12 insights from General Electric's CSO Frank Taylor

June 24, 2009, Baltimore, Md. -- This morning at the Electronic Security Expo in Baltimore, Md., General Electric's Chief Security Officer Francis X. (Frank) Taylor discussed the role of a lead security executive for a multinational corporation. Taylor's address was the keynote presentation for the tradeshow and served as an inside view into his role, providing insights for the technology vendors, security systems integrators, alarm dealers and monitoring providers in attendance.

To understand his perspective, here's a little background on today's keynote speaker. He has 31 years of military service, rising to the rank of Brigadier General. He served with the United States State Department as Assistant Secretary of State for Diplomatic Security, and worked with the State Department on counter-terror intelligence following the 9/11 attacks. At General Electric, the parent company to the business unit we all know of as GE Security, Taylor has to protect over 300,000 GE employees worldwide, making the firm's operations roughly equivalent to the size of the United States Air Force. He faces security challenges drawn from having thousands of individual facilities as well as operations in over 100 nations around the world. He has a company reputation and livelihood to protect; General Electric is the only company that has been continually listed on the Dow Jones Index since that index was established. Taylor joined General Electric in March 2005.

In the span of about an hour, Taylor covered a lot of ground, so for the sake of brevity, I'm going to boil it down to some key points he made, but if you ever get a chance, make sure to hang on the every word of chief security officer for a multinational corporation (MNC). There is a lot to be learned.

The CSO position of today has evolved beyond response to threats. Taylor stressed that his main strategy has to be the anticipation of risks. "There is nothing impossible in today's world in terms of a threat to our nation and our people. In our business, things we couldn't image do happen," said Taylor.

While his duties don't include IT security for GE (those duties fall to the CIO at General Electric), Taylor said that, "Your customers are going to be more literate than ever about information security. They will ask your technicians about hackers and how your physical security systems are defended against their efforts." At GE, the security team works with IT closely. Those ties are manifested in employee investigations but also in areas like protection of intellectual property.

Taylor advises CSOs to deeply study previous threats to anticipate upcoming threats. Taylor pointed to what the company learned about how it was affected by the avian flu and said that knowledge played directly into how well they have been able to respond to swine flu.

Terrorists are strategically targeting multinational corporations. The fact is, said Taylor, that most corporations' facilities around the world are less protected than embassies and government facilities. That makes them crimes of opportunity, whether it's a hotel owned by an MNC, or an oil refinery. He clicked through news clips of terrorist incidents around the world to prove this point. The embassy is no longer the sole target.

The global CSO needs to have a depth of global experience, but he or she needs to put people in place with local experience, said Taylor, citing the example of a recent GE hire from Egypt who brought a wealth of local, cultural knowledge to the security table.

Travel security is a bigger issue than ever. Before his time, said Taylor, it could have taken weeks for a large corporation to know whether any of its employees were affected by a natural disaster or a terrorist event. Today he knows within minutes.

If you're a CSO working at a global level, you need daily intelligence on global instability issues. "You can't do security today unless you are globally aware of the world issues that could affect your company," said Taylor.

Salesperson representing security technologies pay attention: The CSO doesn't want to hear about widgets. "We don't even talk unless you have integrated systems." On the same note, he says that sales people need to understand his problems before they even think about offering a solution. "There is an attitude [among security technology salesperson] that, 'I don't need to know what your problem is; I need to tell you what my solution is.'" Don't expect that attitude to fly with a seasoned security executive, said Taylor.

Any security system you're selling to a well-run security department needs to produce metrics. As Taylor said during the keynote, "If I can't measure it, then I'm not buying it." Some of the metrics that Taylor looks at daily include metrics on compliance with regulatory issues, but he says he is also measuring response time tests for the company's emergency notification systems. As mentioned before in regards to travel security, Taylor said the company measures how effective his department is in locating employees quickly in the case of an emergency (the recent landing of a U.S. Airways flight in the Hudson River was cited as an example). He is also routinely measuring the "standard" items, like his budget, security staff headcounts, security incidents and incident trends.

Employee security awareness is vital to an organization's overall security posture. Taylor helps facilitate security briefings with employees. He has put into place a method through which General Electric employees can report security concerns, and he makes sure his department responds to those concerns in a timely manner.

The CSO should do a briefing to senior management on a regular basis. For Taylor this involves a monthly briefing where he reports to the company on new concerns and threat vectors.