With rising risks and tumultuous business climates, the spotlight is shining on the enterprise’s next leader: the security executive.
In July 2006, former Security magazine publisher Mark McCourt re-launched Security magazine, “Solutions for Enterprise Security Leaders,” by writing about the changing role of security. That issue included roundtable and focus group conversations with the leading CSOs at the time. “The best and brightest in those discussions shared what security’s role could be, if permitted,” McCourt said. Seven years later, McCourt wrote: “Many of those prognostications have come to reality across the Security 500 report. And it will be exciting to watch where it goes next.”
Yes, it has been exciting to watch. Now in the tenth year of our annual Security 500 report, it’s exciting to highlight how enterprise security has taken center stage within an enterprise.
From healthcare, to finance, to retail, to education and more, enterprise security has grown and evolved since the first Security 500 report. As I reported earlier this year, and according to one industry analyst, Security 500 members and enterprise security executives are well on their way to becoming the “corporate rock star;” some are already in the spotlight in their enterprises. The talent in this industry is exemplary and impressive. And the boardroom has woken up to the importance of security – and to the enormity of what it will take to protect an enterprise and its employees.
What that means is that CEOs are putting a premium on hiring a first-rate Chief Security Officer (CSO) to lead the charge. Industry analyst Ted Schein, in a Forbes article, said: “I often say that the CSO is the ‘corporate rock-star of the future’ because exceptional ones possess a combination of skills that rarely appear in one person.”
Yet the journey hasn’t been an easy one, and it continues to evolve each day. For example, at Ingersoll Rand, the global security function didn’t even exist until Rick Kelly came on board. “I’m responsible for building the program from the ground up, and, at the same time, dealing with all of the tactical issues that come in on a daily basis,” says Kelly, Director of Global Security. “Never a day goes by when you’re doing the same thing. There’s always a different issue to address; there’s always a different problem that pops up.”
One thing that impressed Kelly the most about Ingersoll Rand was the C-suite’s focus on the importance of security. “They’re very understanding of what risk is and how to mitigate it, and they’re very supportive of what we want to do and how we want to do it,” he says. They are also good about enforcing security initiatives and promoting security programs to other Ingersoll Rand leaders.
The perception of the security brand among Ingersoll Rand employees is evolving, Kelly says. “When I came in and we started socializing the message of what security is about, most employees hadn’t seen that kind of program and didn’t know what it was,” he says. “As we start to educate the employee base from senior managers on down, people are starting to understand why access control, travel security, information security, and the like, are important.”
In healthcare security, Anthony Notaroberta, CSO at Metropolitan Hospital Center, sums up security work in one sentence: “It’s 59 minutes of boredom and one minute of sheer terror,” he says. “To me, it’s trying to explain to the security staff how they fit in with the organization, their overall mission and that what they do during those 59 minutes actually contributes something to the organization in terms of value and patient satisfaction.”
Today’s business market has created a complete shift in the security aspect of the healthcare industry, says Notaroberta. “Everything is based on satisfaction scores and it’s not good enough to just have had a good experience anymore.” Hospitals want patients to recommend the hospital to their peers and talk about the outstanding care, which makes security’s job more complex. “Trying to get the message across to security staff how they can help with that in those 59 minutes is hard. There’s no script, there’s no standard and that, for me, is the most difficult.”
For Security 500 members involved in sports events and stadium security, beyond the basic mission of being accountable for the safety and security of the facilities’ guests, clients and team members, the security team is “dedicated to providing a high-quality experience, along with a proactive security program,” says Donald Paisant, Chief of Public Safety for SMG Mercedes-Benz Superdome. Thanks to his background in the hospitality industry, Paisant understands the importance of good customer service. “If we don’t have customers, we don’t have jobs,” he says, “so we drill in the customer service aspect. One of the things we do in our training is to get our officers to understand that you can still be nice and get your job done.”
