Beyond the Box: Security That Works
What do a global news and information company, a large utility, a Fortune 500 electronic commerce and payment processing provider, a diverse hospital and a local government have in common?
The security leaders of those five organizations thought ‘out of the box,’ formed relationships where they had not existed, solved business problems and in turn, showed security’s value and experienced much success. The ‘out of the box’ term is way beyond cliché, but it’s true.
“Many security organizations are entrenched in the four primary aspects of corporate security,” says Michael Lynch, CSO of DTE Energy in Detroit. “I call it ‘the box’ – physical security, investigations, access control and emergency management. These functions are arguably the cornerstone of many corporate security organizations.
Whether your specific organization is responsible for all four functions is not the point,” Lynch continues. “It’s what the CSO does outside the box and what he or she is asked to do outside of that box that determines and demonstrates the value they are bringing to the enterprise.
That we do an exemplary job within the typical functions should be a given,” he says. “That should be the minimum price of admission. But that, by itself is hardly enough.”
That’s exactly Ed Levy’s sentiments as well. Levy is vice president and global head of security at Thomson Reuters, the global news and information provider based in New York, with more than 55,000 employees operating in more than 100 countries around the world.
Since joining the company in September 2010 Levy has reduced guarding and key holding costs between 10 percent and 15 percent without sacrificing service, and has strategically partnered with the company’s head of sourcing to create and implement a worldwide plan for vendor sourcing. “We are working very hard towards a category management approach and a centralized delivery of outsourced security requirements,” Levy explains. “I counted 30 guard force vendors when I started that we were employing around the world. How do you manage that? Instead, we culled it down to regional providers, and by doing that we saved money, employed standards and increased our operating efficiencies. Our regional security directors now only have to deal with a single vendor who better understands our needs,” he says.
Levy also assessed other costs his security department was working with related to vendors. “The pricing was not that competitive, and the expected standards and guidelines varied across the globe. We have streamlined the process, allowing us to hold vendors accountable to the delivery of strict services and pre-negotiated or closely negotiated pricing,” he says.
Second, Levy opened the lines of communication between the Security function and employees. “One of the measures of success I employ as an organization is how well we reach out and communicate to all of our employees,” Levy explains. “I look at this as a metric: if someone asks ‘What does Global Security do for you?’ I want that employee to answer that the security function is an engaged business partner that communicates effectively with employees, ensuring we are able to best serve our customers in a safe, productive environment,” he says.
To increase the flow of information, Levy created an Intranet web site dedicated to providing employees with up-to-date information on emergency preparedness, workplace violence prevention, crime prevention, life safety, travel security, home security and more. Levy blogs weekly, creating a dialogue with his nearly 1,000 internal subscribers. People recognize him when he walks through hallways of offices around the world. The response and success he has experienced has been overwhelming, to say the least.
The web site, which interfaces with other external web sites, also includes information on what’s happening around the world – it’s a global company, after all. “With the flooding in Thailand, the impact to our business was minimal, but employees’ homes were significantly affected. Our employees should know about emergency preparedness. The office building we are located at in Nigeria had a fire that did impact the business, and I wanted to communicate to other employees how real the risks are, improving awareness and understanding it can happen at their office. It’s all about proactive communications,” Levy says.
The web site also includes the ability for employees to pose questions to Levy and his staff. “They ask questions about upcoming business travel, physical security at their offices, their ID badges…it runs the gamut,” Levy says. “It’s another level of measurement for security. People have a tendency to focus upwards, but it’s also important to gain an understanding at all levels of the company. It’s important when it comes to identifying resources or shaping security policies. It’s not a backroom function, but a forward-looking process with our employees and our business leaders that security is a business multiplier. Our intent is to add value to the business and its resiliency as opposed to draining resources.”
Success has come down to two major themes, explains Levy. “First, knowing that our ‘customers are first’ and employing a security culture that is in our customer’s best interests associated with the products, information, and news services we provide.” Second, he says, is “applying our customer first focus to socialize a security mindset. Thomson Reuters prides itself on providing timely, accurate news and information to its customers along with the context and tools to apply that knowledge in a productive way. Delivering the right information, at the right time, using the right channel, was critical, in my view. For example, realizing that a good proportion of the employee population is younger and had social networking savvy led us to conduct a research study with our social networking group on how to leverage social media channels for security and crisis management communications.”
