On the job in America’s top corporations, government agencies and institutions, the security task is a tough one but the assignments are getting done, new threats are being faced squarely and challenges – ranging from people issues and compliance to metrics and convergence – are better appreciated and handled.

Last January, Security Magazine assembled and reported the views of a roundtable of security practitioners relative to a host of issues. Some of those executives, augmented with other security colleagues, revisit those issues here.

Among them is Bill Anderson of Ryder System Inc., who is this month’s cover person. Anderson is director, global security for Ryder, the Fortune 500 global transportation and supply chain management solutions company. He, like others quoted here, is also deeply involved in his industry’s security and business efforts. Anderson, earlier this year, authored an informative feature article for the magazine, “Securing the Supply Chain - Prevent Cargo Theft.(Read the complete article on the Web at www.securitymagazine.com)

The update roundtable partitions issues of importance, summarizes the previous roundtable consensus thoughts and reports on what this month’s executive panel has to say.

“Corporate security must find ways to improve performance while keeping control of expenses. I don’t see this changing,” said William (Bill) Anderson, director, global security for Ryder System Inc.

BUDGETS

Last January security executives spoke about tight budgets for upgrades, new technology and training. Also they saw the need to change the perception from security as a cost center to one that adds value to the business mission.

Bill Anderson: Similar to other functions, corporate security must find ways to improve performance while keeping control of expenses. I don’t see this changing. However, I believe most corporate executives can recognize a value proposition if it is properly constructed and shows a good return. Also, significant gains can be made by leveraging the skills of frontline managers. At Ryder, we’ve made significant security improvements by teaching our frontline managers that security management is not complex and if they focus on the basics, they can have a well run and secure operation.

Jack Dowling: As time grows since 9/11, the impetus for security seems to have decreased. The initial flow of funds has abated and more justification is needed. Security executives must provide a different strategy, concentrating on the business case approach, to improve the chances of funding approval. Training will continue to be a major concern as more technology is added to the security operation and critical response to emergency situations is demanded of the security staff.

Lynn Mattice: Not much change…keeping cost in check is still a key area of focus . . . generally, we have always been viewed as a value add and not a cost drain.

Jeff Bardin: I do not see things changing but actually moving to even tighter budgets. Until security is included at the beginning (the conceptual stage) of new or updates to products and services, security will not be seen as a value add, cost benefit and not included in marketing and sales pitches. Most still don’t get it.

Ronald Mahaffey: Money is always scarce, however, if managed properly and if Sr. Management has the confidence in you, then it should not be as great of a problem as some might perceive.

Anthony (Tony) Potter: The key phrase here is “adds value.” Technology and training are the twin foundations on which we built our public safety team. Administration sees the results every day, so I don’t have to fight for technology and training dollars. Getting more people to train is another story.

COMPLIANCE

In January 2007, security executives said a growing focus of their job is on regulatory compliance and working with internal and external auditors.

Anderson: Due to the growth of corporate compliance issues and the effects of Sarbanes-Oxley and other regulations, there has been a much greater emphasis on corporate security efforts, more awareness of fraud related issues and more visibility to ensure appropriate investigations are completed. Added to that are efforts to improve supply chain security through the C-TPAT program and other TSA related security regulations which have increased the regulatory and audit burden on most corporate security functions. On the positive side, security programs have become more disciplined and better documented.

Dowling: As laws and industry standards increase, the security executive will need to be aware of these requirements and work closely with compliance reviewers from both outside and inside the organization. Issues related to privacy and data security will continue to dominate the security field as well as liability for inadequate security.

Mattice: Regulatory hurdles have never been higher and there appears to be new and more complex regulations on the horizon. The single biggest advantage I have today is my access to the Regulatory and Compliance Management (RoCM) gap analysis tool I receive through my membership in the Security Executive Council. RoCM provides me the ability to ensure compliance with multiple regulations at once and provides me with a cost of compliance model. I also utilize the C-TPAT and PCI compliance modules separately to conduct annual compliance reviews on these two key areas to our business.

Bardin: Fully concur that internal audit and security should be allies.