Security’s biggest contribution to the organization is providing a secure environment, says Greg Wurm, Staff Vice President of Corporate Security at Anthem. “If it’s not a secure environment for people to work in and they’re not comfortable, it impacts their business and ability to do their work.”
At Western Union, the word is definitely getting out among criminals to avoid Western Union, thanks to security. Phil Hopkins, Vice President of Global Security, says his team’s work with law enforcement has helped with situations worldwide, including recent child exploitation cases in the Philippines and Jamaican lottery scams in Costa Rica. “Because of some of the controls we’ve put in place, we have made it more difficult for bad guys to use Western Union,” says Hopkins. “Feedback is how I gauge our success and our value to the company. I’m able to go to the executives and show them these documents and emails acknowledging our efforts are paying off. We may not be perfect, but we know our work is making a difference.”
For the second year in a row, Security 500 members rated cybersecurity as the number one threat facing an enterprise and its security team. This is despite the fact that only 35 percent of Security 500 members report responsibility for it.
But it’s no surprise that it’s a top trend, as 2014 will long be remembered for a series of mega cybersecurity breaches and attacks, starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the Target breach, 40 million credit and debit card numbers were stolen, along with 70 million customer records that included the name, address, email address and phone number of Target shoppers. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked.
Other mega breaches in 2014 were:
- eBay (145 million people affected)
- JPMorgan Chase & Co. (76 million households and 7 million small businesses affected)
- Home Depot (56 million unique payment cards)
- CHS Community Health Systems (4.5 million people affected)
- Michaels Stores (2.6 million people affected)
- Neiman Marcus (1.1 million people affected)
- Staples (point-of-sales systems at 115 of its more than 1,400 retail stores)
The year 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.
In its most recent analysis, the Ponemon Institute found that each lost data record cost companies an average of $145 per record, with companies in Germany losing the most per record for each data breach ($201), followed by the United States ($195), and companies in India the least at $51.20.
Ponemon Institute’s 2015 Cost of Cyber Crime Study reported the average annualized cost of cyber crime incurred was $15 million, with a range from $1.9 million to $65 million each year per company. The net increase in the cost of cyber crime over the six-year span of the study was 82 percent.
The average time to resolve a cyber attack was 46 days, the survey said, with an average cost to participating organizations of more than $1.9 million during this 46-day period. This represents a 22-percent increase from last year’s estimated average cost of approximately $1.5 million, which was based upon a similar 45-day resolution period.
Information theft represented the highest external cost, followed by the costs associated with business disruption. On an annual basis, information theft accounted for 42 percent of total external costs, while costs associated with disruption to business or lost productivity accounted for 36 percent of external costs (up 4 percent from the six-year average).
Small businesses are particularly vulnerable because they may not have the resources to prevent an attack or they may believe they would never be a target.
To help turn the momentum, more enterprises are increasing their information security spending, collaborating more on threat intelligence efforts and turning to cybersecurity insurance policies in larger numbers, according to the Global State of Information Security Survey from PwC.
They are also turning to new technologies such as cloud-enabled cybersecurity, big data analytics and advanced authentication measures, the PwC survey says. Organizations are reconsidering key executive and board of director roles to provide more resilient and proactive security measures.
The vast majority of survey respondents, 91 percent, use a risk-based cybersecurity framework. Most said they follow ISO 27001 guidelines, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and the SANS Critical Controls.
A positive finding from the Ponemon survey is that top security executives and board members are playing more prominent roles in organizations. Fifty-four percent have a CISO to oversee security while 49 percent have a CSO. Also, survey respondents reported a double-digit increase in board of director involvement in data security, including participation in security budgets to achieve higher security spending and fostering a culture of security.
Despite policy changes, access control and identification programs, lockdown drills and training, workplace violence rates continue to rise at an alarming rate. There have been 144 shootings on school campuses in the U.S. since 20 children and six adults were killed at Sandy Hook Elementary School in Newtown, Connecticut, on December 14, 2012, according to Everytown For Gun Safety, an advocacy group. That figure doesn’t include the most recent event: a shooting in October at a community college in Oregon that killed 10 students.
