2012 Security 500 Leader Profiles
Captain Larry K. Atteberry Manager, Global Protective Services
Emerging at Emergent
“Our team of protective services officers, including a few with designated police authority, is part of a propriety security organization housed within our company dedicated to protecting those who protect life. This tells our employees that their work environment is the safest place they will be all day,” says Larry Atteberry, manager of Global Protective Services at Emergent BioSolutions. A former law enforcement veteran, he works closely with all of the company’s business units to address risks to his company’s global workforce and physical assets.
Through global security operations coordinated by the Senior Director of Global Protective Services, Atteberry’s team provides 24/7/365 support to the company through video surveillance and access control; GPS tracking of their supply chain; and real-time monitoring of weather and natural disasters, including tornados, snow storms, fires and earthquakes. Emergent BioSolutions invests aggressively in education and has successfully hired and retained an outstanding security team.
At the core of Emergent’s security strategy is a strong focus on risk management. The identified risks to the business are compliance, business resilience and incident management. “Protecting life and enabling an innovative approach to business by creating a safe and secure environment for people to do their jobs is our number one goal,” explains Atteberry. That strategy is executed through a global security standardization program throughout the company.
“By standardizing procedures at all our facilities we reduce risk and liability by having the right people in place to respond the right way,” notes Atteberry. “We invest heavily in compliance including FDA, SOX, EPA and other regulations. Being compliant enables the company to function.”
“We work with the leadership at each location to standardize our processes and identify and assess common and unique risks. By identifying gaps we also identify the key people we need at each site, along with ensuring proper training on job duties and the reporting of information. Standardization also includes our technology, so personnel can understand and utilize the technology at any site without additional training time. That adds to our resilience.”
The security process has become embedded in the company’s business processes. By having the site audits and risk assessments integrated into the business facility plans, the protective services team is able to identify risks and mitigate them quickly. “Our assessments help enable business to be more efficient and save money by reducing risk, which translates into lower insurance premiums,” says Atteberry.
The company is heavily focused on financial contributions and incident management as key value metrics for security. “The external audits by regulatory bodies or the insurers are one measure of value. Networking with law enforcement and DHS for assessments is another measure. Getting an exact value is complicated, but we are able to meet our company’s goals and expectations,” says Atteberry.
“Our Senior Director expects us to ensure compliance through audits and collaboration and to identify and reduce risks effectively, which, in turn enables the business to run smoothly,” explains Atteberry. “Our security and business continuity programs should enable us to respond to any situation effectively to support our people, facilities and business operations.”
While ESBI’s upper management has a clear view of Protective Service and its contribution to the company, Atteberry notes that some CEOs are still getting their arms around security’s value to their organization. “This is also a very specialized profession with unique expertise. By being open minded, asking questions and listening they can get a strong perspective on risk management and security best practices,” shares Atteberry.
Atteberry most enjoys the talented people he works with at Emergent who have an appreciation for the security team and who respect the value it brings to the business and their safety. “The work is very interesting. It is a rewarding role to be proactive on risk and then reactive to an incident. I like the opportunity to look at ‘what-ifs,’ evaluate risk and then take action. It’s also great to see security being thought about at the executive level to help mitigate risks to the company.”
Outside of work, Atteberry is an avid outdoorsman and martial arts enthusiast, who enjoys hunting, marksmanship, weapons training and camping. A third generation, retired law enforcement professional, he has three children.
If Atteberry were not a CSO, he says that he would own an executive protection or investigations company.
Security Scorecard
• Revenue/Budget: $273,000,000
• Security Budget: $3,500,000
• Critical Issues:
- Enhancement of Physical Security
- Enhancement of Global Security
- Enhancement of Cyber Security
Security Mission
• Asset Protection/Loss Prevention
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Ronald J. Boyd, Chief of Police Port of Los Angeles
Economic Impact
Ronald J. Boydis Chief of the Los Angeles Port Police Department, one of the few police forces in the U.S. dedicated exclusively to maritime activities. The Port Police is a municipal port authority law enforcement agency with public safety responsibility for the Port of Los Angeles.
The Port of Los Angeles is America’s busiest containerized cargo port. The Port complex spans more than 7,500 acres, with 43 linear miles of waterfront. The Port generates more than $240 billion towards the U.S. economy. Combined with its sister port, the Port of Long Beach, this complex is primarily responsible for handling about 45 percent of the nation’s goods. The Port of Los Angeles is attractive to foreign trade partners because of its proximity, transit times, transportation efficiency and security measures. In addition to attractive transit times, generally stable weather and an efficient transportation infrastructure, the added confidence of having shipped goods move reliably through a secure supply chain is attractive to shippers. Efficiency is a key principle to controlling costs.
Port leadership expects Boyd’s team to be as technically efficient, legally responsive and fiscally conservative as possible in these economic times to give full value to the community it serves.
Toward that goal, the security program’s focus is on targeted critical issues, including:
• Public Safety
• Infrastructure Protection
• Emergency Management/Disaster Recovery
• Technology Implementation
• Staff Development
“Every CEO should understand that the security workforce role should not be overlooked or underestimated, given today’s societal challenges. A well-trained and prepared security team pays in great dividends when considering the risk benefit. Feeling secure has a positive effect upon public confidence, which in turn, affects consumer confidence in spending,” notes Boyd.
“Employee safety and security of the general workplace for all employees is a focal point in all of our operations,” he adds. “This includes ensuring that employees are kept current on safety challenges and safety practices in the workplace, whether in the office or in the community.”
The result of excellent risk and security management is that it drives business. “If you consider the primary focus of many first responder agencies, the Port’s investment in security and active marketing of its security measures has yielded a supplemental benefit of attracting trade to the San Pedro Bay port complex,” he says.
Many external issues can have a profound effect on sound public safety and risk management models. For instance, a prominent filmmaker recently committed suicide by jumping from the Vincent Thomas Bridge at the Port of Los Angeles. The bridge is outside Boyd’s office window and his dive team recovered the body. It was a busy day at the Port and the event was very public. “The impact on the victim’s family and friends is very sad and my heart goes out to them,” Boyd notes. “There was also an impact to the local community, including people who witnessed the suicide. This tragedy was most likely triggered by some other problem that is not related to the Port. But an unpredicted problem is copycat attempts. Within the same week at least two other similar attempts were reported to law enforcement.”
Keeping current with world events also needs to be on the checklist of a competent chief security officer or public safety official. There seems to be common themes related to many of the tragic events happening today. Events that happened in Aurora, Colorado or in Wisconsin, or even in other parts of the world, is evidence of negative reactions to many problems in society. These reactions, if not violent in themselves, often spur acts of violence or unrest, which impacts our sense of security. “We need to equip those we work alongside by giving them tools to help manage in these difficult situations, because they will need those tools as they go out to serve and protect others,” he says. This should also be a consideration when identifying, selecting and training new hires who will need hit the ground running to cope with today’s security and risk challenges.
Chief Boyd enjoys making a visible contribution to the national economic picture and to the effectiveness of our overall national homeland security picture through his role.
His success is the result of being dependable and being at the right place at the right time. Working as a security officer at Universal Studios in college led to an interview with Ray Charles, where he worked as his personal valet. After five years he took the advice of a police sergeant and joined the Port Police. His career advanced quickly due to his interest in developing personal skills and being a subject matter expert in his profession. When not working, he enjoys activities related to boating (naturally), fishing (kind of goes with boating) and flying general aviation aircraft (preferably rotorcraft).
Boyd is an avid reader of the Bible, so if he were not a CSO he would be a full-time minister.
