Forging a Stronger Partnership with Your CEO
When the LA Kings won the Stanley Cup last year in their hometown of Los Angeles and home ice rink, STAPLES Center, Lee Zeidman and David Born celebrated with them. Both men were not only proud that the LA Kings brought home a championship, but they celebrated the fact that during the series, the team, their families, fans and employees were safe and the facility was secure.
They didn’t celebrate for long, though, as STAPLESs Center is a busy place: in addition to the LA Kings, it is home to the Los Angeles Lakers and Los Angeles Clippers, and the WNBA’s Los Angeles Sparks. The AEG owned and operated arena also hosts major, high-profile events such as the 2004 and 2011 NBA All-Star Game, the 2002 NHL All-Star Game, the 2000 Democratic National Convention and 2009 World Figure Skating Championships, 13 of the last 14 GRAMMY Award shows as well as the annual summer X Games competitions.
When it comes to the CEO/CSO relationship, it can be one that it is vibrant, strong and respectful. Or, it can be the opposite. Zeidman and Born are definitely a success story. “We have one of the leading facilities in terms of security, and it’s due to David and his team,” says Zeidman, STAPLES Center’s Senior Vice President and General Manager. “A venue this size is a soft target, and we work to harden it the best way possible, and we’ve done that. We do it through David’s training program and security technologies.”
Born’s security program is also successful due to the strong relationship, says Born, who is arena’s Director of Security. “Lee is my biggest advocate, and that has led us to be on the forefront of security. We are always looking to the future on what we can do to improve and Lee supports that. For example, we train our security officers daily and per event to ensure that we have everyone on the same page. Our venue has more than 500 part-time employees, so there’s a challenge of consistency, but training helps to get that done. We continually train and review our operations.”
Zeidman has equal admiration and respect for Born. “I have been with this organization since day one. I was part of the team that constructed and designed this facility, so my philosophy is to hire the best and brightest out there, and David is one of them,” he adds. “Once I have hired someone, I don’t want them to become stagnant in their filed, so I’m also a proponent of outside conferences and education sessions. I expect my VPs, including David, to communicate with me on a daily basis.
“David also understands the nature of our business,” adds Zeidman, “which is 24-hour security that maintains the physical aspects and assets of the Staples Center, in addition to our assets at L.A. LIVE and Nokia Theatre. He also knows how to deal with the security directors for artists and celebrities such as Beyonce and Kanye West, who frequent our venue throughout the year.”
Born adds, “There’s not a company out there that has unlimited funds for security, so essentially, I look to develop risk assessments and determine the best avenues for mitigation and solutions and future programs. I also network with other venues to see what they do. Lee has encouraged that.”
Owner Versus Renter
CEO, President, Boss, Department Head, Owner… the title of whom you report to doesn’t matter as much as the fact that you both have a shared vision that includes securing the enterprise and not only meeting, but exceeding, enterprise goals. For Shawn Reilly, director of security and chief of police at Greenville (South Carolina) Hospital System (GHS), it’s also about growing his management style that focuses on the business.
In the last 100 years, GHS has evolved from a single free-standing hospital to an integrated delivery system and academic medical center with more than 10,000 employees, five medical campuses located throughout Greenville County and 167 affiliated physician practices. And with that has been Reilly’s growth as well, more like a revolution, into a management style of philosophy that has been effective, says his CEO Mike Riordan. “I have a real appreciation for how Shawn engages the staff,” Riordan says. “He has a mixture of being a security leader with a real movement towards personal responsibility on the part of the entire organization. So Shawn’s staff is not the smoking police. I mean, that’s a leadership issue. Safety is not just about ‘I just come in and keep you safe.’”
Riordan adds, “What I have always appreciated about Shawn is that he eats his own cooking. He went through the police academy himself. I would imagine he didn’t have to that. But he did do that, so he leads from the front and the back, almost simultaneously, which I think is a good thing.”
Riordan also appreciates Reilly’s level of curiosity. “Every once in a while I send him a few emails about what security should be doing, and rather than him saying ‘That’s not a big deal,’ he looks into it. So he just has a continual sense of curiosity. I also like how he approaches leadership. I like how he approaches how he shows up here, how he shows up in life, and I think it’s really been a terrific relationship. We have a term here, ‘Owner versus renter.’ A renter’s mentality is different than an owner’s mentality. And I think this organization has shifted more towards an owner mentality.”
Sufficiency in Today’s Economy
“I think one of the key aspects that I have come to appreciate from Riordan and his vision was sufficiency, that I’ve learned that if you take an attitude of ‘I’ve got enough,’ somehow you make it work with enough,” adds Reilly.
