Security 500 Report

Security 500: Profiles of Top Security Leaders

October 27, 2011
Trans

Change is Good | Bill Phillips CSO, CNA Financial

 For CNA, profitable growth – domestically and internationally – is among its winning strategies. This, combined with a more mobile workforce, has

Bill Phillips

Security Scorecard

Revenue: $9,200,000,000

Employees: 8,800

Critical Issues:

International Expansion
Loss Prevention
Mobile Workforce

SECURITY MISSION:

  • Brand/Product Protection
  • Business Continuity
  • Corporate Security
  • Cyber Security
  • Disaster Recovery
  • Emergency Management
  • Executive/Personnel Protection
  • Intellectual Property
  • Physical Security
  • Regulatory Compliance

generated new opportunities and involvement from the global commercial insurer’s security team.  Among the bigger challenges for Chief Security Officer Bill Phillips is supporting expansion initiatives while maintaining a global, yet lean organization.

At the core of this effort was a restructuring for maximum business resilience, including business continuity, emergency and crisis management and disaster recovery which – along with security and safety to enable a more effective and efficient approach – increased the value of its technology investment and resulted in overall savings across the company.

“Our leadership continues to emphasize a streamlined, simplified process and strong internal customer teamwork. They have a high level of confidence in security’s value and ability to support business goals. Our CEO, Executive and Operating committees all understand that Security addresses the overall operational risks the organization faces. Our primary role is to help enable our businesses to operate effectively, efficiently, and without significant interruption,” says Phillips.

“Security is not law enforcement, not after the fact action. Its key purpose is to prevent events from negatively affecting the organization and/or minimizing the impact of those events that can not be prevented.  This makes us a more resilient organization. Our approach to meeting this goal is through the use of risk principals. As an insurer, the same or similar risk management tools are used through out our businesses.  We are most effective supporting our business units when our processes are effectively intertwined with business processes.”

CNA is in the business of helping its customers manage risk. Its Security team drives and leads business resilience with a focus on being a business “enabler” through effective risk management.  “Our daily mission is to protect our people, our brand and our ability to provide uninterrupted service to our customers,” says Phillips.

At the center of that mission is CNA’s investment in technology and a global control and communication center. Housed within the CNA data center, the Security Control & Communication Center supports all CNA operations by providing adverse weather notifications, tracking and support for travelers, data monitoring, communication rooms and equipment, fire and emergency systems, as well as the evaluation and distribution of intelligence alerts. This single point of control enables the management of global access control and IP video systems from one place. “Our employees have universal access levels, globally, as a result,” shares Mr. Phillips. “And we can control access levels around the world and easily manage personnel changes. This is a result of a strategic decision (more than six years ago) to move to an open architecture, networked platform for our security systems.”

CNA Security not only protects employees, its team leverages intelligence, weather, and people tracking tools to alert the business units to risks and opportunities. “We use intel sources to identify various issues such as potential political risks or risk to property or marine cargo. This information can be used for enhanced decision making by our business units and, in some situations, passed on to our customers,” Phillips says.

Asked about the impact of 9/11 upon its 10th anniversary, Phillips explains, “The event drove home to corporations worldwide the changed nature of terrorism and its impact on their assets and businesses.  It is also important that we not lose sight of the many other non-terrorist risks and threats that are more likely to – and often do – occur.  Fortunately, many of the steps taken to prevent and control those threats also address terrorism risks.”

Phillips most enjoys the opportunity to work with the business. In addition to his role as CSO, he recently used his prior experience in handling kidnapping and ransom issues to work with a business unit in the development of a new product. He also appreciates the opportunity to work with great people both within CNA and the security industry. While not currently an active driver, he still enjoys racing his ’69 Firebird, football games at The U and spending time with his daughters.

 


 

Risk Assured | Scott Shaw

Scott Shaw

Security Scorecard

Revenue:      $18,500,000,000

Employees: 4,000

Critical Issues:

Budget Management
Personnel Staffin
Training

SECURITY MISSION:

  • Business Continuity
  • Corporate Security
  • Disaster Recovery
  • Drug and Alcohol Testing
  • Emergency Management
  • Executive/Personnel Protection
  • Physical Security

Aflac includes a combination of the normal and the unique aspects of risk management in their vision, structure and execution of security. A company that prides itself on keeping employee satisfaction top of mind, security is something that is not an afterthought, but an ingrained part of the company culture. As far as “the unique,” is concerned, well, with a job description that includes protecting a pond filled with white “Aflac” ducks, the job is unique, to say the least.

Senior Manager of Corporate Security Scott Shaw has been with Aflac for almost three years. In that time he’s played a key role in developing and executing strategies that have resulted in several awards and recognitions, including multiple years on the Security 500 list.

“We are calibrated to the company culture. Our job is to keep people feeling safe and we do that by identifying risks and presenting solutions that work within our company,” Shaw says. “We have a job to do, but it is also important and constructive when our employees participate in their own security and safety, which we ask them to do on a regular basis.”

With annual revenue more than $20 billion and more than 4,300 employees, Aflac is a big company, with big security needs. Aflac consistently appears on both Fortune’s Best Places to Work and Most Admired Company lists, which is bolstered by a strong sense of security that employees feel at the workplace. Aflac executive management shares a clear vision and a steadfast expectation that the security team remains in a constant state of preparedness to deal with ordinary issues and the potential not-so-ordinary security challenges.

Shaw successfully executes Aflac’s security strategy by focusing on leadership, planning and budgeting to tap into Aflac’s culture and business goals. Shaw realizes that the keen focus that Aflac places on security matters is integral to keeping public safety and keeping employees feeling safe, as well.

“Every company should make security, whether it is the personal safety of employees, customers or stakeholders, an absolute priority because employees that feel safe will undoubtedly be more productive,” Shaw says.

To maximize results, the Fortune 500 insurance company has invested in security cameras, alarms, and access systems, enabling security to monitor multi-facility campus in Georgia and worksites in Columbia, South Carolina from a single location, reducing personnel costs and providing real-time access to information in a crisis.  Also, by using security best practices in security camera deployment, Aflac has decreased the need for patrols to cover areas that are now monitored through cameras with video analytics and alarms.

To keep up with security trends and identify potential threats, Aflac employs an incident management tool that provides monthly metrics.  Security personnel reports each quarter to the Safety Committee on incidents that have occurred and identify critical areas that need increased scrutiny. But Shaw says other top priorities include educating employees on how to reduce workplace security risks and working with local law enforcement to mitigate the risk of workplace incidents.

“We conduct annual training exercises with the local law enforcement communities at multiple sites. We also work closely with Aflac’s HR and Corporate Communications Departments to create a unified emergency response if ever needed,” explains Shaw. “We plan for the worst but always hope for the best.”

Shaw most enjoys the integration of security, emergency management, and business continuity aspects of emergency preparedness. He recently sent a team to Columbia, South Carolina to train the Aflac Group Insurance employees on CPR/AED and emergency evacuation.   

“We love teaching our employees how to become a proactive part of our health and security team. It is reassuring to know that with proper planning and training for everyone, we can better safeguard lives and help keep the business going,” Shaw says.