Security Scorecard
• Revenue/Budget: $991,000,000
• Security Budget: $58,500,000
• Critical Issues:
– Counterterrorism/Crime Prevention
– Supply Chain Security/Infrastructure
– Emergency Management/Disaster Recovery/Crisis Management
Security Mission
• Asset Protection/Loss Prevention
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Russell J. Cancilla, Vice President & Chief Security Officer Health, Safety, Environment & Security, Baker Hughes Incorporated
The Business Leader
“I would arguethat as a CSO, if we haven’t convinced the CEO that he could not successfully run his/her company without security support, we have not done our jobs,” begins Russ Cancilla, Vice President and Chief Security Officer for Baker Hughes Incorporated.
Baker Hughes is a global oilfield service company that has $19.83 billion in annual revenues and more than 58,000 employees operating in more than 80 countries with nearly 1,500 facilities. Security and crisis management fall under the remit of the Vice President & Chief Security Officer and the department is named the Enterprise Security & Crisis Management Team (ESCM).
“Security is competing for resources as organizations reduce general and administrative allocations. Business leaders are using a more rigorous process, looking for the cost/benefit value not just the risk/reward scenarios and want to talk to a business-minded person – not merely a security person. It is the CSO’s responsibility to break the mold and communicate the business case,” explains Cancilla.
Oilfield services is a high technology business that has similarities with NASA. “NASA technology goes up, into outer space. Our technology goes deep into the core of the earth. Both are out of reach and depend on technology to work. We spend roughly $500 million annually on technology, research and development and we have to protect the investment,” he says.
As a result, Cancilla is most focused on the critical risks generated by geopolitical instability, industrial and state sponsored espionage targeting Baker Hughes’ intellectual property. The business also must be protected from cyber terrorism, theft, corruption and fraud. “The industry is seeing an increase in IP theft attempts and loss. We have strong programs in place, invest in our technology and have sophisticated, special procedures in place when it comes to handling and shipping equipment to protect our IP and demonstrate a duty of care to our stakeholders,” notes Cancilla.
Second, his organization is focused on the execution of the programs that protect the company’s people, assets/critical infrastructure and investments.
Cancilla has a simple mantra: “We proactively stay aligned with the business and explain that enterprise security does not manage risks for them, but that we help them manage those risks. We ask the business unit presidents to ask: ‘What risks do we need to manage with this money?’ If we can start with that business question, then we succeed,” he shares.
By restructuring from the traditional security programs to a more risk-based, business-aligned approach, his team has been able to contribute to business growth and profit by setting targets for assessing and managing risks versus simply responding to incidents.
“Perhaps to the surprise of most security professionals, the biggest contribution to our organization’s success is not a security feature, per se. Instead, there are two areas that have resulted in major contributions: a) security becoming a respected business partner and b) our positive impact on profitability and identification of emerging markets,” he says.
“We have metrics in place that range from cost of security as a percent of revenue and cost per employee to the amount of proactive vs. response time the team spends,” he explains. “In less empirical terms, we measure the value of security spending in how satisfied management and the workforce are with our performance. Our ESCM leadership team constantly asks the global leadership of the company for satisfaction checks on security support and performance.”
These programs enable security to meet the board’s high expectations, which are to operate with the utmost integrity and to protect the assets and security exposures that the company confronts. These programs are expected to be aligned with the business and for those involved to understand the operations and financial aspects of running the business, including revenue generation, improvement of margins and the impact of Security’s costs to the bottom line.
It is important for CSOs and their teams to be considered business professionals who are experts in security. Once CEOs and other decision makers make that mental transition away from seeing the security team as a “necessary cost” or a group that merely provides security for their facilities and people, to a team that enables the profitability of the company, the proverbial “seat at the table” becomes more permanent.
Cancilla most enjoys being a business leader who happens to manage security and having an impact on the company’s overall performance by working directly with the CEO as a member of the Senior Executive Team. Cancilla has been married for 40 years. He has two sons and enjoys spending time with his grandchildren when not golfing, riding motorcycles or cooking.
If Cancilla were not a CSO, he says he would work as a management and security consultant focused on transitioning poorly performing functions and activities into more successful organizations.
Security Scorecard
• Revenue/Budget: $20,000,000,000
• Security Budget: $17,000,000
• Critical Issues:
– IP Security
– Global Issues, such as the Arab Spring
– Competition for Resources to Run Security Programs
Security Mission
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Geopolitical Intelligence & Corporate Espionage
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Jeff Chisholm, Director of Enterprise Security & Preparedness, Deere & Company
Nothing Runs Like a Deere
“Recruiting and retainingthe right security personnel and having those individuals in the right locations are important to being prepared to deal with any level of crisis. Good people are the best trump card against bad situations,” says Jeff Chisholm, Director of Enterprise Security & Preparedness for Deere & Company.
“Our security people have to learn to fill a variety of roles throughout the organization,” Chisholm explains. “One of the first people visitors meet when they enter a John Deere site is security representatives. It is important that security is an ambassador to our brand and have a professional outward presence.”
As Director of Enterprise Security & Preparedness, his responsibilities include managing global security operations, strategic security planning and emergency preparedness. Chisholm is also the chairman of the company’s Corporate Incident Support Team and a member of the Compliance Committee chartered under the Center for Global Business Conduct.
At John Deere the focus on risk is to identify the potential, be best prepared to prevent an issue and ensure that the right personnel are in place to respond if necessary. “Commitment to developing the proper processes and posturing the right personnel to risk and security related incidents are key,” explains Chisholm.
As a result of this “right personnel” strategy, Chisholm is proud that some employees who began their careers in security with John Deere have moved to other functions within the company. “We have had staff members move to roles in marketing, supply management and IT. Bringing high caliber personnel into security, being dedicated to their development and then committing to allow them opportunities to grow within the organization has benefits,” he notes. “We are spending much more time with our management group and the HR staff developing career paths for security personnel so that we have a well-rounded talent pool for key security roles. Nurturing and retention of our high-potential candidates are important for success.”
Through its evolving security strategies and concentration on preparation for risk, the security at John Deere has its goals firmly fixed on the business. “As a leader, my main focus is aligned to those of the company’s objectives, which are to aspire at the midpoint of the cycle to achieve enterprise net sales of at least $50 billion (USD) and asset turns of 2.5 times by 2018, and to deliver operating margins of no less than 12 percent by 2014. These are impressive numbers and will require our security organization to optimize our effectiveness to support the growth of the company,” says Chisholm.
Security has provided support to John Deere as the company has grown its global business. For instance, he says, “We decided upon a global platform for access control. One system was deployed globally and the implementation of that project continues to be successful as we expand. What has emerged is a number of other uses for what was originally an access control system. At certain locations, the system is also being utilized for time and attendance processes which have created savings for the company,” explains Chisholm.
Measuring the value of security is a challenge, “This is an intangible figure. We would like to think that value could be measured through gains in efficiency and the accomplishments of the organization. I have always been a proponent of metric-based decision making. Our security team has and continues to work diligently on establishing a dash-board of metrics that would assist us to adjust and grow with the company,” explains Chisholm.
John Deere’s management has high expectations for Chisholm and his team. “We must have the proper people and processes in place to support the growth of the business. As security practitioners, we at times have a tendency to be overly protective of the organization. Our security team needs to ensure that we balance the duty to protect our assets and at the same time, support innovative growth in the organization. This growth in itself creates a variety of risks. We constantly have to evaluate and readjust. We are expected to determine exactly where we need to be on the continuum,” he says.
“Every CEO should know what his or her security group is capable of in response to risks and, conversely, every CEO should know what his or her group is not prepared to handle,” says Chisholm.
Chisholm thoroughly enjoys his contribution to the company. “I have had opportunities to see and experience things that the majority of people will never see. The single thing that I have enjoyed most is that I have had the latitude to work with a group of conscientious security professionals who share the same values that I do. I have also had the opportunity to work for a company that exemplifies and is dedicated to do the right thing every time.”
