Russell J. Cancilla, Vice President & Chief Security Officer Health, Safety, Environment & Security, Baker Hughes Incorporated
The Business Leader
“I would arguethat as a CSO, if we haven’t convinced the CEO that he could not successfully run his/her company without security support, we have not done our jobs,” begins Russ Cancilla, Vice President and Chief Security Officer for Baker Hughes Incorporated.
Baker Hughes is a global oilfield service company that has $19.83 billion in annual revenues and more than 58,000 employees operating in more than 80 countries with nearly 1,500 facilities. Security and crisis management fall under the remit of the Vice President & Chief Security Officer and the department is named the Enterprise Security & Crisis Management Team (ESCM).
“Security is competing for resources as organizations reduce general and administrative allocations. Business leaders are using a more rigorous process, looking for the cost/benefit value not just the risk/reward scenarios and want to talk to a business-minded person – not merely a security person. It is the CSO’s responsibility to break the mold and communicate the business case,” explains Cancilla.
Oilfield services is a high technology business that has similarities with NASA. “NASA technology goes up, into outer space. Our technology goes deep into the core of the earth. Both are out of reach and depend on technology to work. We spend roughly $500 million annually on technology, research and development and we have to protect the investment,” he says.
As a result, Cancilla is most focused on the critical risks generated by geopolitical instability, industrial and state sponsored espionage targeting Baker Hughes’ intellectual property. The business also must be protected from cyber terrorism, theft, corruption and fraud. “The industry is seeing an increase in IP theft attempts and loss. We have strong programs in place, invest in our technology and have sophisticated, special procedures in place when it comes to handling and shipping equipment to protect our IP and demonstrate a duty of care to our stakeholders,” notes Cancilla.
Second, his organization is focused on the execution of the programs that protect the company’s people, assets/critical infrastructure and investments.
Cancilla has a simple mantra: “We proactively stay aligned with the business and explain that enterprise security does not manage risks for them, but that we help them manage those risks. We ask the business unit presidents to ask: ‘What risks do we need to manage with this money?’ If we can start with that business question, then we succeed,” he shares.
By restructuring from the traditional security programs to a more risk-based, business-aligned approach, his team has been able to contribute to business growth and profit by setting targets for assessing and managing risks versus simply responding to incidents.
“Perhaps to the surprise of most security professionals, the biggest contribution to our organization’s success is not a security feature, per se. Instead, there are two areas that have resulted in major contributions: a) security becoming a respected business partner and b) our positive impact on profitability and identification of emerging markets,” he says.
“We have metrics in place that range from cost of security as a percent of revenue and cost per employee to the amount of proactive vs. response time the team spends,” he explains. “In less empirical terms, we measure the value of security spending in how satisfied management and the workforce are with our performance. Our ESCM leadership team constantly asks the global leadership of the company for satisfaction checks on security support and performance.”
These programs enable security to meet the board’s high expectations, which are to operate with the utmost integrity and to protect the assets and security exposures that the company confronts. These programs are expected to be aligned with the business and for those involved to understand the operations and financial aspects of running the business, including revenue generation, improvement of margins and the impact of Security’s costs to the bottom line.
It is important for CSOs and their teams to be considered business professionals who are experts in security. Once CEOs and other decision makers make that mental transition away from seeing the security team as a “necessary cost” or a group that merely provides security for their facilities and people, to a team that enables the profitability of the company, the proverbial “seat at the table” becomes more permanent.
Cancilla most enjoys being a business leader who happens to manage security and having an impact on the company’s overall performance by working directly with the CEO as a member of the Senior Executive Team. Cancilla has been married for 40 years. He has two sons and enjoys spending time with his grandchildren when not golfing, riding motorcycles or cooking.
If Cancilla were not a CSO, he says he would work as a management and security consultant focused on transitioning poorly performing functions and activities into more successful organizations.
• Revenue/Budget: $20,000,000,000
• Security Budget: $17,000,000
• Critical Issues:
– IP Security
– Global Issues, such as the Arab Spring
– Competition for Resources to Run Security Programs
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Geopolitical Intelligence & Corporate Espionage
• Intellectual Property
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection