With a background in government, criminal justice, and physical security, Carla Gray, Director of Global Security, is a key part of the security function at Uber. Carla and her team have played integral roles in Uber’s success as a technology platform which continues to change how people move in more than 700 cities around the world.
Prior to joining Uber, Gray spent 3.5 years at Facebook as a Physical Security Operations Manager, securing Facebook’s headquarters in Menlo Park, Calif. and overseeing security planning for the company through its IPO. Before Facebook, she spent over six years in the U.S. Secret Service Uniformed Division, working at the White House, Secret Service Joint Operations Center, and on Presidential Protective Advance assignments. She is a graduate of York College with a B.S. in Criminal Justice, and a graduate of the Executive Leadership Program at the Naval Postgraduate School’s Center for Homeland Defense and Security.
At Uber, Gray is deeply involved in developing physical, technical and offline security infrastructure that helps enable safe and trusted connections between millions of riders, drivers and services in the Uber community. Gray’s current responsibilities include leading the company’s efforts in security operations, business continuity and crisis management, disaster response, executive protection, and threat management for Uber’s global footprint.
How do Gray and the Global Security team at Uber ensure world-class safety and security programs to protect Uber’s people, assets, and operations, and build resilient communities?
The Global Security Team
Since joining Uber in July 2015, Gray and the Global Security team have implemented various efforts to enhance the security and safety of Uber’s assets across the world. She has built and delivered a security model to support the business through unprecedented growth, especially as Uber has ventured into food and package delivery, couriers, freight transportation and electric bicycle and motorized scooter rental through a partnership with transportation company Lime.
According to Gray, the Global Security team’s mission is focused on data-driven, risk-based solutions that enable the business, using trust and integrity as a north star. “We have a team with a global footprint and a substantial mandate, requiring us to deliver innovative security and safety solutions that provide tangible results for the organization.”
The primary focus of the Global Security Team is to protect its people. “Our security operations teams manage the day-to-day incidents and the security challenges that we face. The focus of our threat management team is on understanding threats – real or potential – to our people and the business,” explains Gray.
Helping these teams are the Executive Protection team, and the Business Continuity and Crisis Management teams that fall under an umbrella Uber calls “Resilience and Partnerships.” Gray adds, “We’ve invested in public-private partnerships and examined ways that we can engage the public sector and use our technology and capabilities to work together to help make our communities safer.”
Under the Trust and Security umbrella at Uber, all of these teams collaborate with the Global Investigations team, the Security Engineering team, and the Law Enforcement Operations team.
Externally, the team engages with the National Emergency Managers Association (NEMA) and the Federal Emergency Management Agency (FEMA) to understand how Uber can assist in crises and emergencies with its resources, capabilities and technologies, as well as understand the public safety needs of local communities.
Uber’s Global Security Center (GSC) is also a key part of the Uber Security function. Located in Washington, D.C., its mission is to enable real-time response and situational awareness across security teams, provide 24/7, 365-day monitoring of sites, and act as a resource for all employees.
“Being a part of addressing safety, security and health concerns, especially during the pandemic, when these issues are front-and-center, is important work,” Gray says. “It’s incredibly rewarding to see the impact of our work and how it’s helping make a difference not only in our communities, but for our employees as well.”
Security as a Competitive Advantage
A focus over the past year for the security team has been to find opportunities where the Global Security team’s capabilities and skill sets align with key business objectives and create opportunities to stretch outside of the traditional security lane to drive the business forward. “When we talk about enabling security as a competitive advantage, it’s really about understanding what the business priorities are and how we can leverage our security skill sets to align with those priorities and help move them forward.”
Micro-Mobility and Asset Recovery
Head of Security Engagement Charles Burns, formerly the Head of Security for New Mobility, notes a key aspect of driving security as a competitive advantage was the creation of a micro-mobility and asset recovery team.
