“Corporate Security is a resource to solve business problems, not just security problems. As a result we have been able to break away from the stereotype that security has been saddled with for years,” says Michael Lynch, Chief Security Officer at DTE Energy in Detroit. “Business leaders [within DTE] know of our model and more frequently look upon us as that type of resource. But that direction is set at the top and Gerry Anderson, our Chairman and CEO, leverages our expertise in the nontraditional ways.”
Security’s role at DTE wasn’t always that way, though. “Long ago, people got assigned to security when they got hurt on other jobs,” Lynch explains. “Later there was an effort to add professionalism and hire law enforcement individuals. That was a great step in the right direction, but the full maturity of the relationship begins with a business mentality by the CSO.”
To support that approach, Lynch says that over time he has purposely hired individuals who have non-traditional, security-related experience. “We have people that have law enforcement experience; that’s still necessary. In fact, we are fortunate to have two retired FBI agents that work in Corporate Security and others with law enforcement and prosecutorial experience. We also have thoughtfully and purposely brought in others who have unique and diverse backgrounds as well, including those with an IT background, a strong HR professional and a creative entrepreneur,” he says. “I mention that as an illustration of the diversity of backgrounds that we purposely hire to balance our group and better enable us to protect our workforce and respond to business and security related problems. Our diversity is truly our strength. As a result we have the potential to be more creative, communicate effectively and be business equals rather than just security professionals.”
Lynch also has a great relationship with CEO Gerry Anderson, one which he says is built on trust. “I am relentless in my responsibility to protect Gerry Anderson,” he says. “When I use the word ‘protect,’ I go beyond traditional protection from physical threats and include potentially embarrassing situations and even some kinds of distractions which could interfere with his focus. As an easy example, if a customer is aggressive, threatening or trying to get Gerry’s attention, I will intervene and make sure the customer knows they can call me 24/7 to get issues addressed. Most importantly, I try to gain trust by being invisible (when appropriate), reliable, knowledgeable and transparent, and as a result, I have gained great freedom that I carefully apply to help solve business problems. As an example, I was asked by the president of our utility to get involved in energy theft and send a strong deterrent message. At one time I had no formal energy theft responsibility, but I recognized and appreciated my need to support the corporate goals and objectives. A few years later we have more than 386 arrests. That was a significant financial issue for the company, and it wasn’t directly related to security operations at the time.”
Anderson agrees with Lynch’s leadership style. “I think that we have the best security operation in the industry,” he tells Security magazine. “We have been challenged through a tough economic period here in Detroit. We went through a period where Michael and his team needed to develop some creative methods to deter energy thefts. Michael has been successful. He has developed a great relationship with the media, which is not typical. He’s also creative: he used video technology mounted on poles. And he partnered with our legal organization to make sure that we could prosecute the offenders.”
Anderson notes the trust he has in Lynch and says he appreciates it. “I trust him and I’m confident in him, and you need that. You need a CSO who has it personally but who also has the leadership expertise to get it done. I know that he has my back.”
More importantly, Anderson notes that Lynch understands the DTE business: he works as a business professional who understands the company’s priorities and assets, and then sets his own priorities and tactics to achieve business goals. “He’s not a narrow security professional,” Anderson says. “He takes a systematic risk-based approach and then turns it into a plan that ties into our business priorities.”
Security Start Up
While it’s beneficial to be a CSO in an established security enterprise, Bill Anderson, Group Director, Corporate Security at Ryder System, Inc., didn’t have that experience. Anderson moved into the Security department at Ryder in 2002, when official corporate security for Ryder was only about two years old. While Ryder did have a corporate security director, Anderson has helped turn the function into a company-wide security management system.
Anderson, who came from Ryder’s safety and health group, had to build from a small base. “While my background at the time was not that of a security expert, I did understand what needed to be done, including expanding from a traditional corporate security role to developing facility standards to incorporating supply chain security and all of the issues related to the international flow of goods,” he explains.
Part of that expansion, he says, is leadership in the field, across Ryder’s vast network of commercial transportation, logistics and supply chain management solutions, which serves customers throughout North America, Europe and Asia. “Ryder’s company culture is based on local ownership of compliance with policies and procedures,” Anderson explains. “We always talk about our professional truck drivers being ‘captain of the ship,’ but the same philosophy applies to our operations leadership teams as well, so a location manager is responsible for everything related to running that local business, which includes communicating corporate security standards. All we did was leverage the company culture into the field. It comes down to having a standard, crafting a policy, but most importantly, making it actionable.”
Sandy Hodes, Senior Vice President of Safety and Health and Deputy General Counsel, as well as Anderson’s supervisor, appreciates Anderson’s leadership style.
