Richard Hudak of Loews and other top security executives talk about the various issues and threats that keep them up at night.


Security Magazine assembled a select group of top chief security executives in New York City and also by telephone and asked them to focus on those things that keep top security executives up at night. These people include: Alexia Roberts, director of corporate security at Teacher’s Insurance & Annuity Association (TIAA-CREF); Ralph Blasi, VP, national director of security, Brookfield Properties; Carl Harris, technical deputy project manager for the Integrated Electronic Security System Program with Metropolitan Transportation Authority Capital Construction (MTA CC); Richard Hudak, director of corporate safety and security, Loews Corporation; Michael McCann, former United Nations director of security, McCann Protective Services, LLC; and Lyn Mattice, chief security officer, Boston Scientific.


Justifying budgets and establishing metrics are among the concerns of top security executives, according to a roundtable conducted by Security Magazine.

BUDGETS

Roberts:
One thing that keeps me up at night is my budget, tight resources. From a security point of view, in 2007 our biggest challenge is going to be getting training and awareness out to our company. We’re looking to train and bring awareness around some specific issues. You have to create a program that gets a buy-in from the top and then go out to a distributed workforce. It’s a big challenge. At the same time, there is a shift to an enterprise approach.

So we add value to the business through our due diligence, add value to the business around our knowledge on access controls and try to sell that back to the company while we’re not having obvious physical security events happening. So you always constantly have to become really creative about selling your program, especially right at the end of the year.

McCann:
Things always come back to the budget and how much money you have, getting the funds for training and then if you have a limited number of people then it’s a question of how do you replace people that are away on training, or overtime or hiring. So it all comes back to money. But we’re victims of our own success. Meaning, since 9/11 nothing has happened so it’s the attention deficit the further away you get from 9/11. Now people appropriately look at budgets and do we need to do all the things we’re doing? So it’s a question of becoming smarter, managing the resources better, looking at what the purpose of doing something and how does that fit into the overall security plan.

Hudak:
 From a cost center, how do you become a profit center? You take small but measurable steps. Are we spending too much time on some areas and not on others? We have to outsource a lot.




COMPLIANCE

Roberts:
It’s an issue. We’re seeing that the information is not flowing to the right places. We’re not tracking it. And therefore we’re not responding to it in a timely manner. And from a resource point of view with the compliance issues, the regulatory issues, we’re doing about a dozen audits per year and keeping up with that. And trying to hire the right individuals that have a security background that can deal with these auditors and respond appropriately.


PEOPLE ISSUES

McCann:
While at the United Nations, my concern was the quality and level of training that I could provide for the security staff to bring their skills up to the level that was required in this day and age. Now in private business, it’s to remain competitive. As people and enterprises loose focus or attention on September 11, it comes down to the budget and efficiency, too. On the private security side, how can we deliver the quality service and be competitive with all the people that may be bidding on the particular job?

Mattice:
This is everyone’s job – protecting themselves and their company. I encourage the concept that “This is your home. Would you leave your door open or let a stranger in?”




TERRORISM

Hudak:
In living and working in New York City, I think about it every day. My worst nightmare is the kidnapping of executives or employees and having them held for ransom. Whether terror or accidents or man-made events, the importance is in the responding to emergencies. The bottom line – Keep staff safe; lead them to safety. Crisis management, disaster recovery, business continuity all are now important issues.

McCann:
Access control, even though it’s probably sold in the height of scare and everything else, in my view, it’s not really to prevent Osama Bin Laden blowing up the building. You know vehicle bombs and other things, that’s their M.O. We prevent laptop theft. We’re keeping out the people that were going around to offices and stealing wallets and purses.

Blasi:   
Better preparation won’t keep the terrorists out for sure, but it gives the tenants a sense of safety and a secure environment. Everybody has a level of anti-terror protection, their blast-resistant glass and turnstiles and trained security officers, things of that nature. [The key is] once it happens, how you handle it and get the people out, providing their safety. It’s very hard to determine what’s coming our way, biochem, a van full of people with AK-47s coming into your building. There’s really no way you’re going to stop that, but you try to mitigate it, create the hard target, as they say.




CUSTOMER SERVICE

Harris:
We must always keep our eye on the customer – over ten million between the tunnels, the bridges, subways, buses.

Blasi:   
Many times, security is definitely tenant driven. If they want turnstiles or secured access, they’ll get it. But typically attorneys or legal companies, they want they’re clients coming right in and not having to hassle with showing I.D. and getting scanned and things of that nature. So certainly here in New York, it’s a different culture.




DISASTERS

Blasi: We’re in the real estate business so our primary concern is life safety law, tenants and providing that safe environment. And being a national company, we find that different areas have different priorities to some extent. Here, in New York, naturally it’s the terrorist threat. You go to the southern cities, it’s more of a natural disaster, hurricanes and things of that nature, especially after the effects of Katrina. So we’re trying to create a consistent policy, corporate policy, making sure that even though certain cities may not see a terrorist threat high on their list, they have plans and procedures to cope with disasters and emergencies that may come their way.

