2012 Security Leadership Issue: The Security Leader: Beyond Guns, Guards and Gates
Jeff Berkin rarely makes a business and security decision these days that doesn’t somehow impact, either positively or negatively, the business.
That business is CACI International, which provides enterprise IT and network services for the federal government employing 14,600 employees working in more than 120 offices in the U.S. and Europe. Berkin is Senior Vice President and Chief Security Officer, the first CSO in the company, and he also has an impressive career, first as a trial attorney and then senior executive roles within the FBI.
Berkin is tasked with helping the company identify all security risks and appropriately prioritize them so that the resources available can be applied in a financially sensitive manner to the highest risks that the company faces. “There are risks in the cyber realm that are complex and ever changing, and it is one of our high priorities,” he says. “We also have a large percentage of our workforce that is ‘cleared,’ so I help the company to remain compliant with government regulations for handling sensitive information.”
“Security and the security leader is all about providing strategies that promote the competitive advantage of a company, because that leads to shareholder value,” Berkin explains. “Rather than being focused entirely on the detail level of projects, the CSO role is often more strategic in terms of helping the company identify and exploit a competitive advantage through better security. It’s also important that there be recognition that operational effectiveness is not the same as strategy; you have to have both. Those who are higher performing recognize that.
“I have to see things the same way that my CFO and CEO see things,” Berkin notes. “My priorities have to be the same. Change is constant, so security has to support change. A CSO has to continuously facilitate and support the company's growth, and the absence of that role would make those changes harder.”
Yet, a CSO can’t be too forceful in changing an organization’s cultural mentality towards security. What works for one organization may not work for another. “While the ‘early’ days of physical security were focused on guns, guards and gates, today’s security leadership has evolved to taking a more holistic approach to its security measures,” notes Dave Komendat, Vice President and Chief Security Officer (CSO) for The Boeing Company. He leads the company’s Security & Fire Protection (S&FP) organization that provides risk management and site based security and fire services to more than 170,000 employees in 70 countries. “Security must enable growth and productivity and understand its role in supporting every aspect of the business.”
Komendat is responsible for delivery of security and fire services as well governance oversight and building in business resiliency for Boeing's operations around the world. This includes domestic and international site security, supply chain security; structural and aircraft fire protection, government and proprietary information security, data protection and security background investigations.
“Our organization’s mission is focused on providing risk management services to protect people, property and information any where we operate. To do that successfully, we need to be viewed as a business enabler,” he explains. “Our business partners need to see the value in what we do and want us to do it. Having a seat at the table and being able to help them better compete for new business because of what we do is the best demonstration of our business value. Only then can we create a security environment that is more commitment based versus governance based. Long gone are the security organizations that don’t have to run their operations like a business.”
Going forward, Komendat is focusing efforts and resources on several areas, including developing a strong leadership pipeline to ensure that Boeing has its next generation of security leaders ready to step up. “We have to find more ways to give them the knowledge, guidance and expertise necessary to quickly take on today’s leadership challenges.”
He’s also educating his staff to better understand the rapidly changing business environment and the total risk picture. “We have the unique arrangement of supporting our commercial business and defense business under the same operational roof. This presents equal risks to both sides of the house. The security challenges we face with two large dynamic business units that have to adapt to varying political and global markets means that our security leaders must develop business acumen and be very adaptable to shifts in the business climate.” Other focus areas for Komendat and his team include workplace violence, insider threat and risks posed by a volatile international environment including natural disasters that could impact the continuity of our business. “There is never a shortage of critical focus areas,” says Komendat.
Sandra Cowie credits her boss for advancing security’s role and facing those same types of challenges at the Principal Financial Group. Cowie is Director, Corporate Security & Business Continuity at the Principal, which has 13,000 employees worldwide and operates in 18 different countries.
After working in the company’s retirement and investor services, she moved into a management position in facilities planning. “The head of facilities asked me to take over corporate security, and I give him credit because he was ahead of the time, as he understood that the CSO role needed business acumen and planning, which I had, to integrate and align Corporate Security with the corporate vision and mission.”
The position was still one of “riding on the cusp of engineering or facilities, and that’s why my boss wanted to put me into the position, to evolve it, which was visionary at the time (back in 1993),” she says. “That was an important piece of what we were doing, to show how we are critical to the success of the organization and to establish credibility.”
Yet Cowie stresses that what works at Principal may not work elsewhere. “Corporate security doesn’t need to be in charge of all risk organizationally, in some companies that may work, but it is not a one size fits all equation. What is critical is that there is coordination and collaboration across all areas of risk so your company has a holistic view of risk, and that all areas are covered,” she says. “The model that will work for you may not work for another, and that’s why you see security reporting to different areas. Sometimes we have the tendency to say ‘it should look exactly like this, you should have a seat at the C-suite.’ I don’t necessarily subscribe to that. For example, while it’s important to have senior management buy in, you need to be careful to align your program to what works best for your organization. While you want a seat at the table and the ear of senior management, it’s most important that they respect, buy into and support the security program. How you get there may require different approaches.”
Cowie’s leadership strategy includes “a real passion and love of what I do and drive that I’m not unashamed of,” she says. “I believe strongly in a solid strategic planning program and continuous self assessment. I plan boldly and I live by my plan. I look for individuals who have that same passion, commitment and shared vision along with integrity that is unchallengeable. Our team understands that the crew really makes the ship run. Our job is to provide a map and support to ensure a successful journey to our destination.”
Slowly, but Surely
Last November, Federal investigators thought that hackers had remotely shut down a utility’s water pump in central Illinois. It was a breach that Jana D. Monroe understands. Monroe is Director, Corporate Security for Southern California Edison, one of the largest electric utilities in the US, providing power to nearly 14 million people, 180 cities and 300,000 businesses.