Mahaffey: We work very closely on compliance issues and have even formed a Compliance & Intelligence Unit within Corp Security. This keeps us current with issues and demands and eliminates many of the problems generally experienced in facing requests by “regulators.”

Potter: Regulatory compliance is a different issue in healthcare, especially in voluntary (not-for-profit) hospitals. We have to worry about (an agency) yanking our Medicare and Medicaid funding, Joint Commission accreditation, etc. It gets tougher every year.

PEOPLE ISSUES

Roundtable participants, earlier this year, said there are issues in their competitive environments centering on seeking and holding security people with the needed skills, talents and experiences.

Anderson: Corporate security is shifting, from a case-management and investigation function, to a profession focused on prevention. This requires new skills as corporate security managers have to think ahead of an incident and leverage a company’s resources and capabilities to the prevention of security incidents. With this shift, corporate security managers will need to have strong communication and planning skills. They will need to understand how to document and implement new processes and programs. And they’ll need to be able to change their corporate security culture from reactive to proactive.

There are a lot of “investigators” and fewer corporate security managers in the corporate security talent pool.

Dowling: This concern will always exist and you must pay to get the most qualified personnel and continue to pay to keep them. This applies not only to the security administration but also to the entry level positions, i.e. security officers. Budget cuts should not be directed at the salary lines or staffing positions as a means of improving the bottom line.

Mattice: The most important area security executives need to focus is on building the next generation of security leaders. Moving into a mode within the company where senior leadership training programs include a stop along the way in security will not only ensure a solid flow of talent into the security organization, but will enhance the understanding within senior corporate leadership of the importance of the role security plays.

Bardin: Hiring staff who are “smarter” than you in needed disciplines is still effective if you can find these people. Understanding your staff’s personality traits and in turn, their strengths is key to building an existing team. Instead of trying to improve individual staff weaknesses, which is painful, improve their strengths and truly build a team. Then hire into the areas of weakness with someone with that strength.

Potter: We manage to attract and retain exceptional people with attractive pay ranges and an outstanding benefit package. We work closely with corporate compensation to ensure that our pay is highly competitive in the marketplace. Three years ago, we implemented a four-step “career ladder” that allows our officers to plot their careers by seeing where they want to go and what they need to do in terms of education and experience to get there. As a result, our annual turnover rate stays at 12 percent.

TERRORISM

Previously, security executives contended terror threats have evolved and gotten more sophisticated with the response being better handling of emergencies as well as enterprise-wide business resilience.

Anderson: Generally, there have been significant improvements in emergency and crisis management planning. Now, many of those companies that have completed this work are focusing more efforts on prevention of the next incident.

For the transportation sector, this means tighter control of supply chains and ensuring the security of transportation equipment and infrastructure. Ryder is in the business of providing transportation equipment and supply chain services, so our efforts have been two-fold. First, as a C-TPAT participant, we are continually working with our business partners, both customers and vendors, to improve supply chain security. Second, we are working with the Truck Rental and Leasing Association (TRALA) to find better ways for our industry to secure our vehicles and reduce the risk of terrorism. Both of these efforts have resulted in audits and assessments of thousands of Ryder locations which have improved our business.

The effort has truly been grass-roots as the majority of these assessments have been completed by local managers. In the end, the process of assessing their locations and developing action plans goes hand-in-hand with building an effective security culture and giving frontline managers the skills to effectively manage security issues.

Dowling: Much of the initial “target hardening” based on 9/11 related terrorism has, in most cases, been accomplished. Emergency response and crisis management plans have included terrorism and it appears that business continuity, focusing on the aftermath of a terrorist attack or other calamity (avian flu, hurricane, etc.), has gained interest. Any of these events lean heavily on and impact the security operation. An immediate availability and prompt, professional response will be expected of the security force.

Mattice: The latest buzz word in corporations is “resiliency.” While we always seem to reinvent programs of the past, it really is nothing more than the coupling of a solid business intelligence program, risk management and business continuity. If you had solid programs in those areas, surprise, you already had resiliency built into the equation. (Editor: Last month’s Security Magazine cover story featured resiliency.)