That’s taken on increasing importance in the past few years, as the global economy has forced many organizations to rethink their spending and CEOs’ confidence has wavered. As a reinforcing example, The Conference Board Measure of CEO Confidence™, which decreased in the third quarter, improved in the fourth quarter of 2012. The Measure now reads 46, up from 42 in the third quarter (a reading of more than 50 points reflects more positive than negative responses). How a CEO feels about the business and economic conditions can have an impact on an enterprise’s security program.
Says Lynn Franco, Director of Economic Indicators at The Conference Board: “CEO Confidence improved in the final quarter of 2012, despite the cloud of fiscal uncertainty. However, CEO sentiment remains pessimistic by historical standards.”
CEOs’ assessment of current economic conditions has grown slightly more favorable, with 15 percent claiming conditions have improved compared to six months ago, up from 9 percent last quarter, said the Conference Board. About 13 percent of business leaders say conditions in their own industries have improved, compared with 14 percent in the third quarter of 2012.
CEOs’ short-term outlook is also more upbeat than third quarter 2012. Currently, 23 percent of business leaders expect economic conditions to improve over the next six months, up from 12 percent last quarter. Expectations for their own industries are also more optimistic, with 19 percent of CEOs anticipating an improvement in conditions in the months ahead, up from 15 percent in the third quarter.
Regarding his wants and needs for security in tough economic times, Reilly says, “If you’re always worried about not having enough, you’re always searching for more and not focusing on getting the job done.” Adds Riordan, “I don’t see Shawn as a passive or apathetic person. I mean, having that sufficiency mindset doesn’t mean I don’t roll up my sleeves and go after it during budget time. It just means that we work with other leaders to say, okay, here are the tradeoffs. Here’s what we’re going to do. Here’s how we’ll try to succeed on this one.”
The Guiding Principle
Whether there’s less money and fewer resources, a key to a successful security program seems to center on the successful CEO/CSO relationship and the CSO seat at the C-suite, as Reilly and Born have. Such is the case at Dell Inc., as well, where the Business Assurance team (BA) is a full partner to the executive leadership team. John McClurg, Dell’s CSO, is a member of the Chief Financial Officer’s Leadership Team, according to Dell (the company). The company also noted that, “It’s also reflected in the BA team’s makeup, with a significant number of team members holding MBAs, and in Mr. McClurg’s case, also a law degree. That enables the team to bring a broader, business perspective to the table.”
In recent years, Dell has emerged as a new company, according to Michael Dell, Dell’s CEO. He has previously said, “We have our strongest-ever product and services portfolio, and have acquired significant new skills and capabilities, reorganized our operations, and put in place a world-class management team – all to provide solutions with the best value, and flexibility.”
At the same time, the company’s leadership also said it has reached a natural point of maturation in its approach to security issues. Rather than thinking of security as an adjunct operation, the executive team sees it as intrinsic to every part of the business.
“Part of our company’s transformation includes choosing to view our efforts not simply as security, but as Business Assurance. We made a distinct choice to become a ‘converged house,’ bringing cyber and physical security together,” says McClurg. “The executive team fully realizes that one element could be attacked and compromise the other. That’s our guiding principle.”
McClurg’s relationship with Mr. Dell, he says, is valuable, although he does report directly to Dell’s CFO. “I have reported to CEOs through the years, but I do like reporting to the guy who scrutinizes the budget and who focuses on risk,” he says. “So I enjoy support for my initiatives from both Dell and my CFO, who recognize that a lot of hard work could be for nothing if certain recognized security interests went unaddressed. They looked at what they had in place before I came on board and they were willing to entertain a blank slate approach that converges IT security and physical security. That creates a different foundation,” McClurg says, “When you have a partner in CEO and CFO that are affecting that transformation, that’s invaluable,” he says.
Warren Young, CSO at the International Monetary Fund, reports to a Director, not the CEO, as well. The International Monetary Fund (IMF) is an organization of 188 countries, working to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty around the world. As CSO for the IMF, Young is accountable for developing and directing the IMF’s security and business continuity program both domestically and throughout its 188 member countries. Frank Harnischfeger is the Director of The Technology and General Services Department of the International Monetary Fund, which provides services that are essential to the effective operation of the IMF.
Young says, “The truly international nature of the IMF’s operating environment makes it very difficult, if not impossible, for top management to exert direct control over the security function; it is much more of an influencing role. This means that I need both a prominent position within the organization, so that I can be heard when required, as well as the full support of the Managing Director and other top management, both of which I am happy to say I enjoy. Furthermore, the IMF has also established a Security Policy Group, which is composed of the institutions top managers, who meet twice each year to approve new security policies and to be briefed on how existing policies are being managed within the program.
