2010 Security 500: Profiles

Jim Hutton, Director of Global Security
Staying in Touch Globally
The Procter & Gamble Company (P&G) has reached the five-year
milestone of its acquisition of Gillette, and with it the addition of Jim
Hutton, director for global security. P&G rings in at $78.9 billion in
annual sales with a large line-up of leading brands. Yet this complex, global
organization has created a unique and powerful platform to deliver a security
culture for employees and other stakeholders.
When discussing how P&G’s security team
reports into Human Resources, Hutton states, “HR is the perfect home for
security at P&G. Working within HR, we are able to see how things get done.
HR has the best wingspan to reach our employees, customers and business
partners.”
As a component of the overall HR mission to
serve 127,000 employees, P&G security is able to manage expectations from
HR and set clear strategy to get the job done. For example, HR focuses on
global travel requirements and leverages security for travel advisories, creating
seamless support to employees, globally.
“There are clear guidelines that all
employees follow and this is led by our Ethics and Compliance group,” Hutton
adds. “We have Incident Response Guidelines and a Worldwide Business Conduct
Manual that are rooted in P&G’s ‘Purpose-Values-Principles.’ These two
manuals enable all employees to understand company expectations. Having all
employees follow the same guidelines enables security to manage scale and
create transparency at this big organization. We rally around: ‘Do the right
thing.’”
As P&G approaches the fifth year since
acquiring Gillette, it has blended both organizations’ best practices. “The
challenge is to make a choice on best practices that is scalable to all of
P&G,” says Hutton. “We have received great support across the enterprise to
install best practices in areas like freight loss, brand protection and
achieving case closure.” P&G uses metrics and ROI to measure the value of
these processes. “Our first post-merger program was to focus on the loss of
finished goods in transit,” he says. “With P&G shipping more, and organized
crime becoming increasingly aggressive, we needed to get products to our
customers on time and meet on-shelf availability. We went well beyond
traditional shipping security and saved millions in product losses. The ROI is
so strong and measurable that the Product Supply Organization funds the program
out of the money saved.”
Another outcome of the Gillette acquisition
was its focus on resilience, particularly after the 9/11 and Katrina incidents.
“We realized that there was an opportunity to develop a good crisis management
strategy that incorporated emergency management, business continuity and
disaster recovery,” explains Hutton. P&G adopted a simplified decision making
model that worked with both external relationship leaders and internal leaders
within security.
In conjunction with the simplified decision
making model, P&G’s security utilizes technology. Instant messaging and
crisis contact management on a global scale enable both fast awareness and
action. “Our mantra is ‘touching and improving lives’ and this year our Job 1
is to better leverage our ability to manage crises,” he says. “Our employees
know that they are cared for and valuable to us, and there are systems and
processes in place to help them,” he says.
When asked about the
profession’s biggest challenges, Hutton notes that those challenges have been
addressed within P&G: “Making good macro-level decisions in a very dynamic
environment is difficult. Organizations achieve that with great staff
development, education and training. You don’t just arrive there; you have to
work at it every day.” P&G security has invested in their people with
education, experiential learning and involvement in business activities and
other field work so they can understand and learn. “We have four young people
in security getting their MBAs,” he says.
Hutton notes the best part of the job is that
there is something different each day, “The external environment is always different
and P&G is very dynamic. I enjoy developing and managing our staff quite a
bit and watching people grow in the company.” Prior to joining Gillette, Hutton
worked at the U.S. Department of State’s Bureau of Diplomatic Security for ten
years.
Personally, he has been married for
27 years, has two sons and is an avid kayaker.
Security
X Brand/Product Protection
X Business Continuity
X Corporate Security
_ Cyber Security
X Disaster Recovery
_ Drug and Alcohol Testing
X Emergency Management
X Executive/Personnel Protection
X Insurance
X Intellectual Property
X Investigations
X IT Security
X Physical Security
X Regulatory Compliance
X Supply Chain
_ Other
Security Scorecard
Annual Revenue: $80,000,000,000
Employees: 127,000
2011 Critical Issues:
• Business Continuity
• Crisis Management
• Brand Protection

Richard Gunthner, Vice President of Global Corporate Security
Total Risk Management and ROI: It’s Priceless
MasterCard has
seen dramatic change in the past several years, including shifting
from a private association owned by banks to a NYSE-listed public company.