Bardin: It is still largely a reactionary mode. We forget all too quickly in the U.S. Plans for response are gathering dust on the shelves. Disaster Recovery, Business Continuity Planning (DR/BCP) I believe is improving but there are still significant gaps.

Potter: As a healthcare system, we are more concerned about the casualties that a terrorist attack would cause than a direct attack on our facilities. We are continuing to upgrade our emergency management capabilities and drill monthly for a variety of threats, both man-made (including terrorist attacks) and natural disasters.

“As laws and industry standards increase and become more complex, security must be aware and work closely with compliance reviewers both outside and inside the enterprise,” pointed out Jack Dowling, president of JD Security Consultants.

CUSTOMER SERVICE

In January security executives said that more of their job is customer driven, whether internally with employees or when in contact with stakeholders and the public.

Anderson: Most of our security efforts are in some way affected by, or have an impact on, our customers. For Ryder’s supply chain business, the customer plays a key role in setting the standards and processes by which their goods will be moved. Security planning is a cooperative effort between both parties so the customer plays an integral part in determining the overall security investment that will be made. Corporate security’s responsibilities include developing a cost-effective solution to the protection of their goods in storage and transit, ensuring that the customer’s security expectations are met and continually working with the customer to improve security performance.

Dowling: Access control to facilities is the point at which security interacts with employees, the public and customers. Creating an efficient, effective and friendly first contact with these individuals will be the main goal of the security operation and personnel assigned to that function. Realizing that you only get one chance to make a good first impression and first impressions are lasting, staffing the security checkpoints with the individuals that have the best interpersonal skills is crucial.

Mattice: This is one of the most vital areas security executives need to focus their energy. If you do not understand and are not able to articulate how what you do translates into supporting the needs of the company’s ultimate customer/end-user, then you are destined to fail.

Bardin: It is customer driven largely from the standpoint that we are still trying to educate customers on their role in security and what they need to do to be part of the overall security program. This ties back to the first question on budgets; we are not included early and therefore awareness needs to be stepped up and until that is done, we spend much more time in a customer service role.

Mahaffey: Much depends on the kind of company and what industry you’re in, location, etc. I don’t find this to be any more true than it was 14 years ago when I joined the company. Wall Street and financial services are customer driven versus a suburban or rural manufacturing company.

Potter: Over 50 percent of our calls are service- rather than enforcement-related. Our COO refers to us as the customer service department in the hospital. A dozen felony arrests won’t give us as much traction at budget time as one letter of appreciation from a customer.

Guy Grace: The educational environment has changed greatly post-9/11, post-Columbine, along with the awareness of school violence. The school year 2006-2007 was particularly a tremendous time of turmoil for school safety.

With incidents like the Bailey/Platte Canyon hostage situation and killing in September, Lancaster County, Pa., and the Virginia tech killings, all schools were affected across the country. The after affects were increased bomb threats, threat assessments and heightened alerts for the entire school year. One of the greatest threats to our schools is ironically the understanding and use of technology as means for socialization and expressing oneself violently using technology and media as was most certainly evident in the Columbine tragedy but most recently with the Virginia Tech incident.

For example in our district several threats of violence were posted in places such as Myspace and other chat rooms and posting services. Most of these threats were unknown to schools until someone with a great concern about the communications and/or postings alerted us to it. By the time we heard about the threat within the district it was hours and days after the first postings started. The communications and postings were never created within the school but most often within the child’s home.

What was most disturbing was how the parents were just unaware of the activity as anyone else. Parents may not even had Internet in their houses, but the children knew how to access the Web by using their neighbor’s unsecured WiFi network, using Web-enabled video games, and/or just using the cell phone to take and post inappropriate material.

This is just the tip of the iceberg, and this issue is being discussed nationwide at other school districts. We all just have to develop our tactics to deal with this latest challenge. However what is important is that our parents need to be educated somehow as to what is happening so that they understand technology, too.