Young also relies upon a “Security and Business Continuity Accountability Framework” that spells out the institutional and individual roles and responsibilities incumbent on all those working for, and on behalf of the IMF. Key to its success, he says, was having the Accountability Framework” personally signed by the Managing Director, Christine Lagarde, leaving no doubt about Management’s endorsement of security requirements, or of their expectations that everyone will comply with provisions contained within it. This “top-down” policy document has been fundamental in changing the culture of the IMF to recognize the need for security to be factored into all aspects of the IMF’s business at the earliest stages of planning, he says.
Why does the relationship between Young and Harnishgefer work? “I think trust tops the list because it underpins the faith management and staff has in every aspect of our security program,” says Young. “It’s imperative that top management has a clear understanding of their most dangerous security threats and that they trust me and my team to be able to alert them to risks on the horizon and offer appropriate policy and operational advice or support where and when it is needed. In order to win this trust it has been important to demonstrate that we take an enterprise wide view of security risks and that we are seen as business enablers who understand the IMF’s core business needs. While acknowledging that there is no such thing as a risk-free work environment, particularly considering the many post-conflict countries we work within, it is important that our management and staff trust us to put the safety and security of our people first and foremost in our risk mitigation planning.”
Adds Harnischfeger, “I would like to think of success of our security operations along two lines: one is whether we are successful in keeping Fund staff safe and second: what kind of acceptance we have for what we do and how we do it from stakeholders across the organization. The former is pretty clear: over a long time frame the security team has been very effective in protecting staff. But at the same time we need to be aware that we can never rest or become complacent. The second element is closely related to trust. Overall trust is the result of personal trust in the people that are responsible and a more systemic component, in other words how do they approach problems and how they come to a judgment. I think people fully trust the professionalism and 24/7 dedication of the security team.
“The second point is a particular challenge in an institution that is dominated by experts most of who have a PhD after their name,” Harnischfeger continues. “Their jobs are also about aggregating vast amounts of information and boiling it down to a judgment and recommendation just like the security staff. So they are going to be quite critical about how security reaches certain conclusions in an area that ultimately relies on judgment. I have to say that security has managed to instill trust in their analytical and conceptual approach to develop recommendations as much as our staff trusts the security professionals to act in the face of danger – always strength of security professionals.”
Adds Harnischfeger, “When I joined I knew nothing about security. Six years later I know I only scratched the surface. One of the things that impressed me about security early on was their ‘can do’ attitude that always dominated in a bureaucratic ‘cover your back’ environment. Warren always says that it is our job to enable the IMF to do what it needs to do. If that means going to very dangerous places, we will protect staff on their mission. But it also means to help departments assess whether the risk is really worth the result that we will achieve by being on the ground. Most of Warren and my discussions today center around how to influence decision making and communication with the senior leaders as well as the people we protect in a productive way.
“My objective is to develop a conceptual approach that is the foundation of our communication with clients,” he adds. “The better and quicker we can explain our reasoning, the more successful we will be. The ‘just trust us’ times are over, there is just too much data available on just about everything these days, and all at everybody’s fingertips. We need to demonstrate that we can develop insight and foresight based on this confusing and often contradictory data. The team is doing a great job at this but they are equally good at making the right decisions, initiating the right measures and speaking to all of the rank and files at the IMF.”
This article was previously published in the print magazine as "Are You on Thin Ice or Solid Ground? What Does Your CEO Think About You?"
The 2012 SecurityDreamer Research
Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. According to Hunt’s research, narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.
The 2012 survey asked leading CSOs about topics such as: Budgeting/Spending, Business Continuity, Executive Buy-in, Identity Theft, Operational Best Practices, Penetration Testing, Social Engineering, Strategy & Planning, Technology Lifecycle Management and More.
Approximately 50 companies participated in the survey, representing 11 industries.
Summary of Findings
While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included:
• Security operations centers
• Virtual command centers
• Security information management systems (SIEM, PSIM)
• Networked cameras and sensors at high-risk facilities
CSOs and CISOs complained that their greatest business challenge is metrics, says Hunt. “Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders.” Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments, according to the research.
Most Surprising Finding of 2012
The most surprising finding, says Hunt, is Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys, he says. Continual Improvement (a la Baldrige, Kaizen, Six Sigma, etc) appears to be the primary motivation. Security executives realize that much of the know-how of security operations resides in the heads of its local security managers, says Hunt. In a hope to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.
Least Aware of This Threat
Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least, says Hunt. “Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against it.”
Least Prepared for This Threat
Two related concepts represent the threat for which nearly all security executives feel least prepared to address: Social engineering and physical penetration. Every security executive confessed that confidential company information was as risk of social engineer attacks. Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc) by
• An unauthorized visitor tailgating into the building
• An attacker bypassing security controls at doors and fences
• Rogue employees or contractors
• An internal attacker of any type