This evolution and the advent of shareholders and other stakeholders drove an
overall new meaning for risk management and the company’s security vision.
“Security is truly part of the
overall company,” says Richard Gunthner, MasterCard’s vice president of
global corporate security. After the IPO, MasterCard’s then CEO decided
security was critically important, needed to report to an executive committee
member and that the lead security executive required a window into the company
strategy – being aligned with the company’s goals and objectives would be
critical to be effective.
At the same time, it was
recognized that the executive committee required a strong lens to view and
understand risk for its global organization. As a result, Gunthner serves as
senior advisor to the executive committee in all matters pertaining to physical
security. “We work to earn credibility and respect across the organization
every day,” shares Gunthner. Looking at MasterCard’s global security program,
the reasons for success are clear.
“We take a strategic view and
stay focused on several key areas,” he shares. “First, as a global company that
serves 210 countries, everything we do is guided by a risk-based approach.
Second, what we do must be aligned with the company’s objectives and add value.
Third, we are very customer and technology focused as an organization, so we
map security into that platform. MasterCard, by the nature of its business,
requires us to deliver security in a customer friendly way and to leverage
technology to achieve our objectives. Fourth, our programs, as much as
possible, need to be transparent.”
MasterCard’s security organization mostly
works behind the scenes and purposely stays invisible. “Our focus is to keep
people from harm’s way by preventing an event from impacting our business,” he
says. “This takes a careful and thoughtful approach versus an emotional
reaction to an event, and it’s our job to differentiate between the many shades
of gray.” At the heart of this strategy is a sizeable investment in analysis to
predict future events. “Relying on our analysts from a combination of
proprietary MasterCard analytics, purchased information services and
algorithms, we are able to identify risks and prevent events from impacting our
people,” he says.
MasterCard prides itself on being well
prepared to respond to any situation. “Our goal is to enable the business to
operate and for our people to function effectively. But effectiveness requires
that they can also function safely. I am very conscious that we are a global
company and that to advance commerce so that everyone, everywhere can
participate, we must take increased risks in new geographies. That increases
security’s role to manage those risks and enabling, not slowing business,”
explains Gunthner.
Among the key risk management
discussions is how the powerful MasterCard brand might be impacted by a
security issue or threat against the company or its people. “Our customers are
our employees, visitors and guests and we work to get their feedback on
security and risk issues,” says Gunthner.
MasterCard has launched many technology-based
initiatives with a concern that a “big brother” response might occur. But the
feedback has been just the opposite. “Our stakeholders like and support the
mechanisms we have put in place, especially that a contact and a resource
exist. Whether a simple flight delay notification or a more significant risk
issue is in play, the response is overwhelmingly positive and appreciative. We
offer many resources to our stakeholders including security briefings, cultural
information such as whether local law enforcement in a specific area is
reliable and airline safety ratings. We work to better prepare our customers
how to avoid incidents. The informal feedback is very positive and rewarding,”
says Gunthner.
MasterCard measures the value of
security in three ways. Any program or investment:
1. Must maintain or
increase the current level of security.
2. Must be either
transparent or semi-transparent and not overly burdensome to the customer.
3. Must use a risk-based
approach versus painting with a broad brush so that the biggest risks are
managed without limiting business across the board.
“New technologies allow us to
drive more security and safety initiatives that reduce risks with equal or less
resources. Mr. Ajay Banga became CEO on July 1, 2010 replacing Robert Selander,
who will retire at the end of the year. Mr. Banga has new ideas, great energy
and a true global perspective. Having his continued buy-in is critically
important for security and something we work hard to earn and retain,” shares
Gunthner.
Looking at our profession, Gunthner addresses
the industry’s challenges. “We have to stay relevant by changing as the
expectations for security change. And we need to add value to the business by
constantly improving and enabling business to get done. That only happens with
innovative thinking outside the traditional security box. Security leaders need
to always focus on saying, ‘Yes.’”
