Nightmare or Opportunity
Top Leaders Talk It Out
Bryan Koontz (pictured above) shares his concerns, experiences, goals and business vision with colleagues taking part in this unique Security Magazine roundtable of top executives. Koontz, director of safety and security at High Point Regional Hospital in High Point, N.C., also views his current and future more clearly from the perspective of his business – healthcare.
In this next in a series of roundtables, it is obvious that a primary trend emerging is that security executives are as focused on bringing value to the enterprise as they are focused on traditional security goals.
Roundtable members are listed on page 24. Check Security's Web site at www.securitymagazine.com for other roundtable sessions.
BUDGETS
Last year, security executives spoke about tight budgets for upgrades, new technology and training.
Jonathan Blumberg: The same concerns exist in 2008 (as they have for every year previously as well). However, buy-in to strategic security goals has become much stronger due to the strategic nature of recommendations. By continuing the drumbeat of prudent security practices focused on the direct protection of business operations rather than on the implementation of security programs for the sake of “good security” (though they may often be the same), the business stakeholders begin to understand and embrace what security brings to the table.
Guy Grace: As each year passes I see our security operations adapting more and effective security technology and practices. This is a great thing because as time passes, I see better service provided by our security services to the schools we serve. The drawback is the cost to continue to obtain, maintain and implement our security technology.
Robert Holm: Having just completed the 2008 budget plan, I must say I experienced the toughest budget process in my 25 years in corporate security. We cut our budget by 25 percent from 2007 projections and did so without losing head-count. I challenged my staff to view our operation as if every dollar spent was coming directly out of their pockets. The “nice to haves” were eliminated and the “need to haves” were prioritized differently under this principle. Don’t get me wrong, the budget was pretty lean to begin with, so we will be doing things with cautious ambition in 2008. Of course, items that were eliminated were clearly communicated to management – items that we believe added intangible value. My assumption is that some of those “services” will resume once management recognizes the void.
Bryan Koontz: Security budgets are definitely getting tighter, especially in healthcare. What is troubling is that leaders also want the security staff involved in duties other than providing traditional security services. This would be okay and would illustrate security performing duties not associated with an expense center. What happens is the exposure to an organization increases and, if something goes wrong, security may not respond as quickly because they may be performing nontraditional security tasks.
COMPLIANCE
Security executives said a growing focus of their job is on regulatory compliance and working with internal and external auditors.
R. Scott McCoy: I left one heavily regulated environment for another. It is critical for today’s security executive to know the regulations that impact the business. There’s nothing wrong with having someone on staff to do the daily work, but an executive can’t delegate the responsibility of understanding the requirements to a subordinate.
Dave Morrow: Without a doubt, compliance matters are high on almost every IT security executive’s list of concerns – and the pressure is going to get even more intense. Information technology security’s mission in many companies will probably spread to making sure the company complies with regulations that are not, at first glance, directly related to security.
PEOPLE ISSUES
Last year, participants said there are issues between being competitive and seeking and holding security people with the needed skills, talents and experiences.
Maria Chadwick: In any field, it is becoming increasingly more difficult to find experienced and skilled people. I think we need to start looking for people with potential and investing in training and leadership programs. It is important to take into consideration that everyone brings different strengths to the table. When hiring, look for qualities that will help balance out your team.
Jonathan Tetzlaff: “Old school” security organizations often sought to build a large security function, adding as many people and responsibilities as possible. This “empire building” would sometimes work in the short term, but it is invariably counterproductive over the long term. Large security organizations tend to become targets of budget-cutters, so the size of the security group eventually drops back to its pre-growth levels a few years after a period of rapid growth. This cycle of growth and subsequent cuts is not cost-effective nor does it reflect well on management. A far superior approach is to build a small organization of highly-compensated experts.
TERRORISM
Last time, security leaders contended terror threats have evolved to better handling of emergencies as well as enterprise-wide business resilience.
Robert Chandler: Based on my research studies into private sector security planning in the post 9/11 era for significant changes in this area, I have a fairly detailed perspective of how terrorism has and is affecting business and corporate security operations generally in the USA. …Since 2001 security planning has significantly increased its focus and attention on some aspects of terrorism threat preparedness. Several threat risks are now included in a significantly greater number of (security and business) plans compared with 2001. These include bomb threats (70%), computer crime (49%), terrorism attacks/invasion/intruder threats (47%), mail threats (47%), bio/chemical release (43%), and general HAZMAT release (43%). The security field in private sector businesses has dramatically increased planning and readiness for terrorism.
Ronald Mahaffey: As much as I agree with the [summary] statement [based on the last roundtable], I think – particularly in the non-global companies – that a degree of complacency has begun to set in. When this happens, it’s difficult to accomplish much.
CUSTOMER SERVICE
Last year, security executives said that more of their job is customer driven, whether internally with employees or when in contact with the public.
Mark Brunstetter: My customers are our employees. Customer service is part of my salary review. I am tied to a series of matrix-based reviews. Customer service is heavily weighed within my objectives.
