• United States



Tips to Improve Public-Private CSO Partnerships

Dec 01, 200314 mins
Critical InfrastructureIT Leadership

As the government's influence over security practices grows, CSOs have a few suggestions to improve public-private partnerships.

In the area of security, whether it relates to homeland defense or to various industry guidelines and standards of practice, the consistent philosophy of the Bush administration has been to emphasize voluntary public-private partnerships and market-driven solutions over more adversarial, regulation-heavy approaches. While laying off the regulations is a popular course among private-sector companies, some pieces of the partnership puzzle still seem both frustrating and confusing to CSOs and the organizations they serve.

Questions abound. Does Washington really understand how businesses work? Does it know enough about the industries it seeks to influence? Is there money where the government’s mouth is? Are the lines of communication really open and omnidirectional, or does too little information flow among too few parties? Can the inertia and weird prerogatives of bureaucracy be overcome? And are there some circumstances that call for compulsion and not just voluntarism?

CSOs don’t lack a voice in these matters; but they would like their voices to echo a little louder in the halls and hearing rooms of the nation’s capital. With that in mind, we asked CSOs representing different industries (oil and gas, electric power, manufacturing and health care) to sound off on the Beltway issues that affect them most, and to offer suggestions for achieving a more productive public-private relationship in the coming year.

[Editor’s note: In this story we use the terms government and Washington more or less interchangeably and in a monolithic sense that, we concede up front, is somewhat unfair. Government consists of many agencies and countless individuals and is often more variable in its actions than perfectly consistent. Nonetheless, what we mean to suggest here is that there are norms of government conduct that are defining and characteristic. The conclusions our sources draw and the prescriptions they propose are offered in that spirit.]Get to Know the Private Sectorif a common theme ties together many of the threads in this story, it is the desire of CSOs for a true public-private partnership, one in which information flows in two directions and there’s a greater understanding of the private sector on the part of Washington. Lynn Mattice, director of corporate security and business intelligence at Boston Scientific, is in the camp that believes that both the executive and legislative branches have to do a better job of reaching out to corporate CSOs. One model that Mattice strongly endorses is that of the State Department’s Overseas Security Advisory Council (OSAC), which is a collaborative partnership between U.S. multinational companies and the State Department that has been around since 1985. Its goal is to help companies do business abroad and to identify security risks in foreign locales. CSOs are represented on the council.

Though Mattice and others have energetically advocated adopting an OSAC-like framework for dealing with domestic security issues, the message so far has not gotten through. He has encountered uneven government receptivity to private-sector input. “The government has to understand that the private sector isn’t an adversarywe’re not the bad guys,” says Mattice, noting that sometimes people’s perceptions are unfairly tainted by the Enrons and other corporate bad apples.

The government could also do a better job of understanding the interrelationships among industries, says Bobby Gillham, manager of global security at ConocoPhillips and chairman of the Energy ISAC. To illustrate one such interdependency, Gillham notes that the regional electric-grid blackout last summer had the potential to shut down energy pipelines as well. “We’re working with the government now to better understand the issues when there’s a loss of power or [an inability to] transport natural gas or petroleum products. What’s the impact, and how can we deal with it?” he says.

Robert Hayes, a former CSO and currently a security consultant, says that government needs a way of checking regulations and guidelines developed by separate agencies to make sure they aren’t in conflict with one anothera cause of great frustration for CSOs who must ensure compliance. Hayes would love to see a position created in the federal government that gives one person oversight of laws, regulations and voluntary compliance programs; an office that produces status reports and benchmarking to ensure that businesses are aware of the regulations that impact them, and that tracks how businesses are complying and whether security funds are being spent in the right places.Homeland Security Is Powered by InformationIn the aftermath of 9/11, the government passed legislation and proposed regulations to help prevent another catastrophe. At the same time, CSOs took the initiative to develop and implement new security measures in response to the terrorist attacks. For many CSOsespecially those within the so-called critical infrastructure industriesissues related to homeland defense are a growing part of the daily agenda.

Gillham has worked closely with the government on critical infrastructure issues affecting oil and gas companies. “They really do listen,” he says. “They have the right attitude about working in partnership as opposed to legislating so many requirements.” Gillham thinks getting the right information to the right people in a timely manner is an area that the government needs to focus on. He says that the ISACs are currently working with the government to facilitate better information-sharing.