When not working Chisholm enjoys spending time at his home in Illinois and vacationing in Florida. He is also very proud of his sons. “I started my career with law enforcement and I am proud that my sons chose that same calling,” he says.
If he had not made the transition to a security professional, law enforcement would have been Chisholm’s entire career.
Security Scorecard
• Revenue/Budget: $28,000,000,000
• Security Budget: $7,000,000
• Critical Issues:
– Personnel Recruitment
– Intellectual Property
– Fraud
Security Mission
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Risk Management
• Workforce/Executive/Personnel Protection
Mark Farrell, Chief Security Officer
The Ambassador
Several busy andeventful days had just concluded for Mark Farrell, CSO at Comcast Corporation. The Montgomery County Pennsylvania District Attorney’s Office had just released the news that a major fraud investigation had resulted in the arrest of six people, including the alleged ringleader, and that arrest warrants had been issued for 17 other individuals believed to have served as agents in a scam to provide unauthorized, discounted cable services to thousands of Comcast customers in exchange for a one-time cash payment.
“During an audit, Comcast had discovered some unusual promotional adjustments that raised concerns and one of the alleged agents unknowingly actually tried to solicit one of our employees who reported it to us,” says Farrell. “In conjunction with our internal investigation, we worked with the DA’s office and this turned out to be a great example of public/private cooperation to investigate, collect evidence and get to the bottom of the fraud.”
This is just one recent example of Comcast Security’s business-focused organization. “The company is decentralized, so we have different teams that report into my office. Comcast is one of the world’s leading media and technology companies, and we work to address the critical issues each of its businesses face through a consistent set of policies and processes,” explains Farrell.
Farrell and his team oversee systems to protect the company’s employees so they are able to do their jobs in a safe environment.
For example, Comcast recently acquired NBCUniversal, which owns and operates entertainment and news cable networks, the NBC and Telemundo broadcast networks, local television station groups, television production operations, a major motion picture company and theme parks. Farrell works closely with their security leadership to standardize policy, oversight and investigations and to align programs and move toward a single measurement tool, such as the use of an incident tracking program.
“Our critical issues are to protect people, assets and processes. The best way to accomplish that is through gap analysis to identify vulnerabilities and work our processes to eliminate gaps. This enables our employees to be secure and the business to successfully create and deliver products and services to our customers,” says Farrell. “We use a lot of metrics to show value, such as our investigations/tracking tool. It has been so successful that we now use it in other departments to help with benchmarking and gap analysis across the company.”
“Our value proposition is as an independent, reliable group that conducts quality investigations the company can depend upon. We uncover gaps and risks and assist to mitigate them. We create value by getting in front of risk,” he shares.
Examples of Security’s positive impact include travel and investigations. Security supports employee travel with experience and expertise in documentation, go/no go hotels and areas and cultural protocol. Similarly, investigations are centralized across the organization so similarities and patterns in losses are recognized and gaps can be addressed more quickly.
“Our two key metrics are the safety and security of our people and the identification and elimination of risks,” says Farrell. “Security is expected to be constantly and consistently available, so we are thoughtful regarding the processes we implement and that we assist senior management with unexpected issues.”
“Every CEO should insist that Security is integrated into every part of the business. Security is every employee’s responsibility, and our employee who reported the fraud scheme is an outstanding example of that,” he says.
Another example of cooperation and business alignment can be found in the lobby of the Comcast Center. Brian L. Roberts, Comcast Chairman and CEO, wanted the guests to receive the same welcome they would when walking into a four star hotel. Farrell’s can-do attitude kicked in and the Ambassador program was born. He recruited graduates with hospitality degrees and interests. In addition to their “uniforms” being suits from a leading clothier, they were trained in security, emergency preparedness and safety. The program is a great success for the brand and the bottom line (read ‘article name’ on securitymagazine.com for more details).
“Comcast is a dynamic and progressive company, which makes coming to work a great pleasure. I love the opportunity to solve problems in this highly ethical and respectful culture,” he says.
A father of three children and grandfather of three, he is an avid skier and boater. He also has a passion for home remodeling. Prior to joining Comcast in 2006, he worked at the Delaware North Companies for 15 years. Prior to his time at Delaware North, Farrell spent 18 years in law enforcement, including eight years with the United States Secret Service.
If Farrell were not a CSO, he would work with Habitat for Humanity building homes or assist senior citizens who are not able to fix their own homes.
Security Scorecard
• Revenue/Budget: $50,000,000,000
• Security Budget: $15,000,000
• Critical Issues:
- Internal and External Fraud
- Internet Fraud and Other IT Issues
- Moving from Decentralized to Centralized
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Corporate Security
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Workforce/Executive/Personnel Protection
Bryan Fort, Director, Corporate Security, McCormick & Company, Inc.
Spicing up Security
“Our industry justdeveloped out of nowhere, not part of any business discipline but rather as a adjunct to existing business functions. In another generation we will have a new group of security leaders steeped in the security profession, educated and certified specifically for this role versus law enforcement or military professionals who historically migrated over post retirement,” says Bryan Fort, CPP, Director, Corporate Security for McCormick & Company, Inc.
Fort has held the Director role for 120 days, after his predecessor, Bill Ramsey, retired after 24 years at McCormick. Ramsey wrote “Goal Based Security” which is trademarked by Security, McCormick & Company, Inc. “Our roadmap to move security forward is both a continuation of current programs and an evolution to new ones,” explains Fort.
Corporate security at the enterprise level is to protect and enable business for this $3.7 billion company that makes about half of all spices and flavorings worldwide and just opened its first retail store. “Certainly investigations, physical security and workforce protection are core elements of our mission. But the unique part of our role is the companion to food safety which is food defense,” shares Fort. “We have a robust supply chain security program.” Food safety is the unintentional contamination and food defense is intentional contamination of food ingredients or finished products.
Fort approaches risk and security from two vectors including compliance and being embedded in business processes. “We have invested in the Customs Trade Partnership against Terrorism (CTPAT), the Canadian Partners in Protection (PIP) and were recently authorized in the UK and anticipate being authorized in France to join the Authorized Economic Operators (AEO) in Europe programs. And we are regulated by the FDA and USDA,” says Fort. “This provides a benchmark audit that we are applying best practices and have a secure supply chain. By meeting these standards our customers know McCormick is compliant.”
The leaders at McCormick understand the value of engaging security early in their business processes to reduce risk. “We try to monetize and understand enterprise risk when we receive a security risk either to address vulnerability or investigate an event. Through this exercise, we are able to show security is a business enabler with a positive bottom line impact. We work to identify solutions that help the business succeed,” notes Fort.
Fort is active with the ASIS Food Defenseand Agriculture Security Council, and serves on the CSO Advisory Board of the CSO Roundtable,where peers are very helpful in discussing industry. “When a food related event occurs, the first question is whether its cause was food safety or food defense. Everyone in this sector must work collaboratively with the food safety side to reach the right conclusion and take appropriate action,” he says.
McCormick is highly proactive by extending their “Goal Based Security” program and supply chain best practices to their business partners through certification programs and business intelligence gathering. “An example is the recent Ivory Coast Presidential election. Our intel showed increased instability in the region as the election approached. We not only used that information to ensure workforce protection, but shared it with our partners, in this case spice buyers, to make commodity purchases while product was still available and prior to potential price increases,” explains Fort.
“The maturing of security means getting the right information to the right people at the right time to provide actionable information that adds value to the business. What information to send to whom and when are the critical challenges to focus on. We are building a proactive program to ensure successful outcomes as much as possible. We do not want to simply put band-aids on the wound of a one off security event, rather we need to elevate the business discussion of security risk to become part of the overall enterprise risk platform,” explains Fort.
