Lessons Learned from Security 500 Palo Alto

Opening his keynote by presenting a gap that needs to be successfully closed, Tim Dillon, Vice President of Global Physical Security for Oracle said, “What is the job? The job is to protect assets, protect shareholder value and align with the corporate culture. And answer the question: How little opex can you spend and still get the job done?”

“Making Security’s Brand Mean Business” was the perfect title to kick off the third Security 500 West Conference. Tim’s focus on the basic issues of brand management resonated with attendees. Simple, but not easy, questions to answer included:

“Do you understand what you stand for?”
“What are you selling?”
“What does your product or marketing brochure look like?”

“These are the answers that take a security program from guards and cards to answering how security helps customers meet their revenue opportunities. And building this plan should include a three to five year outlook,” shared Tim.

Indeed, the goal to assure and enable business (this publication’s purpose statement) is front and center at Oracle. He is part of a three-person risk and security team that reports into the chief software architect, ensuring that all security programs are aimed at supporting business goals. Meeting the Oracle culture to ensure that customer service and policy enforcement are balanced, understood and motivated to actively participate (become a customer) in the security program.

“A key element in our planning is our ‘de-invest/re-invest’ program. We realize that each year, some in place programs are no longer necessary,” Tim said. “To avoid resourcing legacy programs that have reduced or no ROI, we review existing programs and make changes. That frees up budget dollars to invest in new ones.”

Oracle is well on its way to supporting business goals and protecting people, IP and assets through its security roadmap. More about Oracle and enabling security’s brand can be found in this month’s cover story.

In addition to Tim, three panel discussions addressed top of mind risk issues for our attendees:

Cyber Security
Big Data and Analytics
Sourcing: Single v Multiple vendor strategies

Joshua Belk, CSO, FBI moderated the cyber security panel and was joined by Brent Conran, McAfee/Intel and Neil Rerup, Enterprise CyberSecurity Architects. The panelists noted that the unfortunate news is that the cyber criminals are outstripping the enterprise’s ability to defend itself.

“We look for the right attitude and aptitude when we hire. Having intellectual curiosity is very important for understanding and identifying vulnerabilities and anomalies. The people who are the best at cyber security are not always the ones you would expect,” shared Brent.

Neil noted that you have to create a defense that matches your culture. “Law enforcement, like the FBI, is focused on reputation and retaining the public’s confidence. Government is focused on politics and electability, while the private sector is about brand and money.” For more on this talent gap, check out Security’s May cover story.

The Big Data and Analytics panel, moderated by George Booth of EBay, started with defining the topic. About a week prior to the conference, John McClurg, CSO of Dell, sent me a note suggesting that if we were going to tackle this topic, we first read, “Big Data: A Revolution” by Viktor Mayer-Schonberger; so we did (thank goodness for that Amazon one-click/two-day delivery).

While misunderstood by most, the definition is straightforward. Big data is just that. The interesting example in the book that was discussed at the conference was Google’s ability in 2009 to identify where the H1N1 flu outbreaks by geographic area ahead of the medical community. No understanding of medicine or flu was required to follow the searches for flu like symptoms, remedies and treatments.

Duane Ritter of Cox Enterprises led our discussion on the plusses and minuses of both single and multi-vendor sourcing for both systems integration and guarding. He was joined by Jim Mercurio of the San Francisco 49ers, Drew Levine of G4S and Wesley Bull of NVIDIA. Perhaps the most valuable learning from this panel was that there is not and may never be a “one size fits all” solution for our industry. While there are many economic and operational advantages to a single provider, there are also some risks associated with this model.

As the Levi’s Stadium (new home of the 49ers) nears completion, Jim shared, “We have tried it both ways. With a single guard provider we felt like the first 100 guards were superior to the last 100 guards. So we split the contract and now we believe each company is sending the first 100. They are competing and the quality is better. It costs a bit more, but we feel that it is important to maintain quality.”

The 2014 Security 500 Survey will be out later this month, so please watch out for it and plan to participate. And we are pleased to announce that this year, the Security 500 Conference will be held in partnership with OSAC week. Please mark your calendars for November 17 in Washington, D.C.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.