Maria Chadwick: Customer service is not a choice. Everything is customer driven and should be the basis for separating an average company from a great company that chooses to take care of their customers. A customer who is treated well will return and share their experience with their friends. With this in mind, customer service should not only extend to our customers, but to our employees as well.
David Kent: We are in a service business that requires a detailed understanding of customer needs and what will or won’t work in a business environment. If you don’t understand the customer’s business, how can it be efficiently secured?
Bryan Koontz: Customer service is critical for any security operation. Security is the least expensive way to make a positive impression on any organization. People, regardless of who they are or where they are, all want to feel safe and secure in their environment.
DISASTERS
Previously, roundtable participants viewed disaster preparedness as training beforehand, testing of the plan and best practices to get back up and running as soon as possible.
Guy Grace: Security in our business is responsible for emergency planning. That is training each school to run a NIMS-compliant emergency command system. Security has the responsibility of creating the drills that each school runs a couple times a year, and helping with planning with mitigation planning. There are myriad responses that security may employ in different types of emergencies and we are counted on every day to provide that service. The best example is that security supports the other sections…such as the school administration, school psychologist, counselors, first responders and the public relations officer. It is a great feeling to know that you are a part of a well-tuned machine, which, in turn, allows the school to recover much sooner.
Jonathan Tetzlaff: In an effective “world class” organization, security integrates with safety, medical, finance, information services and other organizations as needed to ensure a seamless response to disasters. Tabletop exercises can expose areas for improvement and can also assist in team-building of such cross-functional groups. Whether crisis management and disaster recovery functions are “hard-wired” into a single group – or simply matrixed as needed to respond to disasters – doesn’t really matter. Different corporations inevitably take different approaches. The issue, instead, is how well the different groups function together when planning for, or responding to, a crisis.
PROJECT MANAGEMENT
Project management – in conjunction with systems integrators, dealers and even manufacturers – is increasingly important.
Jonathan Blumberg: I am losing favor with the one-company approach. As integrators and large security companies buy one another in an attempt to provide all services under one roof and gain marketshare, I am more often going to the small or regional provider who has skin in the game in my area of operations. Anyone can install a security system, however, it is the after-installation support and service that will make or break a security program (and its director).
R. Scott McCoy: With an in-house security professional, preferably certified as a Professional Security Professional or PSP. This person works as project manager and directly manages the venders from design to commissioning.
METRICS
There is more collection and analysis of information to determine the value, needs and growth of the security operation.
Maria Chadwick: My first reaction is, “How do you measure the value of safety?” I understand the company needs to justify costs and using metrics works in a lot of areas, but in security and surveillance, which are non-profit making departments, it can be challenging to justify your expenses on a spreadsheet.
Dave Morrow: Meaningful metrics have a definite value to a security operation, but there is still the tendency to collect metric upon metric (“the more the merrier” outlook) or to collect metrics that are valuable only to a technologist or CIO. Technical metrics are usually of limited value to a business and, thus, are hard for the CSO/CISO to explain to the business. I believe the fewer metrics explaining how security is helping the business are far superior to more “gee whiz” technical ones.
MANAGEMENT ATTENTION
Strong communications and a focus on business goals are two ways to get a seat at the table with the CEO.
Ronald Mahaffey: I certainly agree with “strong communications,” which says that the CSO and his/her staff are knowledgeable and competent. If this is true and the CEO feels this, then you’re a winner. That you have a focus on the business goals will be a “given.”
R. Scott McCoy: I question the assumption that security should be at the CEO table. I’ve heard this many times, but the real goal should be to have a solid security program that is supported philosophically and financially by the company. If that is happening, there is no need for me to be talking to the CEO.
CONVERGENCE
Security leaders last year saw a coming together of physical and logical security, but they had a diverse view of how fast that convergence will happen.
Ronald Mahaffey: I am not in favor of such convergence and I seriously question the motive(s) of persons (particularly from the physical side) that see this as a good thing. I think this can lead to confusion, a mixing of resources and a watered-down effect on physical security and the protection of assets.
Dave Morrow: We have converged IT and physical security operations under one organization at EDS since 2005 and have seen a great deal of benefit from doing so. We have combined physical security, IT security and investigations, crisis management, privacy and executive protection into one organization called the Chief Security and Privacy Office (CSPO). This organization is responsible for all security and privacy issues for the company, including oversight of the business continuity programs of the various business units. I believe that convergence is highly appropriate for an increasing number of organizations as the industry moves towards a more holistic view of enterprise risk. While, for some companies, the cultural, political and organizational differences make true convergence difficult or impossible, the general trend calls for the integration of IT security with other disciplines into an enterprise-wide risk view.
PRIVACY
Last roundtable, some security executives saw a political shift in business concerns about privacy from so-called intrusive cameras to protecting databases of employees or customers.
Mark Brunstetter: We are driven by HIPAA, so enough said. Patient data is the priority and a mandate within our company.
Maria Chadwick: In our industry [gaming], it is generally understood by both employees and customers that we use video surveillance throughout the property. We also take every precaution to ensure personal data and privacy is protected. Cameras are a necessary tool in our industry, not only because they are required by the Gaming Control Board, but also because they can help reconstruct a series of events so that appropriate and fair action can be taken for our employees and customers. Cameras also provide an extra level of protection for people, property and data.
