By Sherry L. Harowitz
Five leading security professionals participate in a live Q &A session on the issues facing today’s practitioners. Find out what’s top of mind for end users, suppliers, and consultants.
Security Management gathered five leading security professionals together earlier this year to discuss challenges and trends in the industry. Their responses illuminate the difficult task faced by security professionals adapting to a rapidly changing environment.
The Roundtable Participants
|Chad Callaghan, CPP
Enterprise Loss Prevention
Marriott International, Inc.
|Geoffrey Craighead, CPP
High Rise and Real Estate
Bank of New York
Bosch Security Systems
|Regis W. Becker, CPP
Global Director of Security
SM: Thank you all for joining us for the Security Management Executive Roundtable. Let’s talk first about challenges facing you as a security professional. What’s the biggest challenge you face, and in that context, you may also want to talk about the challenges facing your company and its business sector and how those affect the security agenda.
Chad Callaghan: Marriott International is in 73 different countries. We have been the target of terrorism on three different occasions, yet we still have to maintain a very friendly, open customer environment, so we’re constantly looking at where the bar is between security and an open environment.
Geoff Craighead: Speaking as a contractor with Securitas, one of the biggest challenges to our business is providing professional security services while responding to the corporate need to improve profits and lower contractor costs.
Kevin O’Brien: For our corporate security department, one of the challenges facing us is keeping our goals in lockstep with the business goals. We’re a global organization as well, and how do you maintain access around the world where there are different local laws or local accepted customs?
What we find challenging in the banking and the financial world is compliance with the government and regulatory issues with suspicious activity reports. Banking has always been heavily regulated anyway, but it is now on the forefront.
Regis Becker: One of the interesting dilemmas that we’re facing in manufacturing is the prospect of more security regulation specific to our industry. And I’m somewhat conflicted personally because from a professional standpoint, anytime you are a regulated industry, it is almost job security. It means growth in your profession. It means more people because you have to comply with the regulatory environment. But from my company’s and my clients’ standpoints, it is not a good thing. So that’s one of the sort of internal conflicts and challenges that I’m looking at this year.
SM: What are the most significant trends that you see shaping the security field?
Leon Chlimper: We’re seeing a major shift in physical security from a manufacturing standpoint. Whereas before we were protecting assets, now we’re protecting the businesses, and that requires a deeper understanding of what the business is. Physical protection is no longer just about assets—it’s about protecting the continuity of the business.
Callaghan: In Marriott’s world, I think the emergence of crisis management and business continuity and the interfacing of that with safety and security is the most significant trend that we’ve seen. Obviously, in the past year, there has been a tremendous amount of turmoil around the world, and we’ve learned that, in the open environment that we’re in, really the only way to thrive through those situations is to have good planning in place and good recovery in place as well.
Craighead: I agree. It’s contingency planning; it’s the whole enterprise. Secondly, I’m seeing more market specialization. This is particularly so in the industries that are becoming more regulated by the government; we, as contractors dealing with these industries, really need to know what we’re talking about. Clients are definitely asking for more and they need someone to be talking with them who really understands their business.
And, if I can just mention one other trend; guidelines. There have been six ASIS guidelines written now. There are another three in the works. It is going to be very helpful to the security industry with regard to training in the future.
O’Brien: One of the trends that we see in our industry, and it is going to affect everyone at this table and the industry you are involved in, is identity theft, specifically the physical security side. That’s because more and more, it’s not just about IT security; the data is actually lost when they are trying to get the files or some sort of media from the banks to a government agency or to a storage facility.
SM: Convergence is one trend often discussed. It can refer to IT and security or to a broader coordination of security, IT, HR, legal, and risk management functions. Can you say a few words about how you see convergence occurring in the field, what you see being done right or wrong, and what you hope to see in the future?
Becker: At our company, it’s not so much about ownership and “who’s going to run who.” It’s more working together where you have internal audits, information technology security, corporate security, the law department—all having pieces of the pie under the senior leadership of a board committee or a senior vice president. I think that’s a good trend.
O’Brien: I couldn’t agree more with Regis. I’ve seen a trend, specifically in risk management, because it is such a large umbrella, that a lot of groups will pony up and say, yes, this is for the good and the health of the organization. We’ll go into lockstep with risk management, and we’ll all evaluate our operational risk going forward.
As far as convergence going down the correct path, in the physical security realm, it’s good to have the open architecture of most access systems being able to connect to HR software and, thus, you get rid of the middleman trying to do data entry and terminations and new hires and transfers, and since you can have that open connection, everything is immediate. As we try to limit access to different facilities around the world, it is just one more step to actually get that right on the forefront.
Callaghan: I’m glad that you couched it in the terms of a merging of several different functions, because I think most of the people in the physical—or as I call it, the operational—security side have been a little bit scared by this notion of convergence that the IT world would be the one that would gobble security up.
