If you go way up in the air and look down, welcome to mother earth, with hundreds of thousands of countries, cities, neighbors, laws, regulations and cultural differences. Back here on earth, for security executives with responsibility for protecting a global enterprise, the assignment blends consistency of policies, procedures and technologies with a measure of tailored operations in far-flung locations.

There is the need to protect the brand and the enterprise’s reputation across thousands of miles; the need to work with local, dispersed staff and distant outsourced companies; a requirement to face and handle regulations foreign to U.S. ones; and the ability to create levels and implementation of security technology from global to local.

For Microsoft, its Global Security team must protect resources at hundreds of sites. This task includes monitoring more than 27,000 pieces of hardware: card readers for physical access, cameras, fire panels, environmental alarms, biometric security systems, duress alarms and additional devices and sensors. Global Security manages more than 185,000 active holders of access cards and more than 30 million system events each month, for example, users who have misplaced their access cards, maintenance alarms, unauthorized access, building fires, or natural disasters.

While Microsoft is an influential world player, there is no bigger and more important a global, mobile and ever-changing operation than the U.S. military, including the Navy. In a telling example of handling its “always on the move” personnel, it has tailored a security system to each individual at a unique housing facility. For instance, at Pacific Beacon apartments in San Diego, the first privatized community in the world for enlisted single sailors, “We wanted to provide the best possible services at every level, including appliances and security,” says Sam Bellas, development associate at Clark Reality Capital. The integrated Pacific Beacon security installation includes card access controls, video, a fiber backbone and the Navy’s common access card (CAC), which provides secured access anywhere worldwide.

While America’s Navy is “a global force for good,” there are other earthly assignments that involve special sports and entertainment events.

And in today’s rough economy, firms such as IMS Research predict that such world-impacting events stand out as a Petri dish of the future of security. From the 2010 Winter Olympics in Vancouver to horse racing at Churchill Downs, venues now embrace security systems to reflect the dangers that come from events’ global spotlight.

Another Olympics security twist is a long range acoustical device, which directionally broadcasts sound and spoken instructions at long distances. At closer range, it can also broadcast incapacitating blasts of earsplitting noise. There also is concern in Vancouver that a cyber terrorist could disrupt the Games. Avoiding such incidents is the charge of Barry Caswell, director of information technology operations for the Vancouver Organizing Committee, who, with the help of firms such as IBM, is building expensive protection.

Keeping Olympics’ viewers and participants safe mirrors the need for higher level security at other venues such as Churchill Downs for its guests and four-footed runners.

Home of the world-famous Kentucky Derby, “Churchill Downs is an open environment,” says Chuck 

Millhollan, program management director for Churchill Downs, Inc. “Even during non-race days, it had been common for people to walk about the facility freely. At the same time, we need to maintain a high level of protection for our employees.” So the facility upgraded to a higher level security management system, including proximity cards and readers.

What such global enterprises share when facing their common and unique security requirements can be summed up in two words: strategic planning.

Different than business planning and security planning, strategic planning is an organization’s overall process of defining its strategy, or direction, and making decisions to allocate resources to pursue the strategy, including capital for technology and people. Strategic planning is a living thing that changes and evolves, especially in a global environment.

He points out that things must be somewhat different at different locations. “If you come to Redmond, Washington, security is different than in Istanbul, Turkey, where there is harder security.” In a campus environment such as Redmond, “There are access controls for entry and egress, outer perimeter protection for flow of the traffic, biometric edge devices for higher security needs, scanners, digital video and other edge devices such as sensors,” to name a few.

From local to regional to international, it is not surprising that Tuskan sees infrastructure as essential. “You must have a good, strong, robust network. With the right infrastructure and right connections, you can manage anywhere,” he says.

One of the biggest strategic decisions that Microsoft Global Security made was to have its physical security focus take advantage of strategic IT convergence.

At Microsoft, the strategy for developing the processes and solutions that help provide physical security includes a partnership between the internal Global Security and Microsoft Information Technology teams. This partnership takes advantage of the available technology and technical resources to provide a scalable system for life safety and facility monitoring that can be managed from virtually anywhere in the world.