To do so, Security is building a measurementprogram that will benchmark allsuppliers and McCormick’s own operating units. It will publish corporate security standards on both physical security and around programs, practices and training. The program will apply matrices to execute the program and an auditor will review them and the implementation of standards. “We will use third party penetration testing and publish a scorecard to address any areas that require strengthening,” explains Fort.
“Our CEO expects us to identify emergingrisks and protect the brand. Quality hasalways been the linchpin of our operationsand avoiding security risk is a critical way for us to sustain that,” shares Fort. Every CEO should understand risk, business continuity and security. As the next generation of business leaders evolves this will be a part of their education and they will have a stronger understanding of the function and its value.”
When not spicing up security at McCormick, Fort is an avid worldwide traveler. He also spends as much time as he can with his two-year old granddaughter, Suhaila.
If Fort were not a CSO, he would own and operate a fine cigar store where all the worlds problems would get solved.
Security Scorecard
• Revenue/Budget: $3,700,000,000
• Security Budget: $23,000,000
• Critical Issues:
– Global Expansion of the Enterprise
– The “Unknown Unknown”
– Corporate Security Growth Management
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Corporate Security
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Walt Fountain, Director, Enterprise Security
The Synchronizer
“On April 3rd,CNN showed footage of our tractor trailers being thrown through the air like toys during the tornadoes in Texas,” shares Walt Fountain, Director, Enterprise Security for Schneider International.
“Thanks to our resilience planning, that facility was back up and running within twelve hours and there were no injuries. You have to get out in front of risk and we were very pleased with our ability to be prepared, respond, and have the best outcome possible.”
Schneider National is a 75-year-old company and the largest truckload carrier in the U.S. with more than 17,000 associates, 10,000 tractors and 31,000 trailers (well, 30,999). “Schneider serves as one of the most powerful business-building tools in the industry to our customers, and security is integrated into that vision,” explains Fountain. “My role is to synchronize and coordinate risk assessment and security processes across the worldwide organization as efficiently as possible.”
As examples, Schneider’s physical security division reports into the CAO and Fountain works closely with the corporate security manager. Similarly, he works with the IS manager within the CIO’s office to address information security risk. In addition, he integrates with Human Resources on background checks, regulatory issues and drug testing.
“Supply chain management is such a vital part of a company’s ability to manage and grow their business,” says Fountain. “A great part of my job is to develop supply chain risk assessments and show our customers how to secure shipments and avoid high risk shipping profiles. Bigger shippers build a level of expertise, but smaller shippers have to depend on us for risk management.” In some cases, Schneider National provides end-to-end supply chain services, but for most customers, they manage a part of the customer’s supply chain. “That requires us to understand risk beyond our part and extend security to other parts of their supply chain.”
There are more than 700,000 registered carriers in the U.S., and like many businesses, Schneider National battles the notion that all shipping is a commodity, especially when it comes to risk and security. “Our customers get access to robust capacity with reduced risk and increased confidence in the process. We have worked with and given information to the sales team to differentiate our brand and address customer service, quality, safety, risk management and security’s value,” explains Fountain. Security uses a full suite of metrics to track its top and bottom line contribution. The information used by the sales team is fed from this extensive metrics program.
On the other side of the risk equation is knowing the customer. “Risk tolerance must be considered so we do not accept business from companies where the risk or customer request is not good business. The issues of theft, fraud or other illegal activity must be vetted to avoid being hired by a fraudulent customer,” says Fountain. Schneider National is self-insured and very careful about from whom it accepts business.
The security team also has a worldwide focus on the protection of their employees. “Workplace violence continues to be a growing concern for businesses. We brought a team together to explore the topic and address it. The outcome was to create an environment where our people felt comfortable using resources and seeking help. Our process is proactive by controlling the relationship with a colleague to discuss expectations and business issues internally,” explains Fountain.
Whether responding to flying trailers, customer shipments or workforce protection, Fountain focuses on creating a resilient organization that identifies and mitigates risks. A challenging area for all organizations is cyber security. “Our business runs on the back of information, so information integrity and availability is paramount to the successful delivery of our services. Our company was a pioneer in ‘in cab’ communication. And through redundancy and best practices we have prevented cyber events,” he shares.
“Our CEO expects us to be a business enabler and we have done that by tailoring our services to meet a specific customer segment that demands security,” says Fountain. Every CEO should expect security to be a business enabler that proactively focuses on business and not be just a defensive process and cost center.”
Fountain sums up the scope of his role by saying, “The best part of my job is going out and working with the customers. They understand that they have a risk issue, but they do not know how big those risks are or how to mitigate them. It is rewarding to help them find a solution that is positive for their business goals and increase the value of our company’s services.”
A marathon runner, Fountain served in Army intelligence for 24 years and joined Schneider National after retiring. Based in Green Bay, Wisc., he is a proud Packers shareholder who enjoys being home with his family.
Security Scorecard
• Revenue/Budget: $3,400,000,000
• Security Budget: Confidential
• Critical Issues:
- Supply Chain Security
- Workplace Violence
- Cyber Security
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Ed Goetz, Vice President, Corporate and Information Security Services, Exelon Corp.
Intelligence Driven
In March 2012,Exelon merged with Constellation Energy to become the nation’s largest competitive energy provider. The merger posed operational and transitional challenges for the integration of the two companies’ security groups. Ed Goetz, vice president, Corporate and Information Security Services at Exelon, was tasked with managing security for the new company.
Goetz’s Corporate and Information Security Services group is a converged cyber and physical security management organization with broad responsibility for preventing, detecting and responding to security incidents, regardless of the medium. The group is also responsible for assuring compliance with security-related regulations including NERC CIP, Sarbanes Oxley, the Chemical Facilities Anti-Terrorism Standards, Pipeline Security, and the Maritime Transportation Safety Act.
“Historically, security emphasis was placed on reactive investigations of localized security events,” Goetz says. “While these incidents still occur and must be addressed, the primary focus of corporate security has shifted to proactively identifying and mitigating national and potentially international threat vectors. The greatest threat to our company and customers is the Advanced Persistent Threat. So it is more important than ever, as a security leader, that I focus on the use of cutting edge technology and fostering relationships with governmental agencies and industry groups to mitigate threats to our critical infrastructures and national interests.”
To facilitate such a broad charge, the security organization is divided into four groups including:
• Client Services, which is composed of investigators/physical security specialists and guard force management.
• Compliance Services to ensure security controls adherence, compliance program management and audit support.
• Support Services is responsible for the 24/7/365 operations center, access management, business continuity and threat and intelligence analysis.
• Information Security Services for cyber, malware and vulnerability management as well as incident monitoring and response.
For Exelon, the security of the company requires regulatory compliance.
“This growing compliance issue continues to provide challenges to all lines of business,” Goetz says. “By uniting our security and compliance programs in a synergistic effort, we have been able to close the gap between our operational efforts to secure the enterprise and our ever-evolving need to maintain compliance with regulated security standards. This will help to reduce costs associated with potential regulatory fines and improve our compliance posture.”
Exelon’s C-Suite executives understand security risk and have dedicated the necessary resources to enable Ed and his team to achieve their goals.
“They expect us to provide exemplary service and have invested to ensure we have the necessary resources,” Goetz says. “With the resources available within our security program, we have the depth and breadth required to provide an intensive focus on security threat analysis, mitigation planning and execution. My team is expected to leave no investigative avenue unaddressed or preventative solution unexplored in an effort to protect Exelon from emerging and existing threats or comply with new and existing regulations.
“In this day and age, security is not optional; it is an essential component and fiduciary responsibility of the corporation. Innumerable laws, pending legislation and shareholder expectations have placed the responsibility for securing the critical infrastructure, assets, people and data of the corporation. Security is security; the only difference is what you are protecting: people, property or information.”