DISASTERS

Last roundtable participants viewed disaster preparedness as training beforehand, testing of the plan and best practices to get back up and running as soon as possible.

Anderson: Security’s role in disaster recovery and business continuity is going to vary depending on the company.

At Ryder, we have a business continuity function that resides within our IT function. Separately, the corporate security group has developed the company’s corporate Crisis Management Plan or CMP. Development of the CMP involved almost every function within the company, but the effort was lead by the corporate security group. Currently, the safety, health and security team plays a functional role on Ryder’s emergency planning team focusing on the protection of our people and assets before, during and after an emergency. A well coordinated team of functional experts (human resources, operations, communications, IT, safety and security, etc.) lead by operations will provide the most effective response.

Dowling: Business continuity plans, involving all aspects of the enterprise, have grown over the past years. The security operation will necessarily be involved in the prevention and/or mitigation strategy for the disaster, the planning and preparing prior to the disaster, response during and after the disaster, and recovery from any disaster. Drills, exercises and tests will rely heavily on the security operation and training will be the key to success in either the drill or a real event.

Mattice: While all of these areas are important, preventative work up front to minimize the impact of a disaster is just as important, if not more important.

Bardin: Still not fully engaged with DR/BCP. Many first have this separate from security and do not understand the time wasted in not aligning security and DR/BCP. Since most do not subscribe to a standard such as ISO27002, most do not understand the need for alignment. In addition, the work done during BIAs should and must be used within security. Getting this info and getting the DR/BCP staff to collect the right info would be a significant timesaver and help in asset management, critical device definition, vulnerability and patch management, configuration management, etc.

Mahaffey: Security plays a major role in disaster preparedness given its intended role during and post- incident. Each business unit must have its own plan to include business continuity (including security) and security must be flexible enough to interact with all.

Potter: Disaster management and recovery is a primary security responsibility in any environment. We have a key role in implementing new Joint Commission emergency management standards. As a hospital, we have to keep functioning regardless of the nature or magnitude of a disaster. Now we’re planning for a pandemic, which when it occurs, will stretch our physical security and response capabilities to the max. However, since we are the primary community resource, failure is not an option.

Grace: Schools are responsible for at least one-third of the day for the most precious treasures of our communities -- the children that attend them. Schools as so called “soft targets” have to take homeland security very serious. It is important for schools to promote the overall security awareness from the community, staff and students with an emphasis on homeland security concerns. The overall awareness will be very helpful for the entire community as whole when suspicious activity arises. Encouraging people to report suspicious activity keeps not only the school safe but also the community as a whole.

Parents also expect the schools to have a plan in place to address concerns that may endanger their children while they are in school. Homeland security does have a great system in place that most certainly can be of a benefit to any school and or business and that is the NIMS (National Incident Management System). Schools and businesses should, at the very least, implement this system to put a structure in place to address emergencies. Being prepared for an emergency is the most important piece of a puzzle for any school district or business.

PROJECT MANAGEMENT

Especially when it comes to upgrading and new technology, project management – in conjunction with systems integrators, dealers and even manufacturers – is growingly important, according to January’s roundtable attendees.

Anderson: This is really a two part response depending on the size and scope of the project. First, Ryder has partnered with a security engineering firm that handles most of the project management tasks from a security standpoint. Second, Ryder has an internal project management function that is responsible for developing and tracking the project plan and providing progress reports to senior management on a weekly basis. On most projects, the security project manager coordinates tasks and status updates with the internal project manager.

Dowling: As new technologies evolve, especially in the area of IP, project management will continue to become more complex. To ensure that the appropriate technology is purchased, it may be necessary to locate a security integrator who is well-versed and experienced in the IP security area.

Mattice: We have turned project management into more of an art that pays huge dividends. From pre-planning through becoming fully operational, we have detailed process controls, issue evaluation and resolution tools, tracking and communication tools, various other systems to ensure that project management is highly efficient and effective.

Bardin: I pull a PM or two from the PMO at the beginning of the year as budgeted in the previous fall and use them for all defined projects. They are funded through the security budget.

