Security Magazine

2012 Security 500 Report: Earning Your Stripes

While many enterprises still have the risk tiger by the tail, Security 500 leaders are earning their stripes by taking risk head on and proactively taming it. In short, they are moving risk to their organization’s top line.

November 1, 2012
[Figure: CSO top areas of responsibility]

Key Trends in 2012:

The business-minded leaders in this year’s Security 500 survey have spoken: they are going beyond their enterprises’ boundaries and redefining security’s traditional role in order to assess and manage risk, contribute to organizational goals and ensure resilience. But with the events of 9/11 far in the rear-view mirror, many security leaders also work to battle complacency across their organizations and to engage stakeholders in their own security, as well as to protect the physical and logical assets of their organizations.

For those business executives who lead their organization’s global risk and security programs, the instruction from the C-suite is clear, the mission is focused and the link to enterprise-wide goals has both perceived and measurable value. Security’s leaders are pushing value across their organizations to tame the “risk tiger.” Risk presents itself in the form of myriad threats to an organization. It is the organization’s vulnerabilities that allow threats to materialize into detrimental events that harm its people, brand, infrastructure, assets, revenue and more. Success requires the organization to stay in front of risk.


“Our value proposition is as an independent, reliable group that conducts quality investigations the company can depend upon. We uncover gaps and risks and assist to mitigate them. We create value by getting in front of risk.”

Mark Farrell

CSO

Comcast Corporation


Business leaders managing risk and security are deeply embedded in their organization, their communities and an expanding list of stakeholders within their ecosystem. In many cases, their organizations have created a single, global security office to best support and mirror their global structure. As security continues to become more integrated into enterprise processes, risk management is becoming pervasive, consistent and invisible.


“The most important thing is that our security be rigorous but invisible. Law enforcement is visible but security should be invisible.”

Dan Mullin

Senior Vice President of the Department of Investigations

Major League Baseball


Perhaps the most obvious, but unspoken, aspect of security’s role and importance in our society, lives and business endeavors is that no organization can function without it. Without security, organizations would be unable to host employees, guests, students, patients or visitors, transact electronic business, ship goods, be compliant, track assets, define their brand and mission, travel, secure insurance or survive legally. And because a response-driven security program is so costly, the only logical course is to proactively manage risk.

“In this day and age, security is not optional; it is an essential component and fiduciary responsibility of the corporation.”

Ed Goetz

Vice President,
Corporate and Information Security Services

Exelon Corp.


To achieve these three core goals (risk management, supporting and enabling organizational goals, and resilience, which includes security response programs), organizations are clearly focused on investments in human capital, technology and policies.

Risk management includes the assessment of risks facing an enterprise’s infrastructure, assets and people. By identifying the threats that may materialize as a result of those risks, organizations can evaluate their vulnerabilities and take appropriate action to close the gaps. Not all risk is nefarious. Compliance, or lack of it, is a threat to an enterprise’s ability to function, including its brand, stakeholders and business partners. Recognizing this vulnerability and ensuring compliance before an audit or negative event is solid risk management.


“Our structure is driven by risk. If there is no risk then we are not involved. When we do identify risks or threats, we work to mitigate them.”

Eric Levine

Vice President & Director, Corporate Security

WellPoint, Inc.


Security is also embedded in business planning, policy and processes because business unit leaders and executive management recognize its value in relation to their goals. On one hand, they cannot operate without security’s participation; on the other, an effective risk management and security program offers a competitive advantage. Security technology is being applied to transcend the security function and support other functions within the organization, and it is providing measurable value.

“We focus on excellent service and security. Our holistic approach has attracted customers and grown the business faster.”

Joe McDonald

Chief Security Officer

Switch


Resilience includes numerous definitions across organizations and sectors, but in simple terms it means the organization’s ability to withstand disruption or recover from disruption and to continue operations. More specifically, resilience includes business continuity planning, emergency management and disaster recovery (the before, during and after of an event that tests resilience).

To execute risk management and security strategies, business leaders are focusing on three key areas: human capital, technology and policies.

Human capital includes the recruitment, training and retention of qualified individuals who have specialized skills and who can properly represent the brand. Such people are in high demand. There is also a strong trend toward dismissing team members who are not up to the task, through early retirement or outright termination. Security organizations are working with their HR departments to develop, retain and reward their best people.

“Our CEO expects us to ensure compliance through audits and collaboration and to identify and reduce risks effectively, which in turn enables the business to run smoothly. Our physical and cyber security and business continuity programs should enable us to respond to any situation effectively to support our people, facilities and business operations.”

