Ensuring Security and Safety at The State Street Corporation

Keeping a business running for more than 227 years takes effective security management.

This is true for State Street Corporation, the second oldest bank in the United States.

A global company with headquarters in downtown Boston, State Street Corporation (State Street) was founded in 1792. It is ranked among the largest banks in the United States by assets, with $31 trillion of assets under custody, which also makes it one of the largest asset management companies in the world. It has more than 70,000 people on staff in 29 countries.

State Street is also designated as a Systematically Important Financial Institution (SIFI) in the U.S. and globally because of its size, complexity, interconnectedness and the lack of readily available substitutes for the financial infrastructure that it provides.

Helping to ensure the success of the enterprise by leading the enterprise security programs and strategy of State Street is Chief Security Officer Stephen D. Baker, CPP.

As CSO, Baker is responsible for the strategic plans and operations of the Global Security and Investigations functions. He guides the direction and ensures alignment with the business functions of this successful corporation for all protection programs globally. Baker says that as he and his team focus on effective defense in layers and mitigating controls, they drive cost efficiencies for the company. Baker is proud of his team’s entrepreneurial owner’s mindset, and says that together they deliver value to the company and its stakeholders in three specific ways. “We are here to add value and we do so in knowledge, assurance and performance,” he shares.

For knowledge, he is a proven veteran, tasked with ensuring the development and implementation of regional security programs and practices as well as enterprise-wide solutions to ensure the security and safety of State Street’s executives, its personnel and its assets, information, continuity of operations and solid reputation.

For assurance, he and the team have direct responsibility over the company’s physical security, fire life safety, incident management and response, risk assessment, safe travel programs, personal protection and event security, background investigations and investigation programs, among others. He also maintains the Global Protective Services unit, which includes the design, installation and management of security systems. These services are checked by regulators, clients and others so often that there is now a formal client assurance and regulatory risk compliance subgroup on Baker’s team.

For performance, Baker’s lean approach and enterprise view has yielded a team who delivers value beyond security back to the business, Baker says. “We have a long list of successes, which have been used across the company to improve performance. They include workflow automation, business reporting and client assurance management. We are constantly taking action proactively to better serve the company.”

The Road to State Street

Baker always wanted to be a police officer. He attended Northeastern University’s College of Criminal Justice, and while studying there, he served as a special police officer, where he experienced law enforcement first hand. “What I found out back then is that a lot of law enforcement officials are reactive crime fighters as opposed to engaging in a proactive community policing concept, which better fits my personality,” he says.

After college, he spent 15 years working for Digital Equipment Corporation. “I did just about every job there is in security until I became the headquarters area security manager at Digital,” he shares. He was then offered a role at State Street, as Assistant Vice President of Security Systems. He was eventually promoted to Vice President of Global Security and then Deputy Chief Security Officer. He was named Chief Security Officer in March of this year.

In addition to Baker, the State Street Global Security team includes six directors: three regional directors for the EMEA, Asia Pacific and Americas regions; and three functional directors for investigations, security systems in technology, and strategies and initiatives.

Security within State Street operates three security control centers: in Boston, (a Corporate Security Control Center), in Sydney, Australia and in London. “Each center has the ability to take control of any other center, if needed,” Baker says. “Earlier this year we conducted a recovery exercise, where we shut down the U.S. center and temporarily gave control to London, to ensure the business continuity plan works,” he notes.

Inception to Delivery

Global Security protects its people, property and information through the continuous implementation and improvement of security programs and safety measures. Baker and his team participate on key committees such as Operational Risk, Country Risk and Vendor Risk committees, along with a reporting line to the Chief Legal Officer who serves on the Executive Management Committee. In addition, Baker’s role on the Corporate Incident Response team eliminates information gaps.

Even more, Baker is closely aligned with the company’s CISO. “IT security sets the [cybersecurity] policies and monitors for policy violations and when they find those, our team in Global Security steps in and conducts the forensics and the cyber investigations,” he says.

Baker and his team are required to formally present their security program annually to the State Street Board of Directors for approval. That approval provides support for the program's implementation. The Global Security function also provides significant support to the Legal team through litigation support activities and to the Compliance group through its assistance with due diligence and investigations that pertain to global money laundering laws; Foreign Corrupt Practices Act violations; and employee ethics infractions.

Baker and his team have worked hard to ensure that State Street Global Security is highly regarded by all of its stakeholders. The security team works closely with senior business executives through a process called “from inception to delivery.”

Global Security’s engagement in the business from inception to delivery ensures that State Street has solid enterprise risk management planning. “As soon as any part of the business wants to make an acquisition or introduce a new location or a business initiative, security becomes involved at the earliest stage to ensure that the process is protected. We always want to consider our clients, shareholders and our regulatory requirements,” Baker says.

The Global Security team also works to measure all aspects of their value and cost matrix. One initiative separated constant RFP costs, such as hourly contract officers and equipment costs from variable costs, including sick leave and vacation. By separating the items, that business unit is more able to predict expenses and budget across the enterprise.

A second initiative to improve security without increasing costs was the move from four leased office buildings to one bank-owned building. While the direct cost of security increased, Global Security documented that the indirect costs funded by the bank at the leased buildings met or exceeded the direct costs.

Global Security also conducts internal evaluations and surveys that result in security team members being highly regarded and valued. The key to success is ensuring prospective hires are a strong cultural fit with more of a business risk focus and less of an enforcement mentality, similar to what Baker says he experienced while working in law enforcement in college.

Second, continuous training is critical. “We have a large contingency of personnel around the world and each one of them, by requirements of the company, have to take training classes, whether it’s about anti-money laundering training or safety training,” Baker explains. “We collaborate with other business units to ensure that there’s a security piece embedded in each training to avoid over-training of employees. The goal is to ensure that employees report irregular or suspicious activity to us. Or, if they want to report to HR, ethics, compliance or another business unit, we ensure that message also reaches us in a timely manner.”

Overall, Baker wants people, especially State Street employees, to truly understand the critical role that Global Security plays. “We need to continue to recruit people and make it exciting to be in security,” he says. “For example, with our vendor management program, which includes our guard force, we go out of our way within those agreements and train those personnel about what’s happening in the organization as a whole. Often, that has been a stepping-stone for some contract employees to obtain a role within State Street. Three of my vice presidents are former security control center operators.”

Overall, Baker notes, “Global Security is way beyond guards, guns and gates. We are integrating ourselves within the business and adding value to each business function. For example, when State Street seeks a new data center, we put together a team to assess potential risks and help that business unit to avoid them. It is inception through delivery, over and over. When you provide a good security program, people can be more productive because they’re not worried about their safety while they’re working. That’s our mission each day.”

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.

Service reliability underpins every modern business. Without reliable services, organizations cannot build the trust required to keep their customers loyal or free up time to focus on product innovation and differentiation.