Securing Cities: Can We Do It Better?
What U.S. city governments can learn from Canada
Municipal governments present a challenging atmosphere for security. There’s the potential for leadership turnover at each election, and there are “politics,” which may manifest in strained relationships and difficulty accomplishing goals. Procurement rules and bureaucratic red tape can slow down even simple processes in some city governments, and then there are the challenges of zero-balance budgets.
In the United States, state budget cuts and reductions in federal grants have impacted city budgets significantly in recent years, and there’s evidence that most cities have dealt with the shortfall by cutting expenditures rather than raising taxes or fees to increase revenue. This places all city departments in a struggle to secure even inadequate funding, and security – so often seen as a cost center – can easily fall to the end of the line.
But the biggest issue may be that in a surprising number of cases in the United States, municipal security isn’t a department, a division or even a formally recognized function. Many U.S. municipalities seem to equate security with public safety – that is, “security” equals “police.” Police departments rightly dedicate uniformed officers to protect citizens. However, the mission of law enforcement doesn’t typically extend to protection of information within government systems; securing government networks; assessment of security risks for the potentially hundreds of government facilities in the city, including capitol buildings, departmental offices, transportation facilities, and water and sewer resources; or to the proactive protection of the assets and personnel in those facilities. Instead, in many cities, these responsibilities are distributed among multiple departments, without a formal security leader to manage them and with little or no cross-divisional communication about security-related issues.
Distributed or Non-Existent Security Leadership
Charlie Connolly, president of the FBI National Executive Institute Associates, whose membership consists of law enforcement leaders of cities with populations of at least 250,000, sees little centralization of security in U.S. municipalities. “Major cities have tremendous infrastructure with all kinds of agencies, some of which have a direct impact on citizenry, and all with the ability to be attacked, causing failures to deliver services and endangering people,” Connolly says. “In many large [U.S.] cities, individual departments may have a facilities manager or another individual – maybe an engineer in some departments – who is responsible for identifying security issues within that department. Then when they feel a need for it, or if their non-security professionals can’t answer their security questions, they go to the police department to provide surveys and security consulting.”
Calling in law enforcement to help address known security risks is a good way for cities to make use of a valuable existing resource, but when this is the only security strategy, it likely leaves significant gaps. “Even though the expertise is there in the police department, if the city doesn’t know what their vulnerabilities are, they can’t ask for the help they need to fix them,” says Connolly.
When security responsibilities are widely distributed among staff with little security expertise whose security duties are peripheral to their “real” jobs, risks are likely to fall through the cracks. Further, when there is little communication between departments about threats and vulnerabilities, cities are not only setting themselves up to overlook potentially serious security issues, they are missing the chance to eliminate redundancies and find opportunities for savings and value throughout the
The Move Toward Unification
Miki Calero, chief security officer for the city of Columbus, Ohio, has a vision for unified security in his organization. A CSO from the IT side, Calero has taken a cue from corporate best practices, establishing relationships with security counterparts across the organization and among private-sector partners to influence a move in this direction. The facilities security manager does not report to Calero, but he began working with him from day one, sharing information, identifying collaboration opportunities and evangelizing the importance of a united front.
“Letting me know what facilities projects are going or when risk assessments are planned is a step in the right direction,” says Calero. “A physical asset risk assessment may not consider the possibility that a remote service center houses a critical network node, that there may be significant consequences of losing connectivity through that node, that information systems would be affected, and that it would have an associated business impact.”
While security leaders like Calero are making strides, the shift to unified security does not occur overnight. There are many reasons such changes may be slow to advance in any U.S. municipality. Cities may see the addition of a new security coordinator position as a funding problem. In some cases the election cycle also works against such changes. If the city government has a strong mayor system where significant hiring and firing power lies with one individual, an election turnover could mean starting from scratch. Fear of added bureaucracy can also play a role, says Connolly. “One problem with the idea of a CSO in city government is that those who do own security now, all of them, including police and fire, may look at a new position like that as an additional layer of supervision and bureaucracy that will actually hinder protection. They may feel this way even though it may only be intended as a coordinator-type role.”
Still, money talks, and if a security leader can show the tangible value of unified oversight, city leaders may be willing to work toward change. Calero has received support at multiple levels of Columbus government to accomplish his vision. “People get it. The city council gets it; the auditor’s office gets it. It not only makes sense, it improves security and saves money. People respond to that,” he says.
While the value story is compelling, it is apparently not being widely told in the States. Columbus is in a relatively small group of U.S. cities, also including Houston and Los Angeles, that are moving toward or have achieved a centralized security structure. If the individuals with security responsibilities in municipal government want to demonstrate to their leadership the full value potential of unified security, they can look across the northern border for some excellent examples.
Toronto Supports Security Value
For several years Canadian municipalities have recognized unified security oversight as a best practice. Not all cities have “converged” security – that is, not all unified organizations include every security-related function in a reporting line to a CSO or CRO. But where the reporting line doesn’t exist, collaboration and partnership across the organization can bridge the gap.
It’s true that Canadian and U.S. cities can’t be held up in an apples-to-apples comparison. There are differences in local and national government administration, geography and population. But there are more similarities, and they are fundamental.