Larry K. Atteberry

Manager, Global Protective Services

Emergent BioSolutions


The investment in training and education across and outside the enterprise is also increasing. For example, online training regarding workplace violence education and prevention is now common. Programs on personal safety during travel are on the rise. The number of educational sessions with external business partners and their employees on various aspects of security are also rising. The goal is to get buy-in from all stakeholders and make security “Everyone’s Job” as much as possible.


“Recruiting and retaining the right personnel and having those personnel placed properly are your best preparation. Good people are the best trump card against bad situations. And often the first person a visitor meets is a Deere security person, so being an ambassador for our brand is also important.”

Jeffrey S. Chisholm

Director, Enterprise Security & Preparedness

Deere & Company


Technology investments, especially in Operations or Command Centers (Global Security Operations Centers or GSOCs) have become the foundation for global security programs. This information hub gathers intelligence about internal (e.g. employee locations) and external (e.g. weather, political unrest or natural disasters) dynamics to keep in front of risks and proactively mitigate events that might impact people, assets or infrastructure.


“Supply chain management is such a vital part of a company’s ability to manage and grow their business. We spend a lot of time on educational issues for our customers. A great part of my job is to develop supply chain risk assessments and show our customers how to secure shipments and avoid high- risk shipping profiles. That requires us to understand risk beyond our part and extend security to other parts of their supply chain.”

Walt Fountain

Director, Enterprise Security

Schneider National


Technology investment is also being made in proprietary and contract officers so that they can generate situational awareness on a global platform. An organization focused on risk management requires a transparent view of its landscape to effectively assess and mitigate threats. Leading organizations are leveraging social media both to communicate with stakeholders and employees and to gather intelligence on possible threats.

Video surveillance, global identification/access control systems, personnel tracking and travel/concierge services are being implemented to ensure stakeholders are secure and able to focus on their work-related tasks. Mass notification and emergency services provide two-way communication in the event of a security-related incident to support and secure stakeholders. By leveraging technology, especially global command or operating centers (GSOCs), to focus on risk mitigation, security becomes immersed within organizational processes and culture, and thus invisible unless needed.

Technology investments in regulatory and audit related activities are also increasing to improve compliance, automate reporting and generate metrics to better manage the security function.

For the investment in human capital and technology to work, enterprises must have single, global policies. For example, a visitor identification and access policy that is different in various locations increases risk and reduces an organization’s ability to provide effective security. By having a single policy that is enforced globally, risk is reduced, thereby reducing the likelihood of a security-related event and eliminating the cost of responding to, investigating and reporting on that event.

Policies are the new and challenging frontier for security, as they require significant education and communication with those who must change behavior, as well as buy-in from the C-suite on down. One challenge is BYOD (bring your own device), or the consumerization of IT, where employees select the devices they prefer to use (their smartphones, tablets, etc.) and the organization is left to assess and eliminate the resulting threats. A security or IT organization that globally selects BlackBerry as the device of choice and forbids iPhones will quickly find itself outvoted and compromised.

However, certain policies – including access management and badging, background checks and travel support – are having a positive impact. They add value to the individual and organization through increased productivity to achieve goals.

The fact that the C-suite is allowing the security function and its sphere of influence (and related cost) to expand indicates that the value of successful risk management to the organization’s brand, people, assets and infrastructure is positively perceived and understood. While every executive understands risk, most may not understand security. And while budgets for security-related response programs have always been under pressure, the focus on risk management that enables business growth is receiving acceptance and funding.

“I would argue that as a CSO, if we haven’t convinced the CEO that he could not successfully run his/her company without security support, we have not done our jobs.”

Russell J. Cancilla

Vice President &
Chief Security Officer

Health, Safety,
Environment & Security

Baker Hughes Incorporated


In July 2006, we launched the first issue of Security magazine, “Solutions for Enterprise Security Leaders,” by writing about the changing role of security. That issue included round-table and focus group conversations with the leading CSOs at the time. The best and brightest in those discussions shared what security’s role could be, if permitted. Now in our seventh year, many of those prognostications have become reality across the Security 500 report. And it will be exciting to watch where it goes next.

“It is not as easy as it looks.”

Ron Boyd

Chief of Port Police Department

Port of LA


2012 Key Trends:

1. Cyber Crime

While only 21 percent of Security 500 CSOs report being responsible for cyber or IT security in their organizations, it is the number one risk and security issue they are working to mitigate. Some organizations are attacking the problem through a management matrix in which enterprise security works with IT on a consistent basis to identify physical and logical risks and to identify and address vulnerabilities. Many others are leaving the vulnerability assessment to the IT department and the post-event investigation to the security department.

At Charles River Labs, cyber security is shared with the CISO, who is directly responsible for the company’s global network. Stephen Morrill works to develop strategies that ensure the network and the company’s intellectual property are secure. “This is a constant issue, especially with animal activists seeking political recognition through hacking. Their goal is typically not monetary gain. Due to the nature of our business, the most important data we protect is customer data. We host critical intellectual property of our customers for their research programs,” says Morrill, who is Executive Director of Corporate Security for Charles River Labs.