According to the National Institute for the Prevention of Workplace Violence, the cost of a single homicide at work averages between $250,000 and $1 million when all costs are considered. Lawsuits in this area have been driving up costs substantially. The average out-of-court settlement for this type of litigation approaches $500,000, and the average jury award is $3 million. A few awards have reached as high as $5.49 million. That figure does not measure the cost of reputational risk or brand damage. Once a homicide occurs in your workplace, it brings the whole enterprise into the spotlight. A workplace homicide is newsworthy and will likely result in front-page coverage by the national press.
All sectors are affected; no one is immune, and the issue is difficult to mitigate. According to Barry Nixon at the National Institute for the Prevention of Workplace Violence: “Most workplace violence experts agree that serious workplace violence incidents are generally preventable by a company having a progressive and comprehensive workplace violence prevention effort in place. However, even for a firm that practices due diligence, the stark reality is that we do not have an exacting capability of predicting who will explode, when or where it will happen and the commensurate outcome. Potential perpetrators don’t walk around with a ‘neon sign’ saying ‘coming attractions today at 3:00 p.m. in the company cafeteria.’ Consequently, we must focus on preparing for an emergency situation very much akin to developing a disaster plan and dealing with being able to anticipate the unexpected. It is like throwing dice: the only certainty is that a set of numbers will come up, but knowing which numbers will be rolled is unpredictable. Workplace violence specialists will advise you that there are important steps organizations can take to improve their ‘predictability’; however, in the final analysis you are faced with mitigating as many of the risks that you can identify and hoping you have done enough.”
Nixon advises having a risk mitigation plan that focuses on five key assets to protect: facilities, technology, information, networks and people. “This starts with looking at what could damage any of these assets or seriously impair the business operations from continuing to operate. This fundamentally means you have to understand the risk and what you can do to prevent or mitigate the situation from occurring. The final stage involves business impact analysis, which examines the actual financial impact should an event occur that seriously impacts the business.”
Most organizations have implemented policies and programs to reduce the potential for incidents. For example, Wurm at Anthem has a primary focus on enterprise risk in terms of associate safety. “We have a large associate population, and they’re in that open environment in some of our offices,” says Wurm. “Our real primary risks are things like potential workplace violence cases or other high-profile cases that, even if not directed toward our company, could impact people at work there. Trying to find that balance to have that safe environment is one of our big challenges right now.”
Access control is a critical piece of a security strategy to mitigate workplace violence, particularly in schools. “We use an electronic lobby management system that monitors every visitor that comes in and screens them for sex registration status,” says Chris Wynn, Chief of Security at Val Verde School District. The district also employs a locked gate and locked classroom policy while school is in session. “We are basically in lockdown status at all times, which can save precious time in an emergency,” he says.
At Schneider National, the security team also has a worldwide focus on the protection of their employees. “Workplace violence continues to be a growing concern for businesses. We brought a team together to explore the topic and address it,” explains Walt Fountain, Director of Safety and Enterprise Security. “The outcome was to create an environment where our people felt comfortable using resources and seeking help. Our process is proactive by controlling the relationship with a colleague to discuss expectations and business issues internally.”
On the heels of mitigating workplace violence is the challenge to secure the funding to do so. For example, a recent study suggested that campuses nationwide might be unprepared to deal with an active shooter and that budgets are the main stumbling block to stopping an active shooter. According to a survey of 513 campus officials and senior leadership by Margolis Healy, 25.4 percent of respondents said they have never conducted any type of active shooter drill on campus. Their top reason? “Budget constraints.” Budget concerns remain a trend across all sectors. However, this year’s survey results show that 57 percent of Security 500 members increased their budgets in 2014, with 30 percent reporting that the budgets stayed the same and 13 percent reporting a budget decrease. In 2014, 65 percent of Security 500 members reported their budgets increased over the prior year.