Goetz enjoys addressing the wide range of issues he encounters on a daily basis. The converged cyber and physical security structure ensures that each day is different.
“The security organization touches almost every facet of the Exelon enterprise in some form or fashion, resulting in an ever-changing list of challenges to overcome, often in unique and innovative ways,” he says. “Security is everyone’s responsibility. Everyone has a role in keeping our people, property and assets safe and secure. That is the reason behind our intelligence based model: to look over the horizon, to prepare and prevent. We do not want to react to events.”
Goetz says his past professional experiences prepared him well for his current role. After a highly decorated career at the FBI, Maryland State Police and Baltimore City Police, and a secondment with the CIA, he joined Constellation Energy in 2009. “I enjoyed my work in the government and consider it an honor to have served my country,” he says. “In my new role, I leverage the things I learned in my previous career; combine them with an understanding of the issues facing Exelon, in order to put in place a comprehensive risk mitigation approach to security.”
Married with three sons, Goetz is an avid mountain biker and student of European history, and enjoys reading and conversing in German.
Security Scorecard
• Revenue/Budget: $32,700,000,000
• Security Budget: More than $30 Million
• Critical Issues:
– Cyber Threats
– Regulatory Compliance
– Hiring Employees with Cyber Security Experience
Security Mission
• Asset Protection/Loss Prevention
• Brand Protection
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Drug and Alcohol Testing
• Emergency Management/Crisis Management
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Safeguarding Shareholder Value
• Workforce/Executive/Personnel Protection
Jeff Hauk, Chief Security Officer & Emergency Response Coordinator
The Big Freeze
“It was the big freeze in 2011, actually,” says Jeff Hauk, Chief Security Officer and Emergency Response Coordinator for The El Paso Water Utilities (EPWU). “It sent shock waves across the city about water being available and the resilience of the city water utility against all threats, including weather. Pipes on private property burst and homes and businesses flooded. The freeze froze wells and damaged pump stations and our infrastructure. The electric utility required rolling blackouts, which contributed to equipment failures and challenges for the El Paso Water Utilities to continue providing service.”
Thus, Hauk was hired to create a comprehensive enterprise risk plan for security and emergency preparedness at EPWU. “Currently, the ‘security’ function is in its infancy stage of development. I was hired on in April of this year to formally develop a master security and emergency preparedness plan and exercise schedule that would lead the future growth and development of the department,” explains Hauk.
The El Paso Water Utilities serves more than 800,000 people in the El Paso region with a constant 15-percent annual growth and forecast of more than 1.5 million residents by 2060.
As a result, Hauk’s scope of work is quite broad. “My goal is to present and gain approval of the security risk and emergency preparedness master plan. It includes the strategic consolidation of multiple approaches to security into one global unit. Core to this plan is the infusion of a formal Risk Management Initiative, which establishes a risk and compliance culture for our organization.”
“Like the weather, water utilities are rather unique,” says Hauk. “Unlike the electrical utilities, the water utilities’ security and preparedness measures are not federally regulated, nor do they have mandatory program requirements and standards to achieve and maintain. In reference to security and emergency preparedness, the guidelines provided by the industry are voluntary. I find it to be somewhat ironic since we can all live without electricity, but we cannot live without water.”
As a business leader in the organization, his main goal is to assist in providing uninterrupted service to EPWU customers, while maintaining the positive brand image of the organization. A utility must have clearly defined protective goals that will support, not impede, daily operations. “The challenge is to raise overall security and risk management without it becoming a barrier,” explains Hauk. Operationally, his initial focus has been the in depth evaluation of the facilities, planning and operations to assess the “as is” state of preparedness, primarily focusing on physical security and emergency response. Strategically, his focus is on program development, revising and creating policies and plans, maximizing current systems capabilities, planning for upgrades to technology and implementation of best industry practices and standards.
As a result, security’s business contribution is business efficiency and resilience. “Our primary role is to help enable our business units and plants to operate effectively, efficiently, and without significant interruption. The key to our success is as a business partner, responding in a way that the business units can understand,” shares Hauk. “Ultimately, it is the uninterrupted services we provide customers that will create measurable value.”
Beyond weather, cyber security is an area of focus. “We are starting to address it on the SCADA side of operations. I am working closely with the IT and Instrumentation and Controls groups to implement best practices and policies, when it comes to security of the systems. EPWU is also fortunate because the University of Texas-El Paso is home to the Regional Cyber and Energy Security (RCES) center. We have expertise from the department of energy, private industry and academia, locally,” says Hauk.
Hauk has joined an organization with both significant need and expectations from the C-suite and community. “They have a high level of confidence and understanding in security’s value and ability to support business goals,” he says. “Our Board, President and Executives all understand that an industry leading ‘security’ program will help prepare for, and addresses, the overall operational risks our organization faces.”
“Every CEO should expect their security organization to deliver value and provide subject matter expertise. They should understand focusing resources on establishing an industry leading security risk management program that will provide an exponential return,” explains Hauk.
While he is facing big challenges and higher expectations, Hauk truly enjoys this opportunity. “The best part of my job is collaborating with others to reach mutually beneficial solutions that support protective and operational efficiencies, as well as being tasked with the responsibility of building an industry leading security risk program. Most of all I enjoy the responsibility of creating and maintaining a safe and secure environment for others to work,” he says.
Outside of work, Hauk enjoys spending as much quality time with his wife and three boys. In addition to traveling and outdoor activities, they are avid Michigan State University and Detroit Lions football fans.
Security Scorecard
• Revenue/Budget: $276,042,000
• Security Budget: $567,712
• Critical Issues:
- Cyber Security
- Implementing New Technology and Best Practices
- Changing the Organizational Culture as it Relates to Implementing an Enterprise Security Risk Management Program
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Emergency Management/Crisis Management,
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Risk Management
• Workforce/Executive/Personnel Protection
Eric Levine, Vice President & Director, Corporate Security
Putting the Customer First
“Our structure isdriven by risk,” explains Eric Levine, Vice President and Director of Corporate Security for WellPoint. “If there is no risk then we are not involved. When we do identify risks or threats, we work to mitigate them.” Two years ago, security moved from being a shared service within operations to the General Counsel’s office due to the recognition of its importance and its international business role.
“Our primary goal was to get in front of issues and changing the reporting relationship was one of the best ways to help do that. Reporting to an executive level leader, especially our General Counsel who has a widespread understanding of risk and potential impact facing the industry and our organization enabled us to further advance our security initiatives. For example, in 2012 we further developed our International capabilities in the Corporate Situational Awareness and Response Center (CSARC) or command center, which now touches our business in so many ways beyond just security from travel support to potential business disruptions,” explains Levine.
Levine joined the company in 2008 and became the first global Head of Security with the office centralized including physical, technical, procedural and travel security and the CSARC. WellPoint is one of the largest health benefit companies in the United States, including well-known brands as Anthem Blue Cross Blue Shield, Anthem Life Insurance and Empire BlueCross BlueShield. “Our security organization is tightly aligned with our company mission to improve the lives of the people we serve and the health of our communities,” says Levine. And the security organization does so by applying WellPoint’s core values including continuous improvement, integrity and most of all, putting the customer first.
“We are currently a stable security organization moving toward being a mature organizational model,” he says. “We are hiring and placing experts in key positions to identify risk and be able to take action.” Today, his team gathers information and intelligence to identify risk issues and integrates them into the CSARC, which he describes as 70 percent fusion center and 30 percent command center. “For example, we work with NC4, a situational awareness information provider who proactively sends us information on events. We integrate that into CSARC to map events to where our people and our facilities are,” he explains.
