This year's CSO Compass Award honorees have achieved alignment of security and business goals, through advocacy, active engagement and, in some cases, a sense of humor.

There are many paths to alignment. This year’s CSO Compass Award honorees have sought alignment—and found success—through very different means. Their strategies vary from sagely anticipating and preparing for business risks, to humanizing the often austere security function, to advocating metrics and numbers as a common language to bridge the communication gap between business and security leaders. We asked each honoree to share with us his or her thoughts on, experiences with and strategies for achieving alignment.

Metrics Might
George Campbell
Current position: Managing Partner with the Business Security Advisory Group, a consultancy composed of several former CSOs from global corporations.
2002–2003: president of International Security Management Association
1998–2003: ISMA board of directors
1994–2002: CSO, Fidelity Investments

Despite the strides that security organizations have made post-9/11, George Campbell believes that CSOs can still do a better job of communicating their core value to the business. “When it comes to seeing security as really connected to the brand and a fundamental part of the value equation, the corner office still hasn’t crossed that bridge.” But surprisingly, Campbell’s remedy doesn’t depend on getting more face time with the CEO. In fact, he believes that security executives focus too intently on how they are perceived by the board or the CEO, to the detriment of building relationships with the many other constituencies they serve throughout the organization. “Whether it’s from the top down or the bottom up, you’ve got to get in their face and understand their business,” says Campbell, who is 64. He exhorts CSOs to engage their business colleagues by saying, “Here are the skills we have; where can we contribute to making you more successful?”

Campbell believes that metrics are fundamental tools for CSOs who want to influence policy, effect change and communicate their value to the organization. He recently wrote “Measures and Metrics in Corporate Security: Communicating Business Value,” published by the CSO Executive Council, an affiliate of CSO. In the book, Campbell discusses what data one should track and present, how to present it and to whom. He suggests that CSOs need to develop a three-part “dashboard” of metrics: one section for items like a safe and secure workplace that are seen as the direct responsibility of the security department, another for metrics that are unique to their business constituents and one for metrics that are unique to the organization’s success. Some need constant monitoring. Others (like internal misconduct cases) develop trends over time.

Security is often seen as a nebulous function with its own obscure language, so metrics can be a tremendous communication tool for bridging the gap with business. For example, if a CSO can go to a business unit and give them the leading indicators that show that they are heading in a risky direction with the vendors they’ve selected or the people they are hiring—people are getting into trouble more often, there are more business interruptions, more problems with workplace violence—that is a powerful thing, says Campbell. CSOs need to remember that “we don’t secure the company, we are facilitators,” says Campbell, “and metrics help us tell a story.”

Read more at CSOonline: “How to Connect with Metrics” (audio podcast) | “How to Use Metrics” (book excerpt) | “Smackdown” (about the CSO role)

Putting People First
Francis D’Addario
Current position: Vice President, Partner and Asset Protection for Starbucks Coffee
1997–present: Starbucks
1990–1997: director of loss prevention, Hardee’s Food Systems

Francis D’Addario believes that the opportunity for security to be relevant in any business organization lies in its ability to provide what he calls “just-in-time security.” When he joined Starbucks in 1997, it was in the wake of the botched robbery attempt at a store in the Georgetown section of Washington, D.C., where three Starbucks employees lost their lives. From his first week on the job, D’Addario and his team were committed to improving safety. They introduced time-lock and time-delay safe lock technology and closed-circuit television surveillance. They built security into new-store designs by ensuring that would-be robbers could be easily observed by passersby. They track traveler risk, and they have involved partners and licensees in security-raising efforts.

With more than 12,400 coffeehouses worldwide, security has become a critical component of Starbucks’ ability to attract and retain quality employees. “Partners are our number-one priority,” says D’Addario, 54. “That’s something that is well-prioritized within our [corporate] values, and it’s our ability to be an employer of choice that enables us to grasp opportunity.” Through communications and training, Starbucks employees receive constant reminders that security is a priority. Staff undergo workplace violence awareness training and discuss safety at monthly operational meetings. In larger markets, reminders about anonymous risk reporting appear on biweekly pay statements.

D’Addario’s team provides just-in-time security to a brand operating in 35 countries as a retailer, manufacturer and distributor of beverages, food and entertainment. The key, he believes, is to keep up a continuing conversation with business leaders and customers to ensure that the security organization meets their current needs and enables their growth plans. “We have to make sure that the manager of each store or branch or entertainment business has the reliable loss prevention capability to keep people safe and protect profit and loss,” says D’Addario. “We have to understand what the risks are to that business, what markets are opening up and what requirements we’re going to have to adopt.”

The success of Starbucks depends on its ability to find, buy and transport coffee from around the world. Among the risks Starbucks faces is supply chain tampering, and that has led the Starbucks security group to develop standards and technologies to ensure product safety—everything from proliferating ISO28001 standards for container security and authentication methods for trusted agents who handle containers, to technologies that track internal temperatures and humidity to ensure that products arrive in ideal shape for consumption. A global pandemic represents another threat. D’Addario has been working with the crisis management and business continuity groups to formulate a plan that could allow the company to nimbly adjust to business in a contagious environment. The plan would leverage the existing drive-throughs and some storefront locations to create an all-carryout enterprise. “I think the ability to win a seat at the table is to have the continuing conversation for identifying the relevant risk and mitigating it in a relevant and persuasive way that is measurable,” says D’Addario. “Then continuously reevaluate what that risk looks like.”