Levy admits that it took some ‘thinking out of the traditional security box’ on what the company was expecting by starting an internal web site. “Is it security’s role?” he asks. “When it comes to mitigating risk and adding value to the business, we see this as a responsibility.”
Levy also talked about his security team and how proud he was of his organization, who embraced his vision and were collectively part of the strategy to provide safety, security, and risk management services around the world. He was very keen to share the importance of recognizing talented people and providing the leadership and guidance on allowing people to succeed.
What advice would he give to a colleague looking to do the same? “Truly understand the nature of your business and develop your security program and team to best support the business needs,” he recommends. “Craft your message in a manner where you have a clear vision and mission, and get leadership buy in. Mission accomplishment for the security group is important on a day to day basis, commensurate to the company’s mission. Then, communicate, communicate, communicate with your respective stakeholders.”
Above and Beyond
At DTE Energy, as well, CSO Michael Lynch sees value in communicating with stakeholders and crafting creative ideas to show Security’s value.
DTE leadership has routinely asked more of Lynch. Only two years ago leaders recognized a significant issue with the theft of electricity and natural gas. They called on Lynch to think ‘outside the box’ and implement solutions that would send a strong deterrent message. As a result, Lynch came up with a plan that enabled corporate security to capture never before seen video of individuals stealing electricity and gas. The result? The video was used as evidence in criminal court and 135 arrests were made in 2010, up from two the year before. Because the evidence was so strong all but one of the defendants pled guilty to their crimes. Local news affiliates created more than 10 news stories which, in combination with the arrests and convictions, sent a strong deterrent message.
In May 2011, after a massive home explosion, the president of DTE’s gas utility called on Lynch once again. Like energy theft, gas explosions were not a primary responsibility of DTE’s corporate security department.
Lynch learned that the gas explosion occurred after thieves broke into empty homes and stole appliances such as water heaters and furnaces. When they ripped an appliance from the wall, they would break the appliance’s (natural gas) fuel line. When the right mixture of gas is combined with oxygen and a heat source, an explosion is inevitable.
Lynch came up with the idea to rent unoccupied houses that were stocked with appliances and apprehend thieves while they were in the act of stealing the appliances.
He found agreeable landlords, ones who had previously been victimized by individuals who had broken into their properties and stole appliances, plumbing fixtures and anything else they could. At the prospect of solving a terrible and yet old problem, the landlords were more than happy to offer houses to rent for $50 a month. Lynch purchased gas stoves and water heaters, and installed hidden surveillance cameras in the houses and covert GPS devices inside the appliances. GEO fences were created around the house.
The hard work, creativity and investment paid off. Thieves broke into the houses, stole the appliances and set out to make as much as $100 for a water heater and $200 for a furnace.
But little did they know their every move was being tracked. The cameras alerted DTE’s Corporate Security whenever the house was broke into. The GPS devices tracked the appliances, and when the position of the appliances moved, Lynch and the Detroit Police Department responded.
“None of this would have been possible had it not been for the rich relationship we have developed with the Detroit Police Department,” Lynch says. “The partnership works because the initiative not only addresses a DTE issue; the prevention of house explosions, but also helps law enforcement. It’s a proactive approach to home invasion. We also don’t expect law enforcement to do all the heavy lifting. We do as much detective work that a civilian can do. We understand there are other crimes occurring that compete with our issues. So we call them only when we have our facts straight or the crime is flagrante delecto (the crime is blazing).”
Within two months as many as 10 arrests were made. None of the thieves were stealing the appliances for themselves. In fact, says Lynch, they either had customers lined up to buy the stolen goods or were planning on taking the appliances to a resale shop to make a quick buck.
“The initiative has been so successful that we plan on continuing it for the foreseeable future,” Lynch says. “The word is spreading. Both HUD and the Detroit Housing Commission are involved and supplying DTE houses to use.”
Yet, beyond the arrests and news reports, says Lynch, is that he was asked by DTE senior leadership to solve a business problem, not a security problem. “I wasn’t given a roadmap of what to do, and to some people that might be frustrating, but to me, it’s not. I can show my creativity.”
In this success story, Lynch solved several business problems for DTE Energy. “I don’t have any responsibility for gas explosions, obviously,” he notes. “But corporate security has dramatically changed in recent years. Technological advances alone have created astronomical opportunities for the way we do our work. As corporate security leaders, we need to consider why and what we do and its relationship to the overall enterprise.”
