Cancilla: Security Must Put Business First

Russ Cancilla, CSO with Baker Hughes Inc., believes that security can enable business with the right attitude

Baker Hughes Inc. CSO Russ Cancilla has been with the company less than three years. But in that short time he has transformed the oilfield services provider's security operations from a fragmented set of local programs into a single, converged function under his leadership. Managing Baker Hughes' risks for employees, resources and operations is no small task. The company currently operates in 94 countries, many in high-risk zones. But Cancilla, recently named a CSO Compass Award winner, explains why his program's new approach not only secures the business, but also enables it.

CSO: What was your goal for security at Baker Hughes when you first started at the company?

Russ Cancilla: When I came to Baker Hughes what I found was there were independent pockets of security around the company that supported the operations. Then there was a Houston-based traditional corporate security department. I saw that the two weren't engaged very much and I concluded that we weren't actually leveraging our skill sets.

We weren't able to properly measure the performance of security people out in the field because the corporate team was not fully engaged. And, most importantly, I noticed that there seemed to be a perception of a two-class system between the corporate security team and the operation security team. I didn't like the fact that it didn't feel like a team.

I thought that what we needed to do was create a more enterprise approach to security. As the CSO I wanted to have line of sight of what was going on with security across the company. So I wanted to have sight not only of the risks and security activities, but of our security people: What are their skill sets? How are they being developed? How are they being assigned jobs?

I also wanted to establish some standards or guidelines across the company. For example, if you went into Egypt our security program looked very different than if you went into Venezuela. It seemed that we were probably creating some greater liability and exposure for the company and spending more than necessary by having fairly inconsistent security programs in place which nobody was really overseeing centrally.

What was your first step in accomplishing that enterprise approach?

I went out and met with people and did the kinds of things new leaders do. I was finding some of the security team members on the operations side did feel a little disenfranchised because there was this perception of an elite group of corporate guys that didn't really interact with them that frequently. They didn't always feel they had a place to go if they needed some additional expertise on how to solve a security challenge.

So we created what we call enterprise guidelines that provide the framework for how the Baker Hughes security program would be constructed around the globe. Now when you go to country A or country B, the components of the program are very similar, if not the same. However, how they are implementing and executing them may be different because of customs or profitability of the local business.

How did you develop the ideas about what that framework would look like?

It's not like a manufacturing plant where you have the same security protocols in place at all locations. We are out on rigs and in offshore locations. The question I had immediately is: How do we know what the risks are? In some countries I would ask the security personnel: "Why does your security program work the way it does? Why does your security program have certain elements and not others?" And there was never really a good answer or reason. The response was usually: "This is the way we've always done it," rather than doing it consistently on a risk-based approach.

Did this enterprise approach involve some level of convergence between physical and IT security?

When I first came into this job, my predecessor was a director of corporate security; IT security was not part of the security portfolio. When I interviewed for the job I explained to our CEO and the General Counsel the concept of the CSO and the theory of bringing together different disciplines of security and the benefits of doing that. I said: "I want to take an approach where, as head of security, I have influence over all security that impacts Baker Hughes, regardless of the location. I don't need to have all security personnel working for me, but I want to influence it."

I also pointed to the IT security piece as largely influential over what we do in the protection of our intellectual property, and our access to our systems. I said I would like to see us migrate from director to CSO with all of those components rolled up under the CSO concept.

Was that convergence difficult?

It took us a couple of months to integrate the IT security piece into our portfolio. So now we have IT security and traditional physical security converged. We have also integrated a threat analyst, crisis management and a center of expertise for investigations and physical security into the security team. That is typically what some might think of as the corporate security team. But they are actually much more engaged with operational security than previously. They are the leveraged expertise to allow the operational security guys to avoid some unnecessary cost with consultants and leverage best practices. That's not to say we don't use consultants. We do as it helps keep our security costs variable. But, for example, the person who takes care of physical security standards and guidelines now helps the guys out in the field.

According to the person who nominated you for a Compass award, you have made security a business enabler at Baker Hughes. How so?

We have this philosophy: We have to be seen as business people who happen to be experts in security.

If we want to be engaged by the business and have a seat at their table, we have to speak their language and demonstrate to them that we understand that security supports, enables and reduces the risk and helps them generate revenue. We demonstrate that we know the principles of integrating security with the business by showing a return on investment in us. We do that with what we call cost avoidance.

For example, say our company is looking at a contract to work for ExxonMobil. They have asked us to provide the services that Baker Hughes provides. Historically within the company, security would not be engaged in that conversation when the tender was being considered. After the contract was signed they would come to us and say: "Oh, by the way, we just signed a contract with ExxonMobil in a politically unstable location of very high risk. We need you guys to put a security and crisis management plan in place so none of our people get injured." Only then would we enter the picture and give them an idea of how much security operations would cost in the location. So security then became a cost that eroded profits.

Now, we've frontloaded our estimation into our business economic model and we look at the security situation ahead of time and say: "This is what we think it will cost to manage the security in this location." The business factors those costs in so when the contract is negotiated, security costs are considered and it isn't a matter of security costs eroding profits on the back end.

Our group understands that Baker Hughes is not a security company. Our aspiration is not to have a best-in-class security program. It is too costly. Our goal is to have best-in-class people who operate a security program that is appropriate to manage the risk for the business.

Baker Hughes operates in 94 countries. Given the current state of global tensions, how difficult is it to protect employees now?

Assuming you're not in an organization which has unlimited resources to expend on security, I would describe it as taking more management skill and business acumen, combined with good, sound security skills, to surgically apply the appropriate security to manage the defined risks. It requires a more measured approach than it ever has before because the risks are greater and the competition for resources is more fierce. Security has to do a very thorough analysis to understand much better what the risks are and how to manage them, to ensure the business is not only protected from the threats but enhanced because of the security solutions.

Copyright © 2009 IDG Communications, Inc.