The CSARC has assisted in solving a homicide and assisted in providing a safer work environment for associates and visitors. WellPoint’s recent physical security upgrade stopped trespassers at our facilities, eliminating both a risk and the cost of response. So the return is measurable and positive.
“A focus on security awareness is important, and we’re looking at security from all angles – workplace violence, travel security and crisis management,” Levine says. “This also includes communicating with our stakeholders about the risks we have identified and educating them on how to reduce risk and improve security,” says Levine. “Security must work across the organization to enable business units to succeed. There are many ways to address a security risk. The key is finding the right answer that helps the business and eliminates the threat.”
From an ROI perspective, the greatest value for WellPoint is an intangible. “First and foremost, people have peace of mind in a broad sense because security has gotten in front and prevented events from happening,” Levine says. “There is a clear, ‘Glad you are there’ perspective among our employees and visitors. Our recent internal survey showed that 95 percent felt safe and the 5 percent that answered ‘no’ were referring to areas outside of security’s control,” he shares.
“Our management expects us to deliver a reduction in risk across the work environment by security being embedded within business functions, thereby helping advance business goals. That is what makes this job great. WellPoint has the most collaborative and fantastic people. Building the business is rewarding, but the interaction with great people at WellPoint is what makes this job so very enjoyable.”
When not at work, Levine is an admitted Foodie who likes good restaurants. He is also a philatelist and greatly enjoys traveling with his family. Prior to joining the private sector, Levine was a special agent with the United States Department of State Bureau of Diplomatic Security and was also responsible for embassy security on long-term assignments in Tel Aviv, Israel and Kathmandu, Nepal. He is affiliated with the International Security Management Association (ISMA), the International Association of Chiefs of Police (IACP) and ASIS International.
If he were not the Head of Security, he says that would have become either an attorney or an architect.
Security Scorecard
• Revenue/Budget: $60,700,000,000
• Security Budget: Confidential
• Critical Issues:
– Violence in the workplace
– Identifying strategic risks and developing long term mitigation plans
– Establishing effective risk mitigation plans with shrinking budgets
Security Mission
• Asset Protection/Loss Prevention
• Corporate Security
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Technical Countermeasures
• Workforce/Executive/Personnel Protection
Joe McDonald, Chief Security Officer
The Networker
“If a badge holderbreaches any of our security policies, either purposely or accidently, access is removed and the person is never again granted badge access to our facility. Why? Because this is the level of security our customers require,” explains Joe McDonald, CSO at Switch.
Switch, based in Las Vegas, is a technology company comprised of data centers whose customers need to process data within a facility that has nearly infinite resiliency, capacity and security.
With responsibility for all aspects of security, which includes infrastructure, information, personnel and physical and additional oversight of Incident Management, McDonald meets customer demands. “Our industry requires a high degree of physical security as a key component to the resiliency efforts of its offering,” he explains. “Security in depth, paralleling concentric circles of physical security, measuring delay, and the value of detection and time to respond is common exercises of the department as are open source intelligence modeling for managing security and a seemingly constant string of audits testing for compliance and analytics of change.”
With the completion of the SuperNAP, a 100 megawatt data center, Switch now has the most powerful in the world. Security is a critical part of the company’s business, marketing, sales pitch and lifeblood. “Our data centers are our tangible assets, as well as Switch’s advanced patented methodologies to manage and operate the centers. Critical risk is a constant and set to evolving requirements of management. Risks are driven, pushed, and realized with increasing criticality and our paradigms shift accordingly. Everything from the protection of intellectual property, the threat to unpatched programs or newly introduced malware, potential environmental or weather event, utility service delivery issues and even the next person who walks into the mantrap – everything effects risk,” shares McDonald.
Perhaps every risk has been assessed at Switch starting with its location. “Las Vegas is void of natural disasters and has great resiliency. “Our command centers are redundant and are designed to withstand everything from a threat through an evolving event,” shares McDonald.
Switch has a total view on risk and resiliency and security is a part of that view. “Switch has considerable well thought-out and developed security protocols, which to some may seem offensive. My goal is to provide for this heightened level of security, without compromise, through layers of customer service that equates to unending vigilance and situational awareness,” he says.
“Switch identifies each prospective entrant, who then receives an hour orientation on our security policies and must ask permission to enter the facility. Some may find this level of security offensive, but our motto is vigilance through customer service. Our security team member is the first and last person our employee, customer or visitor will see each day. And we are old school, requiring officers to address everyone by name, sir or ma’am. We focus on excellent service and security. Our holistic approach has attracted customers and grown the business faster,” notes McDonald.
At the center of the security infrastructure is SECOM. “Though not my intention, security and Security Command became somewhat the face of the company,” he explains. What is common to us is obviously memorable to our guests. If you were to review articles about Switch, security is often the first part of the article, though not always accurate, it helps set us apart from other data centers.”
Switch has a simple report card for measuring security’s value, “Value is proven by no incidents, by providing constant vigilance, respond to incipit triggers thwarting real events and being ever present with consistent levels of skill, authority and leadership,” says McDonald. “And our CEO expects continued excellence, flexibility, creative proactive approaches, leadership, commitment and performance.”
An avid security professional and ASIS Board of Directors member, McDonald notes what every CEO should know about security with enthusiasm:
• Require your senior security professional to be certified.
• There is more risk to poor security than no security.
• Security requires commitment, involvement and continuous training.
• Without genuine executive backing, the cost of security doubles.
• Intelligence and threat analysis are vital operations within security.
• Cyber security needs to be as common as locks, doors, shredders and NDAs.
As a result, McDonald is in the perfect situation. “I enjoy my CEO; he is a genius with unbelievable talents who has built a phenomenal company.” A staunch networker and believer in certifications (he has three); he recognizes that security leaders need more knowledge than ever before to succeed. “Personal ethics and the ability to communicate to the C-Suite are vitally important for career success,” he shares.
If he were not a CSO, he suspects that he would probably be standing a post protecting something or advising others how to protect.
Security Scorecard
• Revenue/Budget: Confidential
• Security Budget: Confidential
• Critical Issues:
– New Requirements of FISMA
– New Construction
– Hiring
Security Mission
• Asset Protection/Loss Prevention
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Drug and Alcohol Testing
• Emergency Management/Crisis Management
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Workforce/Executive/Personnel Protection
Stephen Morrill, Executive Director, Corporate Security
Unique Risks
“Our strategic focusis on risk and resilience first and operational security to mitigate it, second,” shares Steve Morrill, Executive Director, Corporate Security at Charles River Labs. “Our work includes identifying which events are most likely to impact us and how to best eliminate vulnerabilities and be prepared to respond.” Charles River Labs and Morrill face the clear reality that people protest against their business, which includes the use of laboratory animals in science. “Our risk is somewhat unique because we have a defined opposition that enables us to gather intelligence, assess the risks and identify how to best mitigate them. Our company has no objection to legal protest, but we do object to illegal actions.”
Charles River Labs business provides tailored research models and laboratory animal support services, as well as preclinical and clinical support services, to help its global partners accelerate their research and drug development efforts. Its partners include all of the major pharmaceutical and biotechnology companies worldwide, as well as government research centers and leading hospital and academic institutions, requiring a high level of risk assessment for physical, logical and intellectual asset protection.
In addition to animal rights extremist criminal acts, the security organization focuses on cyber crime, workplace violence, employee-visitor misconduct and business continuity planning. Morrill and his six person team are responsible for the strategic planning and development of security initiatives including policy, goals and objectives, and training for the company’s 70 plus worldwide locations and 8,000 employees. Today the company has more than $1.14 billion in revenue and invests more than $12.5 million in its global security program.
Cyber security is shared with the CISO, who is directly responsible for the company’s global network. Morrill works with him to develop strategies that ensure the network and the company’s intellectual property are secure. “This is a constant issue, especially with animal activists seeking political recognition through hacking. Their goal is typically not monetary gain. Due to the nature of our business, the most important data we protect is customer data. We host critical intellectual property of our customers for their research programs,” says Morrill.