Editor's Note: Video of the appliance thefts can be viewed at Security TV at www.securitymagazine.com
Taking on Fraud
“Every year our security department shows an increase in improvement. But only when we run security like a business,” adds Charles Andrews, director of security for TeleCheck, a First Data company. First Data is a payment processing company headquartered in Atlanta. It provides electronic commerce and payment solutions, and its portfolio includes merchant transaction processing services; credit, debit, private-label, gift, payroll and other prepaid card offerings; fraud protection and authentication solutions; as well as Internet commerce and mobile payment solutions. The TeleCheck division, based in Houston, provides electronic check acceptance services.
“In seconds, we decide whether a merchant accepts or doesn’t accept a check,” Andrews explains. “Sometimes it is up to the merchant, based on how the contract is written, and they accept the liability, but the majority of our check acceptance business is warranted, which means that we guarantee the transaction. Because we assume so much liability, we have a certain amount of fraud. And that’s where I come into the picture.”
Andrews, whose background includes law enforcement, honed his business acumen at The Dow Chemical Company and a financial services organization. “There, I developed a business skill set of how big global companies work. No matter what kind of business you’re in, relationships are always key,” he says.
He’s never lost that valuable lesson. At Telecheck, he and his team take intelligence from fraud events and develop metrics to help risk analysts make better decisions in the retail environment. While fraud doesn’t completely fall within his role, Andrews embraces it. “I enjoy it because it goes beyond security; it goes into the business,” he notes.
Second, he maintains close relationships with the 370,000 merchants and their security directors that the company calls its customers. “I not only maintain relationships, but I get to get involved in the business of security, finding fraud solutions and managing risk, and I enjoy that role very much,” he says. “So when a check goes bad or is counterfeit, I become involved with the criminal process and receiving restitution that is ordered by the courts.”
In 2010, he says, he worked with 800 federal, state, county and local agencies and task forces and special operations teams to reduce fraud and risk. “The key is that it starts and ends with relationships,” he says. “You have to find them and then maintain them. When someone with whom you have a key relationship asks for something, you deliver it.”
Meeting a Public Challenge
At the heart of the Hennepin County Library system, Minneapolis Central, is recognized as one of the top libraries in the US. Hennepin County has a 41-library system that offers more than 5 million books, CDs, DVDs, electronic resources and other items in more than 40 languages, and has more than 1,700 computers available to the public. In 2010 there were an estimated 5.8 million in-person visits and almost 20 million visits to the library web site. Kirk Simmons, security manager for Hennepin County, Minn., is responsible for securing the library system, among other county buildings.
The Minneapolis Central Library (MCL) is more than 350,000 square feet with an atrium more than 8,100 square feet. The atrium is open several hours before the rest of the library and makes for an appealing location to “hang out.” There are several homeless shelters in the downtown area near the library that require individuals leave by 7:00AM that therefore push those individuals into the MCL for shelter.
A few years ago, Hennepin County assumed the responsibility for the Minneapolis Library System and with that Hennepin County Security and Simmons and his staff was responsible for an additional 15 libraries. One of the community libraries, North Regional is located in north Minneapolis and in an area that has a history of higher crime. With this library came many incidents and issues that received unwanted attention from the community, including illegal drug sales, loitering and gang activity.
“Libraries are public buildings that differ from private buildings that the public go to and we may not be able to set all the same rules,” Simmons says. “There have been times when local law enforcement have been called in to help with teen problems and they suggested ideas that have worked in other locations such as limiting how many teenagers are let in the building at any one time. Another suggestion limited access to computers or social networking web sites. Since these types of suggestions would not work for the library we needed to be proactive and find workable solutions with the local law enforcement agencies.”
He adds, “Libraries are challenging to secure because the people who work there don’t think that security is their responsibility. Plus, the landscape draws a host of issues: it tends to be a social scene for kids, pedophiles use the computers and homeless people hang out there. We actually apprehend a lot of people on our felony list at the library.”
Initially, library staff was apprehensive of the change in security and the new officers, Simmons says. “In order to mitigate these fears an officer was assigned to each of the departments at the library and would be their liaison with security,” he says. “The officer would go to the team biweekly meetings and discuss any security related issues with staff. When assignments were made we identified officer talents and paired them with the appropriate library unit.”
A plan had to be developed and implemented to deal with the incidents at North Regional Library. Security management worked with local community groups, law enforcement agencies and the politicians for the area. In addition, since many of the individuals involved were teens, Simmons and his staff coordinated the effort with the local schools and park board to work together with the teens in the area.