 

 

---------------------------------------------

 

Communities–Collaboration–Communication | Steve Zipperman

Steve Zipperman

Security Scorecard

District Budget:          $6.5 Billion

Security Budget:        $52 Million

Critical Issues:  
  • Budget Management 
  • Staffing/Hiring v. Retirements

SECURITY MISSION:

  • Corporate Security
  • Cyber Security
  • Disaster Recovery
  • Emergency Management
  • Executive/Personnel Protection
  • Insurance
  • Investigations
  • Physical Security
  • Regulatory Compliance
  • Other: Public Safety

Our organizational goal is to be an integrated team that works closely with our Board, Superintendent, administrators, teachers, staff, students and the communities we serve. The school board and the superintendent set the vision for a safe and secure learning environment. My role is to facilitate through the team concept, the goals, strategies, mission and vision for our Department so we may work collaboratively with our partners and stakeholders. Our dedicated team of both sworn and civilian members of our Department masterfully fulfills our mission on a daily basis,” enthuses Steve Zipperman, the Los Angeles Unified School District’s new Chief of Police.

“The students in school are the same population of people in the community after school. Establishing relationships creates a community-wide effort toward safety, not just within the schools. That is the key to a successful public safety process,” shares Steve.

Getting your mind around the immensity of the Los Angeles school district takes imagination. More than 70,000 employees, including 32,000 teachers, provide education to more than 1 million K-12 and adult students utilizing more than 1,000 facilities spread over 712 square miles.

“We are focused on student safety, safe passage and teacher, staff, and community safety within and outside the school grounds. We invest the majority of our resources in the high schools and identified middle schools,” says Steve. As a result, his team is focusing on metrics to best leverage the resources they do have.

“We apply technology to augment our officers, not to replace them. The goal is to prevent crime problems first and foremost and respond appropriately when necessary. We look at new technologies through a lens of changing processes and the value it will bring. That is often hard to gauge,” notes Steve.

One example of technology augmenting public safety is the use of the district asset tracking software on school property. When 32 new notebook computers disappeared recently, the system was used to help school and city police track down and recover the laptops.

But at the heart of their program is visibility with their stakeholders. “It is important to expand into the community at large through partnerships with education and intervention programs. Leaders in the communities can change thinking and behavior, but technology alone cannot. Success comes from employing both human and technology resources effectively,” explains Steve.

As an example, the Police Activities League (PALS) program is designed to keep youths involved with positive activities during the summer, weekends and non-school hours. “The beauty of our public safety program is that we can proactively get involved in communicating and improving their environments as well as forge relationships and mentor students,” says Steve.

“The most common events that the public safety team responds to during school hours are fighting, bullying and disruptive behavior on campuses and protection of property and District assets. If a student is being bullied and is afraid to come to school, then absenteeism rises and graduation rates may decline. The Board, the Superintendent and all stakeholders agree that this cause and effect is the number one concern, and as a result we are very focused across all aspects of the district on prevention through education and communication,” shares Steve.

A 32-year veteran of the Los Angeles Police Department, Steve is enthusiastic about his new role. “School district law enforcement is a reality in this day and age, but how we deliver that service and bridge enforcement with education is critical, ” says Steve.

He is creating an ongoing communication program with the school Board, the superintendent, local district operations coordinators, principals, and the community to ensure transparency. “The more the Board, the superintendent and all of our stakeholders understands about us and what we do, the more proactive and productive we can be reaching our common goals,” explains Steve.

An avid family man with five children and three grandchildren, Steve enjoys his free time with family activities, sports events and camping.

 

 

 

------------------------------------------

 

Inspire, Nurture and Secure | Krista Osborne

Krista Osborne

Security Scorecard

Revenue:       $2.8 Billion

Budget:           $1.5 Million

Critical Issues:

  • Emergency Preparedness
  • Cyber & Electronic Threats
  • Employee Training

 

SECURITY MISSION:

  • Business Continuity
  • Corporate Security
  • Disaster Recovery
  • Emergency Management
  • Intellectual Property
  • Investigations
  • Physical Security
  • Supply Chain

We endeavor to treat all of our employees and customers with respect and dignity as a business, and that extends directly to our risk, safety and security programs,” says Krista Osborne, Starbuck’s International Director of Loss Prevention and Supply Chain Operations. “Integrating within operations is the best way for our Starbucks safety and security program to help achieve our business goals.”

The company’s core strategy is for “People Safety First,” including all stakeholders, customers and partners (employees). By integrating this vision into the company, they are able to provide an environment that is rich in safety and quality for both the customer experience and partner comfort.

A key change was the return of founder Howard Schultz in January 2008, which led to the rejuvenation and refocus of Starbucks. The refocusing breathed more life into the company to reach for a higher service level in quality and consistency. That goal included safety and security. “The positive change for us came through economic necessity in the recession. We asked ourselves ‘How can we capitalize on helping others embed safety and security into their behavior and lives versus our trying to engage or protect each person separately, one at a time,” explains Krista.

Recently, part of the refocus gave Krista the opportunity to oversee their global supply chain safety. “This has allowed me to learn about a new part of the business and work with Supply Chain Operations leadership globally. The result has been a direct and strong relationship to drive the culture of security and safety through a robust supply chain, including product custody from bean to cup,” shares Krista. Safety and Security is also integrated into food safety and food defense programs for compliance and best results.

Central to Starbuck’s program is measuring results. Starbucks measures in two ways. One is by heralding their life safety and security programs with their partners and customers. Acknowledging that events such as weather related incidents, theft and critical incidents are unavoidable, yet the manner in which the organization addresses them and responds is what makes the difference. Starbucks excels in this regard. “The hardest thing to measure is the impact of an event on a victim, our employees or customers,” explains Krista. “We address how a person feels at the moment of impact or loss and ensure that interaction is delivered with dignity, respect and support throughout the process.” Second, is the traditional return on investment measure following the investigative process, driving results in store productivity or lift as well as a change in behavior with a direct business return on investment.

As a core business process, partner safety and security regularly transcends the security silo to benefit other company programs. “Our due diligence in new markets ensures the right decisions on partners, locations, suppliers and other resources,” says Krista. “The second area is that we create a roadmap in those markets for the business to securely grow from one location to many. Local cultures, policies or laws may be difficult, but the business foundation is the same. We are able to create and implement programs to protect our partners by embedding a culture of safety and security in these new markets to deliver business growth and success.”

“Every CEO should understand the value of preparedness and consider the dynamics of human behavioral effectiveness for a successful and sustainable business in times of an ever changing global security and risk environment,” adds Krista. “Focusing a percent of resources on safety and security training and education mitigates critical risks through awareness, prevention and an effective behavioral response to events.”

Everything we do in safety and security is to make someone’s life better and safer. What I enjoy most about my job is the opportunity to make a difference in just one person’s quality of life, to help them be safe. And that helps to make a difference in our world,” shares Krista. An avid gardener and outdoors person, she loves her Pacific Northwest home. An active participant in our industry, she is a member of OSAC and participates on one of their Public/Private partnership committee, in addition to ASIS, NRF and FMI.