As in the physical security world, it is impossible to prove a negative. The fact is that macro cyber crime statistics are difficult to reduce to the organizational level for the purposes of assessing threats, identifying vulnerabilities and presenting a business case for a solid budget.

The risk and cost of cyber crime are extraordinarily wide-ranging, and guesstimates are plentiful. In 2009, the Obama Administration’s review put 2008 intellectual property losses in the U.S. from hacking alone in excess of $1 trillion. The Ponemon Institute estimates the cost of a cyber breach at $194 per record, on average. A Verizon Business study found that 65 percent of cyber crime victims had no knowledge of being a victim until notified by a third party, while a McAfee study showed that only 30 percent of cyber crimes are reported by businesses. And a recent Symantec study estimated the cost of cyber crime at $338 billion annually, which exceeds the illegal global drug trade in marijuana, cocaine and heroin combined. Finally, and most important for enterprises, a recent Forrester study found that most data breaches are the result of inadvertent misuse by employees.

“Our greatest threat, like many other organizations, is cyber. Among other initiatives, the company is creating a comprehensive Cyber Crisis Management program. We aligned it to our critical response program, and it is based on data privacy breach notification requirements and industry standards such as PCI DSS. Our decision rights matrix (RACI chart) is organized based on incident type and business impact to segregate different categories of decisions and communications that govern our actions during a cyber-crisis. The program includes an annual table top exercise to ensure the plan will be successful.”

Duane Ritter

Vice President Corporate Security

Cox Enterprises


While the threat is real, funding may only gain approval after an event has occurred. The challenge for organizations is to gain board approval for structural reorganization, policies and funding to understand threats and address vulnerabilities before a cyber crime and its resultant brand and monetary damages occur. For example, policies around BYOD, or around using clean mobile devices on international travel, especially to Asia, should be standard. Unfortunately, most organizations find that these policies get pushback and are not enacted or enforced. Among the most prevention-minded organizations are those whose business is directly linked to the privacy and security of sensitive and valuable information, especially customer records at a financial services company (e.g. ADP, Fidelity, Bank of America) or intellectual property (e.g. SFDC, Switch, Charles River Labs). Because their unique marketing proposition is based on protecting information from physical or cyber crime, an incident would be devastating to their brand due to its impact on their customers.

“Our data centers are our tangible assets, as well as advanced patented methodologies to manage and operate the centers. Critical risk is a constant and set to evolving requirements of management. Risks are driven, pushed, and realized with increasing criticality the paradigms shift accordingly. Everything from the protection of intellectual property, the threat to unpatched programs or newly introduced malware, potential environmental or weather event, utility service delivery issues and even the next person who walks into the mantrap – everything affects risk.”

Joe McDonald

Chief Security Officer

Switch


2. Budget

Fifty-seven percent of Security 500 organizations in this year’s survey reported an increase in their security budget over 2011, compared to 57 percent reporting increased budgets for 2011 over 2010. Sixteen percent reported a decrease in their budget in 2011, as compared to 18 percent last year. And the number of those who reported that their budget remained the same dropped to 27 percent this year from 35 percent. Those with an increase in budget realized an average eight percent increase. Similarly, those facing a budget cut realized an eight percent budget decrease. There are three distinct drivers for budgets among Security 500 organizations:

2a. Budget: Money is Tied to Business Goals/Value

2b. Budget: Money is Tight, Budgets are Being Reduced

2c. Budget: Budget and Role Have Expanded

2a. Budget: Money is Tied to Business Goals/Value

Risk management, as an integrated process and a best practice related to global business development, has proven ROI for business units. Those business unit leaders understand risk and are able to identify the value that security brings to the table as a core component of strategic planning and business execution. These businesses are security’s internal customers, and they rely on security’s expertise and advice to identify risks, make recommendations and enable business growth and resilience.

“We proactively stay aligned with the business and explain that enterprise security does not manage risks for them, but that we help them manage those risks. We ask the business unit presidents to ask: ‘What risks do we need to manage with this money?’ If we can start with that business question, then we succeed. Business leaders are using a more rigorous process, looking for the cost/benefit value not just the risk/reward scenarios and want to talk to a business-minded person – not merely a security person. It is the CSO’s responsibility to break the mold and communicate the business case.”

Russell J. Cancilla

Vice President &
Chief Security Officer

Health, Safety,
Environment & Security


This could perhaps have been viewed as a significant threat to the security department’s existence, as budget moves from an operational allocation based on revenue to an elective purchase by individual business units. Of course, basic security policies such as identity management and access control systems are not negotiable, but investment in risk intelligence, weather- or travel-related programs and support is often optional and requires an understanding by the internal customer and some selling and relationship building by the security leader.

