The Architect: How to Design a Secure Facility

Imagine being able to layer security into your building the way you do the plumbing or wiring. Genzyme's Dave Kent doesn't have to imagine it-he got to do it.

Glass. If there is just one word for The Genzyme Center in Cambridge, Mass., the word is glass. The biotech company's eponymous headquarters, scheduled to open next October, will bestow upon its neighborhood (which happens to be the heart of the biotech industry) a 12-story, shimmering glass soul.

Start with its skin: 1,495 glass panels. Some of these sections are mirrored, including a six-story square that faces west and serves as a brilliant riposte to the afternoon sun. Other sections are tinted but still expose the subcutaneous layer. There, behind a narrow promenade that circuits each floor, is more glass. Specifically, transparent glass walls sidled by transparent glass doors lead in to offices that have identical glass doors and walls on the opposite side. It's a 285,000-square-foot corporatarium. In certain spots, if you were washing windows, you could look right through the thing.

The architects at Behnisch, Behnisch and Partner say that they were trying to "encourage the often neglected or forgotten." By that, they mean natural light, of course; and their design encourages natural light the way fire encourages heat. As if there was a choice. But this story isn't about the architects.

The CEO and chairman of Genzyme, Henri Termeer, says the design is "from the inside out." He means the building takes a worker's perspective. Termeer also likes to assign warm and fuzzy corporate symbolism to the glass, its transparency and the light it lets in. But this story isn't about Termeer either.

This story is about Dave Kent, vice president and CSO, who, when he thinks about the glass, usually sighs. Or shrugs. Sometimes, he wanders around the neighborhood with a spotting scope, peering through the glass and pretending that a piece of key intellectual property is plainly visible on a computer screen in one of the fishbowl offices. Transparency, for Kent, isn't symbolism. It's a corporal weakness.

"Yeah, the glass is a headache," concedes Kent. "But the reality is you don't design a building for security. You secure the design of a building. I accept that. It's just nice to be able to play at this level."

Earlier, Kent had laid out the level at which he plays, right across his desk: blueprints for The Genzyme Center. Trying to read them was, for me, like trying to read music for the first time, but this much was clear: They are blueprints for security. They delineate placement of video surveillance. They show wiring for access systems. And they detail the design of the Security Operations Center (SOC), a unique room that deserves attention (and will get it later).

In a most literal sense, security is a distinct layer in Genzyme's plans, as intrinsic as plumbing or electrical systems. The same holds true for the company's sites in Buenos Aires and Waterford, Ireland, both represented by rolled tubes of blueprints leaning against a wall in Kent's narrow office. In other words, the level Kent plays at is the most fundamental one: planning and design, not only of buildings but of the future of a growing company. This means he's got the highest level of executives thinking about security. That should make most of you envy Dave Kent.

The story of how he got to this envious position started eight years ago; the story of how he built security into The Genzyme Center started on the top floor. He told both stories while touring the construction site one frigid winter day.Light The 12th and highest floor of The Genzyme Center will become executive offices and, in a somewhat democratic gesture typical of Termeer, the company cafeteria. David Vroman, who works for the contractor, Turner Construction, is with us. "I've never worked on a building like this," Vroman says, leading us toward a low wall in the center of the space. "And I'll probably never do another building like this again. This is a landmark job."

Beyond the low wall is the building's interior signature: a yawning atrium that reaches from the ground level to the skylight above our heads. Randomly, sections of floors below us jut into the open space, disrupting the atrium's basic triangular shape. Still, you can see past all that straight down to ground levela semipublic area with retail shops, a large pool of water dotted with fountains and a café set on an oblong concrete slab known affectionately by the contractors as "the Potato."

From the 12th floor looking down, it's nearly impossible to envision all of this because the atrium is filled with crisscrossed scaffolding. Soon enough, it will be filled with crisscrossed light.

Picture this: A prismatic array will sit under the skylight and capture diffuse light but deflect heat. The light will hit seven heliostats (10-foot square mirrors) hanging from the ceiling. The heliostats, controlled by computers, will move, almost imperceptibly, with the day and with the seasons to capture the most light possible. Some of the light will be relayed to the pool of water, which is polished stainless steel, essentially an oversize cake pan. More of the light will be dispatched to 19 mirror clusters throughout the atrium, each containing seven reflective surfaces, and each of those surfaces multifaceted. The clusters will redirect shafts of light toward dark corners of the atrium to brighten them. Whatever light is left is show business: It gets sent to reflecting prisms, basically chandeliers, that toss pretty designs against the walls.

"It's going to be something else," project manager Gordon Brailsford says with a fair bit of pride. "I've been told not to be surprised if Hollywood calls to shoot movies here."

"The building is going to attract attention," Kent says, pondering the security risk posed by a Hollywood crew skulking around at all hours or by a corporate function hosted in the atrium. As with the glass exterior, one man's gorgeous aesthetic statement is another's risk management question.Foundation Kent was director of corporate security at BBN Technologies eight years ago when Genzyme, then an adolescent biotech company specializing in developing drugs for rare genetic diseases, hired him (he has since added vice president to his card). Not long before Kent was hired, some intellectual property had gone missing at Genzyme.

Kent has a security professional's linebacker mentality, but it's as if he's playing touch football. Which isn't necessarily a bad thing. In fact, none of the clichés about security guys fits Kent, save the fact that he owns a black leather jacket and on the bookshelf in his office are volumes such as The World's Most Dangerous Places and Germs. In the context of his role at Genzyme, both are reference books. Flawless Consulting is for professional development. He is tall, quiet and affable in such a way that, after he disciplines you for some boneheaded security gaffe, you just might want to thank him.