 

---------------------------------------------

 

Everyone’s Responsibility | Mike Tarter

Mike Tarter

Security Scorecard


District Budget:       $110 Million

Security Budget:         $1 Million

Critical Issues:                      

  • Site Assessments
  • Site Hardening
  • Budgets

 

SECURITY MISSION:

 

  • Corporate Security
  • Disaster Recovery
  • Emergency Management
  • Executive Protection
  • Investigations
  • Physical Security

When the Rio Rancho Public School District determined that they needed a single security leader they turned to Mike Tarter. Mike has worked in a consultative role, making suggestions and recommendations to principals and district management. “They lacked standards and best practices due to the distributed management structure. Creating the formal department thrilled the principals who knew there were safety and security risks and also recognized they were not expert in mitigating them,” says Mike. The change also allowed Mike to become a problem solver for the schools.

“The people are our customers, including teachers, students and staff. The safety and security department’s mission statement is clear: To help build a safe school environment through communication and cooperation, with respect for all. Policies, people and technology are now standardized across this district of 21 school and administrative buildings with more than 18,800 students and staff.

“We work to get everyone to participate in their own security,” says Mike. He speaks regularly at meetings to enlist everyone’s help in identifying risks and solving potential problems. The district has been effective with several programs, including making the security officers clearly visible, by aggressively meeting people in and outside the school areas including businesses, parents and neighbors.

“Technology has created new risks and therefore required new responses and training programs,” shares Mike. For example, if there is a fire drill or bomb scare, the students notify parents via cell phones now. Often the parents arrive before the emergency responders and, in some cases, the onslaught of parents coming to ‘rescue’ their children can interfere with the emergency operation. As a result, we know we have only minutes to set up a perimeter in an emergency and we are trained and prepared to do so.”

Mike is also working within the district to revamp their technology policies, “It is hard to stay ahead of the curve. Cyberbullying, eCheating, Sexting are realities in most middle and high schools,” notes Mike. Physical security has been an effective tool for security and safety. They have added access control systems to their facilities, eliminating keys, false alarms and the related costs. Identifying who is in the facility and limiting visitor access through one entrance and exit has made the district safer.

The district has also been investing in surveillance by creating a hybrid system for existing cameras and adding IP cameras. Their hybrid digital system enables distributed video monitoring anywhere in the district. “Our next move will be to the cloud,” says Mike.

“We continue to make improvements as new risks are identified. For example, after the shooting at the Panama City Florida school board meeting in December 2010, we changed our meeting processes. We are a lot safer now than we were then, but the element that would come at us changes a lot too. So, we continue to evolve and prepare,” says Mike.

A few years ago, the district hosted FEMA for a drill with local emergency services. “That opened our eyes to necessary changes, including the access and video systems. It became apparent that situational awareness was critical to properly manage security in our schools,” explains Mike.

“Security is everyone’s responsibility and it simply cannot be ignored. The old way of managing risk, ‘it is not my job’ is long over. The threats are inside and outside our organization today. Not only are physical assets and infrastructure at risk, but also information. Constant vigilance is required to protect the privacy and personal information of our stakeholders,” explains Mike.

He also relies successfully on partnerships. “We identify who has the problem and bring them on board to help solve it. This is a good way to get additional resources for a project as well as more ideas on the best way to solve it,” says Mike. As a result of his success within the district, he is working to create a statewide school security association, including all 89 districts with security departments.

“The best part of my job is being able to solve problems. I enjoy collaborating with others to reach the best choice,” shares Mike.

A former bomb squad leader in Albuquerque, he is also an avid horsehair potter. “When you are potting on a wheel and make a mistake, sending the clay flying everywhere, that is kind of fun and relaxing. Because if you did that while disposing of a bomb, well, you get the idea,” jokes Mike.

 

 

---------------------------------------------

 

Growing like a Tweenager | Rob LaCommare

Rob LaCommare

Security Scorecard

Revenue:       $1,100,000,000

Security Budget:        $1,400,000

Critical Issues:          

  • Shrink Reduction/Maintenance
  • Workforce Security
  • Organized Retail Crime

 

SECURITY MISSION:

  • Brand/Product Protection
  • Corporate Security
  • Disaster Recovery
  • Emergency/Crisis Management
  • Investigations
  • Physical Security
  • Supply Chain

Justice Stores target tween girls – girls between the ages of 7 to 14. Their fashion interests are unique and Justice specialty stores have smartly capitalized on this market niche. With sales and new store openings growing despite the broader economic weakness, Justice’s popularity and growth is impressive.  Today, the company boasts more than 900 stores as one of three divisions of the Asena Retail Group (along with dressbarn and maurices).  In addition, they have launched an online only brand for tween boys – Brothers.

“There’s no doubt that the growth in popularity of our brand makes us more visible. Organized retail crime now targets us more than ever before. They are market savvy, understanding the value of our brand’s power and the desire for our merchandise and accessories. They understand it will move fast and command a premium price. However, our typical associate is not interested in in our tween fashions, keeping associate theft lower than other specialty stores,” shares Rob LaCommare, CFI, director of lossprevention (Field, Home Office, Distribution Center) for Justice.

A primary driver of the great shrink results at Justice is their integration with the Store Operations department. A solid partnership between Ops and LP has created a balance for teaching, training and infusing loss prevention behavior into the stores, reinforcing the customer experience/sales. Having input into operations enables successful processes to function.

Justice has tackled loss prevention issues despite the unique issues facing a specialty retailer. “Unlike department stores, most specialty stores do not have dedicated loss prevention personnel. The battle to control external shrink falls on our sales associates.  By using our selling programs (including LP training), associate behavior and the customer experience are identical, regardless of the shoppers intentions,” explains Rob.

All retailers are facing increased challenges with organized retail crime. While Justice is not faced with ORC issues that warrant a dedicated ORC staff, it requires attention. Justice recently created a floor supervision workshop in the store to train staff on diversionary tactics used by ORC gangs in an effort to reduce losses and keep associates safe.

On the corporate security, business resilience and life safety front, Justice is equally aggressive in achieving always-heightened goals. “We are PCI compliant in all stores,” notes Rob. “We also manage security, fire and safety for the home office and distribution center.”

“Retail is always changing. The expectation is that Loss Prevention stays current and keeps raising the bar. This year’s high point is next year’s expectation,” shares Rob. “Complacency is not acceptable.” As a result, Justice is currently upgrading their distribution center with HDIP cameras to support more than 900 Justice and 800 dressbarn stores. And their next investment will be in predictive analytics. “Our goal is to bring several key analytics together to attempt to predict where are biggest opportunities will be realized, from a shrink/loss standpoint. For example looking at what impacts past shrink results the most – store manager turnover, internal theft, ORC hits, sales results, and more. By tying this type of data together it enables us to predict an increased likelihood of loss and take preventive action,” says Rob.

Justice measures the return on its LP investment as many retailers do, with the reduction in shrink (they also look at their cash loss as a percent of sales). “We run a very tight and aggressive program,” shares Rob. “We hold quarterly meetings to review our plans, role play and review critical incidents and weather related risks and events. We engage senior leaders into the process to keep awareness enterprise-wide and top-down.”

“Our senior leaders support and understand that for security and loss prevention to continue to improve, it requires integration into the business. They understand that we add value to the company by increasing profits, being business partners and benefitting multiple departments across the organization. I enjoy the freedom to do my job while having the full backing of leadership to be infused with the business and make a significant impact on its success,” shares Rob.