The reasons vary, but overall, budget increases are getting support because organizations and their C-suites understand and embrace security’s role and success in mitigating risks, which are routinely illustrated via metrics and measures.
Budgets are getting C-suite support because Security 500 members are becoming the bridge connecting the two worlds of business and security, and are becoming “customer facing.” More and more, security is participating in completing proposals, giving prospects tours of their security departments and engaging with customers. The good ones realize this, and use their understanding of the security world to talk to their customers, to understand what they need and why they need it. Then they translate this to fit in with business objectives and explain it to the C-suite, to employees and to customers. By bridging these very different worlds, Security 500 members can ensure proper budget increases and overall security funding.
For example, hired to help overhaul the entire security program at High Point University, Jeff Karpovich, Chief and Director of Security and Transportation, had a daunting project in front of him. “How I did it is simply this: If the university wants a program they can be proud of and that they can tout and that truly makes the campus safe, it’s going to be an investment. If I didn’t have administrative support or support from the president, I could not have added as I needed to,” he explains.
Support from the C-suite, led by President Dr. Nido Qubein, is continual and plentiful. “We would not have the funding that we have received in the past seven years since I took over if the C-suite did not believe in this investment,” Karpovich notes. “To go from 12 to 120 people is expensive, and that’s a recurring cost. I’m blessed that I have proven our value, and we are supported in almost everything we do.”
During the last few years, catastrophic natural disasters have made the news, everything from Hurricane Sandy to typhoons striking the Philippines, and the most recent, historic flooding in South Carolina. Security 500 members report that they are going beyond natural disasters in their business continuity plans, and looking at all potential risks for overall enterprise resilience.
Enterprise resilience and business continuity readiness is no longer just a good practice; it’s considered a fiduciary responsibility to employees, partners and customers. In 2008, Forrester Research found 77 percent of organizations had documented BC plans (BCPs). In 2014, the percentage jumped to 93 percent. According to “The State of Business Continuity Preparedness 2015” by Disaster Recovery Journal, regulators are the most likely to demand proof of readiness, as 71 percent of companies who completed the survey said that they had to provide proof of preparedness to regulators. However, partners and customers also frequently asked for proof.
Organizations often go to extraordinary lengths to develop BC plans that address the failover of IT systems to alternate sites but often neglect or underestimate the human aspects such as workforce recovery and crisis or emergency communication, said Forrester.
According to the survey, remote access was the most common strategy in 2014. While 54 percent of organizations report using an automated communication service, a large percentage of organizations also continue to use corporate email and manual call tree lists, in addition to social media.
The survey also found that communication, collaboration and training remain the top lessons learned from a BC invocation.
At ADP, CSO Roland Cloutier says “There is always a weather, political or other event occurring, and we are continually focused on disaster preparedness and getting payroll delivered.” From the company’s security operations centers, ADP employs full-time crisis management teams leveraging the triangle of crisis planning, emergency management and disaster recovery. “We are up, running and good to go,” Cloutier says.
Overall, Security 500 members, through business continuity plans and risk mitigation in this area, are contributing to the enterprise’s overall vision and mission by enabling the organization to effectively and efficiently achieve its goals.
Whether he or she is directly responsible for employee on-boarding or not, a security leader is ultimately responsible for employees’ security education and awareness once they are hired.
At many enterprises, Security 500 members conduct internal evaluations and surveys that result in security team members being highly regarded and valued. The first key to success is ensuring prospective hires are a strong cultural fit, with more of a business risk focus and less of an enforcement mentality. Second, training is critical.
For example, Honeywell has developed Security Centers of Excellence where all standard work, such as training, managing employees’ clearances, facility clearances, lining up audits and pre-audits and inspections, gets managed. “It also trains our security team on being better business people,” says Rich Mason, Vice President of Global Security at Honeywell. “I think that’s what is changing in the security environment. It is taking pure play security folks and up-armoring them with marketing skills, with procurement skills and engineering skills, and overall, creating well-rounded business professionals.”