R. Scott McCoy: There are specific laws defining and protecting a person’s reasonable expectation of privacy, say in a locker room. Public spaces both in companies and on the city streets are under surveillance more and more. This trend will continue, and people are already getting used to it. As far as protecting employee and customer data, this is increasingly more important and a primary responsibility for a security operation.
Dave Morrow: At EDS, we have long believed that security and privacy are intertwined and interrelated subjects and cannot be adequately addressed in a fragmentary manner. Our Chief Security and Privacy Office (CSPO) combines IT and physical security, privacy, crisis management and business continuity organizations into one group that views these issues as a whole. Privacy relates to how you handle information on individuals, where and how you store it, who has access to it (authorized or not), and what uses you make of the information. It is similar to, but not the same as, the traditional security concerns of ensuring the confidentiality, integrity and availability of data. You can have secure data and still have horrible privacy practices. You cannot have good privacy practices without a good data and physical security program. Too many security tools companies would have you believe that one type of technology (encryption, data leakage and/or content monitoring, etc.) will take care of a company’s privacy needs.
PURCHASING
Some have very structured procurement procedures, while others do not.
David Kent: We view our purchasing organization as partners in creating secure contracts and other third party relationships. Standardized security language that addresses hiring practices, security posture and inspection rights is present in all agreements that bring non-employees into trusted environments, place our information in the hands of others and in distribution agreements for our products.
R. Scott McCoy: We need to assist our purchasing departments by giving them language to add into the boilerplate of all contracts to make sure venders and contract workers meet the background screening requirements as well as other security requirements. As for purchasing processes with regards to security services, all contracts should be reviewed on a regular basis and either put out to bid or justified as a single source provider.
Dave Morrow: We are moving from a decentralized to a very structured procurement process that allows us (the physical and IT security function) to more easily identify and contribute to procurement processes. The centralized procurement structure provides a good “choke point” for identifying significant projects and initiatives throughout a global and dispersed enterprise. The downside, of course, is that these organizations can become true bureaucratic choke points in the worst sense of the term and can bring an otherwise agile company to a grinding halt.
WEB-BASED SOCIAL NETWORKING AND THE BUSINESS
In addition to the obvious downside of Web-based social networks, do you see them as a serious tool for business in general and security organizations in particular?
Maria Chadwick: I don’t see these sites as a “serious” tool, but certainly a tool that can be incorporated into the business organization. These sites can be used in certain cases to gauge the situation, but do not necessarily make for acceptable standalone evidence. On the other hand, if someone is foolish enough to post confidential or damaging information on the Internet, they should be held accountable for their actions.
Jonathan Tetzlaff: Although I admit to some concerns, I am a strong proponent of leveraging the Web to share information and build support networks. The balance, of course, involves determining the type and extent of information to reveal on the Internet, and the proper place to reveal it. Unprotected Web sites – sites with no password or membership required – are obviously the most vulnerable to identity thieves. Many prudent security professionals take a more conservative approach, using such online tools as “Linked In” to convey information to a selected group of security colleagues instead of making it available to the world at large.
SIDEBAR: Meet the Roundtable Members
Jonathan Blumberg is director, corporate security at MeadWestvaco, the diversified manufacturer of packaging solutions/products, with a presence in more than 30 countries.
Mark Brunstetter is physical security manager at Siemens Medical Solutions of Siemens AG.
Guy Grace is director of security and emergency planning, Littleton Public Schools, and is a member of the Security Advisory Board.
Bryan Koontz is director of safety and security at High Point Regional Hospital, and is also featured in the parking security article in this issue.
R. Scott McCoy is chief security officer at Alliant Techsystems, a leading provider of advanced weapon and space systems.
SIDEBAR: More on the Roundtable
Security Magazine brought together some of the best leaders in the profession. Not all answered every question and not all answers are reflected in this cover story because of duplications and space limitations. An expanded version will appear online – coupled with posting of this print issue of Security Magazine – at securitymagazine.com
In addition, the upcoming March 2008 print issue of Security Magazine will have a similar roundtable reflecting comments from top consultants as they see the profession growing and changing.
In addition, Robert Chandler will share unique and informative results of his security research and perceptions in an upcoming issue.
SIDEBAR: Shouting Fire in an Effective Way
In response to the Malibu Canyon fire that began a devastating rampage through the small ocean-side community last fall, Pepperdine University actively used its newly deployed mass notification system provided by 3n (National Notification Network) to help evacuate faculty and staff and to coordinate efforts to prevent the loss of life and property.
Involved in the effort with an emphasis on communication was Robert Chandler.
According to students on campus, Pepperdine sent out five notifications during the first day of the fires. Two of the messages were instructions to students and faculty to evacuate dorms and classrooms and proceed to safe areas on campus. Students not on campus at the time were informed that they would not be allowed to return and instructed to stay away from campus.
Pepperdine officials sent out two more messages providing status updates of the fires.
Pepperdine initially decided to acquire the 3n InstaCom Campus Alert system earlier this year to further strengthen University emergency preparedness.