Read more at CSOonline: “Where the Metrics Are” | “Job Descriptions”

Call Me Anytime
Deven Bhatt
Current position: CSO, Airlines Reporting Corp.
2002–2004: Corporate Information Security Manager, Newell Rubbermaid
1990–2002: various positions in security at Frontier Telephone, culminating in Manager of Security

For Deven Bhatt, achieving business alignment means taking a very personal approach to his job. Although Airlines Reporting Corp. (ARC) processes $70 billion worth of ticket transactions each year, security was a one-man operation when Bhatt joined in 2004. With limited resources at his disposal, Bhatt learned early on that developing good relationships with employees across the company would be critical to creating a security-conscious culture.

So Bhatt, 49, advertises his availability. When he conducted a mandatory security awareness training program for the company’s 450 or so employees, he handed out a brochure that contained his personal cell phone number. (The program covers computer security, ID theft, fraud, business continuity and emergency evacuations.) “I still get calls in the middle of the night,” says Bhatt. “That’s fine. I really want to show my commitment.” He also has an open-door policy to encourage employees and business leaders to bring him problems rather than hide them. “We can always find a middle ground” for a solution, says Bhatt, who adds that he is careful never to blame the messenger for sharing information, and he encourages employees to bring up any issue, no matter how trivial it seems.

Now that his department has grown to seven members, Bhatt has deployed his staff to sit within individual business locations to serve as their security points of contact. Initially, corporate leaders questioned whether this was necessary, and employees were worried that security was there to spy on them and monitor policy compliance. But Bhatt was able to show that this was a customer service move designed to provide quick results to security-related needs.

Bhatt believes there is a clear value to providing personal attention. He’s even willing to play the fool if it enhances security awareness. He put together a Mission Impossible–style spoof film for his security awareness event, with the CEO and other executives as his actors and playing the Inspector Clouseau role himself, complete with pratfalls. Although the film was intended to educate everyone on the need for general security and the Payment Card Industry (PCI) standard for processing credit card data, it had the added bonus of humanizing the security function. Bhatt also offers employees training to help them with physical and computer security at home. “I want people to feel this from their heart, that this is their company, and security is their responsibility,” he says.

His approach has paid off with the success of several high-profile projects where failure would have been catastrophic and where employee cooperation was crucial. ARC was the first company in the airline travel industry to achieve PCI compliance—a requirement for all merchants and service providers that store, process or transmit credit card data. Bhatt also convinced his CEO and executive board to make supporting security initiatives like these two projects a prerequisite to receiving annual bonuses. ARC completed both the encryption project and awareness training.

Read more at CSOonline: “Winning the Gadget Wars”

Trusted Information Hub
Dan Lohrmann
Current position: CISO, state of Michigan
1997: started working for the Michigan state government; appointed to the CISO role in May 2002
1985–1997: network engineering positions with ManTech International, Loral Aerospace and the National Security Agency

The state of Michigan may have 55,000 employees, but in many respects it’s a small community. “People have been around a long time in state government and you get a reputation,” says Dan Lohrmann, Michigan’s CISO. “It’s very important to be someone that delivers.” For that reason, Lohrmann believes that trust is the cornerstone of a well-aligned security organization.

One of his techniques for achieving that trust is to try to “undercommit and overdeliver” when dealing with his state agency counterparts. This strategy is particularly important in state government, where funds are short and legacy systems are plentiful. He makes a point to celebrate security achievements with his own department and the business units that helped make them possible. “Thanking them enhances the image of the security department so they start to think of us as partners instead of this oversight body,” says Lohrmann, 43.

For example, Lohrmann’s group threw a pizza party for the Department of Information Technology to thank them for helping reduce the number of vulnerabilities on their servers (a milestone in achieving PCI compliance). “By showing our appreciation, it helps to build trust and change the perception of us as always being the ones who say no,” Lohrmann says.

Lohrmann also looks for ways to add value beyond the basic services that security is expected to provide, like identity verification and virus protection. By installing Web-filtering technology, he was able to save approximately $700,000 a month in spyware, bandwidth and repair cost avoidance. Because of his background in the NSA and his work with the Department of Homeland Security on behalf of the National Association of State Chief Information Officers (Nascio), Lohrmann has relationships in Washington that he has been able to leverage on behalf of some of his state agency directors. “I’ve been able to work on issues that were of interest to individual directors, and they really like that I’m helping them conduct business and do their job.”

He has been able to share insights from his work at Nascio to help the state’s homeland security adviser, Mike McDaniel, and establish processes for a new homeland security intelligence center, where law enforcement, public safety and private-sector participants share information. Lohrmann says he’s also been able to help DHS officials in Washington understand state and local homeland security issues.