Overall, security’s mission is “about people,” Mason adds. “Any successful organization needs to advance in all three domains of people, process and technology. But it starts with good people to advance the latter. At Honeywell, people are our ultimate differentiator. We have skilled, motivated people that embrace change and are constantly looking for ways to improve and increase their productivity through new tools and standardized work. That’s what makes us valuable partners to the Leadership team,” says Mason.
With so much at stake, Bob Messemer and Nielsen invest a lot into the development of talent and the team, and take mentorship seriously. “I was happy to play that role in the FBI and to be able to see some of the people that I managed now assume greater roles within the FBI and create greater value for our nation,” Messemer says. “Now, coming to Nielsen and being able to mentor young security professionals, it’s a very personally rewarding experience for me.”
At Nationwide Insurance, life safety, asset protection – including data protection – and domestic and workplace violence are the top concerns within the security function. Since a number of the security officers and leaders carry firearms at the larger campuses within the company in case of an active shooter, there is significant training involved, says Jay Beighley, Associate VP of Corporate Security. “Part of that training includes time on a decision simulator, practical firearms training and scenario-based training with role players. The liability risk involved with this approach requires us to train to a very high level and to also test new less lethal devices as an alternative to deadly force,” he says.
Beighley serves as a board member of the Ohio Private Investigator and Security Guard Provider Commission, which gives him the opportunity to influence key safety and security legislation and training for security officers. “I would love to see an accrediting body for security groups, much like the police have in CALEA. I think an independent governing body that could help to bring a consistent level of professionalism and competency to the profession would not only help the security provider, but also enhance the reputation of the organization that employs them,” he says.
In an effort to motivate his security staff, one of Donald Paisant’s favorite practices is to test the system. “The greatest plans are great on paper, but if we don’t test our systems, we don’t really know if they’re working,” he says. On game days, he has operatives, mostly from the hotel industry, come in and try to pay his staff off or generally sweet talk officers into letting them go places they shouldn’t. He also uses undercover police officers to try to get guns and knives inside the screening checkpoints. Paisant then follows up with employees and rewards those who do their job well. “The staff is a lot more alert when they know they’re being tested,” Paisant says.
At Seattle Children’s Hospital, Jim Sawyer, Director of Security Services, says that training is his greatest security challenge. “A lot of clients in hospitals aren’t exactly refined, sensitive intellectuals who read Shakespeare at night. But if their child is sick, they are totally focused on their child, and we want to support them during that difficult time.”
His staff of 75 proprietary security officers is trained in customer service. “Our security officers are more about supporting people in crisis and treating people well than being an enforcer,” Sawyer explains. “If someone asks for help, we never turn them down. At the same time, with a smile on our faces, we’re doing a quick risk assessment to determine what, if any, threat they are to our hospital, patients and staff.”
This year, 94 percent of Security 500 members reported responsibility for investigations, and 71 percent reported responsibility over asset protection and theft. And with good reason. According to the 2015 Hiscox Embezzlement Watchlist: A Snapshot of Employee Theft in the U.S., U.S. organizations with fewer than 500 employees experienced a median loss of $280,000 per year due to employee theft across a wide range of industries.
The study found that embezzlement is not just a problem for large organizations or the financial services industry; 80 percent of victim organizations had fewer than 100 employees, and losses were suffered across a wide variety of industries, with an average total loss of $842,403.
According to the report, most instances of employee theft involve employees with long tenure. Women represented more than 60 percent of employee perpetrators, while the median age of wrongdoers was 50. The embezzlers were also not confined to the finance operations of an organization. In fact, more than 50 percent of actions were committed by employees not in the finance or accounting function.
More than 21 percent of employee thefts in organizations with fewer than 500 employees involved entities in the financial services category, which includes banks, credit unions and insurance companies. The median loss for financial services organizations was $271,000. Retail entities and the healthcare industry had the largest median losses, at $606,012 and $446,000, respectively. Other organizations with a high concentration of employee theft were non-profits (median loss of $202,775), municipalities (median loss of $293,717) and labor unions (median loss of $41,599).