Noting that complacency is very dangerous,
Gunthner enjoys that every day is different and that the security role keeps
his job fresh and interesting. He finds MasterCard’s global nature fun and
exciting, and that engaging with new technologies, analysis tools and
understanding risk to improve security is invigorating.
A commercial pilot by training who held senior management
positions at American Airlines prior to joining MasterCard, he is married with
two children. He enjoys renovation projects and beach vacations.
Security
X Brand/Product Protection
X Business Continuity
X Corporate Security
_ Cyber Security
X Disaster Recovery
_ Drug and Alcohol Testing
X Emergency Management
X Executive/Personnel Protection
_ Insurance
X Intellectual Property
X Investigations
_ IT Security
X Physical Security
X Regulatory Compliance
X Supply Chain
_ Other
Security Scorecard
Revenue: $5.1 billion
Employees: 5,100
Critical Issues:
• Cyber Crime
Technology

Jeff Ward, Chief of the San Antonio, Tex., Independent School District Police Department
The S’s: Smart, Safe & Secure
The
management.
“Creating a secure and safe learning
environment for the students to be as successful as possible is Job 1,” says
Chief Ward. Using a traditional law enforcement model, including the chain of
command for supervisory issues, in an educational setting has nuances, though.
“We have a good lens on students who are serious or repeat offenders of the law
versus those that may get into trouble with minor pranks or poor judgment. And
we treat those activities appropriately,” he says.
The San Antonio ISD includes 96
facilities that serve more than 55,000 students from pre-Kindergarten through
12th grade high school. Currently, the district is voting on a major bond that
includes $43 million for a district-wide security investment. The bond’s
approval with a focus on security technology will enable Chief Ward to provide
a more constant and consistent level of security and safety. “It is a challenge
to find the time to maintain focus on our roles and keep our existing
technology up to date. The passing of the bond will greatly support our
security goals,” says Chief Ward.
While addressing legal
violations by students is the most frequent law enforcement activity, there is
a significant strategic plan for business continuity and emergency management.
“The one thing that keeps me up at night is the possibility of an organized attack
on one of my schools. If the initial attack is successful, then we have failed.
We train and prepare to have the best possible people, policies and technology
in place to give us awareness of possible events and to respond effectively,”
says Chief Ward.
Among the challenges, he says,
is that the 9/11 attacks, now at their ninth anniversary, and the Columbine massacre in
April 1999 are no longer prevalent memories. “Keeping the employees,
teachers and community focused on security and at a relatively high level of
awareness is our greatest challenge. As time passes without an event, people
relax and that increases our risk. People tend to forget that these events can
happen anytime, anywhere. We need the eyes and ears of the community to be
attentive and communicate with us so we can be proactive and effective,”
explains Chief Ward.
The San Antonio ISD has also employed new technology
to assist in its mission, and it has seen positive economic results. “We
installed an access control system with video to prevent people who should not
be in our facilities from entering,” Chief Ward says. “That has reduced key
control costs and added real value to our investigations as well as our
monitoring program. It allows our force to be more productive without adding officers.”
Chief Ward is particularly proud of the San
Antonio ISD police force. “I have a great staff,” he says. “They are true
professionals and they really take care of their customers including the
students, employees, property and even me. They bring a diverse perspective to
our decision making process, and that is very valuable.”
His hobbies, other than woodworking, are
strongly tied to his profession. He is a Special Deputy U.S. Marshal and a
member of the Lone Star Fugitive Task Force. And he is an active volunteer who
has donated his time and energy to the Texas Municipal Police Association and the
Texas Association of School District Police, of which he is a past president.
Among his ambitious goals for the
San Antonio ISD is to “leave the district better than he found it” and there is
no doubt that he will do so.