“We started from scratch. We learned about the business and how to partner with all of our cross-functional stakeholders,” Burns explains. “We developed a strong micro-mobility security team to combat asset theft and minimize any operations that impacted the bikes and scooter business.”
As background, Burns says, preventing theft or damage of the bikes and scooter fleets is important for any micro-mobility business, and that requires a proactive approach to address theft and vandalism. “We worked closely with government partners and created a loss prevention and asset recovery team from scratch to help get stolen assets back in our hands. No one else in the industry was doing this, so we had to figure it out ourselves and scale quickly but, as a result, we recovered more than $2.5 million worth of assets to minimize business interruptions,” Burns says. “This is a great example of how our work to protect and recover those assets really enabled the business to operate and flourish.” Uber recently sold the Jump business, the electric scooter and bike sharing service, to transportation company Lime.
A Rideshare Playbook
“Uber was one of the first companies to be in ridesharing,” says Gray. “Envisioning what the blueprint of security entails for a ridesharing company was like blazing our own trail. There isn’t a playbook on how to do it. We have the challenge of operating on a global scale, but we also consider ourselves as a hyper-local company that's serving each local community that we operate in, which is a challenge. However, if we get it right, it can be an asset and an opportunity for us to innovate within the security community.”
To enable the team to make smart security decisions, the Global Security team has developed a unique operating model to align to their goal of building globally and living locally. They have created metrics and rhythm for reporting to be in control of executing locally against Uber’s global strategy. They’ve also created a task force and cohort model to bring individuals from different teams together to solve problems quickly and learn from each other.
Gray and the Global Security team’s first step was to consider traditional and basic security metrics or key performance indicators (KPI), including the number of incidents and tracking service-level agreements (SLA). Over the past year, the global security team worked to translate those security metrics into actual business metrics, Gray explains. “As we work towards that, when we talk about the impact of our work outside the security organization, we ensure we frame the conversation around benchmarks that resonate with our business leaders, such as gross revenue, top and bottom line value, etc.”
Because Uber has a global footprint, the company is uniquely positioned to have enriched datasets and think about new ways of leveraging data to create business insights. “As a team, we are doing exemplary work of measuring our impact in terms of our objectives and execution. We are also focused on the next level of leveraging that data for really interesting insights for the business and finding different sources of data that we can analyze with our security metrics to create greater insights.”
The team bases its data-driven approach on assessing and addressing risk, Gray says. “We need to understand what the risk is and how far we need to mitigate it, so we take responsibility for ensuring the business is cognizant of security risks and use our insights and expertise to support high quality decision making.” The team likens this approach of collecting and analyzing data to sabermetrics. As originally defined by Bill James, who coined the term in 1980, sabermetrics is “the search for objective knowledge about baseball.” Researchers often use statistical analysis to question traditional measures of baseball evaluation such as batting average and pitcher wins.
“Sabermetrics takes vast amounts of baseball data and statistics, turning it into a resource for optimizing teams and strategizing game to game,” Gibson explains. “Though the team does not directly apply the sabermetrics approach, we want the core of our decision making and how we optimize our resources to be data-driven. So we’ve strengthened that commitment by investing in our own custom internal data warehouse that we can use to collect, store, and analyze not only our own data, but also link it to other parts of the organization to inform our operations and inform business decisions more directly.”
The team has built its own data warehouse to collect data and use it to inform strategic decision-making and gain operational insights. They also package and export their own data analysis to business partners to help them make risk-informed decisions in the marketplace.
In turn, this, Gibson says, helps them integrate better with business partners and business datasets as well. “Rather than being the siloed security organization that makes risk recommendations or answers the call when needed and goes away, we're more integrated partners that anticipate and adapt quickly to changing business needs and priorities.”
The team hopes to continue to expand its risk-based, data-driven approach not only to inform strategic decision-making and gain operational insights, but also to make the communities they operate in safer and more resilient to some of the crises and disasters experienced just in 2020. “Our data-driven approach is definitely the vision for the future of ensuring our security solutions have an impact to change the world for the better,” he says.