In retail specifically, U.S. retailers are losing $60 billion a year to shrinkage, up from $57 billion in 2014. Additionally, employee theft was reported as the single biggest cause of loss to retailers. The 27th Annual Retail Theft Survey, conducted by Jack L. Hayes International, said that dishonest employees steal more than six times the amount stolen by shoplifters.
The National Retail Federation recently announced a multimillion-dollar investment to form a new department within the organization focusing on industry research. The Retail Research and Analysis Center will bring together all existing research within NRF and expand upon the wide range of issue areas and trends already studied. The Center will focus on four main areas: the economy, legislative and regulatory policy, the retail industry and consumers.
Legislation and technology in the form of video surveillance is assisting, as well. Texas recently passed legislation to protect businesses from fraud by allowing them to scan and store electronically readable information embedded in a driver’s license. It also allows businesses to provide the information to check services or fraud prevention services companies as part of a transaction initiated by the license holder. Check services and fraud prevention services companies are governed by the Fair Credit Reporting Act, and therefore any electronically readable information that they obtain would be subject to the Act’s data privacy protections.
Charles Andrews, CPP, ASIS Regional Vice President for the State of Texas, said: “Security directors are expected to do more, all of the time, and often that means that we need to be heavily involved in operations. This is a great example of how Security can bring strong value to the bottom line.”
Seventy-one percent of Security 500 members report responsibility for workforce, executive and travel protection this year. And enterprise security plays a key role in ensuring that executives and employees are as safe as they can be, given all the unpredictable events that can occur. As noted in Trends 3 and 5, Security 500 members spend much time, effort and money on securing and training employees across the enterprise. If an employee is not safe while he or she travels, why would they stay with the company? If money is seen being spent on door locks, video cameras, firewalls and ID cards, it’s for naught if an employee is not taken care of while traveling on business. And ownership of duty-of-care plans in this area should be shared with all key stakeholders, including those responsible for security, risk management and travel, as well as with senior management.
Evacuation expenses, emergency medical care costs, productivity losses and damage to an employer’s brand because of a travel incident can far outweigh the cost of duty-of-care programs. And there is no one-size-fits-all plan. Companies must tailor their duty-of-care programs based on where their workers travel, the nature of their work, the types of employees who travel and the organization’s culture.
“Travel risk mitigation plans should protect all employees, including travelers, expatriates and emerging market employees, and there should be a focus on duty of care,” according to Pablo Weisz, Regional Security Manager, Americas, for International SOS and Control Risks. “The plans should include clear and comprehensive policies governing business travel as well as the ability to locate and communicate with travelers within minutes of a significant event.”
A court case demonstrates the potential for legal liability for failure to manage travel risk. In March 2013, a Connecticut jury awarded more than $41 million to a student who was bitten by a tick and suffered brain damage while on a school-sponsored trip to China. The Hotchkiss School, in Lakeville, Connecticut, failed to warn trip participants about known dangers, according to court testimony. The school has appealed the verdict.
At the same time, the traveler should be asked to participate actively in planning, to follow procedures during travel, to check in with headquarters often, to use common sense and to ensure that he or she avoids unnecessary risk.
At Ingersoll Rand, Rick Kelly’s team focuses on travel security. “It was the number one issue I looked at when I came in. We put some really good controls in place to ensure our travelers are fully briefed and aware of security issues and risks wherever they’re traveling,” says Kelly. Personal security details are also provided for travelers going into high/extreme risk
This year, Security 500 members reported increased responsibility for their enterprise’s operations in Asia, South America, Africa, Europe and Australia. In Australia, responsibility increased three percent; responsibility increased eight percent in Asia and six percent in South America.