“He’s a very smart guy, and he came to this position with a hunger to learn it and to understand how we can incorporate best practices in security into our operations,” Hodes adds. “He took his knowledge of Ryder and his business acumen and then established key relationships with government agencies and industry groups to learn the function and then train his team from a place of expertise.”
“There are seven values that I focus on: respect, integrity, work ethic, teamwork, perseverance, innovation and talent development,” says John Turey, Senior Director, Enterprise Risk Management and Security at TE Connectivity Ltd., which manufactures electrical connectors for consumer devices, network communications, transportation and industrial applications, with business in 90 countries across America, Asia and Europe. “These values contribute to my leadership style.”
Turey, who has had a long and successful career in the public and private sectors, joined the company in December 2011. His department focuses primarily on enterprise risk management, security, business continuity and crisis management. “We take a risk-based approach and follow market conditions to get in front of things so that we can support our businesses,” he explains. “That’s where I spend most of my day. We need to understand the business drivers and enable our leaders to focus on their job.” What also drives his leadership style is strategy, execution and talent. “I regularly evaluate the strategy and objectives of the organization,” he explains. “How does my strategy align with that, how do we execute against our plan, and then with talent, do we have the right talent to support the future needs of the organization? If not, what should we be doing to develop that talent?”
“I’m always trying to energize my employees toward a common goal in line with our corporate business strategy,” adds Claude J. Nebel, Vice President, CSO, Global Security of Cargill in Minneapolis, Minn. The 150-year-old company is a private, family-owned agriculture, food ingredients and investment company with 140,000 employees located in more than 66 countries and 44 U.S. states. “I have 12 international country security managers that I co-manage with our Business Unit and Country Managers,” he says. “We are not big, but we are strategic in the issues we address especially in collaboration with our Business Unit partners. Global security is an important function, and we want our businesses to understand we are here to support them to attain their business goals.”
How does he energize his employees? “By including them in the development of our security strategy and business plan development,” he says. “Nothing gives our employees more of a sense of ownership than to be part of the planning process of the strategy and programs they will take on. I am fortunate that my supervisor has given me leeway and guidance to develop programs, and I couldn’t ask for a better relationship with our general counsel as a supervisor.”
“I believe my leadership skills have been sharpened through my relationship with our business and function partners,” he adds. One policy that he has implemented is meeting with each of his employees once a month. “I want to hear if things are ok with them,” he explains, “as what affects a person outside of work will undoubtedly affect their performance at work, and knowing this in advance and possibly being able to provide guidance can make a dramatic difference in how they will perform. I live by that premise. It is important to me and to them. Once they see I am committed to their personal growth and well-being, they are more committed than ever to the success of our programs and our corporate strategy as a whole. It truly is fantastic!”
Cyber Security: It’s Everyone’s Problem Now
By Brian Finch, Contributing Writer
Much like a musician who becomes an “overnight sensation” after years of toiling away on the sidelines, it is only recently that cyber security has become a top concern for Corporate America. Now more than ever the C-suite understands what the Chief Security Officers and Chief Information Security Officers have been warning about for years – unchecked cyber attacks could ruin a company financially and potentially physically.
It does not hurt that the cyber threat has grabbed the attention of the highest levels of government. Former Defense Secretary Leon Panetta warned about a “Cyber Pearl Harbor.” Homeland Security Secretary Janet Napolitano warned of a “Cyber 9/11.” The Director of National Intelligence declared that cyber attacks are a greater threat than attacks by al Qaeda, and even President Obama has repeatedly expressed concern regarding the frequency and severity of cyber attacks. Abroad, the head of the United Kingdom’s MI6 Intelligence Service commented that his agency was seeing cyber attacks occurring on an “industrial scale” – definitely not something one wants to hear.
Readers of this article, however, already understand that the threat is pervasive, and that the relevant question is when, not if, your company will be hacked. This is why some cyber forensic companies have renamed their risk assessments “compromise assessments”: they assume that a company has already suffered a breach and that the mission is to discover its details.
This unfortunate reality leads one to the conclusion that cyber security is now an enterprise-wide problem that has to be addressed from the executive suite on down. Only by focusing the entire company on the problem and solutions can it be in a better position to mitigate successful cyber attacks.
The Incredible Diversity of the Cyber Threat Landscape
It used to be that cyber threats were relatively easy to spot and combat. Computer security experts could identify specific ways a cyber attack would occur, and they often had weeks if not months of warning to prepare.
Alas, the world of cyber threats is now far more dangerous and unpredictable. Attempted cyber intrusions now number in the millions – monthly. Further, when it comes to the cyber arms race, the sad truth is that the bad guys are winning. Hackers can be hired by the hour, with only a credit card and target required. In the most dangerous cases, the resources of a nation’s government are behind the attacks. No matter how big a company’s information security budget is, it inevitably will pale in comparison to that of a developed nation.