“Workplace violence continues to be a critical issue,” he adds. “We proactively employ web-based training programs and partner with local law enforcement to bring awareness and understanding to this issue. It is important people know they can seek help or that others speak up to help someone who is struggling before an event occurs.” The company has consistently received positive responses to their awareness and education programs from employees.
Business resilience has also been a strong focus for Morrill’s team. “We measure our success through customer satisfaction – our Business Continuity planning is consistently reviewed by our customers and must remain crisp to changes within the organization and market place. Having a global business certainly implies greater risk to weather, political unrest, natural disasters and business disruptions. As a result, we have worked to develop greater risk assessments and resilience planning to protect our employees, stakeholders and assets,” Morrill says. “In every aspect of our business, including risk and security, the goal of management is to apply our resources appropriately.”
The security program’s contribution is measured regularly. Morrill reports to the Executive Committee two to four times per year. Morrill and his team conduct annual audits of their sites and report their findings within the Executive Committee with recommendations for improvements. Security works with site and division management to execute against those plans. The expectation is that security is compliant with best practices within the industry. “Our goal is to be seen and not heard, unless necessary,” offers Morrill. “CEOs should understand that Security must remain a competent partner in the development of strategies that will not only keep employees and visitors safe and secure, but also compel customers to continue to expand their business commitment as we protect their image and brand,” he says.
Morrill has more than 40 years of security experience. He is a 1971 graduate of Bentley College with a BS degree in accounting. He is also a graduate of the FBI Academy in Quantico, Va. He enjoyed a 30-year career with the FBI and other leading private organizations.
Morrill and his wife Maureen enjoy golfing, sailing and dining out with friends. They have two adult sons, one working as a consultant in Washington, DC and the other in the Boston area. Morrill is involved as a member of the Board of a New England based charity – Cops For Kids With Cancer, which provides grants to families in need with children fighting cancer.
If he were not a CSO, he would be working within the private investigators world, interviewing and gathering evidence.
Security Scorecard
• Revenue/Budget: $1,140,000,000
• Security Budget: $12,500,000
• Critical Issues:
– Animal Rights Extremism
– Disaster Mitigation
– Cyber Security Threats
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Intellectual Property
• Investigations
• Physical Security/Facilities
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Dan Mullin, Senior Vice President of the Department of Investigations, Major League Baseball
For the Love of the Game
One of the uniquechallenges that Dan Mullin is presented with every day at Major League Baseball is to maximize public safety while maintaining a great fan experience.
“The most important thing is that our security be rigorous but invisible. Law enforcement is visible but security should be invisible,” says Mullin, who previously spent 23 years with the NYPD. “Baseball is entertainment and our role is to ensure that the fan experience is safe and secure without having to interact with us unless it is necessary.”
As Senior Vice President of the Department of Investigations, Mullin works with each of the 30 MLB teams, venues and their personnel to identify and mitigate risks that range from fan and player safety to preserving the integrity of the game. In addition to having on-site assets, MLB employs 11 full-time employees in Security and 19 in Investigations within the Office of the Commissioner. Security and Investigations both report to Executive Vice President John McHale Jr. It has a larger organization than most other sports leagues.
“The Mitchell Report recommended that baseball create a breakaway department for managing performance enhancing drugs and ethical issues. That changed our structure into two groups,” explains Mullin. “Security and Investigations are split.”
“With 162 games, plus the playoffs and other high-profile events like the All-Star Game, we require a significant staff to adhere to best practices and ensure strong risk management and security every day,” explains Mullin. The unique nature of Major League Baseball’s events requires risk assessments for their high-profile events. “The World Series is one example, but we also do assessments on the Yankee-Red Sox games. The number one risk assessed game is the All-Star Game,” says Mullin.
Unlike the World Series, the All-Star Game has a known location announced well in advance of the event and brings together the best and biggest stars in the league, hence its name, plus a VIP list. More than just the game, it is actually an All-Star Week. “There is a parade, concert and Hall of Fame event. As a result, we have a significant assessment and mitigation process,” Mullin says.
“Commissioner Selig is the most supportive boss for personnel, travel, training, technology and all resources we require to get the job done successfully,” Mullin says. The interaction and coordination with the teams and their stadiums are critical for success. Each team has its own apparatus and security operations. “The people at the team level are very capable and we rely on them because there are different environments and cultures. There are also different relationships with law enforcement and emergency management resources that require communication and flexibility. For example, the large, open area around the ballpark in Arlington, Texas offers a very different environment than Wrigley Field in Chicago. Therefore, we plan differently,” says Mullin.
Nothing is more interesting or exciting than being a part of the baseball’s international expansion. “International games are fun to do and I enjoy being a part of the team that is growing the business around the world. Obviously, it is very different culture and environment than any in the U.S. And the complexity grows when working with the venues and law enforcement teams in other countries,” explains Mullin.
In preparation for the 2004 season opening game between the New York Yankees and Tampa Bay, Mullin traveled to Tokyo six times for the event.
“As an example, local law enforcement in Tokyo is not as sensitive to terror threats as we are, because they have not had a 9/11 event. Another issue is emergency medical treatment and staffing. In Japan, ambulances are purely used for transportation, while in the U.S. an EMT will be treating the patient during that trip to the hospital. So we really needed to understand the local people and resources and support them to meet our requirements and mitigate risks.”
Day in and day out, Mullin’s role requires him to be involved different aspects of the game. “The league has a best practices program and each team has a fan code of conduct. Through education, training and preparation, we focus on continuous improvement,” notes Mullin. A key part of their feedback loop includes metrics. Mullin points to the new construction of ballparks as a benefit. “Most of the ballparks are new and they were designed with security in mind. We have incident command structures, cameras and emergency systems installed in the event they are needed. This makes the assessment and response planning easier.”
“CEOs and Commissioners should know that very little happens in any organization without security being involved,” he says. “And the more it is involved in identifying and mitigating risks, the more cost-effective and invisible it will remain.”
Mullin’s favorite aspect of his job is that he has an opportunity to work with talented people and teach security best practices to others that work in baseball. In addition to his duties at MLB, Mullin teaches at Syracuse University College of Law.
Security Scorecard
• Revenue/Budget: $7,200,000,000
• Security Budget: $7,134,000
• Critical Issues:
– Fan Safety/Crowd Control/Fan Code of Conduct
– Workforce/VIP Protection and Safety
– International Expansion
Security Mission
• Asset Protection/Loss Prevention
• Business Continuity
• Drug and Alcohol Testing
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Supply Chain/Vendor
• Workforce/Executive/Personnel Protection
Duane Ritter, Vice President, Corporate Security
The Multi-Tasker
“Last monthin Las Vegas, I hosted a conference for the CSOs of the largest multiple cable systems in the U.S. While our companies compete in many areas of the country, in certain areas we do not. We all face the same security threats. By sharing information and discussing how to eliminate vulnerabilities, all of our stakeholders benefit and are more secure,” shares Duane Ritter, Vice President, Corporate Security for Cox Enterprises, who contributes to both his company and the industry at large with great enthusiasm.
Cox Enterprises is a $15 billion dollar privately held diversified company that includes Cox Communications, the third-largest cable TV provider and one of the largest broadband communications companies in the U.S., Manheim, AutoTrader.com and Cox Media Group, an integrated broadcasting, publishing and digital media company.
“The security organization is structured to be the trusted advisor to our business units. Their goal and ours is the same; to create a safe and secure environment for employees, their important information and our infrastructure and facilities,” notes Ritter. Working across a diverse organization requires coordination. “We are currently consolidating disparate physical security systems. We have also taken on the challenge of standardizing our security practices across diverse organizations. But our greatest threat, like many other organizations, is cyber.”