And with good reason. According to EY’s Rapid Growth Market Forecast, the economic output of China’s 150 largest cities will triple from $8 trillion today to $25 trillion by 2030. Coastal cities close to China’s manufacturing hubs, such as Jakarta and Ho Chi Minh City, are set to see large increases in industrial employment. Others, such as Delhi and Hanoi, will benefit from their relatively competitive labor costs.
Financial services will also expand rapidly. Beijing, Lagos and Mumbai are all expected to create more financial service sector jobs than London over the years to 2030, according to the report.
The last four years have been exceptionally turbulent in the Middle East and West Africa. The ripple effects of the Arab Spring and other geopolitical developments have led to an increased threat from transnational terrorist networks and reduced governmental capacity to deal with it. Yet, as these regions struggle, their economic indicators remain strong. The International Monetary Fund forecasts that the Middle East and North Africa will be the third fastest-growing region in the world over the next five years, fueled by one of the youngest consumer markets on the planet.
According to the 2014 Chubb Multinational Risk Survey, one in two (52 percent) businesses plans to increase its overseas activity in 2014. Survey respondents expect to increase overseas travel (27 percent), introduce new products in foreign markets (27 percent) and increase employee headcount abroad (26 percent).
“Companies, large and small, continue to seek out new business opportunities abroad, and they increasingly are being confronted by political and economic turmoil, natural and man-made disasters, and regulatory hurdles,” said Kathleen Ellis, senior vice president and worldwide manager for Chubb Multinational Solutions. “As they expand their international business operations, companies need to take a more holistic or global approach to managing risk.”
Support from the C-suite and the Board of Directors is instrumental in building a global security department, and Security 500 members are excelling in this area. For example, at Western Union, Hopkins says: “In the last several years, we’ve been able to increase our global presence. As a U.S.-based financial institution, we probably have, if not the best, one of the better global footprints as it relates to our team members’ locations. We’re hiring in numerous places around the world, and we never would have been able to do that without that commitment and trust from the C-suite.”
This year, 61 percent of Security 500 members report responsibility for regulatory compliance within their enterprise, and justifiably so. According to the EY 2015 Governance, Risk and Compliance survey, in the aftermath of the global financial crisis, stakeholders and regulators intensified their focus on an enterprise’s risk management oversight. Enterprise security executives and risk managers are expected to take a more proactive role in understanding the company’s risk appetite, its risk culture, and risk management policies and procedures. And more than ever, boards must understand the risks their organization faces.
Those risks are many. “Organizations are pressed to meet quarterly financial targets, while complying with accounting standards and new reporting requirements (e.g., new revenue recognition standards). On the operational side, increased outsourcing of major elements of manufacturing processes in emerging markets and countries can increase risks. Meanwhile the regulatory environment has grown more active, with fines and sanctions on the rise. And the recurring front-page headlines about cyber-attacks and data breaches at companies across the world make it clear that cybersecurity has become a primary concern,” says the EY survey.
Countries around the world have taken varying approaches to corporate governance and risk management. Some examples, according to the EY report:
- In the U.S., the COSO framework lists 17 principles that organizations should follow.
- Companies with a premium listing on the London Stock Exchange must report how they have applied the UK Corporate Governance Code. In general, listed companies must “comply or explain” – in other words, they must clearly and meaningfully explain why they have chosen not to apply the Code in a given area.
- The European Commission has recommended a similar “comply or explain” regime across the EU.
- In Hong Kong, issuers are expected to comply with the Corporate Governance Code. Companies that deviate from the Code must give “considered reasons” in their annual report.
For money service businesses (MSBs) like Western Union, the issue of “de-risking” is a challenge. Phil Hopkins says that since the money service business is looked at as high-risk, many banks are now considering reducing banking services to MSBs. “We’re working to give these banks comfort that Western Union has a strong Compliance department,” says Hopkins. “We believe the strength of our Compliance department is now a long-term competitive advantage for our company in this regard. Western Union is the industry leader because we have 500,000 locations in over 200 countries and territories. We’re essential for people who do not have bank accounts or who need to send money home to their families in other countries.”