He'd never say it, but he probably wasn't surprised by the intellectual property theft. Upon arrival, Kent found a company with 13 different access systems and dozens of people authorized to give out access credentials. So, first off, he eliminated 12 of those systems in favor of one, which provided some dramatic ROI and quickly validated why he was hired in the first place.

But Kent took the job with grander ambitions. He took the job because, as he says, "this is much more fun than an old company where the walls are up already." He knew Genzyme was growing, and he wanted to broadly affect its growth. He wanted security to be integrated into every aspect of that growthhiring, partnering and building. His plan was no less ambitious than to get every employee thinking about security intrinsically. He wanted security to be, as he puts it, "the ugly little tugboat that turns the Queen Mary."

That wasn't easy, but it also wasn't impossible. After all, Genzyme hired Kent because of a major security breach. Clearly, the company would invest in preventing another such disaster (stealing intellectual property from a biotech company is like stealing money from a bank, only worse; ideas about how to cure rare diseases aren't replaced as easily as cash). Then again, security awareness has a half-life. The further an incident recedes into the past, the harder to keep executives' collective attention.

In hindsight, Kent says he didn't realize how ambitious a plan he had crafted. "For me it was like merging onto a freeway," he says. "First you're thinking, Jeez, these cars are going fast. Then you're in traffic but you're still going slower than everyone else. Eventually, you're part of the flow." It took Kent two years to make security an integral part of Genzyme's culture.

"Now, we have our own layer in the blueprints," Kent said the day he spread the plans across his desk. They are labeled Genzyme Confidential, another standard that Kent created which means contractors must adhere to Genzyme's security standards. A security staffer attends weekly construction and architect's meetings. And Kent provides input into every phase of the project, including IS (he pulled that tactical discipline under his purview too). Brailsford says, "I could not envision doing a project that didn't have security integrated from day one."Superstructure From day one, when Kent set out to integrate security into The Genzyme Center plans, he started from as deep inside the organization as he could get. He sanitized blueprints because some are public documents filed with the city. It doesn't make sense, for example, to identify labs and their purpose. He pushed for, and got, a lecture hall designed with pure acoustics. That way, he can discourage the use of wireless microphones, which can transmit up to a mile. If someone absolutely needs a microphone, it can be encrypted using technology developed for the National Football League that allows coaches to talk to quarterbacks while keeping the other team from intercepting anything (but passes).

The architects' design didn't separate the first floor's semipublic space from Genzyme's second floor lobby. In fact, in an early design, the architects wanted to add doors into the atrium, which Kent's IS officer, Bhavesh Patel, describes as a nightmare. "Imagine your house has two doors that are locked and then you add 20 wide-open doors," says Patel. Kent inserted an access point to divide Genzyme's space from the public space.

He also went outside the organization. He talked to security heads at businesses in the area. He asked about their policies and proposed possible collaborationneighborhood-watch style. He went on his spotting scope trips, mapping out the vulnerable sight lines.

The architects' glassophilia, which led to Kent's spying on his own facility, is starkly on display when we get to the seventh floor. Here, the exterior glass windows and clear-walled offices absorb so much sunlight that artificial lights would be feeble.The building itself will know this, at certain hours. The Genzyme Center will employ a relatively cunning environmental control system. (The building is likely to receive a "platinum" environmental rating, the highest attainable under the comprehensive Leadership in Energy and Environmental Design rating system managed by the U.S. Green Building Council. Even if The Genzyme Center doesn't hit the mark, it will be one of the greenest commercial buildings in North America.) The building will know when to open the windows. And if it starts raining, it will close them. If it's bright outside, the building will open shades and turn off the (motion-activated) lights. It will also monitor humidity to gauge the need for air-conditioning.

"It does all this without thinking about security," Kent says, "so I'm thinking about it."

A pattern was emerging. In every feature that Brailsford, the architects, the CEO or Vroman from the contractor described with giddy pride—the glass, the atrium and the environmental controls—Kent found vulnerability. Innately, The Genzyme Center's design is a security nightmare. If Kent hadn't brought security into Genzyme's culture, the center probably couldn't be secured at a reasonable cost afterward, if at all. It's conceivable to think that only because Kent has made everyone at Genzyme so security-conscious, including the CEO, that such an inherently insecure design could be approved.

Patel confirms that The Genzyme Center is a special case. "Typically, we try to work within the culture of the company," Patel says. "With this building, the culture will have to change."

The most obvious manifestation of this cultural shift, but not the only one, is a clean desk policy Kent's team is developing. It will guide employees on what they should not leave on desks or computer screens. Kent has considered investing in whiteboards with automatic shutters. He will not be shy about enforcing the clean desk policy through spot checks and discipline. When Genzyme moves the more than 900 crowded employees out of their current home down the road at the old Boston Woven Hose and Rubber Co., Kent will start to change their behavior.

Once, when Kent talked about the cultural shift he's about to foist on his company, he said it was about communicating trust and value. "It's a collaborative approach," he said. "If they trust you and you communicate value, you get your way." Remembering his collection of books, I briefly wondered if this came from Flawless Consulting.

1 2 Page 1
Page 1 of 2
How to choose a SIEM solution: 11 key features and considerations