Bob Hayes is a global pioneer of corporate security. A former CSO at Georgia Pacific and a security operations manager at 3M, he’s designed and guided some of the most complex enterprise security programs in the world. He was also one of the first security executives to successfully implement a program to unify corporate security, cybersecurity, business conduct, and compliance programs at a Fortune 100 firm.
Hayes says security programs need to be tailored to the context and culture of each company. Sometimes, that means putting everything under one roof. And sometimes that means improving communication between teams. The goal isn’t to achieve a perfect structure; it’s to manage processes and data to achieve results.
“We have to let the data drive us,” Hayes said. “Show me the results. What can we do better?”
In this illuminating discussion, Bob spoke with Fred Burton, Executive Director for the Ontic Center of Protective Intelligence, about the state of security today, the benefits of integrated security programs, and his thoughts on Ontic’s 2021 Mid-Year Outlook State of Protective Intelligence Report.
Fred: Bob, you are one of the pioneers in integrating physical security with cybersecurity programs at the corporate level. Here are a couple of statistics from our most recent study, which surveyed physical security and IT leaders at American companies with over 5,000 employees. We’re hoping to get your reaction to them:
- There is overwhelming agreement among both Physical Security (95% agree, including 45% who agree strongly) and IT professionals (95% agree, including 55% who agree strongly) that cybersecurity and physical security must be integrated, otherwise cyber and physical threats will be missed.
- What’s more, 42% of those surveyed say cybersecurity alignment is among their top three immediate priorities for physical security operations integration and cross-functional collaboration, along with critical event management and alerting.
It seems like everyone in the security space understands that integrated security is crucial, but lots of people just don’t have that. What’s going on?
Bob: Many think lack of integration is an organizational structure issue, but they fail to take a step back and think of WHY it’s important to work together. Teams can experience success in silos and they can also experience success working together. It’s critical to understand the WHY behind integrating physical and cyber under one roof — focusing on the program instead of the solution it’s trying to solve for.
When you build a house you know you want the end result to have a certain number of bedrooms and bathrooms, a larger kitchen for entertaining, etc. This same outcomes-driven approach can be applied to security and I encourage teams to think about teams across the organization working together and what problems it will solve before building a program.
Seeing all information in one system is critical, but what’s also important is knowing where responsibilities end and where others start. For instance, when data hits printed form it’s often passed on to another team for handling, but whose job is it to make sure that sensitive documents are disposed of properly? Every company (and culture that goes along with it) is different, so be skeptical of definitive statements in this arena. There are a lot of nuances in terms of what makes sense for companies to integrate vs. not. Here is a graphic of the potential realm of CSO responsibilities.
Fred: In our survey, a majority of security leaders said that their CEO believes training employees so they are better prepared for potential workplace violence will create a culture of fear, and does not see the ultimate risk to business continuity. They also say their CEO does not believe their company will ever be a target for significant physical harm and does not value employee training and preparedness for dealing with such crises.
What’s your perspective on this? Is it a reasonable reluctance? What advice would you give CEOs on the idea of training?
Bob: There is a common misconception that active shooter training is the only area to focus on, which causes CEOs and leaders to be reluctant. There are so many areas and tactics to intervene before. Having technology that spots and surfaces warnings (employee behavior, social media monitoring, etc.), fostering a reporting culture, and providing resources that support mental health are just a few of the ways to structure training and awareness that will help avoid the worst-case scenario.
Inevitably, the media hypes people up and doesn’t factor in the odds. Probability and criticality should dictate strategy. If there is a higher likelihood of an insider threat vs. an active shooter, training should be focused on implementing a reporting culture where employees feel comfortable to “see something, say something.”
Fred: Across a couple of questions in our survey, we heard security experts say that they were missing threats because there was a disconnect between cross-functional teams, from HR to cybersecurity to physical security, and more. Of the physical threats that have resulted in harm or death at their company this year, respondents say almost all (15%), most (34%), some (27%), or a few (15%) could have been avoided if cybersecurity and physical security intelligence were unified so threats could be shared and actioned by cross-functional teams. Can you offer an example from your own experience of some of the benefits of cyber and physical security teams being integrated?
Bob: Results can come out of an integrated structure and a siloed structure. I always go back to finding out what should be achieved. Oftentimes what’s not working is a lack of communication between departments. What could be achieved if teams had a way of sharing information more easily?
Fred: For security professionals already dealing with the stress of COVID themselves, what advice would you give them in terms of keeping up the pace? How can companies leverage their existing resources for the long haul?
Bob: We continue to rediscover just how fragmented the security industry is after more than 15 years of research. COVID has not changed this viewpoint. Each company has a different culture, and each security program is born of that culture, along with a mix of budget and risk factors. I can look at 115 success elements in a program, but not all of them are important to every company. We have found only two universal success factors. (1) Companies must have a great security story to tell and communicate it effectively to different audiences. (2) Programs need to map to the operating environment (what we call the C4R risk model) to make the most of what companies already have.
There are foundational elements, things you can’t change but have some influence over, like talent management, budget allocations, and organizational structure. These are your circumstances. Then, you have elements outside of your control: your conditions (pre- and post-COVID), your culture, and your resources. Assessing them will inform your risk decisions and priorities, and will help you to make the most of what you have.
To learn more about our study and gain your own perspective on the data presented, download the 2021 Mid-Year Outlook State of Protective Intelligence Report. For Bob’s biography visit the Security Executive Council.