This insurance company is an 85-year-old private business (and the second-largest auto insurer in the United States), with more than 42,000 employees and 10 campuses around the U.S.

About five years ago, Todd Vigneault, Director of Safety and Security, became the first physical security leader hired into such a role at the company, but security and safety are certainly not an afterthought there. In fact, the insurance company built a robust, mature cybersecurity program and team years ago, and company leadership recognized the need for a robust, mature physical security program and team to follow.

Indeed, it was the existing chief information security officer (CISO) who recognized the need for, and championed the idea of, building a just-as-robust physical security program to focus specifically on safety, security and insider threat management.

Prior to Vigneault’s role, physical security was largely siloed and ran independently at each of the company’s locations. Within 10 regions, for example, the company had eight different contract security suppliers. “Operating separately was a damper on our progress,” Vigneault says. “We had a roadmap in mind, and we knew where we would like to end up. It’s important to have all the security staff operating like one big corporation.”

For example, a few of the company’s locations in close proximity to one another previously had separate contract suppliers and very little cross communication. Over time, as contracts have been consolidated, technology has been upgraded and communication procedures have been set in place. Now, security teams on the ground at locations can communicate, share intelligence and even share resources to make sure the whole organization is on the same page, Vigneault says.

“Company leadership is so supportive and recognizes the importance of what we are doing. And because they knew that the cyber team had walked this path several years ago prior to physical security, they had a model to see what could be done,” Vigneault says. “When you’re building a program, it’s a journey, and you don’t just pump out documents and tell people what to do. It’s important to have that roadmap and programmatically build it out to get there, while building trust and truly understanding the corporate culture and the critical areas of importance.”

Over the past five years, the physical security team has continued to grow, mature and evolve, all with the focus of being a business enabler for the greater organization. The physical security team reports to the CISO, who oversees both the physical and cybersecurity programs. Because of the way the team is structured, Vigneault says, the physical and cyber teams are truly integrated and work hand-in-hand on projects or processes that call for an all-hands-on-deck approach, such as investigations, responses to incidents, insider threats, etc. “Working as closely as we do with the cybersecurity side and really positioning ourselves as one department to manage risk — I think that helps the organization tremendously,” he says.


• Business Continuity and Resilience
• Crisis Management
• Insider Threats

Vigneault says that the security team’s focus is on an enterprise risk security model for the entire organization. The corporate security team is organized into four pillars: technical operations and security systems; security operational delivery; safety and administrative; and programs and initiatives.

With approximately 30 full-time security team employees and 200-plus partner-supplied boots on the ground managing day-to-day security tasks, the leadership team has been focused on increasing intelligence across the security team as well as the entire enterprise in a number of ways.

One of those ways, accelerated by COVID-19 and the majority of the company’s workforce shifting to a remote work policy, has been infusing new technology and leveraging existing technology into the business to gain more value from the data being collected, and also to be less dependent on contract suppliers. “The more we leverage some of that technology, the more it has enabled us to centralize some of our services,” Vigneault says.

The security team has focused on fewer total systems, a smaller total footprint and increased intelligence with its technology plans. For example, the organization moved to leverage its access control system and add additional modules to expand visitor management capabilities without the need for a separate system. In addition, Vigneault says that the team recently implemented enterprise-wide security management software, as well as a risk-intelligence platform across the enterprise that allows for centralized intelligence, access and visitor management. “Our intent is to have as few panes of glass as possible to get to events, incidents or risks,” he says.

In the near future, the cyber and physical security teams will centralize intelligence even further by merging their two security operations centers (SOCs). “We will be a joint SOC together, which will not only allow us to control and manage our operational costs more efficiently, but it will allow us to strengthen those partnerships, focus on threat management and really triage incidents in an efficient, streamlined way,” Vigneault says.

For Vigneault, who came from an earlier career in the U.S. Marines before entering into the world of corporate security, the support that the executive team gives to the security organization is a breath of fresh air. “The leadership team here really cares. I don’t know that I’ve ever seen this level of support from leadership,” Vigneault says. “They understand risk, they are willing to listen, and not only do they support security as a part of the organization, but they promote it too. They want to raise the importance of security, and I think that’s just amazing. It helps position us for success.”