Potter: Over the past four years I have identified, promoted and trained an outstanding cadre of managers, each responsible for managing a specific area of our operations: uniformed patrol, physical security and loss prevention (including investigations). My physical security manager is responsible for keeping abreast of new technology and working with our vendors to apply it to our specific needs. For example, we are the healthcare beta test site for the next generation of GE’s SecurePerfect and Facility Commander.

METRICS

At the last roundtable, consensus was that there is more collection and analysis of information to determine the value, needs and growth of the security operation.

Anderson: Without a doubt, some form of security measurement is critical to determining whether progress is being made. Similar to other metrics, that measurement should be based on frequency and severity, with severity being measured by the cost impact to the company. From a security management standpoint, these measurements tell you where to apply your resources and whether the investments you have made are having the desired impact. However, even though this sounds simple in concept the development and tracking of security metrics become complicated in the details. The only advice I can give is to remember that most of the metrics used in other areas of a business often take years to develop and refine, and security metrics are no different. The process starts with capturing security incidents, reviewing the data, and continually refining your metrics.

Dowling: Measuring performance and communicating this information to top management is vital to demonstrate the effectiveness of the security operation and build a business case for any proposed enhancements. The data must be in a form and context that is familiar to top management. When competing for limited resources, metrics will support the position and furnish the necessary justification.

Mattice: The Security Executive Council has produced the bible on security measurements and metrics, as well as developing dashboards and presentation slides for these measures and metrics. Our team has embraced these measurements and metrics and providing input to the Security Executive Council’s database, which will provide the most comprehensive benchmarking tool available to security executives. These tools provided through my membership in the Security Executive Council have contributed significantly to enhancing the productivity of my team.

Bardin: It’s a critical tool that is not used properly in many cases; just a bunch of meaningless numbers. Intelligence and analysis still needs to be applied to correlate the information to people, process and technology.

Potter: It’s a constant struggle for us to find security metrics that apply to the unique nature of a healthcare environment. For example, I just left a meeting with our budget experts who still want to use square footage as a way to determine security staffing. When I illustrated the fallacy of this approach by explaining that 64 percent of our calls originate in less than 8 percent of our square footage, they just shook their heads.

MANAGEMENT ATTENTION

Strong communications and a focus on the business goals are two ways to get a seat at the table with the CEO, according to January’s roundtable group.

Anderson: I think brief and focused communications are a more effective way to get “a seat at the table” with the CEO and other senior management. Most senior management will find time to meet with corporate security, at least initially. However, if you want a return engagement, you need to make sure that you use their time effectively. Don’t dump problems on their desk and expect them to resolve your issues. Before you walk through the door, be prepared to describe the situation, offer possible solutions and make a recommendation. Similarly, don’t have a laundry list of items to discuss, focus on your biggest issue, the one that needs their push to resolve.

Dowling: To be successful, the security executive must know and understand the mission and goals of the organization. Hopefully, since 9/11 or before, the security executive has earned a position on the group that advises the CEO. Relating any security initiatives to the goals of the enterprise will get and maintain attention from top management.

Mattice: Security executives need to be focused on what the CEO and the Board are reading for business books, who they see as the new gurus. Seek this information out. Understand where they are headed. Communicate in their language and you can’t help but get their attention and cooperation.

Bardin: The illusion of due diligence is many time the norm of the day. Until a breach occurs or some outside auditor comes down hard (which is very reactionary), attention is not given. Many first still have security buried two layers below the CIO seeing it as merely a technology solution.

Mahaffey: There must also be a trust…this the CSO must earn which then makes him/her more than just another entity within the company. If you have the trust, the business focus will be obvious and the communications will easily follow.

Potter: The only way to get along with your CEO is to find out what he or she wants and give it to him. Even though I report to a VP, having direct access to the CEO and COO has been a non-negotiable condition of my accepting every security director’s position I’ve ever held. I keep them well-informed about everything we do; and they are not only present but speak every time we graduate a class of new officers.