Getting people out of buildings is a major concern; making sure we have our evacuation plans all set up and making sure we get the people out in a timely manner without panic so that our security staff and building personnel know what they’re doing. We have frequent meetings with tenants. They’re part of our security plan and hazard plans. They’re all in the loop. They’re part of the building team.




Getting management’s attention has its advantages and challenges, say members of the Security Magazine roundtable.

PROJECT MANAGEMENT

Harris:
That’s exclusively pretty much what I’m focused on. Because we have a mandate to meet certain deadlines to do something that is really unprecedented, it’s really difficult. Having not done it before, operating in an environment where you have a railroad, the environment that’s running 24/7 so you don’t get a chance to shut the system down to implement the system. So when you take the operating hurdles into consideration, it really makes it a tremendously difficult task.

But nevertheless, it comes down to extensive planning and re-planning, re-planning, re-planning. But we have very hard deadlines to meet. There is funding from Homeland Security and FEMA, and a lot of it is ‘use or lose’. And that’s a very difficult position to find yourself in. So we have to come up with a lot of strategies to mitigate risk as it relates to schedule, piloting and prototyping. And trying to meet that deadline, it’s really what keeps me up.

I face a lot of structure coming out of the gate – engineering, project management. And we have a strong matrix organization where resources matrix to us from different agencies, different consulting entities. So it’s really what infrastructure needs to be in place so we can operate a safer environment.

Blasi:   
 With my company, [my building] managers know virtually just about every contractor out there, every vendor out there that’s reputable and get the right person for the job. Again, we’re not working independently. If something needs to be done, we just pick up the phone. Still, everybody is an expert. Now the big thing is NYC Local Law 26 and all of a sudden everybody is an expert in fire safety and fire codes and photo-luminescence in stairwells. You need to separate the good from the bad.

Roberts:
We have an integrator per each corporate site. And then we have a smattering of different integrators for our regional offices so it’s a lot to manage. And we’re just slowly moving through, first, the corporate centers and then the regional offices and making sure that they’re the right integrator for the job. And the job has changed. We have to give them an opportunity to respond to those changes. But if they don’t respond, we have to move on.




METRICS

Roberts:
And one of the issues that we’re faced with, trying to figure out is, what are our metrics? And what kind of resources or tools can we tap into to get these metrics together so we can report to executive management, to the board in a concise and clear way and in language that they understand? What do they understand? Well, they understand numbers, right. They understand something where there’s a high level of risk. They understand that red light.

What also helps is incident tracking, doing the trending, looking at those types of patterns. And that’s what we’re trying to do. When I look at those instant management or instant tracking tools, I think of, wow, we want to be able to track the types of incidents and the location of those incidents so that we can see where is the message getting out and where is the message getting blurred as far as security and safety awareness. I think there’s something really valuable we can do with that information.<p>

There are two reasons for metrics. I think everybody knows that’s kind of the responsible way to manage the program, in any program, is to have some solid metrics and some really good data around that, right. And the other reason is you want to have that solid good data to say that’s why I’m asking for the budget that I’m asking for.

Blasi:
We use our Internet reporting system for quarterly reports. They break it down and see exactly what’s going on if one area is experiencing a higher percentage of slip and falls, what have you. It becomes very useful to them. The big thing, of course, is having the risk management folks have more input. We got them more involved.




MANAGEMENT ATTENTION

McCann:
 It is great for the security chief to sit with the big guys. But it also separates the performers from the non-performers, somebody that may have been acting as a security person when it didn’t have that kind of focus, when everybody wasn’t focused on what they were doing. So now they had to rise to the occasion. But it gives them an opportunity to do things and ask for things and also fighting for the budget. You can articulate concerns and what the numbers are and how it would not be just a security problem, but something that would affect the whole organization.

I learned that was one of the most important things during a crisis is communications with staff. And security people, you’re always waiting to get the information to find out what happened. Then you’re not giving out the message until you find out what happened and now it’s too late. So if you can train the people and have people that right away are going to get the communications out to staff during a crisis, top management appreciates that.

Blasi:
The CEO focuses on asset protection and protecting those buildings and making sure plans are in effect to safeguarding liability. So you’re involvement with that is almost on a daily basis. And they give you the resources to do your job. Business continuity is important – just getting back to normal as quick as you can.

Hudak:
Business concerns – we are the problem solvers in the corporation. And the CEO and other top management must realize that.

Roberts:
Security, I think, our role is the first responder and crisis management, and to make sure that we know the business’ plan. I can protect the assets and protect the people. But I need to know where we’re going as a business, too.




MANAGEMENT ATTENTION

McCann:
It is great for the security chief to sit with the big guys. But it also separates the performers from the non-performers, somebody that may have been acting as a security person when it didn’t have that kind of focus, when everybody wasn’t focused on what they were doing. So now they had to rise to the occasion. But it gives them an opportunity to do things and ask for things and also fighting for the budget. You can articulate concerns and what the numbers are and how it would not be just a security problem, but something that would affect the whole organization.