However, that threat never materialized. Incorporating enterprise risk management into the business process at the outset is increasing, as are the aligned security budgets.


2b. Budget: Money is Tight, Budgets are Being Reduced

The across-the-board government spending cuts at the federal, state and local levels are taking their toll on security and emergency management budgets across the government, public education, library and healthcare sectors. Private organizations that serve these sectors, such as government contractors, or that are facing difficult business conditions are also being impacted.

Spending cuts on risk management or preventative measures may increase vulnerabilities at a time when security resources are being reduced. For example, the Philadelphia School District announced it had to consider reducing its security and safety personnel by almost 25 percent due to state budget cuts. Next year the federal budget includes a 45-percent cut ($54 million) to the Safe and Drug Free Schools National Program, which will have a direct impact on student security programs.

Similarly, the Department of Homeland Security will see its budget reduced for the first time in its existence, by 1.2 percent. That will have an impact of about $500 million across the nation’s states and localities.

“Budget. Budget. Budget.” That was a Boston area hospital security director’s answer to the question: What are the three most critical issues facing your security organization?

2c. Budget: Budget and Role Have Expanded

A second driver of budget increases is the restructuring of existing programs and/or the creation of new risk/security programs. Areas of responsibility, and their related budgets, that are being moved into security include business resilience and travel management. The budget is therefore not increasing because there are more dollars to perform the same services, but because new dollars for new services now sit within the security budget. Thus, the overall impact on existing programs and related spending is neutral relative to the current risk management investment. The majority of “Top Areas of Responsibility” showed an increase in 2012 over last year.

Globalization is a significant driver in this regard. Security 500 organizations reported significant increases in geographic responsibility versus 2011 in Asia, Europe, South America and Africa. Only Australia showed a decrease versus 2011.

“The security organization touches almost every facet of the Exelon enterprise in some form or fashion, resulting in an ever-changing list of challenges to overcome, often in unique and innovative ways. Security is everyone’s responsibility. Everyone has a role in keeping our people, property and assets safe and secure. That is the reason behind our intelligence based model: to look over the horizon, to prepare and prevent. We do not want to react to events.”

Ed Goetz

Vice President, Corporate and Information Security Services

Exelon


Finally, regulatory compliance has increased security’s budget as additional resources are required to keep pace. For example, significant legislation implemented after the global banking crisis requires financial institutions to adhere to new regulations, including additional audits and reporting. These new budget dollars are allocated to address a new requirement, and again, remain spending neutral for the security department’s other functions.

3. Systems Integration and Management

Security systems integration and management has soared as a critical goal versus prior years. Organizations are focusing on investing in security technology to leverage new solutions that enable the timely management of risk and security related information to gain situational awareness to prevent an event from occurring or respond effectively to one that does.


“The maturing of security means getting the right information to the right people at the right time to provide actionable information that adds value to the business. What information to send to whom and when are the critical challenges to focus on. We are building a proactive program to ensure successful outcomes as much as possible.”

Bryan Fort

Director, Corporate Security

McCormick Foods


The increase in both geographic and functional areas of responsibility, plus alignment with business or organizational goals, requires the security organization to have real-time intelligence to effectively manage risks and respond to events. That need makes the investment in security technology logical.

“Historically, security emphasis was placed on reactive investigations of localized security events. While these incidents still occur and must be addressed, the primary focus of corporate security has shifted to proactively identifying and mitigating national and potentially international threat vectors. The greatest threat to our company and customers is the Advanced Persistent Threat. So it is more important than ever, as a security leader, that I focus on the use of cutting edge technology and fostering relationships with governmental intelligence agencies and industry groups to mitigate threats to critical infrastructures and national interests.”

Ed Goetz

Vice President, Corporate and Information Security Services

Exelon


The investment in security systems and technology is also being driven by policies and regulatory compliance issues. Many Security 500 organizations are standardizing security policies and practices across their global footprint or across diverse operations. The goal of moving to a single, global policy requires single, enterprise-wide management of security systems. Cost reduction over the longer term is also a driver. Organizations are seeking to reduce their manpower and guard tour costs through the use of remote monitoring solutions and improved analytics.

Finally, the promise of security technology is coming to fruition as a result of pervasive IP networks, better product performance and reliability (especially software) and stronger collaboration between IT and security (often at the expense of the system integration provider). The result is that delivering security’s value to the organization requires a complementary technology strategy.

“We decided upon a global platform for an access control system with one badge for an employee to use across the enterprise. What has emerged is a number of other uses for the system that had not been initially planned. The badge is now being used for time and attendance throughout the enterprise, which has created savings for the company.”