What exactly do some of these threats look like, and what are they trying to accomplish? They can be traditional viruses, with known “signatures” that are dead giveaways that they are harmful. Among the newer worries are “advanced persistent threats” or APTs. APTs are one-off cyber weapons designed to strike at a particular company or person. Through a technique known as “social engineering,” a person will be lured into opening a seemingly harmless file or website, whereupon malicious code will be downloaded onto the target’s computer. From there, that APT can spread laterally, infecting computers across a network. Or it could sit silently, waiting until a predetermined time when it will suck up specific information and exfiltrate it.
Companies also have to worry about vulnerabilities such as contaminated or counterfeit parts that have malware built into them. Similarly, even if a company takes all the appropriate security measures, if it links to third parties with insecure systems, then it may as well have done nothing to protect itself thanks to this fatal gap in its defensive lines.
The next question is why would someone hack into a system? There are many reasons, and none of them are positive. The threat of the theft of personally identifiable information (credit card numbers, etc.) is well known. Companies are just now, however, coming to grips with the realization that valuable information like intellectual property or trade secrets is also being hunted. Our adversaries have realized one way to get ahead in business is to electronically steal someone else’s ideas. No longer do we have to bribe someone to steal an Everlasting Gobstopper from Willy Wonka’s factory – instead we just need Wonka to click on what he thinks is his bank website and *bang* so much for that sucker (pun intended).
“Hacktivism” is another concern. If someone doesn’t like a company or its position on a particular issue, what better way to ruin its reputation than to copy and release its sensitive information and correspondence? Then of course there are cyber attacks designed to destroy data, property or, worst of all, human lives. A well-designed piece of malware could easily accomplish that task.
I could go on, but the point is simple: the threat is real, varied, and here.
Who Needs To Step Up To Defend Against Cyber Attacks
Given the scope and scale of the cyber problem, everyone – from the Board of Directors and CEO on down – has to take action.
First and foremost, the entire company has to be involved because everyone has to have the same understanding of the threat. It does no good if only a few employees understand the scale of the cyber threat. The modes of attack are so varied and occur so regularly that defending against them has to be the kind of company-wide priority that can only be set with the involvement and backing of the executive leadership team.
The next step is bringing together the resources of corporate leadership to address the many issues that will arise from cyber attacks. For instance, this means that the General Counsel’s office will have to carefully catalog legal and regulatory obligations and identify what – if any – “standard of care” exists. This will help set the baseline measures that have to be undertaken. The risk management group also has to be involved in order to use risk transfer mechanisms like insurance policies and indemnification agreements with vendors.
If a company is in the business of investing in or purchasing other companies, then that arm needs to be fully educated on cyber threats so it can conduct proper due diligence. Those groups need to understand where the threats come from, and that they need to seek out answers to basic questions such as whether the target company’s IT system is secure, and whether the asset to be purchased (especially intellectual property or trade secrets) is actually still within the control of the company. No one wins if money is invested in a “secret recipe” that is not really a secret.
Wrapping this together, every member of the company has to understand their role when a compromise is discovered. As law enforcement likes to say, there’s nothing worse than having to exchange business cards at the scene of the fire. The same thing is true for cyber attacks – the stakes are too high for companies to stumble their way through a breach response. Companies have to set up a comprehensive cyber attack response plan in which everyone knows in advance what their role is. Again, that kind of coordinated effort can truly only be driven from the C-Suite, and so it will be vital to have their engagement.
Part and parcel of that, a company should not wait for the alarm to go off to decide which cyber forensic firm, crisis communications counselor and outside law firm should be hired. Instead, the company should have a proactive plan and engagement with such parties so that when the event occurs, everyone knows their responsibilities and can jump into action. Part of that planning could also involve having an outside law firm take the lead so that the attorney-client privilege can attach to the work that is being done. That same firm can also work to develop evidence showing the company was taking reasonable actions, thereby limiting litigation. Law firms can help with liability management tools like the SAFETY Act, a program administered by the Department of Homeland Security that can limit or eliminate liability upfront.
The Unbearable Certainty of Cyber Attacks Made Bearable
Cyber attacks are here to stay. Too much data and valuable information is stored electronically for the future to be any different. Worse yet, the sophistication of cyber attacks is only growing, so companies are going to be hard pressed to maintain a robust defense.
But this does not mean we should throw our hands up in surrender. Instead, it means that companies have to recognize and accept the scope of the threat, and bring together all their resources to minimize the occurrence of cyber attacks and mitigate the consequences of successful ones. To do so will require that a company’s executive leadership step up and step in to make this an enterprise-wide priority. Without that engagement, a company will never be as secure as it could be, and the door will be wide open for attacks and, worst of all, the ravenous pickings of litigation post-event.
About the Author:
Brian Finch is a partner at Dickstein Shapiro LLP, where he leads the firm’s Global Security Practice.