He also implemented IP cameras and assigned security dedicated to the system to monitor and take corrective action on discovered unwanted behavior on the spot.
“We also met with different agencies in Hennepin County and provided them with education on the library services and how they relate to freedom of speech and right to access,” Simmons says, one of which included a trespass law. “Since we have done that the relationship between library staff, including security and law enforcement officers, has drastically improved. By assigning specific security officers to work directly with staff and not only interact with them when there was a security event happening, the relationship was strengthened. Not only were fears of the librarians put at ease, but the security staff took ownership of their areas and security and the library now work as a team.”
Mitigating Human Elements
Similar to libraries, hospitals are open communities, and no longer immune to increasing violence. Hendrick Medical Center, one of the largest hospitals in the West Texas area, serving referrals from 16 smaller hospitals in surrounding counties, continues to research and implement security technologists to keep patients, employees, visitors and physicians safe.
“People usually can’t pick the day they go to a hospital,” says Roger Dickey, director of security at Hendrick Medical Center. “You can’t predict whether or not there will be a gang related event in the city and both victim and suspect factions arrive in the ER. While the Hendrick campus experiences a low crime rate compared to the surrounding neighborhoods, we do have to deal with societal problems that are a direct reflection of the community we live in. There are so many human elements and Security has to mitigate all of them.”
With its Level III trauma center, the 503-bed acute care medical center is currently undergoing a multi-million dollar expansion, which includes the upgrade of its security surveillance operation, and a transition from analog to IP cameras. The new security video system will eventually include 200 IP video cameras, and a conversion from barcode to proximity card readers.
The expansion will also include a workspace for the security guard monitoring staff with a console from Middle Atlantic Products with first destination radio, video, access control, infant protection and alarm management.
Dickey’s security staff includes a proprietary guard service, with 19 uniformed and armed officers. All of the security guards are commissioned by the state of Texas and most are former police officers. They receive and answer 3,600 calls per month in the medical center, ranging from moving financial assets to domestic disturbances to the arrival of a helicopter. His officers share a radio system with the local police and fire department, so it functions much like a police agency.
“As we began to contemplate this huge construction project and keeping security and the safety of our staff, patients and visitors in mind, we did not want to put old technology in a new building, which has state-of the art clinical technologies,” Dickey explains. “All of our existing cameras were analog, and we needed to be more efficient in terms of how we monitor. Also, with 200 cameras it’s difficult for a dispatch officer to monitor all of them, and IP provided the necessary mechanism through event monitoring.”
Dickey understands how security is a business function, and he kept that in mind when he sought to transition from analog to IP. “You gain business advantages because you save money in wiring, the video management system is more efficient and flexible, higher quality video, as is the playback of the system,” he says. “Essentially, the advantages are cost effectiveness, greater efficiency and effectiveness resulting in a more secure facility and reducing overall risk.”
Adding to that overall risk reduction is the new workspace.
“This is a $92 million building project, and we needed a system that would still be in the game three to five years down the road,” Dickey says. “We went strictly with IP because of all the benefits available to our staff. There’s no way that a single security officer(s) sitting at a console can view all of those cameras and be effective. So we really like to take the views the console gives us and spread them out, so we can quickly pull up the parameters or salvos we want to view at the push of a button.”
“In a nutshell, our purpose is to make people feel safe and secure when they come to our hospital and to reduce risks that can be demonstrated to our stakeholders,” he says. “In criminal cases, we assist local law enforcement by providing high quality video evidence to support filing charges when appropriate for offenses occurring on our campuses. From another business standpoint, when people report a risk management concern, we may have captured that on video and often can provide that video, which is helpful in identifying a cause, or challenge a claim. Our combination of electronic security systems and well-trained and dedicated staff result in lower risks and vulnerabilities, which translate into greater value to the organization.”
Five Security Success Stories
Thomson Reuters– Has reduced guarding and key holding costs between 10 percent and 15 percent without sacrificing service and improved communication of security’s value through an Intranet web site.
DTE Energy– CSO Michael Lynch has solved business problems for the utility through creative use of video and thinking ‘out of the box.’
TeleCheck, a First Data company – Has created partnerships with 800 federal, state, county and local agencies to reduce fraud and risk.
Hennepin County, Minn.– Has taken on a leadership role within the large and populated area and reduced crime and risk and thus, transformed a community library to one where patrons want to visit once again.
HenrickMedical Center– Has successfully moved from analog to IP video and gained business advantages.