“Value for money is an incredibly important thing for any municipality,” says Dwaine Nichol, manager of Security & Life Safety, Corporate Security for the city of Toronto. Toronto is Canada’s largest city and its sixth-largest government. The corporate security program Nichol has headed for 13 years protects 1,500 properties and 45,000 employees citywide. “We have a unique stakeholder: the public. We don’t lose sight of the fact that it’s their money we’re spending. We have to defend the spending we do in our budgets, and we’re expected to show a return on investment. Our clients are also the municipal divisions – water, ambulance, transportation, parks and recreation. We have to show the value for dollar to them as well through service-level agreements and divisional security plans.” A citywide corporate security function enhances value by improving security, streamlining budgeting, funding and operations, and focusing mission-based decision-making.
In 2009 the Toronto City Council mandated that Toronto’s Corporate Security Unit be responsible for “setting security standards and protecting assets for City divisions” in order to validate the existing corporate security framework and to ensure that security resources now and in the future are “properly coordinated, shared and responsive towards those areas in demonstrated need according to threats.” The mandate was included in a 59-page citywide corporate security policy that lays out mission, objectives, services, related legislation, policies and requirements for divisional security plans.
Nichol explains that the impetus for the mandate was value-related. “A budget committee which reports to the City Council saw different requests for security funding through some different committees, and they said, ‘We have this great corporate security group—we only want to see one submission for operating and capital security, we want it to come from that one group that’s properly vetted everything.’ That committee saw the cost effectiveness and center of expertise it was going to provide.”
The Corporate Security Unit now has about 150 security staff, some of whom act as security supervisors within single divisions and others who have portfolios of various divisions. Each divisional supervisor brings specific expertise to that area, for example, participating in industry associations relevant to that division.
A Corporate Mentality
It’s telling that so many Canadian municipalities term their security function “corporate security;” listening to security leaders like Nichol and Owen Key, CSO for the City of Calgary, discuss their operations and leadership philosophies is remarkably like listening to the CSOs of major corporations. And why should it not be? Security in public entities and private enterprise is about meeting organizational needs, providing value, and protecting constituents. Doing this well in a multi-faceted environment requires collaboration and understanding, says Key, whose corporate security division protects 32 citywide business units including transit and water services.
“We have to understand the business units and their operations,” says Key. “You can’t sell security with a Fort Knox mentality. We must be collaborative with business units; we have to demonstrate to them the value of security and the added value toward operations, and we have to understand that we can’t impact greatly on them. We have to sell security just like legislative or HR and be enablers at a corporate level.”
Calgary Corporate Security has recently moved from a generalist structure of security advisors to a specialist structure, splitting security into sections including investigations, physical security (which covers risk assessments, audits, project management for major security components of new construction and renovations), security operations (monitoring, contract and employee guards), and security advisory (education, awareness, policy work). They are currently working on incorporating IT security into the division as well. Under the new structure, the division has been able to show value by implementing citywide technology solutions, creating a centralized operations center, and measurably reducing incidents.
While a businesslike mindset does seem to dominate municipal security in Canada, Nichol is quick to point out that the widespread use of the term “corporate security” may be due to benchmarking more than an intentional comparison with private enterprise. “Cities in Canada do a lot of benchmarking,” he says. “Every time a staff report is prepared you have to include information on what is happening in other cities. The early adopters [of centralized security] were the cities of Vancouver and Ottawa, which both had strong corporate security leaders. Now when a city revisits its security based on a threat or incident, benchmarking shows these cities have a successful corporate security unit, so they often decide that’s how they should do it as well.”
Nichol helps administer a Government Security Forum LinkedIn group whose purpose is to facilitate information sharing; it includes contacts from municipal, provincial, and federal government across Canada. The benchmarking culture among Canadian municipalities enables sharing of information, development of best practices, and overall strengthening of security operations and services across the nation.
Is Change Possible?
It’s interesting that in the United States, where terrorism has been accepted as an imminent threat and homeland security has been incorporated into so many forms of government, municipalities overall tend to treat security with a much lower degree of urgency or priority than our northern neighbors. With strong leadership, however, can U.S. municipalities accomplish the unified security and enhanced value that many Canadian cities have seen? It is possible. Many U.S. municipalities excel at collaboration, partnering more often with law enforcement and with the private sector than Canadian municipalities tend to do. Why not turn that collaboration inward as well?
The NEIA’s Connolly shares a few ideas U.S. cities may consider for a start. “It might not be a bad idea for a municipality to ask the question, ‘Where are the security leaders located in our government? Is there something we’re missing among the departments where the expertise of police and fire would not be sufficient for our needs in the future?’” he says. At the very least, this exercise would identify and locate security responsibilities, which could expose some gaps. Cities could then also consider security when they’re hiring. If they know that the water services division has security needs to be met, for example, they could make security responsibilities part of the job description and attempt to hire someone who may be more cognizant of the risk issues for that area. If a municipality decides that security should be centralized, Connolly says, they may have the best luck combining a CSO with a homeland security function.
“Every organization is different, and that includes municipalities,” says Key. “Some are large and do more than others that are smaller and outsource more functions. It’s like any corporation – no one size fits all.” He cautions that while he’s a fan of the corporate approach, it won’t be the best solution for everyone, and cities should choose the oversight method that works best for their unique needs. But all organizations moving from silo toward centralization should be prepared for some pushback. “Change management is difficult in the best of times, especially when you’ve got silos in any organization. To get past that you have to be a new breed of businessman, to understand the roles of the business units but also sell security, which is difficult in the best of times.”