Another key aspect of enabling security as a competitive advantage has been leveraging public-private partnerships to build community resilience. Scott Gibson, Senior Manager of Strategy and Planning for Global Security, says Uber has made it a priority of their social impact role to be active in disaster response and disaster recovery. “We’ve taken that to heart. We’ve taken ownership and evaluated how global security plays a role in supporting community resilience.”
“We’ve tried to take a more proactive approach by building relationships and starting conversations with federal, state and local partners to better understand how we can develop more innovative solutions and collaborate through planning, response and recovery,” Gibson explains. “We've built relationships with FEMA at the national level and are engaging states at scale through organizations like NEMA and the Central United States Earthquake Consortium (CUSEC).”
The team is looking to deepen these partnerships through responsible information sharing to benefit public safety. “We are evaluating how we can develop innovative solutions to inform shared best practices and operational integration with our state and federal partners,” Gibson adds.
In the future, Gibson notes, “We want to demonstrate what proactive, innovative, and responsible public-private partnerships can look like. We want to lead by coming together with our partners to co-plan and share information to benefit from each other’s resources and to identify the right roles and responsibilities.”
The Global Security Team has also been leveraging technology to maximize the efficiency, scale and quality of the security services Uber delivers. The team, especially during the pandemic, has stepped up to the plate and delivered, Gray says.
“We have learned that the skill sets and frameworks that the Global Security Team uses day-in and day-out to respond to crises and incidents are applicable to multiple scenarios that might be considered non-traditional security issues, such as the pandemic,” Gray says. “We made the best use of the technology that we have and harnessed its capabilities to execute our emergency response plan. We started out with the basics: How do we shut down our offices? How do we guarantee that only people that are authorized should be in there? How do we monitor sites that no longer have anyone there?”
Going forward, Gray notes, the strategy continues to evolve as we think about how to return to the office safely. To oversee this project, a cross-functional group is leveraging a mobile application that allows employees to check their health on a daily basis and tells managers if employees are coming in to work to manage the capacity of those returning to the office over time.
Other plans in the works include an exciting project within the GSC. “We’re looking at how to maximize all of our current tools and systems to reduce the noise and bring them into what we call a ‘single pane of glass,’” Gray says. The idea is to have a single interface to simplify what Uber analysts are asked to do in the GSC and at the four Regional Security Centers, to better understand the information that they need to get their jobs done. “The goal is to empower those analysts to be decision makers, so they have the right context within each scenario to make quick and effective decisions,” Gray adds.
To determine what information delivers the highest impact and what noise needs to be filtered out, Gray says the security team is considering machine learning and artificial intelligence capabilities. “The investments we’re making in automation to support data collection, analysis, and incident response are beginning to pay dividends but we’re just scratching the surface. Getting to a point where rather than doing data entry during incidents to capture incident data, we can have a system that simultaneously tracks and records important details – such as timestamps, location, type of incident, and the people involved – as the analyst responds to an incident.” Having a system that registers this crucial information is helping create richer datasets that they can then leverage, Gray says.
To keep up with business growth, Gray and the security team have also undertaken a major project of updating cameras and access control systems. The project was introduced in Latin America and is now set to expand globally. This cross-functional project aims to bring all camera systems into one cloud platform to prevent switching between different systems to view video. Now, cameras and access control outages are linked to a call center to reduce downtime and increase response.
The goal with every project the Uber Global Security team undertakes is to protect our people, assets, and operations, and to make communities more resilient, Gray notes. “Security is becoming a human and a personal issue more and more in today's world, and people value their safety and their security. They’re going to expect more out of their employers, out of their brands, and the companies that they choose to affiliate with. Both trust and security are going to be critical components of a business’s success and impact. For us, this presents an opportunity to really deliver value to become a differentiator for the organization if we do our job well.”