Lohrmann’s efforts to build those trusted relationships have paid dividends. When the Michigan Department of IT (MDIT) recently undertook a Return on Security Investment analysis, the results convinced MDIT’s state agency customers to double their IT security spending at a time when the state budget overall has been cut.

Lohrmann says he continues to search for ways to deliver on his promises when he meets with his state agency colleagues. “You have to look for areas where you can add value as a [security] organization and as an individual,” he says. “If you can always walk away from those lunches with a little nugget, you’re going to have a reason to get back together again, and it’s not just a courtesy call anymore.”

It was through such lunches that Lohrmann learned that his security group’s reputation as naysayers to new initiatives needed a makeover. His answer: find ways to say yes, securely. His initial rejection of wireless network access gave way to limited connectivity that satisfied users without sacrificing security standards.

Read more at CSOonline: GovSpace, Dan Lohrmann’s blog

Team Player
Lisa “LJ” Johnson
Current position: CISO, Nike
1998–present: Nike, various security management positions
1993–1998: security manager, U.S. Bank

It has been said that you can’t truly understand a person until you walk a mile in her shoes. LJ Johnson, Nike’s CISO, put that adage to shame when she recently embedded herself within her company’s footwear organization for a year to learn how she could help with intellectual property protection.

In 2004, Johnson took the bold step of removing herself from the security group’s daily operations so that she could focus on business outreach and alignment. She moved her office across the building and shifted her attention to strategic planning, business relationship development, and security marketing and communication issues. And she got involved in activities where she would meet people from all over the company. Sports—not surprisingly—have been a great way to make connections. Johnson meets people by playing racquetball, soccer and golf, and she gets involved in as many volunteer opportunities as she can make time for. “You’re interacting with people that you don’t bump into on a regular basis, and I have formed some good business relationships,” says Johnson, 45. In one leadership training class she met a woman involved in product quality and counterfeiting protection. So far, they have exchanged ideas and hope to find some ways for Johnson’s group to help.

Although she acknowledges that relationship building is an organic process, there are explicit steps that security executives can take to help it along. Johnson found that asking business executives for 30-minute informational interviews can yield good results. “It’s an opportunity to ask them what security services they would like to see and if there are things you could do to add more value for them,” she says. “People will give you a ton of ideas.” Johnson has found that most executives are open to being approached like this; they especially appreciate it when you follow up later with some action items or ideas from the talk.

Johnson’s most dramatic attempt to get closer to her business customers came recently, during her yearlong experience working with the footwear organization to learn about IP protection. “It was tricky juggling my other job,” she admits, “but it made such a big difference to sit next to them, to go to their staff meetings and be a part of their team.” She says she found ideas for product and IP protection, and for training, that she might not have found otherwise. It’s a technique she plans to try again in the future with other divisions.

See more at CSOonline: “The Team Builder”

Open for Business
Lynn Mattice
Current position: VP and CSO of Boston Scientific
1992–1997: Director of Corporate Security, Whirlpool
1980–1992: Corporate director of security at Northrop Grumman

When Lynn Mattice picks up a book or magazine, chances are good he won’t be reading something focused on security. The Harvard Business Review, maybe, or MIT Sloan Management Review, to stay on top of the latest business trends. The World Economic Forum’s Global Competitiveness Report, to keep up to date on the global sales environment. Or one of Soundview’s Executive Book Summaries, which have led him to such gems as Execution, a book about getting things done by Honeywell’s CEO, Larry Bossidy, and consultant Ram Charan.

“I need to be on the leading edge of the issues that are taking place in business,” says Mattice, VP and CSO of Boston Scientific, the $7.8 billion medical-supplies company based in Natick, Mass. “When I’m talking with the business community here, I need to communicate with them in the language that they communicate in. They’re interested in business results.” So, while security is certainly what Mattice does—he has global responsibility for business intelligence, business continuity and a fully converged corporate security program, including information security—his focus is Boston Scientific’s business.

Mattice is deeply involved with sales efforts, for instance. Boston Scientific has salespeople or distributors in more than 100 countries, so he regularly attends sales meetings, where he provides intelligence about what’s going on in different parts of the world. His work includes ensuring the safety of these far-flung teams. Mattice also helps the sales group understand common business practices in other countries and makes sure that Boston Scientific isn’t working with businesses that require bribes or are likely to deal in counterfeit or gray-market goods. And anytime business leaders are looking at expanding into a new geographic area, he helps them evaluate the market conditions, environment, political situation and economic risks.

“We cover a broad range of issues so that people don’t go into a country blind,” says Mattice, who is 53. “You need to know how the country works. It’s understanding your marketplace. And the more you do along those lines to support the business, the more the business comes to you and wants to engage you. When you’re providing support and information that’s important to them to do their job, then you’re viewed as a partner.”

His overriding mantra? “This isn’t rocket science. This isn’t anything that’s hidden behind smoke and mirrors, and it’s not anything special. These are business processes.
We are working to help refine the effectiveness of the company in every possible way that we can.”

Read more on CSOonline.com: “Mix Masters,” about surviving mergers; “Vet Your Outsourcer”