Uniquely, through the establishment of three regional Global Security Operations Centers (GSOCs) and the strategic deployment of security systems, the Global Security team is improving the way it protects Microsoft assets, information, and employees. By aligning physical security drivers and IT delivery mechanisms, the team can produce an environment where physical security and IT complement each other rather than compete with each other.

Approaching security as a unified initiative enables Microsoft to monitor and protect more assets by using fewer resources. Global centers for security monitoring can deliver total interoperability, including failover capabilities as necessary. To effectively monitor and protect its resources, Microsoft Global Security built its solution on ten essential design principles to provide a layered security model.
It focused on:

1. Deterrence value: Security measures must strike a balance between security and functionality. By simply making people aware of monitoring devices and other physical security measures helps to deter theft or trespass.

2. Remote monitoring: Monitoring security systems from a remote location provides the ability to centralize the administration and response. The firm also takes advantage of remote functionality to maintain and troubleshoot the physical security equipment over the network.

3. Precision response: Closely related to remote monitoring, the solution must provide for precision response. If the design philosophy calls for remote monitoring from a central location, it also must ensure that the proper resources can be dispatched on site in a timely manner when an event is detected.

4. Off-the-shelf infrastructure: By using standard off-the-shelf hardware and software, the Global Security team made a conscious decision to adapt its processes to the infrastructure and not the other way around.

5. Use of partner products: Wherever possible, the design of physical security relies on Microsoft products, including third-party products such as those built on Microsoft technologies, including Microsoft SQL Server database software, Microsoft .NET, and Microsoft SharePoint.

6. Remotely managed IP devices: Microsoft uses the existing global IP network to handle rapid changes in hardware and to achieve faster and more cost-effective scalability. Using IP-based edge devices also enhances the ability to monitor and maintain the equipment.

7. Defense in depth: Defense in depth provides for multiple layers of security at a facility that is appropriate to asset risk. A threat that infiltrates one layer is detected at another layer, giving Microsoft multiple opportunities to detect and respond to an event.

8. Forensics/investigative model: A critical component of the design philosophy is to ensure that video data, access logs and other pertinent information are properly captured and stored for investigation if a physical security incident occurs.

9. Reliability: An infrastructure must be reliable and work when needed. Leading edge technologies may promise additional functionality but can be a hindrance if they do not have a consistent expectation of availability. Microsoft evaluates all new technologies against this core ability to provide a consistent level of expected uptime.

10. Sustainability: Sustainability is the ease of which a new infrastructure or device can be maintained and supported. As the environment increases in size and complexity this element is crucial to keep support costs low.

Microsoft Global Security has comes a long way. Originally, site security was the responsibility of the real estate and facilities group, which hired security labor or contracted guarding services at individual facilities and campuses. There was no strategic, regionally coordinated security operation. The company maintained a life safety control center at its main campus in Redmond, and established separate security operations at other domestic sites in the United States, but security at international Microsoft sites was almost entirely uncoordinated.

“Office InfoPath 2007 is the backbone of our security operation,” says Tuskan. “We’ve used it to change the way we collect point-of-contact data for sites around the world, develop emergency response plans, and manage day-to-day operations.”

Using InfoPath forms on their computer desktops, each site manager can distribute real-time updates on point-of-contact, facility headcount, response plans and other important information to a centralized SharePoint Web portal. When personnel at one of the GSOCs receive an event alarm or intelligence of a critical incident at any facility, they can easily access the form through the Web portal and combine the data with other information to develop an event advisory using another form.

GSOC teams then convert the form to a .pdf format and quickly distribute it through the Outlook messaging and collaboration client to executive decision makers’ computers or mobile devices, usually within minutes of the event. The decision makers first get information about the event, such as which facility is affected, how many employees are involved, whether local airports, roads, or other resources have been affected, and then they can develop a response plan.