A married father of three, Rob spends his free time immersed with his family and especially enjoys supporting his children’s activities and interests.

 

---------------------------------------------

 

The Power of IT & Security | Bernadette Morris

Bernadette Morris

Security Scorecard

Revenue:       $2,000,000,000

Budget:           $20,000,000

Critical Issues:

  • Protection of Corporate Data

 

SECURITY MISSION:

  • Business Continuity
  • Disaster Recovery
  • Intellectual Property
  • IT Security
  • Regulatory Compliance
  • Other: Security Architecture

Conair is the brand name leader of quality health and beauty products and also owns top kitchen and electronic appliance names, including Cuisinart, BaByliss and Interplak. A significant part of ensuring business continuity and brand protection is regulatory compliance. “To ensure a secure business environment, you need to follow the data. The protection of corporate data is the number one goal. You cannot secure networks per se. It would be fascinating to take a ride on a piece of data and see where it goes. We are responsible for that data and therefore, it has to be controlled,” says Bernadette Morris, head of IT Security and Compliance. “Our business includes processing credit cards, so we must adhere to the Payment Card Industry Data Security Standard (PCI DSS) regulations. PCI compliance is a fluid process; therefore we focus a lot of time and attention on the changing regulations and the new technologies that will help us to achieve and manage compliance.”

In addition to PCI compliance, the Global IT security and compliance role includes meeting different state regulations, international regulations and Sarbanes-Oxley (SOX). “Even though we are privately held, SOX compliance is a best practice and we are working to achieve this goal,” explains Ms. Morris. The sheer volume of security work has increased significantly. Security is involved in every project in IT, and even some outside of IT. Among the increased vulnerabilities is the consumerization of technology. People have their own favorite devices that they want to attach to the network and access enterprise data and applications. “The significant introduction of ‘emotional’ devices like Androids and iPads is shaking the foundations of our infrastructure. The business has challenged IT to create a new environment that supports this new way of working,” shares Ms. Morris. As a result, Conair now has policies and controls for devices that enable business to be conducted securely.

“You cannot do this job without strong C-level support,” Ms. Morris notes. The company recognized the need for this position managed by a certified professional. “Jon Harding, CIO created the position and hired me. I am fortunate to be in an organization that understands both the security necessity and the business value of my work,” says Ms. Morris.

For all U.S. companies, eDiscovery became a significant cost and process issue in 2002 when the Federal Rules of Civil Procedures (FRCP) were changed. Companies were obligated to save and search through certain data. Once a discovery request was made, IT was brought in to identify the data and help with processing. Working with legal, Conair created both a retention policy and a data map to adhere to the FRCP.

Conair’s enterprise risk management strategy focuses on identifying and mitigating risks so they do not have an adverse impact on business. “One area of investment has been in IT disaster recovery. Both 9/11 and Katrina brought business resilience to the C-Suite’s attention. Some businesses ceased to operate after these events and others were greatly challenged to continue,” says Ms. Morris. “CEOs and other C-Suite executives have come to understand that risks exist and the security programs to mitigate them are not optional. It is a cost of doing business. But done correctly, organizations gain a better understanding of their business processes and the ability to better control process and make them more effective,” says Ms. Morris. Bringing this strategic thinking to Conair has truly integrated the security process into organizational goals. 

An avid golfer with five children, Ms. Morris focuses her time on family celebrations and vacations when not at work.

 

---------------------------------------------

 

Securing Your Payday - Globally | Roland Cloutier

Roland Cloutier

Security Scorecard

District Budget:                    $10,000,000,000

Security Budget:                    Confidential

Critical Issues:                      

  • Insuring the protection of client data
  • Insuring the protection of client funds
  • Assurance of business operations/resilience

SECURITY MISSION:

  • Brand/Product
  • Business Continuity
  • Corporate
  • Cyber
  • Disaster Recovery
  • Drug & Alcohol Testing
  • Emergency/Crisis Management
  • Executive/Personnel Protection
  • Insurance
  • Intellectual Property
  • Investigations
  • Information Technology
  • Physical
  • Regulatory Compliance
  • Supply Chain

As Roland Cloutier, ADP’s Vice President and Chief Security Officer, and I spoke, Hurricane Irene was bearing down on his company’s headquarters in Roseland, New Jersey, and our respective homes. “ADP is a 60-plus year old company that pays one in six Americans. We have a global view. There is always a weather, political or other event occurring and we are continually focused on disaster preparedness and getting payroll delivered,” explains Mr. Cloutier. From their security operations centers, where they employ full-time crisis management teams leveraging the triangle of crisis planning, emergency management and disaster recovery, “We are up, running and good to go. Hurricane Irene is just another day at the office,” he says.

Mr. Cloutier joined ADP 18 months ago, and he has put his expertise and energy into meeting with and discovering how his team could support the efforts of the various business units. “We developed a new risk and privacy roadmap and received board approval to implement it,” he says. “Part of that roadmap is consolidating twelve independent security groups into one global organization. Core to the plan is the Trusted Platform Security Initiative, a global governance, risk and compliance technology platform for our operations workflow.”

The investment will create a single workflow across the company with an anticipated 18-month rollout. “We will run more than 50 applications and those will roll out over the next 18 months. This converged solution will support our policy management, risk analysis and compliance assurance goals. It will also help us continue to be proactive versus reactive. Programs including workforce protection will benefit from analytics and intelligence to identify risks and prevent events more readily,” explains Mr. Cloutier.

This new ADP security organization is the first with global operational responsibility. Security “lives” in the finance department, and Mr. Cloutier reports to ADP’s CFO. “We believe that risk is a critical finance issue. Previously, the business units and divisions  had programs. We now have a global service organization with dedicated practitioners serving the businesses,” says Mr. Cloutier.

While its revenue is impressive at approximately $10 billion annually, the sheer scope of ADP’s involvement in payroll, people’s lives and confidential information is staggering. The company is the largest holder of Social Security numbers outside of the Social Security Administration. More than 570,000 businesses rely on the company for payroll and other administrative services, meaning ADP is the aggregate repository for their business information. The company is the fourth largest payer of taxes in the U.S. and second in Canada. Overall, more than $1 trillion moves through ADP annually.

“ADP is very important to the world economy and to those whose paychecks rely on our services. It is absolutely critical for our clients to be able to pay their employees,” explains Mr. Cloutier.

While many organizations are looking backward for ROI metrics, ADP’s new organization opened the door for creating the business case prior to approving their new security roadmap. “We were able to look at business operations and how they responded in the past to different events,” he says. “With the new platform, we looked at major applications such as fraud detection, workforce safety and compliance. From an ROI standpoint we asked, ‘Can we detect more events now than in the past?’ And we measured how we would apply information to prevent events versus how we would deal with post-event response in the past. Finally, we evaluated the total load of each metric. The business case outcome was very favorable for this investment,” explains Mr. Cloutier.

The investment also had a direct positive impact on revenue. “It has helped close more than $40 million in sales this year by providing pre-sale risk, compliance and asset protection analyses for prospective clients,” he says.