One of the biggest issues on Gillham’s plate is vulnerability assessments. The Environmental Protection Agency, under the Clean Air Act, identified some 15,000 RMP sitesor risk management plan sites, which store or utilize hazardous chemicalsthat require periodic security reports from companies that use or store hazardous chemicals. These sites have also been identified as potential terrorist targets. In late 2001, Sen. Jon Corzine (D-N.J.), whose state is home to numerous hazardous chemical facilities, introduced legislation that would have required those companies to assess their vulnerabilities, improve their security, and consider safer alternatives to their current methods of manufacturing and storing chemicals. Corzine’s bill died on the Senate floor after the chemical industry lobbied hard against it (it wants the industry to voluntarily police itself). Earlier this year, the Bush administration took the EPA off the chemical plant enforcement beat (Corzine’s bill gave the EPA the power to mandate safety measures) and gave oversight to the Department of Homeland Security. Critics say this has done little to address the safety issue, partly because DHS’s plate is full just trying to organize itself.

“The real, positive side of DHS,” says Gillham, “is that it recognizes that 90 percent of the critical infrastructure is in private hands, and it has placed a responsibility on us to do these vulnerability assessments.” He supports legislation drafted by Sen. Jim Inhofe (R-Okla.) that would not require vulnerability assessments to be filed with the government, which he says would make them potentially available to public exposure through the Freedom of Information Act (FOIA). “That’s a real concern to us,” he says. To the usual concerns about FOIA disclosuresthat they potentially risk damaging a company’s reputation among stockholders, customers and the general publicGillham adds another reason. “Any vulnerability information we put out there could be viewed as a road map for terrorists to attack us.”

Michael Assante, vice president and CISO at American Electric Power, a Midwestern energy provider, has similar concerns. He’d like to see some guidelines and requirements around the protection of critical infrastructure information. “Everyone likes to talk about it, but there is no specific guidance to make sure [such information is] exempt from disclosure to the public. Nor have any criteria been established for withholding and protecting the information,” he says, referring both to federal and state governments, which have sunshine laws requiring public disclosure. He also notes that when politics are involved, information can get leaked to the press. “I’m down to one option,” he says. “Don’t hand it over to somebody because there’s no way to make sure it’s controlled properly.”

Though Hayes calls DHS’s early efforts “first-rate,” he cites some issues that come up repeatedly when he discusses homeland security with his peers. For instance, he says, “one-stop shopping” for informationmeaning a single place where CSOs can get the homeland security-related information they need. Currently, he says, you might call the FBI and hear one thing, then call the State Department and hear something else. There is, in effect, no quality control.

Hayes understands that the government can’t reveal all of the intelligence a security executive might like to get his hands on. But he believes that when the government asks companies to take action of some kind, they will be more eager to comply if they know a little more about the nature of the threat to which they’re being asked to responddoes it come from a credible source, and what is the time frame?so that they can put the best action plan in place. “A lot of times you get information from the government right after it’s been on CNN,” he says.

To deal with the many homeland security issues that affect the private sector, some CSOs agree with Mattice that a domestic security advisory council, patterned on the OSAC model, would be an ideal way for CSOs to share information with the government, and vice versa. In April 2002, Mattice presented a white paper to DHS Secretary Tom Ridge’s chief of staff proposing the establishment of such a council. Ridge appeared to embrace the idea of an OSAC-like entity and assigned his chief policy person to work with a small private-sector group organized by Mattice. (Among its members, according to Mattice, the group included a former assistant secretary of state for diplomatic security and a former CIA deputy director of operations.) In December 2002, Ridge spoke at the OSAC annual meeting and expressed his intention to duplicate that group within DHS. But that council remains an idea on paper only, and Mattice is perplexed by the new organization’s failure to form what he views as an absolute necessity. His frustration is evident: “I’m also perplexed by the government’s apparent willingness to ignore input from the very people who understand the environment the best, because we work it every single day.” Mattice has spent nearly 28 years in the security business and wants to contribute some experience to a fledgling, cobbled-together government entity that needs all the help it can get. In the aggregate, he says, private-sector security professionals “outnumber government folks by 3-to-1.” What’s needed, he says, is “an open flow [of information] and communication. We can’t have this ‘We’re going to shove it down your throats’ approach. This needs to be done on a collaborative basis.”