Grace: Support from our executive staff has been tremendous. As a result of the demands created by the school security climate, our security department was made its own department within the district and my position upgraded to an executive level. In the past we were attached to the property management department within the district. The change allows security to be part of the official executive process streamlining the response. The same players are in place but no toes are being stepped on and all emergencies are addressed more efficiently.

CONVERGENCE

In January security executives saw a coming together of physical and logical security, but they had a diverse view of how and how fast that convergence will happen.

Anderson: At Ryder, physical security and IT security are two separate functions. I think you’ll see corporate security managers dealing with more IT related security issues, but at the design and implementation levels I believe IT security experts are best equipped to handle the specifics. The other aspect to consider is the security of integrated and networked security systems with other corporate IT systems. Single and multi-site integrated security systems usually have an IT infrastructure that must be maintained and secured against intrusion.

Dowling: Networked systems for video management, alarms and access control are proliferating and require a close coordination with the IT department prior to, during and after the installation. As more and more technology is associated with the network, the security executive must have an outstanding working relationship with the logical security side.

Mattice: I am so tired of hearing about convergence. First and foremost, why are we focused on two narrow areas “physical security” and “logical security”? Logical security is only a very small silo in the realm of “safeguarding information” and physical security is a narrow silo in the overall “corporate security” realm. Can we once and for all end this silly debate? Many organizations have been running fully integrated security programs for years and years. This is not something that is new. For example, a fully converged security program was pretty common among the defense and intelligence companies during the Reagan era when big defense and intelligence budgets were focused at ending the Cold War.

Bardin: Very slow in occurring in most cases. How can we converge when info security is far from mature. A good idea before its time is not a good idea. People are still protecting their turf.

Grace: With the new WiFi in place, security operations can now look at using IP-based cameras and other devices. This will be investigated to its fullest potential and, if it works out, will solve many security related issues. This is the ultimate merging of physical security and IT; and, with wireless security technology using wireless high-speed connections for data, it will be a revolution for security as whole. New security technologies will also be developed and will flourish with the freedom that WiFi brings mainly because the leash of wires has been removed.

PRIVACY

Some security executives last time saw a political shift in business concerns about privacy from so-called intrusive cameras to protecting people and assets as well as databases of employees or customers.

Anderson: I think we’ll see more emphasis on the protection of privacy rights in the future. This is complicated by the proliferation of data and the ever present theft of laptops, PDAs and portable memory devices. This causes a lot of concern about the protection of personal information.

The emphasis has shifted from the physical value of the stolen equipment to the data and personal information that was stored on the device. Another area of concern is balancing the need for effective protection with the need to respect personal information. Corporations are doing more screening of prospective employees and customers, which creates a need for information that is often difficult to obtain. In addition, government regulations often create expectations that are difficult to balance with privacy concerns.

Dowling: Not only do federal and state laws require protection of sensitive personal data, the threat of identity theft through the unauthorized access to and use of personal identifiers maintained by the organization can add an additional security requirement. Providing adequate security controls for the information from creation to destruction is an obligation of the enterprise and the security operation should have an active role, both directly and indirectly.

Mattice: Security executives have to be keyed into the privacy issues that can affect their companies. Database losses can have a serious impact on the reputation of the company, as well as, its valuation. We have all seen more than one company report a significant loss of customer data and have watched their stock price plunge. These are not short term events either, these types of losses have lasting impacts on the company and are a drain on revenue for years to come.

Bardin: It is and always will be about protecting the data. That is what holds value.

Mahaffey: There may be some truth to (what January’s panel concluded). However, cameras continue to play an integral part in security and are invaluable when reconstructing an incident. There must and can be a blended into the environment.

Potter: We have the mother of all privacy legislation in HIPAA. It doesn’t apply to employees, but we have had some identity theft cases that caused us to add additional layers of protection. Our security video cameras are generally overt for deterrent effect, but we have used covert cameras for specific investigations without any adverse reaction.

PURCHASING

Among the January roundtable group, some have very structured procurement procedures while others do not.