We actually moved into the risk management function the year before last, which has really opened my eyes to how much we have merged with the other departments that come into place, particularly when you are talking about crisis management. You cannot manage your crisis without having all those different players together in a room, and I think that’s the form it’s going to take in our company, rather than one taking over another.
Craighead: From my perspective, actually, I’ve been very pleased by ASIS hitting this head on and really trying to stimulate the dialogue and, for instance, through that alliance (formed among ASIS, ISSA, and ISACA) that we are actually really trying to encourage communication. I think that’s going to educate us as security professionals.
Chlimper: We don’t see convergence as something new. We’ve been developing products that go on operating systems for years that run on networks and computers. But the biggest issue we see is, when you go and you try to sell a solution, you are a physical security supplier or manufacturer; you go to the physical security side, and then there’s an IT individual there, and the first thing he says is: “That thing is not going on my network.”
The problem is, who do I go sell to? Do I go to the IT guy because he is the one that is running the data and then try to convince the security guy, or do I go to the security guy and, hopefully, he has spoken to the IT guy? Everybody is protecting their little patch of grass and that is very confusing for a manufacturer.
SM: A successful operation needs good people. Can you discuss how you find and motivate good people as well as the skills you consider most important?
Callaghan: Marriott is pretty steeped in the culture of being a pro-employee company. In the loss prevention field, most of the people start in an hourly position and work their way up. In fact, 30 years ago, I started as an hourly employee right out of college in Marriott, and now I’ve worked my way up to the vice president’s job.
That’s a great thing. However, lately I’ve seen that we need to have more of a mix. We need to bring in some outside thinking. We’ve been able to partner with some of the universities, particularly Eastern Kentucky University. We’ve gotten some excellent students from there who are now working their way up in our system.
Craighead: In the security profession, we’ve really moved a lot with regard to how a lot of our people are operating as business managers, and they happen to be security practitioners. So there’s still a great need to continue to educate our people in those particular areas. As regards recruiting good people, there are still people from law enforcement and the military communities as well. But I’m definitely seeing another trend at my company. We are identifying people within the company and are providing them training and promoting them.
If I might just add one other thing, it is that demonstrating competency can come through education, but also certification; we all at ASIS have been very strong about having certification programs, because that is a good way to identify good people.
O’Brien: One of the things that I try to preach, particularly when you talk about the protective service staff and the hourly employees, is to remember to motivate them to work for more than just the paycheck. We try to do that, which leads to, much like you mentioned at the Marriott, a lot of promotion from within, and that’s a pretty successful program.
As for the skills sets that I look for in hiring our supervisors and our management level staff, I’ve gravitated more towards generalists and operations people, where in the past maybe I looked for more of a specialist.
Becker: The quality of the people is the most important, controllable part of your program and will lead most directly to the success of your program. And just to go one step further from what Kevin said, I think it’s not just technical skills versus business management skills. I think if you take one step back and look at character, integrity, and I know those are clichés, but the better person you get, and by that I mean all the way down to interpersonal skills, the more likely it will be that your program will succeed. If you have good people, you can always train them on the technical side.
SM: Return on investment is another key consideration. Security professionals often have trouble making the business case for security. Can you share one of your own success stories or secrets for selling security’s mission?
Callaghan: For us, it’s metrics. Having something you can measure, that you can show improvement in year over year that attaches to something that has intrinsic value to your company. Because we do safety and security both and because we are part of risk management, we’re able to measure total losses to the company and that has a huge impact. It is one of the key metrics used, and it gets a lot of attention. You better hope once you’re measuring that you are doing a good job, because it can also go the other way.
Craighead: Because we wanted to differentiate ourselves in this marketplace, I developed a tool kit; it’s a briefcase and in it, it contains certain marketing and also operational tools. It’s got three training programs, hard copies, some DVDs that we’ve done for it. It’s got a model set of post orders, properly tabbed, all electronically providing the tools to put that together and, of course, it’s got to be made site specific.
Becker: I agree with Chad on the metrics. In the macro sense, you really have to have the metrics to support what you are trying to do, but almost the opposite of that is taking advantage of every opportunity you have to fulfill your customer’s needs to have them delighted with the service, and that’s whether you are doing a due diligence, a fraud investigation, responding to a workplace violence threat, or doing a vulnerability assessment. >
Chlimper: I’m listening to Chad, and he mentions loss prevention is a big part of their metrics. We have to understand that when we start designing a system. One challenge is that when we try to ask, sometimes we don’t get the answers. Companies keep that information very close to their chest. So, in our view, for the end users to get better systems, they need to start sharing some inside information with us so that we can start designing those systems.
SM: It’s conventional wisdom that 9-11 caused a paradigm shift to the “new normal,” but in substantive terms, what has been the real effect on your business?
O’Brien: Our programs prior to September 11 were good programs, so we enhanced them, but we really didn’t change them wholesale after September 11. Like every other company and corporation, we’ve challenged ourselves since then to just be more resilient if we can. We have partnered very strongly with the government, with local law enforcement as well, and we’ve done some roundtables and tabletop exercises.