Security
_ Brand/Product Protection
X Business Continuity
X Corporate Security
_ Cyber Security
X Disaster Recovery
_ Drug and Alcohol Testing
X Emergency Management
X Executive/Personnel Protection
_ Insurance
_ Intellectual Property
X Investigations
_ IT Security
X Physical Security
_ Regulatory Compliance
_ Supply Chain
X Other: Law Enforcement
Security Scorecard
Annual Budget: $517,327,000
Students: 55,000
2011 Critical Issues:
• Technology
• Implementing Access Control
• Training

Maria Chadwick, Director of Surveillance, Wynn/Encore
Securing the Brand
Ensuring that
business is conducted honestly and that the company and its guests are
protected defines Maria Chadwick and her staff’s role at Wynn Las Vegas. “Our
job is to protect the integrity of the company and its gaming assets. That is
the core of Wynn’s
Casino surveillance is unique due
to its adherence to gaming regulation requirements. The surveillance department
is responsible for monitoring the guest and employee activities for all of the
casino games and other hotel support functions, acting as a deterrent against
policy/procedure violations and identifying actions that can possibly lead to
theft and/or cheating. As a result of the gaming regulations, surveillance uses
clandestine observation methods to achieve its objectives via a security video
camera system.
The surveillance department is also
responsible for procuring the video monitoring for the entire property and has
total override capability over all other departments who have access to view
video. “All departments are intertwined to prevent and manage events. For
example, if a subject presents counterfeit chips at the casino main cage,
casino surveillance is responsible for capturing the incident on video.
Security is informed to take the subject into custody and notify the proper
authorities and corporate investigations is also advised of the incident, in
order to conduct a background investigation and coordinate with the proper law
enforcement agency,” explains Chadwick.
Casino
surveillance’s second key objective is to enforce and ensure that policy and
procedures are followed. Staff is trained in all surveillance departmental
standard operating procedures. In turn, staff is also trained in additional
business processes as it relates to the departments outside of casino
surveillance as well as State and Federal statutes to ensure property
compliance. For example, when a dealer fails to properly clear his/her hands at
a blackjack table, casino surveillance will report the infraction to casino
management for immediate correction. The incident is formally documented as a break
in procedure against business practices and the integrity of the game is not
compromised. “By documenting and
reporting violations of this nature, the casino surveillance department shows
that the company is straightforward and operating in a suitable method,”
explains Chadwick.
One of Wynn Las Vegas’ greatest achievements
was the expansion and opening of Encore on December 22, 2008. This $2.3 billion
entertainment complex includes an additional 2,034 guest suites and 74,000
square feet of gaming space. Even more impressive: it opened at the height of
the economic collapse. “The opening of the Encore and the economy at the time
was an interesting challenge. We were expected to continue normal operations
for Wynn Las Vegas, while constructing a new property. Wynn’s high standards
for customer service and overall business values had to be maintained,”
explains Chadwick.
Wynn Las Vegas is highly focused on customer
service and Chadwick’s goal is for casino surveillance to be a support function
for both the guest service staff that interacts with guests on the casino floor
as well as anyone outside of the security department. Wynn and Encore hold more
Forbes Five Star awards than any other casino resort in the world.
Today, Wynn and Encore have one seamless
surveillance department. Yet, training was a challenge at first,” Chadwick
says. “Existing staff was tasked with maintaining operations for Wynn, learning
a new property and then training completely new staff to all operations.”
Training and retaining qualified employees is an ongoing dilemma for Wynn Las
Vegas and many other
In addition to labor and training, in
preparation for 2011, Chadwick and her staff will continue to focus on
expenditures.
For all expenditures, ROI measurement will be
emphasized going forward. “While risk management is generally an automatic
reason to approve expenditures for our business, programs such as loss
prevention or ‘what might happen’ are getting a more critical review. We are
asking ourselves, ‘how can we provide coverage at a logical investment level?’”
notes Chadwick.
Casino surveillance has become a more
versatile tool to the company. “We have changed our paradigm,” she says. “An
example of this is using a database program that we use to evaluate advantage
play (such as card counting) and repurposing the information to assist
marketing in determining a player’s profitability for the company. The
information is used to set appropriate credit lines and complimentary offers,”
she explains. “We created a needed value by applying our existing technology.”
Managing something different
every day is her favorite aspect of her profession. “I walked in this morning
and learned about an upcoming project that will be taking place three to four
months from now that will have a significant impact on the technical division
for the department. Planning and
preparation had to start immediately due to the overall project scope.