“Out of the 18 components of key national infrastructure, utilities are not as advanced [with security] as we could be for the responsibility that we have,” Monroe explains. That, coupled with the fact that the utility, with its infrastructure, had an aversion to change, made her role difficult, at first. But it didn’t last long, she notes. “There are risks everywhere I look,” she says. “Just the fact some of our facilities are built on the San Andreas Fault takes risk to a new level. Today, we have a strong business resilience, emergency response and life safety policy, and it’s a number one corporate goal. We are still competing with the ‘guns, guards and gates’ mentality,” she says. “It’s an unnecessary evil. But we have to move forward.”
One of the breaches that Monroe dealt with took place on December 16, 2011, when a disgruntled colleague shot three people inside a company facility. “He was an employee who was in good standing with the company; his badge was credible, so while it was more of an work environment situation, it became an opportunity for corporate security to educate our employees and to help influence the culture of a 125-year-old company. It was a teaching moment for my security team to show that security is everyone’s business. We are trying to create a security-centric culture. We have received some pushback on it, but it’s working. At most utilities, the emphasis is on safety, and there are synergies.
“I love working in teams, having the vision and outside experience that I brought to the table and was able to see that there’s opportunities that don’t necessarily cost a lot of money,” she adds. “We change the culture. I do need to show ROI, but this company is now understanding reputation management better than before. Walmart and Disney understand that, but we have been lax in that because people need electricity. So building that perspective is important. It’s also about pacing ourselves so that pushback is minimal.”
The CSO Standard
The Chief Security Officer (CSO) Organizational Standard, which was originally published by ASIS in 2004 and adopted as an ANSI standard in 2008, was designed as a model which organizations could use when developing a leadership role to provide a comprehensive, integrated security risk strategy that would support and contribute to the viability and success of the organization.
Jerry J. Brennan, Chief Operating Officer of Security Management Resources, was the lead architect of the standard, with assistance from a small committee of security professionals.
Of the standard and the process, he explains, “We tried, at a 30,000-foot level, to develop the key areas of accountability that we felt that an executive in an organization should be responsible for, the single point of accountability at a senior level charged with the strategic management governance of the areas of security related risks to an organization. And that should be configured to match the culture of the organization, as well. We also developed a framework for the sort of person whom an organization should put in this role. What we ultimately called the ‘CSO’ had to be viewed in a broader context context beyond just a title. The point is that all organizations should have a point of accountability to oversee security strategy.”
The result wasn’t a stretch by what many organizations have been doing, by any means. “In any organization, we found that somebody owns that accountability,” he says. “Often, we have found that all these areas end up under the COO, (Chief Operating Officer).”
The bottom line, says Brennan, is that “While the standard is a valuable tool, one size doesn’t fit all. But it’s also important to note that the reporting of this position needs to be to a senior executive in the organization, other than the COO, that makes sense for that organization. You are sending a message that the organization feels very strongly about this role.”
And as many CSOs have articulated, for the standard to be successfully implemented, “security has to be an overall strategy and has to include how to leverage security assets across the entire organization.”
Years later, Brennan says, a lot of the information within the standard is very relevant and directionally, is the future for organizations that can use it “purely as a guide.”
“We keep trying to improve on key topics and keep it at a high level and not get into tactical specifics,” Brennan says. “We still feel that all organizations have specific areas that require some kind of risk governance and the standard can help with that.”
Security Leadership and Big Data Loss: How to Lead Your Company to Better Business Practices
By Shawn C. Clark
Leaders are big-picture thinkers. C-suite executives recognize the value of investing in technology. They have taken the leap, investing millions of corporate dollars in Enterprise Data Warehouse (EDW) solutions to store and analyze massive amounts of data. Revenue Management, Customer Management, Sales and Marketing stakeholders – divisions with budgets we security types long for – typically lead the effort in justifying the EDW purchase. Those same divisions, with hoards of analysts, are quick to mine the EDW and discover new analytical answers, efficiencies and business intelligence that only big data analytics can derive.
The CSOs of today are wise to follow suit and reap the benefits EDW analytics can offer. Imagine your investigative staff having the ability to electronically identify fraudulent activity, the suspect(s), number of occurrences, over what period of time and the actual losses; all before interviewing the suspect. A slam dunk, right? Dedicating security staff to write profiles to mine your EDW’s sales transactions for fraud will give your team this investigative advantage.
If your company is not currently mining your EDW to find fraud and proactively directing your security team to do so – caution! Be careful what you wish for because you just might get it. The true value of fraud analytics is not just identifying fraud perpetrated by an individual, but having the ability to quantify the losses on a department, division, country, region and global scale. Not only will you find fraud, but you will find potentially tens of millions of dollars of waste through poor business practices. You may find some of your best employees, vendors and customers engaging in illicit or unproductive activity. Conversely, you identify those who consistently perform with high integrity and maintain best practices in their duties.
One of the keys to successfully launching a fraud analytics strategy is making sure the CEO and other top executives are well aware of the endeavor, on-going progress and global findings. This will minimize the initial shock and awe of the new approach – again I can’t stress enough that you will find a lot of it. Expect some initial resistance – particularly with front-line leaders, some of whom will be less than enthusiastic when you advise them that a senior employee, most valuable customer or productive vender account is engaging in fraudulent activity.
Big data and fraud analytics can help a company recover lost revenue and lead to better business practices. By cultivating cross-divisional, data driven partnerships, fraud and unproductive business transactions will be minimized through investigations and new or enhance controls. A big-picture thinker understands the value this approach brings.
About the Author:
Shawn C. Clark is president of Clark Consulting Group. He has served as Director of Asset Protection and Global Security Operations at Continental and United Airlines.