Callaghan: We talk about substantive effect. We lost a hotel in 9-11, but we were able to evacuate over 1,000 people successfully. It had a huge after-effect on the entire lodging industry. Marriott stock went down about 50 percent. Business went just really bad everywhere. The whole world really was affected by it. More specifically, though, we had a renewed focused on crisis planning and business continuity. We had it already, and we were up and running during that operation, but even more focus has now been placed on that—recognizing that it can truly put a company under.
Craighead: Sometimes you run into people outside of the security industry, and they hear what you do, and they say, boy, you guys must be making a lot of money. But, you know, in substantive terms, apart from about a six-to-eight months’ spike directly after September 11 where there was definitely an increase in business, it has gone to business as usual. The exception is certain vertical markets, which have definitely taken a different view to security.
Becker: I think we definitely have a greater visibility internally of the security and the crisis management function. We’ve had more resources. It’s not a doubling, but we’ve increased resources fairly substantially. We have also had more exposure at the board and senior management level than we ever had before 9-11.
SM: What security technologies do you find most promising or useful and which seem most overrated?
Becker: It’s not really the technology, but the whole notion of integration is most attractive to us from a cost standpoint. We see it as a way to reduce man hours, to reduce some of our operating costs. So integrating and using remote monitoring, the global collection of data for measuring security metrics, and pulling that together, is promising.
From an overall standpoint, I think from the public view versus our internal personal view, biometrics is still out there for us. And I think, from a personal standpoint, it is probably overrated.
O’Brien: It’s funny you say that because I was going to say my answer for both of those questions was biometrics.
Callaghan: That’s what I wrote down initially myself. Most promising and most overrated.
O’Brien: There are so many different facets to biometrics and how you use it; some of them work well. We employ different types of biometrics currently at data centers and things like that. They are successful. There are a lot of unmet promises made from the biometric world; look at facial recognition. Right after September 11, there was an advertising push, saying that if this was at every airport, this would not have happened, but it was probably the least mature product out of all of the biometrics. The advertisers got out a little bit before the manufacturers were ready for all of that.
Chlimper: We believe that the future of biometrics is with smart cards, and smart-card technology and the ability to read and write information that you are carrying with you at all times. And the other thing is we’re seeing that there is a generation that is going to be skipped pretty soon. From a manufacturer’s standpoint, we went from tape to DVRs, which are not going to be allowed to fully develop because we’re already on IP video.
SM: I’m surprised no one mentioned intelligent video management as a promising or good technology. What’s your view on that?
Becker: We’ve actually been using some of that. It may not be the most sophisticated but for us it’s a very sophisticated program in one of our port facilities where we manufacture highly volatile chemicals in a port environment, and we have installed post-9-11 a fairly sophisticated recognition system that will do things that integrate our fixed cameras with a graphic depiction of our entire environment. The integration of those two things allows us to respond much more quickly to a waterborne or an airborne perimeter threat.
Craighead: I wanted to touch on several technologies in use in the commercial real estate environment. Access key cards is one. I’ve seen an increased use of them, and that technology is very helpful because a lot of buildings are installing them in all of their passenger elevators as well as the freight and service ones even if the building has open access during normal office hours. Normally, the card readers are not activated. If something bad happens, they can just, with the flip of a switch, go to a controlled building environment. So, that’s a very helpful technology.
Second is video surveillance, including its transmission over networks, and CCTV surveillance in public areas. I know there’s an issue here about people saying it’s infringing on my public rights, but I think it can help us with regard to possibly containing a future incident occurring here.
As for technology that is the most overrated, barriers are very good, but barriers are very restricted, unless you’ve got a standoff distance. It will stop the truck going into the lobby. It may stop the truck going into the loading dock. It may stop them going into the under-building garage, but it will not stop a truck from pulling up next to the barrier, detonating, and doing as much damage as they almost could have done if they went inside the building.
Security Management gathered five top security professionals to comment on issues of the day. Here are some highlights.
On challenges, executives cited the need to comply with new regulations, balance security with maintaining an open environment, and stay in tune with their company’s overall goals. Asked about trends, they highlighted the new emphasis on crisis management and protecting the entire enterprise versus the former emphasis on protecting specific assets. On the search for good personnel, they agreed that general qualities matter more than specific technical skills.
When it comes to convergence, the panel agreed that it is both inevitable and beneficial and that it need not be seen as a turf war with winners and losers. It is simply a matter of having all the players work together to solve problems. Asked how to sell security to management, they cited the need for good metrics and good customer service. One representative on the supplier side cited the difficulty of building systems to meet user needs when companies are reluctant to share inside information about what they want systems to achieve.
As for the continuing effects of 9-11, the consensus was that it has led to more awareness and shifting priorities but not a great deal more money. Most promising technology? Most overrated? The two questions yielded the same answer: Biometrics.