I learned that was one of the most important things during a crisis is communications with staff. And security people, you’re always waiting to get the information to find out what happened. Then you’re not giving out the message until you find out what happened and now it’s too late. So if you can train the people and have people that right away are going to get the communications out to staff during a crisis, top management appreciates that.

Blasi: The CEO focuses on asset protection and protecting those buildings and making sure plans are in effect to safeguarding liability. So you’re involvement with that is almost on a daily basis. And they give you the resources to do your job. Business continuity is important – just getting back to normal as quick as you can.

Hudak: Business concerns – we are the problem solvers in the corporation. And the CEO and other top management must realize that.

Roberts: Security, I think, our role is the first responder and crisis management, and to make sure that we know the business’ plan. I can protect the assets and protect the people. But I need to know where we’re going as a business, too.




CONVERGENCE

Harris:
As far as convergence is concerned, it’s unavoidable. Because there are risks involved, some of what we do is to use separation and segregation. But nowadays you can get all your security stuff from one infrastructure. You’re talking convergence. I mean, there are different types of convergence. For example, the network here is probably the seventh largest in the country. It’s an extensive network. We have converged, but we have segregated. So you’re getting the best of both worlds.

Hudak:
There is real love of the digital world. We all have a strong feeling about convergence. I think there is a role for the CIO and CSO – both are important and can have equal authority levels.
Blasi: Look at convergence in terms of security systems, too. The big thing in our business is access cards. Tenants don’t want to use the four different sets of access cards to get from the garage to the turnstile to their office space. So we all have the same type of card.

Roberts:
The convergence ideal? Identity management and entitlement management from one application that sits over the top giving you logical access, physical access, every type of entitlement that you would need to live in this corporate environment.

Mattice:
I’ve worked in a converged operation since the 1980s. It is very effective and goes across the entire enterprise. This is no ivory tower. I am an influence agent.




PRIVACY

Roberts: What is your concern and from which perspective? That we’re throwing in so many cameras and so many access control devices that you can pretty much track anybody from end to end on Manhattan island. Or should we be concerned about the legal issues around all the information that we have? You can look at it, either way.

McCann: Your point is well taken. Politically, things have changed in the country after September 11. But the pendulum will probably come back at some point.

I remember going to a seminar last year about the proposed national ID, if you were pro or con. And I was for it. Hey, we’ve got nothing to hide. And two attorneys really debated the issue. It was really interesting. I left there undecided. There are good things to it. But there are strong arguments against it. If you had a national I.D., it would not have stopped McVey, it would not have stopped the Belt Way snipers because they weren’t in that database to stop them. It’s limited. It’s not a cure-all.




PURCHASING

Roberts: The purchasing question is an interesting one because we have so many different vendors now. We’re taking a look to see who the best vendor is and who is the best fit for us. But from a product and supply, we’re trying to create a standard across the board. So we’re buying the same camera for Boston that we’re buying for Newport Beach.

Harris: For us, we have very structured procurement environment. What we’re looking for is that our products are standards-based. It’s just the nature of our business. So included in our specification are standards, performing standards that folks must meet so that eventually you can start interchanging devices.

Mattice: Everybody is still trying to be standalone, proprietary. Instead utilize some of their unique features and look for interoperability standards. Interoperability would enhance competition to provide the best systems. What is the business value in those great wiz bang technologies? Will they really help? Do I really need them?

Hudak: Polices, procedures, people, standards and technology. Our challenge is to create standards we can live with. Each one of the major hospitality organizations have standards they live with. But the essence is that the general manager of each property is responsible. You need to have – all organizations need to have – some broad standards that reflect their corporate culture.




Alexis Roberts
Director of Corporate Security
Teacher’s Insurance & Annuity Association (TIAA-CREF)


SIDEBAR: Roundtable Members

Participating in Security Magazine’s “What Keeps You Up at Night” Roundtable, held in New York City and by telephone:


Ralph Blasi
VP, National Director of Security Brookfield Properties




Carl Harris
Technical Deputy Project Manager for the Integrated Electronic Security System Program with Metropolitan Transportation Authority Capital Construction (MTA CC).




Richard Hudak
Director of Corporate Safety and Safety
Loews Corporation




Michael McCann
Former United Nations Director of Security
McCann Protective Services, LLC




Lyn Mattice
Chief Security Officer
Boston Scientific
(Not pictured)




SIDEBAR: Worry Warts

  • Budgets – Lack of resources; making the case for more money.
  • Compliance – Meeting internal and external requirements and auditing.
  • People Issues – Making training a top issue.
  • Terrorism – Balancing reality with potential threats.
  • Customer Service – CEO, employee, tenant drive conflicts.
  • Disasters – Anticipating what can happen.
  • Project Management – Working and trusting others.
  • Metrics – Measuring and reporting for the operation and the future.
  • Management Attention – The good and bad when the CEO looks in.
  • Convergence – The challenge of IT and systems integration.
  • Privacy – When is security too much?
  • Purchasing – Viewing vendors and standards.