Kevin Lampeter, senior vice president and director of corporate security for financial giant State Street Corp., agrees there’s room to improve interactions between DHS and private-sector security execs. Among other things, he mentions the sharing of joint resources, better coordination in planning and testing emergency-response and risk-mitigation programs, and more detailed threat information when the level bumps up a color. Still, like many of his peers, Lampeter recognizes that DHS will experience growing pains for a while. “It will take time for them to organize themselves and obtain the appropriate resources and focus on building relationships,” he says. “They’re in an early evolutionary state.”Don’t Tread on UsFew issues raise the hackles of security executives (and others in their enterprises) more than regulation. On the one hand, CSOs generally favor industry self-regulation and voluntary compliance over requirements laid down by the feds. Many don’t believe that bureaucrats in Washington have enough knowledge of their industries to make informed decisions, and they chafe at the extra costs that come with compliance. And when there are regulatory sticks, they want the government to complement them with some carrotsincentives for compliance.

American Electric Power’s Assante points to the International Organization for Standardization (ISO) standards framework as a voluntary compliance model that works. With ISO, he notes, CSOs can apply the model in a way that best fits their organizations. Assante argues that specific regulations from Washington often require him to take scarce security resources and brainpower away from protecting the company the way he best sees fit and instead puts them to work on what he calls “compliance exercises.”

Of course, many would argue that, because many standards are voluntary, some companies will inevitably fail to implement proper security measures. After all, why spend the money when there’s no fear of consequences? “It’s a tough problem,” says Assante. “I’m not going to tell you that every utility is developing an infrastructure protection program [as robust as the one] we are.”Talk Is Cheap. Security Is ExpensiveMoney talks. indeed, the rising costs of security in the private sector, especially at a time when companies continue to pare spending, are all too familiar to budget-beleaguered CSOs. Whether it’s homeland security, the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley, many companies have had to devote more and more resources to complying with the recent spate of government regs.

That doesn’t mean security executives think that money is going to waste, however. Bonnie Michelman, the director of police, security and outside services at Massachusetts General Hospital, says that recent regulations have made her job easier in many ways. Broadly speaking, she says, Sarbanes-Oxley, the Patriot Act, and HIPAA have increased security awareness and education of employees, making them more willing to focus on security efforts and cooperate with security departments. However, she would also like to see federal grants to help cash-strapped nonprofit hospitals make ends meet.

Assante, too, would like to see a grant program implemented to help pay security-related costs. Industries wrestle with the question of where the line should be drawn between a normal cost of doing business and an exceptional burden caused by security threats. American Electric Power, says Assante, is a regulated entity. “Our price is defined for us.” Consequently, the utility can’t pass along those added security costs to ratepayers. “Our cost basis increases,” he says, “which [amounts to] asking our shareholders to take on an unfair burden to protect the nation’s critical infrastructure.” Assante, however, believes there is a willingness in the executive and legislative branches to develop a grant program to offset some of these costs.

There are other cost-recovery mechanisms that could work. Gillham likes the idea of tax exemptions, which he says would help defray the bundle of money ConocoPhillips is spending on enhanced security, in his words, “to help the U.S. economy.” For example, he says, “We’re spending $5 million on one of our 14 refineries to enhance security,” adding that refineries are a low-margin enterprise for the company.Improve Background Checks for Security PersonnelBecause of inconsistencies in the way background checks are done, employers may play unwitting host to blue-uniformed security personnel with shady pasts and uncertain intentions. John Pontrelli, formerly the director of security at W.L. Gore, the manufacturer of Gore-Tex fabrics, cites development of a uniform credentials program as the top way that government could help the private sector. Such a program would include speedier and more thorough background checks. Pontrelli notes that in the state of Maryland, for example, a check can take six months and not even be a full National Crime Information Center (NCIC) database check. In Delaware, by contrast, he notes that all applicants must be fingerprinted, the prints run through the NCIC and the results returned the same day. “There are a lot of private-security officers out there guarding our nuclear facilities. What if one is guarding, but his background check hasn’t come in because six months isn’t up yet?” asks Pontrelli.

Michelman would also like to see more consistent and sophisticated standards for earning credentials. She, too, takes issue with background check laws. Currently, she says, she can get information on applicants for positions at Mass General Hospital from Massachusetts databases only and not from those in other states. “A large majority of the criminal population moves around,” she says. She’s especially concerned because she works in a large hospital, where employees have access to patients, narcotics and children. “Not to get at that [out-of-state] information really creates a risk for us,” Michelman says.

All in all, it’s safe to say that the relationship between CSOs and Washington is a mixed bag, with plenty of room for improvement. How, when or whether security execs can make their voices heard more loudly in the coming year is anybody’s guess. In the meantime, they’ll continue their quest for just a little more peace, love and understanding from the folks in the nation’s capital.