In addition to residential units, the facility includes a pool, rooftop terrace, barbeque area, poker room and café. To meet the challenge of helping protect this facility and the active duty men and women who live there, Clark Realty Capital and the Bergelectric Corporation, the project’s integrator, selected Facility Commander to serve as the main security system. Pacific Beacon represents the first large-scale deployment of the InfoGraphics architecture integrated into Facility Commander under the Microsoft Windows platform.

Currently, the system guards common areas and individual apartments for more than 1,800 residents, integrating more than 1,000 access control readers, 300 fixed and dome cameras and numerous entry and exit points into a single, unified system, operated through a central monitoring station. Additionally, the system will be compatible with the Navy’s new Common Access Card (CAC), which will allow personnel the convenience of using their existing CAC cards.

Louisville-based integrator Ready Electric Company, Inc. installed the initial proximity card reader system at the Churchill Downs administrative building, where all track operations are managed. The system will ensure only authorized personnel can access the building, while continuing to allow easy public access to the rest of the campus.

System operators can assign appropriate access privileges to individual cardholders. Additionally, badging capabilities allow designated Churchill Downs employees to manage the credentialing process for all cardholders as necessary. The software will allow staff to expand the overall security system in the future as needed. For example, the access control system can add an unlimited number of doors and encompass multiple buildings, as well as advanced video technology.

Jill Knesek, chief security officer at BT Global Services, has a different perspective on brand and reputation. “I believe that in most instances brand and reputation are highly overrated, especially for a global company that doesn’t enjoy the type of brand recognition as, say, a McDonalds or Microsoft.

“In most cases, a security incident that impacts the brand and reputation of a company will be fairly localized to a country and probably not have a global effect on the company,” she says. “The more critical indicator of security is risk and that should be the driving force behind implementing certain security measures. Whether a company is limited to a single country or is a global enterprise, a mature risk management program is the key to ensuring the right amount of mitigation is applied to protect not only the brand and reputation of the company but the assets that drive the business.”

When viewing the differences securing a global enterprise as compared to a more typical organization, Knesek says, “There are quite a few differences that impact not only management of the security team but management of compliance with security policy and enforcement.”

There are complexities no doubt, she says. “In many cases, the language barrier alone can be enough to add significant complexities. Consider a security awareness program with mandatory security training that must be rolled out globally. The awareness messages and training modules must be translated accurately in many different languages to ensure that everyone receives the same and consistent message and fully understands the security policies they must comply with,” observes Knesek.

For example, according to a survey by market research institute DT&P International, the combination of user name and password remains the most commonly used authentication method (99 percent of respondents authenticate in this way) for remote access among European firms.

In the background, Public Key Infrastructure (PKI), in the form of digital certificates, is making headway, showing real momentum as a means of granting remote access. In fact, 77 percent of those surveyed use PKI as a preferred method for remote access security in addition to user name and password. It’s catching on worldwide.

The survey highlights that businesses see high levels of security as a necessity when accessing data remotely. Other selection criteria that were depicted through the survey results as being essential to remote access security include low administrative overheads, access locking capabilities and reasonably low training requirements. On-demand certificate management services users have been able to benefit from these functions as well as the ability to quickly and safely replace lost, defective or forgotten access tokens.

Serwin points out that, as data become increasingly regulated, it is creating new exposures, particularly in the areas of data privacy and reputation risk. “In some ways, it is up to the customer when it comes to the culture of privacy. Do they have a reasonable expectation of privacy.” On the other side, “It’s important to understand that data can be monetized.” So, especially in a global arena, there may be business reasons in terms of collecting and offering personal information.

Adds Christine Carron of Ogilvy Renault, “Once you move out of the U.S., Canada and Europe, all bets are off with respect to the extent that privacy legislation exists or is enforced. In many jurisdictions there is no one law or regulatory framework governing privacy. Instead, laws or regulations relating to privacy are often found as a subset of sector-specific or constitutional laws.”

Carron adds, “Although efforts are underway in many regions to harmonize legislation, privacy laws around the world still differ in many respects. For U.S. firms, outside of Canada and Europe, privacy legislation is either non-existent or a patchwork of sector-specific laws and regulations. U.S. organizations conducting business in these regions should use the most stringent legislation as the lowest common denominator in order to establish an effective privacy policy.”