Continuous projects, changes, additions and remodels keep each day fresh and
exciting,” says Chadwick.
When not working, she enjoys walking,
yoga and Pilates. “Finding a balance between my professional life and personal
life is important to me. You have to devote equal time to both, finding the
quality time with those you care about,” she says.
Security
X Brand/Product Protection
X Business Continuity
_ Corporate Security
_ Cyber Security
_ Disaster Recovery
_ Drug and Alcohol Testing
_ Emergency Management
_ Executive/Personnel Protection
_ Insurance
_ Intellectual Property
X Investigations
_ IT Security
_ Physical Security
X Regulatory Compliance
_ Supply Chain
X Other: Gaming Surveillance
Security Scorecard
Revenue: $3,600,000,000
Employees: 15,500
2011 Critical Issues:
• Expenditures/Budget
• Labor
• Training

Mark Cheviron, Vice President, Security and Corporate Services
World Class Leadership
Mark Cheviron started the Archer Daniels Midland Company’s security
department in 1980 with a simple vision: the gates, guns and guards approach to
industrial security simply was not sufficient any longer – ADM’s security
program needed an investigative focus. Second, because the department was new
and the scope of corporate risk was unknown, creating a line-item security
budget didn’t make sense. “At the time our security issues mostly involved
grain theft and we needed to train and focus attention on various forms of
commodity fraud. It was understood that we would not spend any more than
necessary to get the job done and we moved forward without a budget for our
department,” he explains.
This was not that unusual for a company like
ADM whose business is routinely affected by weather. Since they are used to
flexibility in their core businesses, managing security in a similar, fully
allocated manner was understood and accepted. Today, the $70 billion company
transforms crops into products that serve vital needs for food and energy. At
more than 240 processing plants, ADM converts corn, oilseeds, wheat and cocoa
into products for food, animal feed, chemical and energy uses. Today it
operates the world’s premier crop origination and transportation network,
connecting crops and markets in more than 60 countries. And after 31 years, the
corporate security department still has no line-item budget.
Regardless, the global company
has an outstanding security program developed as a result of Cheviron’s
experience and leadership. The corporate profit centers appreciate the fact
that effective security and successful investigations limit loss and account
for recoveries that positively impact the bottom line for the business unit. As
a result, corporate security enjoys the full support from the operations
groups.
Part of the reason that the security effort
has been so successful at ADM involves the importance placed on self-evaluation
and an incident debrief process that ensures that lessons learned after an
event or as a program develops and matures are integrated into future planning
and performance.
The role and importance of the
corporate security function have also expanded over the years to include all
aspects of security risk management. For example, in addition to the
traditional security roles, corporate security currently employs three security
analysts who provide the ability to employ intelligence driven security programming,
and to provide for real-time security risk management for ADM’s many travelers
around the world.
Among the more recent additions
to corporate security responsibilities are security related regulatory
compliance assurance programs, enterprise risk management, food defense,
workplace violence and innovative collaboration with ADM’s IT department.
Although ADM’s IT security department is separate from the corporate security
department, the two groups work closely together. “IT is the expert at who is
pinging our firewalls and attacking our networks,” Cheviron explains. “My
organization is the expert at investigations. We partner with other companies
in our sector and share data to identify where threats are coming from and new
risks.”
Although food safety has long been a critical
focus for ADM, food defense, or the mitigation of risks associated with
intentional adulteration of food or feed products, has been an important part
of the corporate security focus since the Tylenol contamination event. Like many
security issues, food defense has matured from a responsive, investigative
focus, to one involving highly innovative proactive modeling and risk
assessment processes to prevent major events from occurring in the first place.
Among our greatest challenges,
Cheviron notes, “One mistake I feel people in our profession make is that they
forget that they are a support group for the main business units. We do not
directly contribute profit. Our role is to help keep the money the company does
make.” By establishing a clear vision and role for the security function,
Cheviron has established an excellent reputation for security within the
company. “We focus on important areas of concern where we have expertise that
is unique within the company. That is one way to create value,” he says.