Among other initiatives, the company is creating a comprehensive Cyber Crisis Management program. “We aligned it to our critical response program and it is based on data privacy breach notification requirements, and industry standards such as PCI DSS,” explains Ritter. The program has been well received and as a result, he will be briefing company leadership about the program.
Ritter and his team have also revamped their third party due diligence process for any organization or vendor that touches the company’s network or accesses non-public, sensitive business information. “We deliberately changed from an ad hoc to formal process with our business stakeholders. Our goal is to evaluate third-party risk to ensure their security controls are adequate during the duration of the contract. The question is simply, ‘Who are we doing business with and what is the relative risk the relationship poses to our organization?’ and by answering that question, we ensure adequate due diligence on our third-parties,” says Ritter.
Business resilience is another focus area at Cox. “Anticipating potential business interruptions and working to mitigate those threats from happening supports the business organizations to remain operational and reach their goals. Resilience and strategies and preparedness drills are critical for success. Accurate risk assessment and being prepared are the biggest contributions we can make to the organization and our people,” he shares.
Examples of the risk and security strategies include travel programs, mass notification and workforce protection. “During and after Katrina, employees were our top concern. We worked around the clock to contact them and ensure their safety. Since then, we’ve improved our technology and emergency systems, so we can support our employees at an even higher level in the event of a business disruption. We have a 24 hour watch center capable of supporting all of our employees worldwide,” explains Ritter.
“Our leadership expects us to provide professional and consistent security to the business owners we serve. The Security Department has a role in recognizing risk, understanding the effects it has on the business and identifying the means to mitigate it. Collaboration among departments and the diverse business units we support is key to our success as well as emphasis we place on mutual respect. Cox expects us to have a broad range of quality services that support the corporation in addition to providing resolution to issues and/or incidents that enable business growth.”
Ritter notes how the entire security field has changed from a law enforcement response mentality to a business risk and prevention expectation and expertise. “This is no longer seen as a post retirement job after a law enforcement career. The change to corporate security can be a challenge for many with career government and/or law enforcement backgrounds. The entire security field has changed, requiring different types of education, maturity and leadership skills.”
Ritter enjoys the variety he experiences in his job. “There are so many fields to work in, from IT forensics to physical security to complex investigations and threat assessments. This is an exciting profession because there is always something different coming in the door. This is a job where if you expect to be successful you should check your ego at the door, communicate, interact and solve problems.” Having amassed a lot of experience and expertise, he is motivated by the very talented, young people in his department who have chosen security as a profession.
When not at work, Duane likes to spend time with family and friends. Originally from Nebraska, he likes hunting, the outdoors and of course Cornhusker football.
If Ritter were not a CSO, then he would have pursued a career in law.
Security Scorecard
• Revenue/Budget: $ 15,000,000,000
• Security Budget: Confidential
• Critical Issues:
– Cyber Threats
– Consolidation of Disparate Physical Security Systems
– Emergency/Crisis Management Preparedness
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Business Continuity
• Corporate Security
• Cyber Security/IT Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Risk Management
• Workforce/Executive/Personnel Protection
Alan Robinson, Director, Protection, Security Service, Emergency Management
The Protector
“All the greatestplans and ideas in the world do not matter if you do not have a well-prepared team in place to identify risks, respond to events and have the right attitude toward helping others. We have that great team and that is the key to our security program’s success,” says Alan Robinson, Director, Protection, Security Service, Emergency Management for Atlantic Health System.
With more than nine million square feet of physical plant and campuses spread across New Jersey at four major acute facilities and other sub-acute locations, (including a rehabilitation center used by the New York Jets football team), the challenges are many. His team includes more than 100 security officers, investigators, fire safety, emergency management and contract law enforcement officers. “We build ten foot fences and then they give us twelve foot problems,” says Robinson.
He considers all hazards from the high volumes of visitors to weather to terror. “Our challenges can be simplified into words like brand or compliance, but protecting the brand and being compliant require an aggressive level of training and preparedness to identify and eliminate risks as much as possible as well as to respond to events effectively when they do occur,” says Robinson.
“We are in a very fluid and unpredictable environment that moves at a high speed. We prepare for enterprise risk management and security through training. We constantly look at what we do well and what we do not do so well. Second, we study other hospitals in the U.S. to learn about their best practices and adopt what works. Third, we prepare for every contingency from power outages to active shooters,” explains Robinson.
Workplace violence is rampant in the healthcare profession and at the top of his critical issues list. “The numbers say it all. Seventy percent of the workers in this industry are female and the number one cause of death for females at work is homicide. “I start every day with these statistics. We treat workplace violence the same way the hospital treats infections; they have to be controlled and eliminated. We look hard at the metrics,” says Robinson. Atlantic Health’s workplace violence incidents are equal to the national average in healthcare as they face the same issues with patient interaction as other facilities.
Their success is in two key areas. Through training on self defense, self escape, protecting oneself and avoiding harm, they have reduced the impact of those incidents on high-risk staff e.g., nurses, behavioral health and developmental disabilities. Therefore, they do not have a meaningful percentage of employees on workers compensation or on sick leave as a result of workplace violence. Second, employee surveys, including whether they feel safe and secure at work, are consistently positive.
“By training and preparing our employees for the risk of workplace violence, they feel empowered and secure in the workplace. We also have a significant program supporting them from closed circuit television cameras, panic alarms and facial recognition to uniformed and plain clothes officers throughout the facilities,” explains Robinson.
Emergency management, especially terror, is their second critical issue. “Will there be another 9/11? How will terrorists meet or exceed those attacks? One way is to go after our children and an attack on a children’s hospital is a viable threat. Anything that hurts children brings the shock and awe of 9/11,” explains Robinson. Atlantic Health System has conducted drills with the Israeli Defense Force to test their emergency plans and risk strategies. They also met with their trauma doctors and conducted an exercise on what a real terror experience would involve. “We changed our facilities, processes and training as a result of those meetings. They were incredibly educational and valuable for us,” notes Robinson.
The organization also focuses on preventing infant abduction. “You can give out stats all day, but security is anecdotal. Hospital security is a brand issue and infant abduction is a brand killer in our industry. We have trained and retrained the nursing and security staff,” explains Robinson. “We tell our employees that if they don’t take security seriously, no one else will either. We not only need to have security processes and training, we need to apply them consistently as an organization,” he explains.
The company CEO expects that all of stakeholders, including patients, employees, volunteers, student and visitors who visit an Atlantic Health facility will be safe and secure. “Every CEO needs to remember that security is not a silo. It is embedded in every aspect of healthcare delivery and it must be integrated into all of the operations in the organization to best reduce risk and improve security,” says Robinson.
When not working he is devoted to teaching parents and children how to avoid being victims of child predators. Devoted to physical fitness and combative martial arts, he is a third degree black belt. He is very proud of his two sons, who are a West Point graduate and Army Ranger and a law student at Seton Hall University. Robinson most enjoys the different challenges every day. “Challenges make you better at what you do,” he shares.
If he were not a CSO, he would work full time teaching others how to protect children from being sexually exploited by child predators.
Security Scorecard
• Revenue/Budget: Confidential
• Security Budget: Confidential
• Critical Issues:
– Patient-Based Workplace Violence
– Regulatory Compliance/Offsite Facilities
– Open Visitation/Overnight Stays
Security Mission
• Asset Protection/Loss Prevention
• Brand/Product Protection
• Business Continuity
• Corporate Security
• Disaster Recovery
• Emergency Management/Crisis Management
• Fire Safety
• Investigations
• Physical Security/Facilities
• Regulatory Compliance
• Workforce/Executive/Personnel Protection