At Honeywell, the challenge of managing risk in a Six Sigma environment is the risk of becoming complacent. “One campaign for us right now is resilience,” says Honeywell’s Rich Mason. “I think too many security organizations are getting caught in the trap of saying compliance is good enough to manage risk. Some will say: ‘If I’m ISO certified and if I have my government certification, I’m secure.’ And I like to push back on folks and say that’s minimum security. Let’s not confuse that with resilience. Resilience is this concept of no matter what gets thrown at us we can minimize the impact, we can get up quickly, we can learn from it, and we can continuously improve. The only way to do that is when security is integrated, when it is built in, not bolted on.”
At Peabody Energy, employee health and safety has always been valued, and the company continues to cooperate with MSHA (Mine Safety and Health Administration), a function of OSHA (Occupational Safety and Health Administration), and with BATF, the area of ATF focusing on explosives related to the mining business. On any given day the company may have seven MSHA inspectors performing routine checks at its operations.
For Exelon, corporate security demands regulatory compliance. “This growing compliance issue continues to provide challenges to all lines of business,” says Ed Goetz, Vice President and Chief Security Officer, Corporate and Information. “By uniting our security and compliance programs in a synergistic effort, we have been able to close the gap between our operational efforts to secure the enterprise and our ever-evolving need to maintain compliance with regulated security standards. This will help to reduce costs associated with potential regulatory fines and improve our compliance posture.”
Technology integration and management appeared on the Security 500 horizon for the first time in 2012. It has remained front and center and is one of the 10 trends this year. Ninety percent of Security 500 members reported responsibility over technology integration and maintenance within their enterprise. As Mark McCourt reported in 2013, “Simply, security’s role is too wide to rely solely on manpower.” Tying into last year’s Security 500 theme of enterprise security moving toward a predictive, rather than reactive, mentality, McCourt noted: “Having situational awareness to identify and mitigate threats requires information. And security technology has become very good at collecting, analyzing and presenting many data points into actionable information. Thus, as long as technology supports and enhances security’s mission as directed by the C-suite, technology investment will continue to accelerate.”
Helping Security 500 members mitigate risks are cloud-based solutions, IP camera surveillance, facial recognition, PSIM, perimeter intrusion detection and more.
For example, because protecting the Nationwide Mutual brand is critical to the company’s success, Jay Beighley’s team at Nationwide Mutual focuses on strategic areas to ensure safety for everyone. “We are working to deploy new technological capabilities that will enable our team to provide virtual security support to associates and members in remote locations,” he says.
For Rick Kelly at Ingersoll Rand, physical security includes not just locations and people, but technology as well. “We built solid standards and specifications, and we are standardizing processes across the organization,” he says. “We have one particular system that will manage access control, cameras, alarms and monitoring instead of a diversified bunch of equipment.”
Implementing critical technology, such as electronic lobby management, into the Val Verde Unified School District has been one of Chris Wynn’s primary focuses. The district has implemented a new video management system, is significantly upgrading its security cameras and is moving toward an electronic access control system. “We’ve done a tremendous amount for reconfiguring our lobbies,” says Wynn. “We’ve put in physical barriers, glass store fronts, reconfigured counters to create natural barriers and reconstructed entry points to make them still open and welcoming, but not immediately accessible to our sites without being granted access.”
Aflac is a big company, with big security needs. Scott Shaw, senior manager for corporate security, has invested in security cameras, alarms and access systems, enabling security to monitor its multi-facility campus in Georgia and its work sites in Columbia, South Carolina, from a single location, reducing personnel costs and providing real-time access to information in a crisis. Also, by following security best practices in camera deployment, Aflac has decreased the need for patrols to cover areas that are now monitored through cameras with video analytics and alarms.
As Security 500 members continue to gain influence in the C-suite and grow their budgets and staff, it’s encouraging to see these rising stars of the enterprise make the most of their resources through force-multiplying and efficiency-driving technology.