all the aspects of logical. And so it’s a very wide area to stay abreast of, but focus on at least the key things that’s happening. I think it’s critical, critical to do that. 

Also, alongside that is to have a great relationship with law enforcement’s arm in that field. For example, your local police department might not have such a great cyber-orientated security aspect, but when you go more on a federal level or in the military side, they are very much focused on that. 

The public provides a great sense of partnership for them in that field. So partnerships, it’s a very important thing to have. That helps you to stay abreast of the latest cases that’s being dealt with, even before it hits the news. But yeah, again, I would reiterate that if you don’t stay up to date with these things or continuously improving, you’ll be lost and you’ll continuously ask your kids to show you how your phone works. 

Khushboo: Yeah, absolutely. I couldn’t agree more. Now, again, in the cybersecurity space, if I have to ask you with the rise of smart buildings and IoT devices, the attack surface for both physical and cyber threats has expanded, right? We were talking about all these threats with the online, things available online can be scary. So how can organizations effectively address the security risk posed by these interconnected systems in your opinion? 

Casper: Yeah, no, that’s a good question. Actually, not just a simple one-line answer. With everything becoming smart these days, even your suitcase when you travel is these days a smart suitcase. How many times do we hear the airline says to you, if you check in, take the batteries out of your suitcase. So buildings and cars and everything is just rapidly becoming automated and technology smart. It’s a very critical world to stay abreast of the protection side of this. 

Organizations that are more seasoned in the approach, I think the first great approach is if they combine the physical and cybersecurity department. So many organizations or companies I see out there, they still have the physical and cybersecurity groups and the separate groups reporting to separate business lines. 

In my opinion, we are far past that time where these two organizations or departments are working in separate silos. The first step that any company should do is combine this. Even if you’re a small company that have one physical security and one cybersecurity person, the group should be combined and they should have the same reporting structure because many of these attacks that we see today for nefarious activities start with a physical event. 

After the physical event, the cyber events take over and it can be as simple as an employee bringing a physical thumb drive into the organization system and your insider risk is probably the biggest risk always out there. So having your physical security and your cybersecurity team combined is the first step that any organization can do. And I’m not talking about reducing your staff because these two groups do very different functions. 

They just need to bring them together under the same leadership direction in the company. From there, I would say it is very important to look at synergized technologies between the cyber and the physical side. I mean, one thing that I alluded to earlier is physical identity access management, where on the cyber side, you have logical identity access management. 

These days you have platforms that can vary with the best technology and security protection out there. These two aspects are combined these days and you can implement the logical and physical identity access management together. What that will do is it will tie your physical side to your logical side and give that overview to the folks working in there. 

You know, then I don’t want to use this time to promote specific companies, but I do want to encourage folks to spend the time and look at these PIAM solutions out there and then ensure that your leadership is supporting these two groups, or hopefully you’ve managed to make them one group in your organization, but leadership support is so vitally important for the success of these two professional type of people. 

And I know I’m not telling you exactly where to put your firewall or anything like that, but these professionals will know exactly what guardrails to put up and where to put them. But for them to be successful, they need to have at least these minimum steps in place that can help them. 

Leadership support is so important because if it’s that good old saying that people look at if leadership is saying this, but they don’t do this they’re not going to really follow. And if you want your employees or the workforce to comply or the organization to comply with your guardrails or your technology that you implemented, it starts at the top. Even if something slows things down a lot of the times if you work in an operations capacity where production is essential, they don’t want more guardrails because time is money for them. 

The more they can produce, the faster they can produce it, the more money they make. So it’s the same with health and safety. Every time you put a guardrail in that might slow them down, they resist tremendously. But then if you have an incident and maybe there was a ransomware attack and they locked out of their account, then they can’t work at all. So however long that’s going to take to get resolved, they’re going to get zero income. So having the right leadership structure to support the security team or teams is so critically important. 

And then making sure that they have the resources to use. It doesn’t help you. You have a great security team, but you don’t want to invest in technology. If you don’t want to invest in technology, it’s going to be almost impossible for these folks to protect your organization properly. 

I don’t say buy the Cadillac or the Mercedes of everything, but at least have the minimum software or technology available and invest in that. Ask your cyber and physical folks to give you a plan. You know, if you don’t have anything yet, get an incremental plan where you’re going to incrementally start investing in technology. Talking about this, it came back to me. One of the things that the FBI mentioned to us of organizations that is mostly targeted is not by the industry they’re in or the name of the company. 

These actors go on the dark web and they actually scan through the dark web, all the networks that they can find and that’s available. They look at what companies or what addresses don’t have the correct patches or up-to-date patches or security gaps. They can actually see that. If they find any one of those addresses or companies that have a gap or a non-updated patch or anything like that, they will focus then on that organization without even knowing what the company does or who they are. 

Just because they picked up a vulnerability is because that’s where they’re going to focus on. So again, it’s very hard for folks to stay abreast of these things if your organization don’t invest in technology. So yeah, I know I’ve said a lot and a lot of it sounds like, oh, I know all that, but really it starts at the basics. If we can’t get the basics right, then we won’t get the rest right. 

Khushboo: Yeah, no, this was super insightful. And I think a lot of audience from our podcast will get benefited from this conversation. So Casper, thank you so much once again for coming on the show and sharing these amazing insights and nuggets from your experience and your expertise around security and operations. Before I let you go, if I have to ask you, if people want to reach out to you and talk about or consult about the work they are doing, or you are doing, where can they find you online? 

Casper: Yeah, the best is probably to look me up on LinkedIn. At Casper, Casper Eloff, there’s not many people with that name and last name. So it’s pretty easy to find my profile on LinkedIn. And I think if you post maybe my LinkedIn link afterwards when your podcast go live, then it’s an easy way for them to get ahold of me. And my private email will be there on people that I accept. And yeah, people feel free to reach out to me. And if you have, for example, if you need to make a big major technology decision in your company and you just need a spare set of eyes or someone’s brain to pick or a reference check or anything like that, feel free to reach out. And yeah, LinkedIn is for sure the best starting point to get a hold of me. 

Khushboo: Sounds good, sounds great. All right, Casper, thank you so much. I wish you nothing but the best. Enjoy the weekend ahead. 

Casper: Thanks so much. I hope you also have a wonderful weekend. It was great talking to you and hopefully the audience find this very useful. 

Khushboo: Yeah, I’m sure. Thank you.