Anderson: Outsourcing is critical to businesses and specifically the security function. The purchasing of physical equipment such as cameras, DVRs and access control devices can be a more level playing field, but the purchasing of services is more difficult to compare one vendor against another. None the less, whether you have a purchasing department or not, you must ensure that the purchasing of products and services is based on business needs and definable criteria.

Dowling: To protect the enterprise and reduce the opportunity for fraud in purchasing, checks and balances and strong internal controls should be implemented and this will require a formal process. The security executive should offer ideas that prevent fraud in addition to protecting the items after purchase.

Mattice: You have to have a mixed purchasing program that allows you to have structured procurement for appropriate areas, but you also need to have the flexibility to respond quickly around the world to issues that arise. If you are having a major investigation you are having to launch somewhere around the word, you do not have time to go out and get three bid based on a defined specification.

Bardin: Purchasing should be very structured and tied to strategic plans, programs, budgeting process and assessments of risk.

Mahaffey: We have an extremely structured purchasing process.

Potter: Most of our purchasing (other than office supplies, etc.) is highly specialized, but our assigned buyer is very helpful in getting us what we need.

SIDEBAR: About the Participants

Security Magazine has assembled a high-level group of practitioners to update last January’s informative roundtable on issues and concerns in the industry.

William (Bill) Anderson is director, global security for Ryder System Inc., a Fortune 500 global transportation and supply chain management solutions company.

Jack Dowling is president of JD Security Consultants, LLC, Downingtown, Pa., and a member of the Security Magazine Advisory Board.

Lynn Mattice is vice president and chief security officer for Boston Scientific. He was a key member of the January 2007 Security Magazine Roundtable and featured on the cover of the March issue.

Jeff Bardin is the chief information security officer for a New England-based financial institution. He was recently awarded the 2007 RSA Conference award for Excellence in the Field of Security Practices.

Ronald Mahaffey is chief security officer at American International Group, Inc., New York City.

Anthony Potter, a long-time security veteran, is director of public safety at Forsyth Medical Center, Winston-Salem, N.C., and a respected author.

Guy Grace is director of security and emergency preparedness for the Littleton (Colo.) Public Schools, and a member of the Security Magazine Advisory Board.

SIDEBAR: Technology Empowers the Team

It’s a wireless communications world for Guy Grace, director of security and emergency preparedness at the Littleton (Colo.) Public Schools.

“Our IT department is installing a district-wide high speed WiFi network. Security is working with IT to use this network for day-to-day security department use. For example, where the WiFi is active right now, security can access critical security information when needed from our video and integrated security system using our WiFi-equipped laptops. The IT department has also graciously agreed to expand WiFi networks out into deployable hot spots that extend the range dramatically. As a result of this, if an emergency arises, first responders can set a command control point away from the school. In addition IT has dedicated fiber optic lines that go from the school district to the City of Littleton’s network which will allow first responders quick access to need information in an emergency. Many years ago such sharing would have been not well received if we asked or even not possible. The new IT leadership include very impressive people and realize that their realm when combined with the security realm can and will save lives and property.”

Enterprise leadership, of course, sees value in security of their people, reputation, intangibles and facilities; but they also sees value with working within their industries as threats and solutions go global. Ryder System is a Fortune 500 global transportation and supply chain management solutions company.

SIDEBAR: Think Global, Think Local

Bill Anderson, director, global security for Ryder System Inc., is responsible for directing Ryder’s global security function and leading Ryder’s international safety, health and security team. It is also a leader in global supply chain security.

He is a member of Ryder’s crisis management team and corporate compliance steering committee, as well as the American Industrial Hygiene Association, American Board of Industrial Hygiene and American Society of Safety Engineers.

In a supply chain feature article focusing on cargo theft published by Security Magazine and authored by Anderson earlier this year, Anderson pointed out that a global supply chain drives today’s economy. But that one of the biggest challenges affecting businesses today is cargo theft, and the resulting potential disruption of the supply chain. It is difficult to quantify because cargo theft is not always categorized in the same manner and often goes unreported. According to experts, estimates range from $10 to $30 billion a year. However, this figure does not capture the indirect costs associated with theft such as lost sales, production downtime and missed deliveries.