Away from the office, Mr. Cloutier enjoys family time with his two daughters, who are avid equestrians. He is very involved in veteran organizations, including the American Legion and the 100 Nights of Remembrance program.

 

 

 

 

 

---------------------------------------------

 

Capitalizing on Risk | Tim Janes

Tim Janes

Security Scorecard

District Budget:   Confidential

Security Budget:  Confidential

Critical Issues:                       

  • Fraud/Ethics
  • Regulatory Compliance
  • Business Advisory Services and Value

 

SECURITY MISSION:

 

  • Brand/Product
  • Corporate
  • Emergency/Crisis Management
  • Executive/Personnel Protection
  • Intellectual Property
  • Investigations
  • Physical

We think of ourselves as a business function that specializes in security,” says Tim Janes, CSO of Capital One. “This perspective inspires us to provide proactive solutions to our partners in the organization so they can make informed business decisions. That, in turn, generates credibility and demonstrates our focus on partnership. As a result, our lines of business actively seek us out for advice, including risk consulting.”

His “Next Generation” initiative is an example of this focus on serving – and driving – the business.  “My team and I sat down and asked, ‘What will security look like 3-5 years from now?’ and developed a vision of the future across five critical areas,” he says.  Those areas include internal fraud, physical security, continuous monitoring, talent management and flexibility.  “In each area, we’ve pushed ourselves to innovate; to set the standard for our industry, and to enable the lines of business to grow the bottom line. We recognize that being able to respond and change at the speed of business is the key to success.”

Capital One measures the value of their security investment in several ways. Because they are significantly risk-/prevention-focused, and because no organization can prove a negative, measuring value can be challenging. The organization does rely on several data points, including:

•  Regulatory Compliance

•  Business Resilience

•  Typical ROI on capital investments such as alarms and cameras

 

   They also focus on key values as an ROI measure, including:

•  Associates’ peace of mind as a driver for productivity and morale

•  Perceptions of controls and governance that are currently in place

 

But at the core of their Next Generation program, Tim and his team take ROI measurement to a different level. “The key to our success is being a true business partner; and responding in a way that the business units can understand,” says Tim.  “By being a partner with our lines of business, we are able to provide risk management and security through them, not to them,” he says.

Much of this focus has been driven by outside forces such as the economy and the financial crisis, which has led to recent significant regulatory changes for public companies in general and banking regulations specifically. “As a result, compliance and regulatory issues top our list right now. The volume of requirements has increased tremendously and we must ensure that the proper programs are in place,” explains Tim. “In addition, the economic environment can drive concerns about job security among employees, necessitating strong processes for workplace violence prevention and internal fraud detection and prevention.”

Reflecting on the 10th anniversary of 9/11, Tim also traces much of their Next Generation strategy back to those terror attacks. “There were two routes after 9/11: the ‘sky is falling’ view, or a measured, risk-based approach to real threats and vulnerabilities. Those who used fear, uncertainty and doubt to get a blank check at that time may have ultimately come out behind,” says Tim. “But many organizations, including ours, that focused on real risks and appropriate solutions gained credibility and got that ‘seat at the table’ that we all want.  That approach has taken us a long way toward being viewed as a business partner within our company. The good business case is what sells budget approval.”

He encourages all CEOs to look to their security organizations as business partners, innovators and contributors to overall goals. “Set your expectations in these terms,” he says, “and allow security to demonstrate its value.”

Away from the office, Tim is an avid traveler, photographer and scuba diver.  To date, he has traveled to more than 180 locations on five continents.

 

 

---------------------------------------------

 

 

The Art of Security  | Bryan Warren

Bryan Warren

Security Scorecard


Revenue:       $1,800,000,000

Budget:           Confidential

Critical Issues:

  • Behavioral Health  
  • Patients
  • Workplace Violence
  • Emergency Management

 

SECURITY MISSION:

  • Corporate
  • Emergency/Crisis Management
  • Executive/Personnel Protection
  • Investigations

The acuity levels for behavioral healthcare patient issues are off the charts,” says Bryan Warren, director of corporate security at Carolinas HealthCare System. And it is not just at our organization. The problem is skyrocketing across the healthcare industry impacting healthcare organizations everywhere. It is a business, not a security issue alone.”

A business issue and a business opportunity, as it turned out, for Carolinas HealthCare to develop value-added services. The behavioral healthcare issue is driven by two populations of patients, those with existing conditions that have been treated with medication and those who have new conditions not yet treated. These patients go to emergency rooms for help. Unfortunately, ERs are primarily designed to treat physical trauma, not mental health. This increase is occurring just as government funding, especially for behavioral healthcare issues, is being reduced. Compounding the issue is that the patient may end up in an ER bed for days until treatment and a facility are in place.

Mr. Warren and his team developed two programs that benefitted the organization and created a new cost avoidance and savings opportunities through security services via behavioral health patient transports and related healthcare security services.

First, they identified the cost of an unmoved mental health patient in an ER bed at approximately $400 per hour with an average wait time (for a traditional law enforcement transport of the patient) of up to eight hours at times. Next, he created a service with memorandum of understanding with the local county to quickly transport behavioral health patients from an ER to a dedicated behavioral health facility. In 2010 his organization transported more than 1,400 such patients with reduced wait time that translated into approximately $2.25 million in annual savings. “There is lost revenue when you have an ER bed that cannot be used for an ER patient,” explains Mr. Warren, “plus all of the intangible benefits of getting the behavioral health patient appropriate treatment in a timely manner.”

Another issue is the increase in violence by behavioral health patients against healthcare employees. Workplace violence continues to be a critical issue for the healthcare sector overall, including Carolinas HealthCare System employees. “In healthcare, there are 8.4 reported workplace violence attacks per 10,000 employees. That is four times higher than the average of approximately two per 10,000 across the general workforce. And the important word is ‘reported’ as many acts of violence against healthcare workers are underreported. We are working to educate employees that being a victim of violence is not just part of the job. We need to change the culture that healthcare workers should expect to be in harm’s way,” explains Mr. Warren. 

The security program has been so successful internally, that other healthcare organizations have taken notice and requested Carolinas HealthCare to manage security for their facilities, creating a revenue stream in the form of monthly charges for these CHS officers.

“How do you prove value or the impact of a preventative measure?” asks Mr. Warren. “That is a challenge. But by using benchmarks and metrics we identify incident trends and the numbers attached to those incidents. Then we propose specific processes and policies to reduce the number of incidents and the related costs while ensuring compliance. That translates into dollars for the financial discussion. We also survey patients and employees asking about their perception of feeling secure. That generates the value discussion.”

“Security is more of an art and less of a science. A good security leader should be able to translate the art into numbers and metrics, which makes security a science. A security leader who does so understands their craft. And every CEO should recognize that security is its own skill set and profession and that it needs to be staffed accordingly. And they should expect their security organization to deliver value,” says Mr. Warren.

“I truly enjoy making a positive difference for the people at Carolinas Health Care specifically and the industry as a whole,” he shares. He is a frequent speaker at leading conferences (including the Security 500), as he enjoys teaching and sharing best practices with others. He is also an avid traveler and photographer.