Jeff Chisholm

Director, Enterprise Security & Preparedness

Deere & Company


4. Regulatory Compliance

From the Madoff scheme to the global financial crisis, and from PCI compliance to the recent federal and state investigation of major American banks for failing to monitor cash transactions in and out of their branches, thereby allowing drug dealers and terrorists to launder money, the effort to increase transparency and avoid catastrophe through regulatory and voluntary compliance is on the rise. As a result, so are the man-hours and cost of being compliant.

“By standardizing procedures across all facilities and geographies, we reduce risk and liability by having the right people in place to respond the right way. We invest heavily in compliance including FDA, SOX, EPA and other regulations. Being compliant enables the company to function.”

Larry Atteberry

Manager, Global Protective Services

EBSI

As security organizations consolidate into a single, global security organization, that organization faces both U.S. and international regulatory compliance issues. Compliance regimes, and the organizations they affect, are seeking to identify both internal and external threats on a local and global basis to ensure resilience, protect the brand and avoid costly losses or fines.

Globalization has also sparked additional compliance requirements for security organizations both inside the U.S. and internationally. The Foreign Corrupt Practices Act has been in existence since 1977 and has two main provisions: the first addresses accounting transparency requirements and the second concerns bribery of foreign officials. Most security organizations, however, were not global in 1977, and many are still following in the footsteps of their enterprises by creating single, global CSO positions to support business goals. As a result, the FCPA is one regulation that has sent organizations in search of new personnel and expertise.

Leading organizations are also gaining international compliance certifications for both risk management/security and business development purposes. By participating in, auditing against and applying common standards, organizations gain marketing benefits with their customers as a compliant partner and can gain a competitive advantage.

“We have invested in the Customs Trade Partnership against Terrorism (CTPAT), the Canadian Partners in Protection (PIP) and were recently authorized in the UK and anticipate being authorized in France to join the Authorized Economic Operators (AEO) in Europe programs. And we are regulated by the FDA and USDA. This provides a benchmark audit that we are applying best practices and have a secure supply chain. By meeting these standards our customers know McCormick is compliant.”

Bryan Fort

Director, Corporate Security

McCormick Foods


Retail organizations face PCI compliance for the purpose of securing electronic transactions. Failure to be PCI compliant can lead banks or credit card companies to discontinue doing business with an organization. In the utilities sector, the Federal Energy Regulatory Commission and Nuclear Energy Regulatory Commission require compliance, and companies in this sector must pass audits and provide reports.

“This growing compliance issue continues to provide challenges to all lines of business particularly in the utility industry. By uniting our security and compliance programs in a synergistic effort, we have been able to close the gap between our operational efforts to secure the enterprise and our ever-evolving need to maintain compliance with regulated security standards. This will help to reduce costs associated with potential regulatory fines and improve our compliance posture.”

Ed Goetz

Vice President, Corporate and Information Security Services

Exelon


5. Personnel Training/Retention/Recruitment

Globalization. Business. Risk Management. New Technologies. HR.

Each of these dramatic changes to security’s structure and goals has led to new positions being created that require different personnel skills. Both the skills and the types of people being sought out and hired have changed dramatically to fill new job descriptions. The first wave of college graduates with a degree in security is arriving, or soon will be, adding to the current selection pool of second-career law enforcement members. In addition to these new arrivals, retirements and early retirements have both positively and negatively impacted human resources within security.

Globalization of the enterprise security office has led to global practices and standards, including policies, processes and technology. As a result, the need to hire like-minded leaders in international locations to implement the strategy has followed. In some areas, especially Asia, there is competition for proven managers, and the cost of trained officers has risen sharply in the past few years.

“Half of our personnel are in the U.S. and half are internationally located. It is very competitive in China and India to find quality people at the regional and project manager levels.”

Jeff Chisholm

Director, Enterprise Security & Preparedness

Deere & Company


Security’s alignment with organizational goals has had a dramatic impact on the person chosen to lead the department. Leadership skills and an ability to network with business leaders and understand their issues are critical for success and longevity. Where security leaders have been successful, they have seen their acceptance and their business grow while their available time erodes. In many cases, they realize they do not have the right people to put in front of their internal clients and need to hire some bench strength.

Risk management has changed the very nature of security’s mission and focus. As organizations move toward risk mitigation, the hiring and training of their personnel must change.

New technologies are being acquired and implemented to support global business goals, including workforce protection and supply chain security, through Security or Risk Operations Centers where intelligence on both external and insider threats is gathered, assessed and acted upon. New technologies are also the backbone of enterprise resilience programs.

 

“We are in a very fluid and unpredictable environment that moves at a high speed. We prepare for enterprise risk management and security through training. We constantly look at what we do well and what we do not do so well. Second, we study other hospitals in the U.S. to learn about their best practices and adopt what works. Third, we prepare for every contingency from power outages to active shooters.”