Cheviron recommends getting involved in broad
private sector security collaboration and networking opportunities as a
powerful way to learn best practices and to ensure success. “Organizations such
as OSAC, DSAC, ISMA, ASIS and the Security 500 are excellent for networking and
learning about what policies, procedures or technologies are working – or not
working. The goal is to be the subject matter expert on merging your
organization’s business and security goals.” Cheviron has served as co-chair of
OSAC and was a founding member of DSAC.
Cheviron most enjoys his involvement with
people and his peers and being focused on ADM’s business issues to contribute
to the company’s success. “We deal with something different every day and there
has been more change in the last ten years than the first twenty,” he notes.
He has been married to his wife
Cindy for 39 years and they are very proud of their three sons, including a
genetics professor at the University of Nebraska, an FBI agent in San Diego and
his youngest, who has the dream job – teaching passengers on Holland Cruises
how to get the most out of their computer experience, including photographic
post-processing.
Security Scorecard
Annual Revenue: $69,000,000,000
Security Budget: As needed
Employees: 28,000
Lives in: Legal/Risk

Stephen T. Colo, Chief Security Officer, SAIC
The Security Link
Science Applications International Corporation (SAIC) is a diversified business with
more than 95 percent of its revenues coming from the
SAIC is always seeking to innovate in a
dynamic environment. As a result, it hired Mike Ennis to lead its risk
management and international security programs. A retired Marine Corps major
general, Ennis has a strong intelligence background overseas and thus developed
the programs to have a powerful alignment with SAIC’s business goals.
“Our support of our federal government
customers sometimes requires our employees to work overseas,” explains
“Ennis joined SAIC 22 months ago and he has
made a significant impact on how we approach risk and international security
operations,” Colo adds.
“Not all areas are friendly to Americans
and/or expatriates. In addition to potential hostility, risks such as weather,
terrorism, political unrest and natural disasters exist. The consequences of
these events can be predicted and managed,” notes Ennis.
Colo and Ennis have teamed with the business
units to address business and security needs. Ennis has created a matrix of top
risks and presented them to the business unit leaders. This has enabled
security and the business units to begin working together early in the proposal
stage to assess risk issues and help the business unit develop a proposal that
thoroughly vets security and risk mitigation planning and costs. “Our
credibility and expertise enable us to propose, ‘No, the risk is just too high
to go there,’ and have that decision supported by the business units, customers
and our CEO,” shares Ennis.
Among the significant changes SAIC security
has implemented to improve performance and align with the company’s business
goals are:
1. Created a security
council to bring security and business people together to address issues and
solutions.
2. Partnered internally and
externally with customers and other contractors for better risk management.
3. Included greater
emphasis on business continuity plans in annual presentations to the Board of
Directors.
4. Conducted live and
virtual table top exercises to prepare for hurricane season and other natural
disasters to help ensure all employees are prepared.
5. Worked to be “best of
breed” in crisis management and response.
6. Focused on workplace
violence issues, including an exercise devoted specifically to this topic.
SAIC’s security team has strong
examples of how they have added business value for the organization. “During
Katrina, our business continuity program enabled our employees to stay in place
and provide services to customers in the impacted area. Our first priority was
the safety of our employees, and then how they could assist our customers
during the disaster,” explains
Among the challenges SAIC faces,
Colo notes, “Because of our strong ties to the federal government, one major
area of focus is counterintelligence and finding effective ways to determine if
people are stealing classified information or IP.” Cybersecurity is the number
one threat for most organizations today. Insider threats are the major concern,
especially with the growth of social networking risks. Physical security risks,
international travel risks and foreign intelligence or espionage risks are ever
present challenges.
“Risk and security are inextricably
linked,” shares Ennis. “They are at the opposite sides of the same coin. You
cannot pull them apart. Security protects people, infrastructure and
information, and doing so effectively reduces risk.”
