July 1, 2006
The need to protect people, places and things is a constant, of course. But, uniquely and ironically in this era of heightened terrorism and dizzying technology, a growing number of chief security officers, security directors and their systems integrators now embrace a business centric stance, choosing to align their programs, purchases and personalities with enterprise goals.
Such changing roles, challenging to some, will prove the best way for security to succeed as it assumes a more proactive, pivotal position.
Goodbye 32-output configurations; hello team-building cooperation. Gone is worrying about the features of the VDR-24591 DVR and welcome to the world of metrics, return on investment and “convenient controls.”
Security Magazine assembled a high level group of security executives earlier this year. Moderated by Steve Hunt, president and chief executive officer of 4A International, Chicago, and assisted by Security Magazine Publisher Mark McCourt, the group roamed fields full of missions, business demands and fond wishes for a better relationship among the CEO, IT, HR, facility and systems integrator players.
STEVE HUNTYou walk up to someone in your own organization and say “Hi, I’m the secur- ity director” but what they hear is “Hi, I’m the director of annoying layers of cost and inconvenience.” Some understand that security is not annoying, not merely a cost; it’s insurance, risk avoidance. You spend on security to avoid paying this other cost instead. But, I’m wondering if perhaps there is a higher level of enlightenment. So in your changing role, do you continue being that annoying layer of cost and inconvenience or are you achieving the goal of enabling your business?
DAVE SHEPHERDBeing here at the Venetian we have approximately 80,000 people a day that come through this property of 7.5 million square feet of space. Our job, number 1 job, mission in life, is preservation of life. Second is protection of the property. Our security has to be effective, yet unintrusive; and that’s one of the biggest problems we have in the hospitality industry. We cannot take and lock down the property like you do at the Washington Monument when you have a threat. We cannot set up an airport style security system like you have at McCarren, otherwise people will not come.
So, our security has to be effective constantly; thus the way we look at things has to be completely different than it would be in the chemical industry, petroleum industry or shopping center, or any of the facilities that allow people free access. That’s the biggest difference between a hard target and a soft target in one word, accessibility. We have to allow people access to the property and if we don’t, we lose money. Security’s no longer looked at as cost. Look at us as a way to try to help. For example, we train people here on this property in 17 different areas of security to insure guest safety. We have two medical technicians per shift; we average ten medical calls a day. We have 18% senior citizens. We want to insure they all come back.
STEVE HUNTStill, no matter a casino or shopping mall or chemical plant, there are some fundamentals that are similar. You’ve got to know who people are and what they are doing, to some extent influence or control behavior and keep track of that behavior. I’m wondering if running security at a casino is more difficult than running security for an energy plant.
DAVE SHEPHERDIf you’re looking at how a place is run, it gets back to access again. In an industry like hospitality, there are not the same standards as in other areas. The standards we have are based on convenience and safety. For example, we have to look at whatever is out there to try to protect access to our IT rooms. As an example, we have thousands and thousands a day of attempted intrusions into our systems because we have players from all over the world. If I have an issue concerning fire, one thing I worry about is the elevators. I have 70 elevators in this building, so we have to train our staff to deal with elevator emergencies, well before the event actually happens. So we have several hundred people trained just in elevator emergency procedures. We try to analyze events going forward. Any given day, we have 35 different countries in this building. So, our challenges are more than would be at energy plant. Because we have people coming in, 80,000 a day; you’re not going to get that many people coming into an energy plant.
MARK MCCOURTThe security role has changed after 911. Specifics?
DAVE SHEPHERDThe changes now start for me every morning. We have information sources to alert us concerning anything happening in the world. We also look at how we manage our business and how we manage our business is managing the people, making it still customer service friendly. So our emergency command centers are based on natural disasters, life safety, terrorism and health concerns. And that’s how security has changed now.
STEVE HUNTDo your senior executives understand the value that you and your security team provide?
JOHN MARTINICKYWe build trucks, engines; we have a financial arm; so it’s really more of a business-to-business operation. It’s very dispersed around the world. I think probably the biggest change that we made is, about five years ago, we started measuring all the security activity. We got tired of hearing security doesn’t do anything. We are not just for security, but also first responders for fire, HAZMAT responders, provide first aid, medical responders as well as a customer service interface. Those metrics really were the key to putting a whole different perspective on what we do and really raise company awareness to WOW, we had no idea. Because a lot of things we do are really behind the scenes, so when we started quantifying, in addition to the traditional – investigations, access control and cameras – the other tasks were more visible. For example, we put in a program just last year, Travel Tracker, in which we track where everybody travels. As soon as their reservation is made, we know what happens, automatic advisories go out, if there’s a crisis, whether it’s weather related, natural disaster, whatever. So, our senior management, our board of directors, I think we’ve really changed the perception of what we do and we’ve shown them those values through those metrics. Another challenge is compliance with all the different government agencies. You have to deal with them in order to grow the business so that’s been a big boost for our team as well.