Alan Robinson

Director

Protection, Security Service, Emergency Management

Atlantic Health System

 

Human Resources has engaged with security to better manage human capital. As is typical at the executive level and across other departments, HR is actively working with security to identify those it wishes to retain and invest in, and to connect them to training and programs that develop a career path within the organization, including opportunities outside of security. Having a formal program in which HR treats Security as its client is a critical step in the continued success and development of a valuable partner to the organization’s overall success.

 

“As the next generation of individuals move into CEO roles, risk, business continuity and security will be a part of their education and experience. They will have a stronger understanding of the function and its value.”

Bryan Fort

CSO

McCormick Foods

 

The focus on recruiting, training and retaining the best people in the organization to meet new and emerging business needs on a global scale is dynamic and will remain a core focus of successful organizations and their leaders.

 

6. Business Resilience

Defined by the Security 500 as Business Continuity, Emergency Management and Disaster Recovery, Business Resilience has seen a steady rise as an area of responsibility among enterprise security organizations, from 81 percent to 87 percent since 2010. Among the drivers for a strong business resilience program are close alignment with business goals, liability, workforce protection and compliance.

 

“Anticipating potential business interruptions and working to mitigate those threats from happening supports the business organizations to remain operational and reach their goals. Resilience strategies and preparedness drills are critical for success. Accurate risk assessment and being prepared are the biggest contributions we can make to the organization and our people.”

Duane Ritter

Vice President, Corporate Security

Cox Enterprises

 

Because of the global nature of business, the just-in-time inventory of supply chains and the speed of information, organizations must be well prepared to understand their threat matrix and to recognize when an event is occurring, whether internally or externally. It is the prior investment in risk management and training that will enable an enterprise to respond correctly and recover quickly.

Among the best practices for business resilience is recognizing and communicating what not to do during an event. Examples include using the Superdome in New Orleans as a shelter-in-place location during Hurricane Katrina, a role for which it was neither designed nor prepared; as a result, New Orleans’ emergency management plan now ensures the Superdome will never be used in this manner again. And on 9/11, employees were told to stay at their desks and not evacuate. Today, emergency policies and procedures integrated with technology are very different at the new World Trade Center.

 

 “On April 3rd, CNN showed footage of our tractor trailers being thrown through the air like toys during the tornadoes in Texas. Thanks to our resilience planning, that facility was back up and running within twelve hours and there were no injuries. You have to get out in front of risk and we were very pleased with our ability to be prepared, respond, and have the best outcome possible.” 

Walt Fountain

Director, Enterprise Security

Schneider National

Most enterprises recognize that the investment in business resilience is necessary because the risk of not doing so can be devastating to both the organization and the CEO’s tenure. CSOs are engaging their peers from legal, human resources, marketing communications and IT to create a holistic plan and response program for their enterprise. The use of mass notification technology to inform stakeholders has become a best practice for leading risk management and resilience programs.

 

7. Workplace Violence

Workplace violence, and in particular the threat of lone wolf actors, continues its troubling rise, especially in the healthcare profession.

 

“Workplace violence is rampant in the healthcare profession and at the top of our critical issues list. The numbers say it all. 70% of the workers in this industry are female and the number one cause of death for females at work is homicide. I start every day with these statistics. We treat workplace violence the same way the hospital treats infections; they have to be controlled and eliminated. We look hard at the metrics.”

Alan Robinson

Director

Protection, Security Service, Emergency Management

Atlantic Health System

 

The traditional definition of workplace violence, violence among fellow employees, is being addressed as well as possible through training, technology (access control) and support programs. W. Barry Nixon, Executive Director of the National Institute for the Prevention of Workplace Violence, has identified employee-on-employee workplace violence as a performance management problem, because rarely, if ever, does violence perpetrated by an employee just happen overnight. Nixon says: “Most security professionals are well aware of the so called ‘early warning signs’ that may precede an incident of workplace violence and definitely consider threatening behavior as a problem to be dealt with. Our experience has indicated that threats and many of the ‘early warning signs’ are lagging indicators in the process of preventing violence. Prevention is driven by identifying problems as early as possible in the violence progression cycle and intervening to interrupt the cycle. Research of actual incidents of extreme violence indicates that in many cases employees have been involved in other inappropriate or policy violation situations and that this behavior repeats itself and worsens over time. Our premise is that lax performance management means that employees are given a pass for unacceptable behavior(s), which over time will escalate into other bad behaviors.”

A number of organizations are extending their duty of care beyond the workplace, offering employees support and outreach programs around the clock. Employees who are able to express stress or difficulties before they reach a crisis stage make a significant difference to the overall organization by preventing a threat from materializing.