 

---------------------------------------------

 

Bridging Security & Business | Rick Fisher

Rick Fisher

Security Scorecard

Revenue:       $4,500,000,000

Budget:           $3,000,000

Critical Issues:

  • Globalization
  • Workplace Violence
  • Travel Management
  • Business Resilience

 

SECURITY MISSION:

  • Brand/Product
  • Business Continuity
  • Corporate
  • Disaster Recovery
  • Emergency Management
  • Executive/Personnel Protection
  • Investigations
  • Physical
  • Regulatory Compliance

The strategic shift from an international water tank and steel plate structure company to an engineering, procurement and construction company opened up new markets and opportunities for CB&I and with the growth, new risks. “The recognition of responsibility to the company’s stakeholders including employees, customers and shareholders led to the creation of the first global security department and my new role,” says Rick Fisher, vice president of global corporate security at CB&I.

Having started the security department at Burlington Resources, Rick found the opportunity to do it again at CB&I. “Starting and building a global security organization is an exciting and rewarding opportunity to identify and manage risks,” shares Rick.

Being a relatively new security department, tracking and calculating security value is also new to the company. The security function has two areas of focus: The internal corporate facility structure and the much larger external business projects. For example, the corporate Administrative headquarters in Houston is one area while a major new client project in Colombia is another. Corporate Security reports into Operations, providing an excellent structure to support the company’s 16,000 global employees and business goals.

“The headquarters had almost nothing in terms of security four years ago. Limited access control, no video, identity or parking structure security. Now there is a robust security program with zero incidences since being implemented,” says Rick.

In this global economy, it is may not be a surprise to learn that CB&I is a 120 year-old Dutch owned company with its U.S. Administrative headquarters in Houston. This leading technology, engineering, procurement and construction service company designs, engineers and constructs some of the world’s largest energy infrastructure projects.

Core to CB&I’s business goals is the support to plan and secure major client projects around the world. Their business model requires project specific risk and security planning. “Each project has needs based on size, scope and regional threat levels. Our mission is to create a safe and secure work environment for our employees,” explains Rick.

“The mere creation of the department and this position demonstrates the company’s determination to make security a priority and support business goals,” explains Rick. The Colombia project is a great example. Rick has been active in Colombia since 1982 and his expertise was a perfect tie-in with CB&I’s business needs.

 From this strong risk management platform, people and intellectual property, security is able to move and work fluidly to meet changing requirements. “Globalization will continue as a priority and challenge for us. Once Libya opens up for oil and gas exploration, for example, there will be a major business opportunity and security risk for CB&I and other companies. We will be ready to move fast and support business goals,” explains Rick. Other emerging areas include Iraq, Egypt and Japan. Our role is to support business growth in those areas,” explains Rick.

The very nature of CB&I’s business requires a strong focus on compliance and business resilience issues. He is an active participant in the BCP and Crisis Management process dealing with international government and law enforcement agencies, as well as OSAC. “Whether political action, civil unrest, weather or natural disaster related, we ensure we can get people out when necessary and back in when able.”

“Today, CEO’s recognize that security brings value to the table and that there is an ROI. They see the return and have gained a respect and trust for the role. It is important  that they understand what security can do for their organization and communicate it. That is often not understood but needs to be,” explains Rick. “I am fortunate at CB&I where the need and value for this function was recognized and created to support business growth.”

Married for 37 years with two children, he mostly enjoys family time, snow skiing and lake sports during his personal time.

 

 

---------------------------------------------

 

Master and Commander | Domenic Ceccanecchio

Dominic Ceccanecchio

Security Scorecard

Revenue:       $748,000,000

Budget:           $10,100,000

Critical Issues:

  • Theft
  • Unattended Property
  • Bicycles
  • Retail

 

SECURITY MISSION:

  • Community Outreach
  • Crime Abatement
  • Disaster Recovery
  • Emergency Communications
  • Emergency/Crisis Management
  • Event Security/Safety
  • Fire & Life Safety
  • Investigations
  • Law Enforcement
  • Physical Security Consulting
  • Regulatory Compliance
  • Safety Education
  • Security Officer Services
  • Security Technology

Drexel University is expanding its footprint with outreach to the community while building its brand with outstanding academic, cultural and social programs. Our institutional success requires the highest level of service and best practices in public safety,” explains Domenic Ceccanecchio.

The Drexel University Department of Public Safety is responsible for providing security for Drexel’s three campuses. To meet this obligation, the department collaborates with many governmental and private public safety organizations along with University entities to address safety and security concerns. The Department is made up of six operating units that report to Domenic. They are: Police, Security, Operations, Fire & Life Safety, Training & Accreditation and Finance & Administration. The Department is staffed by 64 fulltime employees and more than 150 contracted AlliedBarton security personnel.

“Drexel has made a serious and successful commitment in the last three years to ensure the campus is as safe and secure as possible,” says Domenic.  The changes show an integrated investment in people, policies and technology, including the creation of the Drexel University Police Department, total revision of the Drexel University Emergency Preparedness and Communications plans, implementation of the DrexelAlert emergency notification system, the improved quality and responsiveness of the security officer force, expansion of the blue light phone and CCTV systems, the expansion of escort services and heightened emphasis on crime prevention programs and victim support services.

“In the past Drexel University relied on contracted security and the Philadelphia Police Department (PPD) to abate criminal activity and respond to emergency situations on our campuses,” Domenic says. “Our  goal was to create and maintain a dedicated, professional Drexel University Police Department that has full law enforcement recognition and capability and provides the highest level of service to our community by using the best practices of modern policing.

The investment includes solid metrics and measures on performance including benchmarking through Educational Benchmarking, Inc. The company completes population surveys with students to identify their perception of campus safety.

Beyond stakeholder perception, Drexel Public Safety measures the mitigation of crime as a performance indicator. Their community outreach program includes a five part program to expand the university’s footprint beyond its traditional perimeter and to become part of the fabric of the community.

“We are not just creating short range programs to enter and exit the surrounding area,” explains Domenic. “We are creating sustainable regional programming to breakdown barriers and improve safety in the community by reducing risks for all stakeholders.”

Underlying these visionary goals is Domenic’s unique skill set and focus on excellence. With more than 40 years of law enforcement, security and life safety experience and holding a Master’s Degree in Organizational Dynamics from the University of Pennsylvania, he used his expertise to reorganize the Drexel Department of Public Safety and built the business case for a dedicated police force. “We are in the final stages of obtaining international accreditation through CALEA for both our police department and communications center. Certification shows that the Public Safety Department has raised and reset the bar here. It is also important that our public safety team is innovative and thinking creatively to identify new strategies and solutions. This is imperative for effective short and long term planning” says Domenic.

Key to achieving this goal is attention to critical issues at Drexel, including:

•  Emergency preparedness and business continuity

•  Safety and Security training and awareness for public safety personnel and our community

•  Crime abatement

•  Information sharing and resource coordination with public and private police and security organizations

A family oriented person with two grandchildren, Domenic enjoys skiing, golf, tennis and travel.