STEVE HUNTIf you don’t measure it, it doesn’t exist. That’s a valuable lesson: To learn to communicate the value, to communicate how we’re enabling business, we have to actually measure it. Some are getting pressure to do that versus taking the initiative.
JOHN MARTINICKYThere was really no pressure, I think it was more, I knew what the team did and it was how do we get that message out there. I just thought we needed to be more aligned with other business models in the company to get what we want. So whether we need to ask for a million dollars for a new access control or command center in South America, we needed to have the hard numbers rather than go in with the doom and gloom.
MARIA GONZALEZBesides everything that we know about security, the safety issues, the insurance issues, I think that with the new technology we have today, more are seeing security as a marketing and a management tool. We have marketing companies looking to access live footage from stores to see the buying trends and what works. You’re also seeing it as a management tool.
BUTCH PRACOLEAt my casino, top management has always been sensitive to security requirements both from the point of view of regulation as well as the life safety mission within and around the facility.
JOHN MARTINICKYWhenever we put systems in, I always try to find a complementary additional benefit, non-security related, to pitch it. When we put our systems in South America, our engineers saw this and said, Wow, can we monitor some of these, when there’s a problem instead of having to fly down here all the time, can we monitor some of these processes? So they use the security video system.
MARIE GONZALEZRemotely, developers, when trying to sell their property, look to have the video surveillance as a tool to show the building being built right now. It’s a security tool to check in on the guys, make sure they are doing their work. But now they are also using it as a marketing tool for the buyer so he can see progress.
STEVE HUNTTop management is looking at different security things that should be done that are not done so they are asking questions.
DAVE SHEPHERDBut now you also have an obligation by the companies, more now than every before, because they have obligations to their stockholders, their bond holders, their employees, to the entire community where they are to insure they have things in place now and people will question where they haven’t before questioned, people will look to see if you have it. We have bomb dogs. People feel secure because they see the dogs. They look at things differently now. But some things cannot be measured. You cannot measure your feeling of safety.
STEVE HUNTConcerning technology and different uses of technology, there’s talk about IP this or IT that. But a lot of the new sounds like the domain of IT.
ROY HAYESThat creates a lot of problems for me, I’m a system integrator and primarily we take care of the Federal government and their facilities so what you have is a cross-section of people. In our hot security areas, where we’re working in real classified situations, those people are aware of security and they accept it as part of the job. But elsewhere, it’s a different story. So the government has a consistent set of rules that they like for us to apply to their facilities no matter where they are located. But I think to align to the business, or make security an enabler, we had to also show that we’re just going to make the way they do their jobs a lot more secure. After 911, we got a call, they had facilities from Hawaii to Washington, D.C. and cost was not the primary factor, safety was. A major thing that we’ve been able to do is to get the employees, the ultimate end-users, to buy into the systems and in doing so, we’ve been able to align it with their business processes.
DAVID LEVENBERGThe way I look at it, IT is an enabler for security. Relative to Katrina, we have three shopping centers in the New Orleans area that were affected by the hurricane. We had to get into certain places, we have to find our employees, we had to do a lot of things quickly. Our management people who had to accomplish those goals didn’t have the capability without the fact that we could mobilize quickly an armed group of people who had the ability to get FEMA credentials, the ability to shuttle them between places. Our security people were not there to do their job, but our people were there to make it feasible for others to do it. So, I look at IT the same way. We use a lot of security video throughout our shopping centers and we use remote video. We have our leasing people coming to us. I want to show them the adjacencies. I want to show them the traffic and we can do all that from Chicago. So, it allows now our leasing people to do a better job without spending as much money to travel to each of these 225 shopping centers around the country.
STEVE HUNTWhat do you have to learn or what relationships do you have to build in order for IT to be an effective enabler?
DAVID LEVENBERGObviously, you have to have a great relationship. The IT group has to understand what you’re trying to accomplish and it’s like any other sales job, you’ve got to be able to convince them that what you’re doing is going to benefit them.
JOHN MARTINICKYThere has to be a tremendous partnership between the IT program and physical security. It has to be that way. We have to make decisions at a moment in time, using data that comes in from the IT program or the physical security centers or whatever; we make the decisions.
STEVE HUNTWhat are the pieces of corporate security, IT and IT security that you can streamline?