Security
X Brand/Product Protection
X Business Continuity
X Corporate Security
_ Cyber Security
X Disaster Recovery
_ Drug and Alcohol Testing
X Emergency Management
X Executive/Personnel Protection
_ Insurance
X Intellectual Property
X Investigations
_ IT Security
X Physical Security
X Regulatory Compliance
_ Supply Chain
X Other: Information Assurance, National Industrial Security
Security Scorecard
Annual Revenue: $10,846,000,000
Security Budget: not available
Employees: 45,000
Lives In: Operations
2011 Critical Issues:
• Counterintelligence Training
• International Safety and Security

Jack Sullivan, Director, Corporate Security and Loss Prevention, Dunkin’ Brands
Finding Security’s Voice
With more than 14,800 points of distribution in 44 countries, and
approximately 120 years of combined history, Dunkin’ Brands is home to two of
the world’s most recognized and loved brands: Dunkin’ Donuts and
Baskin-Robbins. Within this nearly 100 percent franchised sales and
distribution company are 8,000 restaurants. Jack Sullivan manages risk and
provides security for the corporation’s 1,000 employees and their assets as
well as working a complex, global matrix to deliver security knowledge, best
practices, resources and policies to its business partners.
“Our primary goal with the
franchisee is to reduce theft, increase profitability and improve financial
performance,” says Sullivan. Dunkin’ Brands security includes three teams to
best mitigate risk: Investigative, Financial Analysis and Corporate Security.
The financial analysis team is focused on
identifying anomalies at the store level and notifying store management so they
can appropriately deal with the offending employee. To complement the financial
analysis program, the investigative team is in the field meeting with
franchisees and walking the thin line between advice and policy. “Due to liability
issues, we cannot prescribe mandatory security rules. We do train and recommend
to our franchisees that they work with their security consultant to implement
specific policies and programs,” explains Sullivan.
Corporate security is the third team.
“Corporate security focuses on enterprise risk issues, including protecting our
1,000 employees, regulatory issues such as the Foreign Corrupt Practices Act,
travel security, data and information security, business resilience and crisis
response,” he shares.
Dunkin’ Brands has moved into emerging
markets and its security team is focused on its “duty to care” and provide safe
and secure environments for its employees. “We have an excellent travel
security program that allows our employees to focus on the job they need to do
and not get distracted or interrupted by worrying about their personal
security,” says Sullivan.
Dunkin’ Brands also measures the value of its
security program. Employee theft is the most easily measurable. “We identify
the theft within a franchise and notify the owner so it can be eliminated. Then
we track sales after that event to document their immediate sales increase and
the impact of our action,” he says.
Dunkin’ Brands’ field
investigative team meets with franchisees in both large groups of 200-300
owners as well as one-on-one. “They not only present training on red flags of
employee theft and better security, but we also get feedback from the owners.
We use that feedback as a metric on our performance, too. It is hard to prove a
negative and quantify the dollar not taken. But we know that having loss
prevention programs in place is a deterrent and reduces theft at the stores,”
he shares.
The biggest change for Sullivan occurred two
years ago when his role changed from loss prevention to heading up all of
Dunkin’ Brands security programs. “Security as a business function has been
added to the company’s strategic planning. Corporate Security and Loss
Prevention now has a voice before a decision is made,” he says.
One recent addition to his busy day includes
cyber security. The Chinese Advanced Persistent Threat effort to steal trade
secrets from
Among our profession’s
challenges Sullivan notes that he still hears “old” thinking from peers that
the role is about rigid policy
enforcement and not the organization’s business objectives. “In my view,
if a security executive is seeing things through the traditional law
enforcement lens and not a business lens, they will have trouble succeeding,”
he notes.
A father of two girls and an avid
Red Sox fan, Sullivan holds a Masters Degree in Government from
Security
X Brand/Product Protection
X Business Continuity
X Corporate Security
X Cyber Security
X Disaster Recovery
_ Drug and Alcohol Testing
X Emergency Management
X Executive/Personnel Protection
_ Insurance
X Intellectual Property
X Investigations
_ IT Security
X Physical Security
X Regulatory Compliance
_ Supply Chain
_ Other: 8,000 Franchise Restaurants
Security Scorecard
Annual Revenue: $8,000,000,000
Security Budget: proprietary
Employees: 1,000
Lives In: Finance
2011 Critical Issues:
• Business Continuity
• Foreign Corrupt Practices Act
• Chinese Advanced Persistent Threat