 

 

 

---------------------------------------------

 

Globalizing Peabody Energy | Jeff Larner

Jeff Larner

Security Scorecard

Revenue:       $7,100,000,000

Budget:           Confidential

Critical Issues:

  • Crisis Planning
  • Business Continuity and Resilience
  • Travel Security

 

SECURITY MISSION:

  • Brand/Product
  • Business Continuity
  • Corporate
  • Cyber
  • Disaster Recovery
  • Emergency/Crisis Management
  • Executive/Personnel Protection
  • Intellectual Property
  • Investigations
  • Information Technology
  • Physical
  • Regulatory Compliance
  • Other: Corporate Aircraft

Peabody Energy created a Security Department to support its global growth strategy,” explains Jeff Larner, CSO at Peabody Energy. “We have a very broad role, which is still being defined.” The company offers a compelling growth story with security and business resilience among its areas of focus.

“In 2003 only 1 percent of our EBITDA came from international operations. A decade later, that percentage reached more than half,” Jeff shares.

Prior to the creation of a global security organization and leadership position, the security role was spread among the business units, which managed risk independently. Under the leadership of Peabody Energy Chairman and CEO Greg Boyce, the company increasingly centralized crisis and business continuity planning while growing globally. The security group is part of Peabody’s administrative function, reporting to the CAO. Jeff also frequently presents to the Board of Directors’ Health, Safety and Environmental Committee.  

“My focus is on risk management and mitigation. I find that I am using the word ‘security’ less and less,” says Jeff. “Our role is to identify and mitigate risk by putting processes in place – not programs. Processes are proactive and preventive. Programs tend to be reactive.”

Among Jeff’s first steps was to analyze and implement physical security enhancements to protect both people and assets around the world. The security team assesses each operation and makes recommendations to implement new security processes or enhance measures already in place.

“Job one was to sit with the business leaders and ascertain their business goals. We used our enterprise risk management model to identify the key security risks such as travel, crisis planning and due diligence. Then we created the processes to enable the business units to succeed,” Jeff explains.

As important as its risk mitigation strategy is, crisis planning and business continuity also play significant roles.

“Events will occur; that is a certainty. Therefore we hold table-top exercises with executive management to demonstrate that the response plan is in place and will provide the level of resilience necessary to maintain or regain business operations,” Jeff shares. “Among our first efforts was the work to understand critical business interdependencies to ensure our plan would be successful.”

As part of their globalization, travel security has been a major focus. “Security and risk management are not new to our company, and the decision to formalize risk management is no surprise. This is a 128-year-old company that has always put its employees first. What is new is taking this culture global,” says Jeff. “Our travel policy includes support, tracking and training. It has been very successful.”

Peabody has implemented a measurement program to measure return on security investment. “Our reorganization and refocusing is still new. As we progress we will implement measures and metrics tied to value. At this time, the business units are viewing our contribution positively and they are reaching out to us for assistance,” says Jeff.

One example of security’s direct value is the company’s business continuity plan. Too often, Jeff argues, companies emphasize crisis management but neglect to plan for business needs after an event. At Peabody, the security team collaborated with key functional and operational groups across the company to review key interdependencies and reliance among critical areas. The result was improved planning and clearer roles and responsibilities to ensure the business recovers and returns to normal operations as rapidly as possible.

A focus on employee health and safety has always been valued at the company, and Peabody continues to cooperate with MSHA, a function of OSHA and BATF, the area of ATF focusing on explosives related to the mining business. “On any given day we may have seven MSHA inspectors performing routine checks at our operations. Our safety vision is to have an incident-free workplace every day,” explains Jeff. “In 2010, Peabody achieved the best safety record in our history.”

An avid military historian, Jeff enjoys weight training, family time and travel to warm and sunny places.

 

---------------------------------------------

 

The Power to Know Risk | Alan Borntrager

Alan Borntrager

Security Scorecard

Revenue:       $2,430,000,000

Budget:           $6,924,000

Critical Issues:

  • Communicating Value
  • Executive Endorsement
  • Business Resilience/Crisis Response

 

SECURITY MISSION:

 

  • Corporate
  • Disaster Recovery
  • Emergency/Crisis Management
  • Executive/Personnel Protection
  • Investigations
  • Physical

When you enter the SAS Institute Campus in Cary, North Carolina, you feel more like you have entered a college campus than the bleeding edge global IT company’s world headquarters. Behind the $2.5 billion company created, built and still managed by Dr. Jim Goodnight, is an aggressive risk-based global security program led by Alan Borntrager.

“During the past few years our focus has shifted from local to global. In order to leverage synergies as one global enterprise, the company reorganized so that all global operations flowed through Cary. This change created a single, operational structure that moved our view from being Cary-centric to global.  That required security to become a more proactive risk management and business enabling organization,” says Alan. “We created an enterprise-wide standard of care for all employees.”

An example of the change can be seen in the Cary security organization’s involvement during the Japan earthquake. Previously, this event would have required minimal involvement from the Cary security organization. Under the new structure, Cary was the center for crisis management and response to support employees, protect assets and critical infrastructure and restore business operations.

The strategy to succeed in this new role included not only reorganizing, but hiring subject matter experts in key areas. For new responsibilities, such as personal safety awareness and countermeasures for employee travel, the company enlisted the services of firms like Frontier MEDEX and Control Risks Group.  

“We are a fairly flat organization. Security reports into the Corporate Services Division which includes security as well as travel, flight operations, logistics and real estate. We work together and rely on each for our overall success. We have pulled together a diverse group, with different areas of expertise, who work well together to identify the best strategies and get the best results,” shares Alan.

The SAS culture is unique and the company is heavily invested in and focused on the well being of its people. And until the reorganization, most of the focus was on the Cary campus, so measurement of global security risks was not a priority. That has changed under Alan’s leadership and global role.

“SAS’ security department has always been focused on the safety and well-being of its employees, and it has been my job to take that to the next level by establishing a more ‘formal’ program for us and the company.  This means being able to benchmark positively against other IT companies – not just colleges, which we have in the past because of our strong academic roots. By shifting heavily from standard security measures to SAS’ risk analysis tools, we have implemented a benchmarking program that enables us to identify how we operate against IT companies, as well as against our business goals. We are continuously working to translate our successful U.S. model to international operations,” explains Alan.

SAS Institute has been recognized by Fortunemagazine as the “Best Place to Work” in 2009 and 2010 and are hopeful to be the first company to ever win this award three years in a row. But they are also winning similar awards in international locations. “Security and safety is the key enabler to minimize distractions and allow employees to feel safe and do their jobs well,” shares Alan.

A key area of focus has been in crisis management as the company’s focus became global and the shift in thinking changed to strategic from tactical issues. “Crisis management has a huge impact on our people and the business. We do significant analysis on risks and responses by asking, what would the impact be on us? What is our organizational resilience? How do we adjust for impacts to the business units to ensure redundancy? A significant outcome of these discussions is the elimination of ‘plausible deniability’ across the business units. Having awareness of risks, responsibilities and the obligation to own the solution as a business leader has been powerful,” says Alan.

In addition to leading global security at SAS, Alan has been married 22 years and has two sons. He is passionately involved in child advocacy and family matters. In this regard, he is a member of the Haven House Service (NC) Board of Directors. He is also an avid supermoto rider.