A security anecdote to privacy intrusions may be global use of biometrics.

With concerns growing over the incidents of bank card fraud and identity theft, a majority of people globally would accept biometric authentication to verify their identities, according to recent research from Unisys Corp.

In the UK, for example, 95 percent of those who said they would be willing to provide biometric data said they would be willing to provide fingerprint data; 90 percent said they would provide an eye scan; and 82 percent said they would agree to a facial scan. High acceptance rates for these types of biometrics were also reported in other countries.

U.S. Department of Homeland Security (DHS) activities and requirements often cross borders. At a panel presentation at ISC East in New York City late last year, moderator Peter Harlick of Global Elite Group, put together a group including Maryann Goldman, special agent and InfraGard coordinator with the FBI, and Joe Tadrick, protective security advisor, N.Y. District, DHS. Among take-aways: Training of guard force members is key, according to Goldman. The private sector all too often focuses on the bottom line dollar. There needs to be a balance between cost and quality. Look for security firms that invest in ongoing training to educate their guard force to be at their best. Join organizations like InfraGard and other local security organizations to network with peers, she added.

According to Tadrick, “Complacency can all too often occur. Stay alert and maintain a level of readiness at all time. Training courses like the Surveillance Detection Class, offered by the Department of Homeland Security, is one to look at as continuing education is so important in the private security sector.”

Circling back to the importance of strategic planning when it comes securing the global enterprise, David Nicastro, senior vide president at GlobalOptions, says that the “level of strategic planning is much greater as compared to other organizations. There is also a factor of the number of stakeholders in the organization and how global security fits into the overall business.”

Nicastro believes there is a lot to gain and to lose when it comes to brand. “It’s a very significant part of the company. Concerns plug into the chief financial officer, risk management, communications, crisis management and investor and public relations, to name a few.”

Much has changed overall, Nicastro says. “Back then security had to wear many hats. Now, with global views and specializations, the C-suite looks for dedicated security professionals on the strategic side, with just enough people to do the job while outsourcing to specialists here and abroad.”

Strategic planning is the formal consideration of a future course. All strategic planning deals with at least one of three key questions:

• “What do we do?”
• “For whom do we do it?”
• “How do we excel?”

In many organizations, this is viewed as a process for determining where an organization is going over the next year or more – typically 3 to 5 years, although some extend their vision to 20 years. In order to determine where it is going, the organization needs to know exactly where it stands, then determine where it wants to go and how it will get there. The resulting document is called the “strategic plan.”

Creating social media guidelines for the company and its security operation does not have to be difficult. Once you get clear on the core message you want to send out and the dialog you want them to engage with, use the following tips to create guidelines that your staff can use to shape their posts around the strategy, according to Dan Burrus, founder and CEO of Burrus Research, and one of the world’s leading technology forecasters and strategists.

• Transparency. When participating in any online community, your employees should disclose their identity and affiliation with the organization, clients, and professional and/or personal interest. When posting to a blog, they should always use their real name, not an alias.
• Be direct. When creating posts and content, your employees should be direct, informative, and brief. They should never use a client’s name in a posting unless they have written permission to do so.
• Give due credit. If your employees post copyrighted materials, they should identify the original source. This includes sources for direct or paraphrased quotes, photos, videos, and anything else they did not originally create.
• Self-edit. Your employees should always evaluate their posting’s accuracy and truthfulness. Before posting any online material, they need to ensure that the material is accurate, truthful, and without factual error.
• Responsibility. Make sure employees know that they are responsible for what they post. Negative or questionable posts will not be tolerated.
• Be professional. When posting comments, employees should refrain from writing about controversial or potentially inflammatory subjects, including politics, sex, religion or any other non-business related subjects.
• Privacy. Employees should never disclose proprietary or confidential information. This includes product releases, service updates, and employee information not made public yet.
• Obey the rules. All employees should follow local, state, federal and other country laws and regulations where applicable as well as the company’s internal and security rules and the rules established by each social networking venue. Ultimately online activities will be a reflection on the company.