 

“Workplace violence continues to be a critical issue. We proactively employ web-based training programs and partner with local law enforcement to bring awareness and understanding to this issue. It is important people know they can seek help or that others speak up to help someone who is struggling before an event occurs.”

Stephen Morrill

Executive Director, Corporate Security

Charles River Labs

 

Not all workplace violence begins at work. In a recent case, the violence was premeditated well before the perpetrator was hired. At a Pathmark store in Old Bridge, New Jersey, Terence Tyler killed himself after allegedly killing two other employees. His family says he was discharged from the Marines suffering from depression, and he had tweeted about killing “everyone I see.” He had also tweeted, “smh is it normal to want to kill ALL of ur coworkers? Maybe but I’m actually in a position where I can, smh” (smh = shake my head). Stronger background screening, including review of social media posts, may therefore become a required practice for hiring organizations seeking to reduce the risk posed by violent intentions.

Further, the definition of workplace violence is expanding for enterprises. When six people were killed and 12 wounded, including Congresswoman Gabrielle Giffords, at a Safeway store in Tucson, Arizona, the event fell within the confines of workplace violence. Similarly, the Aurora, Colorado Century Theater shootings did not occur at the workplace of most of the victims, but technically constitute a workplace violence event. Identifying new vulnerabilities and liabilities, especially with the advent of lone wolf shooters, has challenged organizations from the C-suite to legal to security and beyond.

A recent study by the Society for Human Resource Management and HireRight identifies how their member organizations would respond to threats of workplace violence.

 

8. Asset Protection

The definition of Asset Protection has expanded beyond the traditional concepts of physical property and goods and services held for resale, especially at the retail level. It now also covers protecting infrastructure, facilities and mobile assets against events ranging from weather, fire, chemical or biological hazards and natural disasters to political action and fraud. Organizations are addressing these risks and building resilience to prevent loss and to respond successfully to events, from the simple to the complex.

Because of the sophistication of today’s criminal organizations, public/private partnerships between private security and law enforcement have become a core element of successful asset protection programs.

In March 2010, thieves cut a hole in the roof of an Eli Lilly warehouse in Connecticut and spent the next five hours carrying out the largest prescription drug heist in U.S. history, valued at $80 million. Over the next 18 months, Eli Lilly worked with law enforcement not only to solve this crime but to take down a criminal organization tied to other major robberies, including one at a GlaxoSmithKline warehouse. Beyond the financial cost, this group posed a serious threat to patient safety and the integrity of the drug supply chain.

“My team immediately began working with our internal partners, including distribution and manufacturing, united around our main priority, patient safety. The Enfield Police Department conducted a detailed crime scene investigation. And the FBI’s initial engagement was based on the assumption that the stolen property would be transported across state lines,” shares Bob Reilley, CSO at Eli Lilly.

Perimeter and facility security may seem a basic security process for most organizations. But getting sufficient funding to address identified risks is an ongoing challenge for many organizations and their security leaders.

In May 2012, a man trying to steal copper wire from a Southern California Edison electrical relay station died after suffering a 33,000-volt shock, and the incident caused a power outage for thousands of San Bernardino residents. Protecting infrastructure assets cannot be valued only at the cost of the asset itself (in this case, copper wire); the assessment must include the overall cost to the facility, downtime, and investigative and labor expenses.

Another way to protect assets against fraud is to know who you are doing business with. Organizations are now investigating prospective customers and partners beyond the traditional credit check.

 

 “There is the threat of insurance fraud and other illegal activities, so we investigate to avoid accepting business from fraudulent entities.”

Walt Fountain

Schneider National

 

Leading programs are also implementing third-party oversight of their procurement process to ensure compliance and reduce the risk of receiving fraudulent goods or engaging in business with unknown entities.

 

“We deliberately changed from an ad hoc to formal process with our business stakeholders. Our goal is to evaluate third-party risk to ensure their security controls are adequate during the duration of the contract. We developed a third-party due diligence triage process based on the relative risk posed by the third-party relationship. For example, the risk when buying commodities such as office furniture is low, but the risk related to cloud services that process private data is high. The question is simply, ‘Who are we doing business with and what is the relative risk the relationship poses to our organization?’ and by answering that question, we ensure adequate due diligence on our third-parties.”

Duane Ritter

Vice President, Corporate Security

Cox Enterprises

 

“We differentiate entities through a strategy of placing them in ‘risk tiers’ and perform due diligence commensurate with the risk they pose to our firm,” says John O’Connor, Executive Vice President for Corporate Risk & Security at Fidelity Investments. “For example, if they utilize any of our data, we perform an external security review as well as a business review regarding their viability and reputation. We are always working to make this process better and more consistent throughout all geographies.”