 

---------------------------------------------

 

Securing the Most Diverse City in the World  | Dwaine Nichol

Dwaine Nichol

Security Scorecard

City Budget:              $4,000,000,000

Security Budget:        $18,000,000

Critical Issues:          

  • Decreasing Budget
  • Sustainability
  • Lone Wolf Terrorism

 

SECURITY MISSION:

  • Corporate
  • Executive/Personnel
  • Investigations
  • Physical

In a city, security is always a delicate balance of safety and accessibility of access to public facilities and public servants, especially politicians. Toronto has 44 City Council members and a Mayor. We have to identify risks and communicate intelligence so informed decisions can be made to protect assets, infrastructure and people,” explains Dwaine Nichol, manager of Security and Life Safety for the City of Toronto.

Toronto is the fifth largest city in North America with more than 2.6 million citizens in the city proper and 4.5 million in the Greater Toronto Area. The number of persons in the city during the business day swells to an additional 1 million persons commuting. More than 45,000 city employees work in more than 1,500 facilities ranging from facilities such as recreation centers, parks, social services offices, museums, shelters and daycares; to critical infrastructure facilities such as their train and bus transportation hub, Union Station, (which manages twice the passenger volume annually as Pearson (Toronto) Airport) or water treatment plants; and to the architecturally important and vibrant City Hall.

“It is important for the employees and the public that we have a clear mission statement related to security transcending its function,” says Dwaine. The mission statement is that security is committed to supporting and enhancing the safe delivery of City services. “We make certain that we manage risk and respond to events in a manner that supports services for the departments within the city so they can in turn safely provide their services to our citizens and visitors,” he says.

As we spoke on the Friday afternoon prior to Labor Day weekend, Dwaine provided straightforward examples of his Unit’s critical value. “Swimming pools seem simple, but ensuring their availability through proactive and reactive security measures is required. There will be significant use of our outdoor facilities this weekend and our pools must be remain fully operational, undamaged and secure for continued service delivery for the awaiting public users. Ensuring the pools are fully available as anticipated and that public members feel safe enhances increases usage and the delivery of this service for the parks and recreation department,” shares Dwaine.

The diversity of facilities across the city led to a significant change in 2009 when the city instituted a corporate security policy through the City Council. Included in the policy is a framework detailing enterprise-wide responsibility for all aspects of proactive and reactive security. Each division of the city, such as water, emergency services, parks and recreation were required to have a strategic 5-year security plan.

“We provided a risk assessment, gap analysis and a needs analysis for risk management and security. We also educated each division on security for their areas including threats, incidents, existing counter-measures, future mitigation strategies and security management processes. Important to the framework is presenting metrics and the outcome of events in their divisions,” says Dwaine. Because the policy outlines the rules and responsibilities for all city employees to secure city property, there is a good sense of ownership and accountability within the divisions for security issues.

The city-wide initiative also created a way to measure, compare and generate metrics. Reporting all incidents and events is part of the new policy. That enables security to track events and measure how investments are performing.

Our focus has to be directly on the most critical issues we need to plan for and mitigate. Shrinking budgets within the divisions make it challenging when issues are identified, the appropriate solution proposed, but the available resources may not be able to fully address it. This is a management challenge to discuss these issues and motivate the team to provide a counter-measure that is affordable but not necessarily optimal,” notes Dwaine.

Dwaine particularly enjoys the satisfaction of helping others by providing a secure environment that improves a person’s experience in the city. When not working, he enjoys reading non-fiction and staying actively involved with his son and daughter’s activities.

 

---------------------------------------------

 

Mission Possible  | Lou Barani

Lou Barani

Security Scorecard

Projected Revenue:             $3,600,000,000

Budget:           $100,000,000

Critical Issues:

  • Situational Awareness
  • Terrorism
  • Business Resilience

 

SECURITY MISSION:

  • Brand/Product
  • Business Continuity
  • Cyber Security
  • Disaster Recovery
  • Emergency Management
  • Executive/Personnel Protection
  • Physical Security
  • Regulatory Compliance

By developing an All Hazards Risk Management (AHRM) program across the new World Trade Center we created an unparallel level of situational awareness,” shares Lou Barani, Director of Security for the World Trade Center with the Port Authority of New York and New Jersey. “It is not just for security. It gives us a single rules engine beyond typical capabilities integrating surveillance, access and ID, building management, fire alarms, HVAC and CBR information management.”

“We are product agnostic and work with many different vendors and integrators. The open architecture gives us the flexibility to migrate to new products and solutions without a complete retooling. Each building has its own security command center, building management and security program. My role is to come over the top and create situational awareness across the entire project. We have successfully worked with a number of building managers and contractors and integrators.”

Lou’s team created the policies and interoperability for all systems to communicate and for the Port Authority to have the intelligence and awareness it needs to identify and manage risk.

“First we do the risk assessment. Then we do the cost benefit analysis. As the dollars go up, the risk does go down. But at a certain point, additional spending no longer reduces risk. You reach a point of diminishing returns. Our risk/threat assessment program has been critical in our planning and business case for the programs we have implemented,” explains Lou.

Reduced risk is central to the World Trade Centers’ economic viability. “A key element of our planning is to balance security with business. A lack of security would not encourage businesses or individuals to come here. And an overburdening of security would be too intrusive for doing business here. The strategic security plan leverages technology and best practices to create trusted access and a secure environment while ensuring the ability to do business easily,” shares Lou.

A third area of focus is being prepared through emergency management planning and testing. The World Trade Center’s robust program has moved from table top planning to full scale drills during the past 18 months.

As significant and complex as the project is, Lou has mostly been surprised by the positive support from all stakeholders, especially executives, for all of his ‘new ideas’ to create an unparalleled level of situational awareness. “Both the police and fire department leadership have been very cooperative and helpful in developing these programs to reduce risk and improve security,” says Lou.

A core element of the AHRM is metrics and measurement. “There is a numerical value for each risk that exists and for each asset protected,” shares Lou. “The risks might be terror or theft. For example, a hurricane risk to a subway can be predicted. It may be flooded at level 1, delayed at level 2 or destroyed at level 4. And costs to protect, repair or replace along with the economic impact of each result can be calculated prior to an event. The best practices here are unique and powerful. I am very proud to be a part of the World Trade Center and especially to lead the security program.”

At the 10th Anniversary of 911, Lou reflected on fate and his personal experience a decade ago. “I was surfing. I had a meeting at the World Trade Center scheduled that morning, but the waves were great. So I called in and said I would be late and went surfing. I was mobilized that day as a Navy reserve against other attacks and then we stood down. I came into the city later that day to help.”

Lou earned his Master of Science in Homeland Security Management degree from the Homeland Security Management Institute, Long Island University where he currently teaches. He earned a Bachelor of Science degree in Business from St. John’s University. He also brings 19 years of military experience with the U.S. Navy, serving in Naval Special Warfare, Naval Coastal Warfare and Naval Intelligence units, and holds the rank of Senior Chief Petty Officer. Since September 11, 2001, Lou has been activated for military service and deployed four times in support of combat operations. He will retire from the Navy in February 2012.

 

 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

July 2014

2014 July

In the July issue of Security Magazine, read about how the NFL is balancing security with fan experience to make sure sporting events are running smoothly. If you're doing any traveling this summer, be sure to read the 5 hot spots for business travel security, also, employers can track on-the-go employees with new mobile apps. Also, check out the latest news and industry innovations for the security industry.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+