JASON GONZALEZWe talk extensively about convergence, integration, accountability, preservation, networking, both in the physical and electronic sense of the word. We talk about merging skill sets, investigation, protection, redundancy, partnerships, dynamics, synergy and then you ask for a clear line between physical security and data security and personal safety. We sell management and increased productivity. We sell a very, very severe impact on bottom line. I am an ambassador between organizations from a security world, whether they are physical, data or loss prevention. Before you can define where there’s a line between physical security, IT security and departmentalization, I think, you first have to define what the assets are that you’re trying to protect.
ROY HAYESWe define the roles; we tell IT security, you’re going to still have control of your assets; and physical security, you’re going to still have control of your assets. But you’re all going to work on a common platform and what we also have to do is take out all their technical jargon. And then gradually people get educated, get the buy in. And then you’ll get the conversion that you’re talking about. But it won’t happen at once.
DAVID LEVENBERGWe are still talking about silos within a company -- a security function, the IT function. A couple of weeks ago, there was a very interesting speaker who made a point that really brought it home. He said he knows a VP of security for a company and when this guy introduces himself, he introduces himself as the vice president of ABC company, not the vice president of security. And the expectation of our CEO is that the security function is aligned with the company vision. Every one of our companies is in the business to make money. Upper management wants to see us as business people, not as security directors or IT directors. So, our company, from a marketing standpoint, has realized the real critical role that the uniform security officers play in our businesses and how that creates value for the company. So I think in order to progress in this industry, I think we have to talk more about how we’re aligned with the company and not simply, this is my role, this is IT’s role, this is marketing’s role. We have to understand how we bring value to the company.
JOHN MARTINICKYConvergence is similar to what occurred maybe five or six years ago with risk management – is security and risk management going to converge? On the technology side, there is some commonality with the IT operation. But there are so many different things. We run all the background checks, we do the drug tests, and we do the travel advisory, we do the safety. There are so many different components so that to say convergence makes sense, it only makes sense as a team. I put together a group and I didn’t call it a committee or a task force, it was kind of an informal group called emerging issues and I pulled people into this group, once a quarter, and everyone takes turns hosting it so there’s no one person. It’s really a good team environment so there’s no turf issues or you’re encroaching into my silo.
JASON GONZALEZConvergence will occur when we stop looking at it as IT and as security. It’s one in the same; we’re all part of a corporate team and a corporate structure.
STEVE HUNTWhat’s on your wish list? What technology do you wish someone would invent? What service do you wish someone would provide to you?
JOHN MARTINICKYMy wish is simple and that is honesty from the (security) sales people, from the integrator. We’re thirsty for the technology; we’re thirsty for the creativity and the new stuff that’s going to make it better for us. I would say 85% of the time there is something that they’ve told us it will do that it will not do and so we’ve all wasted our time, our efforts.
DAVID LEVENBERGI would like a kind of a consumer reports of security technology that actually takes the spec sheets and puts them side by side. That would be great.
JOHN MARTINICKYI think there needs to be some standards, almost like a nutrition label of security, that says this is the bandwidth, this is the minimum of what it will or will not do. I mean, it was just all over the map. I mean, basically we had the software issues, we had different technologies, and we waited until it stabilized, but I think some standards and consistency between all the products would help.
MARIE GONZALEZWe’re meeting with IT and they’re full of standards, that’s all they know and we don’t have any so they are saying, what do you mean. IT and open architecture are bringing a lot of those standards to the table and letting us be more IT-friendly and being able to play on their turf.
DAVID LEVENBERGWhat makes things difficult is that the new toy looks so much better than the old toy. But get to a point, give us all you’ve got, instead of waiting for the next year and the next year.
ROY HAYESWhat I would like to do is extend the life cycle of the systems. Then we can better utilize the existing infrastructure as much as possible and still get the improvement of the new technology.
JASON GONZALEZIf we have guidelines and rules that were created by all sides of the table – the manufacturer, end-users and systems integrator, then we could hold their feet to the fire.
SIDEBAR: To Everything There Is A SeasonAnd in the early spring, Security Magazine assembled a top-notch group of security executives who interacted with each other and Security Publisher Mark McCourt and columnist and convergence guru Steve Hunt. The topic -- the changing role of security. Participants were:
Systems Engineering, Inc.
David Levenberg, CPP
Vice President of Security & Loss Prevention
General Growth Properties, Inc.
John Martinicky, CPP
Director, Corporate Security
International Truck and Engine Company
C. David Shepherd
Executive Director of Security
Venetian Resort Hotel Casino
Four Queens Casino
Visual Management Systems