O’Connor says that Fidelity has always dedicated significant resources to this area but has recently been working diligently to weave the process together and make it nimble and highly transparent. “There are many types of risk that can spawn from third parties,” he says. “You need a rigorous process that ensures controls remain in place during the life of the contract or relationship. Third-party relationships can be fluid so you need to stay informed, remain current and be prepared to react quickly to protect your company’s reputation.”

 

9. Workforce Protection

Once only the focus of the executive suite, the move toward enterprise risk management now includes human capital and Duty of Care policies for all stakeholders, especially employees. “Duty of Care is the legal and moral requirement to protect the health, safety, security and well-being of their globally mobile employees,” says Peter Crittenden of International SOS. He notes the recent Duty of Care and Travel Risk Management Global Benchmarking Study by Lisbeth Claus, Ph.D., of Willamette University, which surveyed 628 global companies and found that “Managers who fail to pay attention to employer’s duty of care responsibilities, especially for their employees crossing borders, are failing in their commercial, fiduciary, legal, moral and social responsibilities as managers.”

Protecting employees from workplace violence within an organization’s facility has expanded to global 24/7 protection, including both business and non-business related activities. Technology and solution programs have enabled organizations to build global operations or command centers and utilize services for intelligence about weather, terror, kidnapping, political instability and other threats plus services to support their people in times of need. That includes services that educate and train employees to be prepared as well as physical support for travel, medical or evacuations.

While the larger threats loom largest in our view, the more common issues for which employees need support are pickpockets and other petty crimes, for which the victim has few local resources. Workforce protection programs are invaluable at these sensitive times.

 

“Baker Hughes is most focused on the critical risks generated by geopolitical instability, industrial and state sponsored espionage targeting our people and intellectual property. We also protect the enterprise from cyber terrorism, theft, corruption and fraud. We have strong programs in place, invest in our technology and have sophisticated, special procedures in place for both the duty of care of our people and for protecting our assets/critical infrastructure and IP.”

Russell J. Cancilla

Vice President & Chief Security Officer

Health, Safety, Environment & Security

Baker Hughes Incorporated

 

Crittenden of International SOS notes that when security situations arise with travelers abroad there is a measurable difference in response between trained and untrained individuals regarding duty of care programs and personal security awareness training. The increasing globalization of Security 500 organizations and increase in expatriate employees will continue to increase relative risk and require appropriate mitigation strategies.

 

“Regardless of the complexity of an organization, you have to deliver peace of mind first and foremost. Our stakeholders tell us that ‘we are glad you are here’.”

Eric Levine

Vice President & Director, Corporate Security

WellPoint, Inc.

 

10. Emerging Market Risk

Emerging market business growth has restructured enterprise business models into single, global entities. Many Security 500 organizations initially managed the heightened risks of emerging market expansion regionally. That model, however, did not keep pace with business growth goals because of the myriad policies, technology platforms and management teams involved. As a result, single, global security organizations have been created, with a single, global CSO office mirroring the business structure. The goals of this strategic change include faster business growth, true enterprise risk management, uniform compliance and audit programs, and unified reporting.

Cultural issues and basic business protocols can also be risks to an enterprise unless clearly understood and integrated into business planning.

 

“International games are fun to do and I enjoy being a part of the team that is growing the business around the world. The complexity grows when working with the venues and law enforcement teams in other countries. As an example, local law enforcement in Tokyo is not as sensitive to terror threats as we are, because they have not had a 9/11 event. Another issue is emergency medical treatment and staffing. In Japan, ambulances are purely used for transportation, while in the U.S. an EMT will be treating the patient during that trip to the hospital. So we really needed to understand the local people and resources and supplant them to meet our requirements and mitigate risks.”

Dan Mullin

Senior Vice President of the Department of Investigations

Major League Baseball

 

Most CSOs interviewed for the Security 500 report point out that they love their jobs because there is “something different every day,” and working in international locales supporting organizational goals fits that description.

WellPoint, for example, created its first global CSO office in 2008, centralizing physical, technical, procedural and travel security along with its Corporate Situational Awareness and Response Center (CSARC), or command center. In 2010, security moved from being a shared service within operations to the General Counsel’s office in recognition of its importance and its international business role. And in 2012 WellPoint further developed the CSARC’s international capabilities.


“Security now touches our business in so many ways beyond just security from travel support to potential business disruptions on a global scale. We work across the organization to enable business units to succeed. The key is finding the right answers to eliminate threats and reduce risk.”

Eric Levine

Vice President & Director, Corporate Security

WellPoint, Inc.

 

As the U.S. and European economies continue to falter, the need to expand into emerging markets will integrate risk management and security programs ever more deeply into the global enterprise in support of organizational goals.