As security chief for one of the nation’s largest financial-services firm, Don Davis, Global Head of Security, Safety and Real Estate at Visa Inc., is responsible daily for securing assets and personnel all over the world.
Visa’s Global Security department is newly centralized in two principal locations in the U.S. With an average of 250 travelers per week, over 40 properties worldwide, and ongoing sponsorship of major events like the Olympics, FIFA, and the Super Bowl, efficiently managing security and safety is a daily test for Visa Security.
Davis recently took time to speak to CSO about Visa’s Global Security and Safety program.
Tell me about Visa Global Security. What challenges does it face and how big is it operationally?
I would describe our mandate as really four major pieces each of which has challenges:
1. Protecting people, information and the facility in office settings across 78 locations in 38 countries.
This phase, along with the second, have many of the aspects commonly associated with physical security including: setting security policy and procedures; access control and video surveillance systems; badging procedures; security officer management; completing on site security risk reviews of Visa offices, data centers and key third parties; risk monitoring and assessment ; workplace violence prevention; health , safety and ergonomics; background investigations; executive safeguard; general and due diligence investigations; initial response to medical incidents at Visa facilities; initial response to natural disasters, criminal and terrorist attacks , and employee awareness training.
2. Protecting people, information and the facility in data center locations.
3. Protecting staff who are in travel status (including expats).
For Visa to claim to be “everywhere you want to be,” our staff travels globally, including to high-risk destinations. Because of this we have a robust travel security program.
Whenever any Visa employee or contingent worker makes travel arrangements, they receive an automated email from Visa security with content provided by ISOS (our travel security provider), which describes medical and security concerns at their destination.
Visa security ranks countries as low, medium, high or extreme risk. We also have some countries where travel is restricted due to armed conflict or government sanctions.
When a traveler has made reservations to a high or extreme-risk country, a Visa security manager (VSM) is notified.
The VSM must have a personal briefing with anyone traveling to a high or extreme risk country prior to the travel to review risks and precautions. We have a template of security measures, which are required for specific countries such as armored vehicles or security agents, etc. These are not optional and are arranged by the VSM.
All travelers are covered by ISOS and receive a contact card for assistance from ISOS.
All traveler’s itineraries are included in the daily SRMS report received by VSMs.
4. Protecting staff, guests and operations at major global events such as the Olympics and the FIFA World Cup, which Visa proudly sponsors.
Visa is a Partner level sponsor of the Olympics, FIFA and other events such as the Super Bowl. Visa can typically have up to hundreds of employees at events like this with tasks such as managing the payment networks, marketing, corporate communications and the hospitality programs. We also have thousands, sometimes up to ten thousand, of guests ranging from consumers who won a sweepstake contest to clients such as the CEOs of major financial institutions. Visa has a duty of care to provide a safe and secure experience for the staff and guests, and to limit exposure from incidents that could impact our operations.
[Read more interviews with leaders in the security industry by subscribing to CSO's leadership newsletter]
Because of the immense brand reputation at stake, risk mitigation planning for these events starts three years before the event and includes coordination with organizing committees, law enforcement authorities, and a host of external and internal stakeholders. For some events such as the World Cup, this encompasses up to twelve cities so needless to say it involves lots of relationship building and strategic planning. The overall security management during the event is very much alike to a military operation with a dedicated command and control operations center, security teams in every city or per project activation, tracking and securing individuals, offices, vehicles, airplanes, etc.
Incident and issues management is something we prepare for comprehensively as well. Firstly, we deploy an intelligence management component with every major special event to collect, analyze and distribute actionable security information. This process starts up to a year before the event with monthly products. During the event, info is shared daily and on an ad-hoc basis when events occur with an impact on Visa. The security plan is intel-based and as such, the business operation can be required to change depending on the dynamic risk conditions. For example the protests currently occurring in Brazil have prompted security to order business processes to be altered because of life safety concerns for our guests and staff; we have decided to close services earlier in some cases, have changed guests’ itineraries and have required staff to cover up branded apparel to limit personal safety risks. Our crisis plan also require us to communicate with lots of people simultaneously in emergencies, for this we use mass communication tools with response capturing capabilities. This allows us to account for people and ensure they have received the messaging.
I understand you created an in-house integrated web-based mapping solution called the Security Risk Management System (SRMS). Tell us about it. What prompted its creation and how does it work/what does it provide?
The major driver was to take all of the intelligence information we see and filter it to what was important to Visa on a real-time basis so that we could react to the situation.
SRMS tracks and overlays the following information:
a. Intelligence on incidents from various subscription sources as well as open source
b. Travel itineraries (feed from Visa travel services)
c. ExPat info (feed from Visa Human Resources)
d. Visa office locations
e. Scheduled events/meetings ( feed from Visa corporate events)
f. Country risk rating ( from Visa GSS)
So, if there is a terrorist incident or a natural disaster in a city where Visa has an office, has travelers or a scheduled event, we are alerted to that incident. The system has complete travel details and contact info on travelers so we can reach out to them. We also have information in the system on travelers over the next two weeks. SRMS even creates a report that can be emailed directly to those affected and to concerned business units. In less than 30 seconds, SRMS produces a report detailing the incident and intelligence, the location and risk rating, the point of contacts for the nearest office, the security managers assigned to that office, the number and itineraries of all travelers to the location, including contact information from the Corporate Directory, any expats in the area and if there are any conferences or events scheduled in the affected area in the next 6 weeks. We know exactly what our exposure is and who to connect with in real time, which affords us the ability to manage an incident the moment we learn of it.
You've also expanded your intelligence analysis & risk monitoring capabilities ,which I understand will be rolled out into a formal program in FY14. Tell us more about that effort.
We began our focus on intelligence led security as part of our planning for major event security, so we have recognized the need for intelligence analysis for quite some time.
Prior to 2013, we had multiple access control systems and video surveillance systems, which were not monitored centrally and were managed and maintained locally. In 2012, we started a project which had been years in planning to implement a global ACS and VSS with security rules managed by a piece of middleware called Quantum Secure. As a part of that rollout we decided to have two global security operations centers (GSOC) to monitor alarms and receive video. Initially these two GSOCs are in Virginia and California; but we intend to transition the California GSOC to Singapore.
With the establishment of the two GSOCs, we recognized this provided an ideal platform to build our analysis and risk monitoring effort. We have created a senior level position to focus on intelligence analysis and will have additional analysis resources located in the GSOCs .
Visa's Global Physical Security team collaborates closely with the organization's Information Security/Cyber Intelligence team. What are the benefits to this collaboration? What does it provide your organization?
The risks which Visa faces don’t always label themselves neatly as physical or cyber. Each Visa security group may identify a threat, which falls within the other groups’ area of expertise and each group has competencies which can assist the other. Our focus is to identify and react to threats to Visa.
What advice would you give to other security departments in large organizations looking to find efficiencies in security?
The bigger question is: what value can the security organization bring to the parent organization? Finding efficiencies is part of your day-to-day responsibilities and is expected. Things like replacing a security officer with a camera, improving internal processes, increasing automation, negotiating better deals with suppliers, etc.
The good security department is looking for the risks the company faces and devoting its limited resources to mitigating those risks. I didn’t specifically mention in question one that there is a mandate to protect the company’s reputation. But, that is really central to everything that we do. Any perceived security lapse can injure the company brand and that has real financial implications for any company. Visa obviously has strong security and public trust as key components of its brand. So I think the question should be: What are you doing to systematically assess risks and then what are you doing to mitigate?