No Size Fits All

April 22, 2009
Mike Howard, General Manager of Global Security for Microsoft, discusses the challenges of securing a huge corporate campus

Corporate campus security is often considered a no-brainer. Some access control, some cameras, maybe some CPTED and a guard force. Some CSOs delegate it entirely to their directors and managers and focus instead on more complicated business issues. But corporate campus security is not one-size-fits-all. Campus size, location and demographics, as well as business sector, facility type and risk factors of nearby businesses and landmarks, are all integral parts of an effective and appropriate corporate campus security plan. And security executives should also inject into its design their in-depth understanding of the company and its culture.

Two members of the Security Executive Council recently discussed with us their corporate campus security plans and goals. In some ways, their campuses are similar, and in others vastly different. But where they share some goals, each has chosen a unique path to enable the best protection of corporate executives, assets, personnel and intellectual property.

Microsoft: Security Under the Radar

It’s fitting that one of the world’s largest software companies would make its home base one of the world’s largest corporate campuses. With more than 130 buildings spread over more than 15 million square feet centered around Highway 520 in Redmond, Wash., Microsoft’s headquarters campus looks imposing on paper. But Redmond’s natural beauty — the Cascade Mountains on one side and the Puget Sound on the other — is enhanced on campus by long, tree-lined walks, garden landscaping, a lake, open lawns and sports fields.

This park-like ambiance is, of course, all by design. Microsoft prides itself on maintaining a creative, relaxed atmosphere to energize its employees. While in some ways the campus acts as its own small garden city, with its own museum, filming studios, dry cleaning, convenience store and more, it is also woven into the fabric of Redmond and surrounding businesses. Public streets run through and across campus, and at least one other large business has a facility on Microsoft grounds.

In all this openness, Mike Howard, General Manager of Global Security, has carved out a role for security that honors the company’s creative, casual culture while protecting the people and assets that make up one of the most recognized brands in the world.

“We’ve grown,” Howard says. “When I got here (in 2002) we had 20,000 employees in the Puget Sound region, and we’ve more than doubled that and doubled the square footage,” he says. The sheer size of the campus makes it impossible to rely on a guard force to monitor all events, and the corporate culture would suffer if the guard presence blanketed the campus. Since the campus lies along public roads, there are no perimeter gates or checkpoints. Whoever wants to come on campus can do so, and this can present a problem.

“We work to keep it low-key here and around the world, but because the Microsoft name has such a high international profile, we get a lot of people trying to contact our employees at all levels looking for monetary support for causes, and they may get angry if we don’t provide that support,” Howard adds.

While Security deploys roving guards in white vehicles with Microsoft Security labels, they have chosen to focus on leveraging technology to provide a presence that the guard force alone cannot. “You may spend a day at Microsoft and not be aware of security guards,” Howard says, “but that doesn’t mean Security hasn’t noticed you. We’ve deployed hundreds of digital cameras and recorders around campus to give us more eyes and ears on the scene and to be able to respond to suspicious activity. All our buildings are card-accessed and monitored by cameras.”

The data from these systems flows into Microsoft’s Global Security Operations Center (GSOC), which provides event-based monitoring of cameras and access control events, streamlines dispatch and enables seamless emergency response and continuity. The Redmond GSOC is one of three that together monitor more than 375 Microsoft facilities worldwide. The event-based methodology is critical to keeping manpower needs low.

A strong, positive relationship with the local police acts as a force multiplier. “We’ve carved out a space for law enforcement so they can come by anytime to use the operations center or to sync with our guard force supervisors,” Howard says. “We encourage police to rove around as part of their usual duty, so that gives security an additional presence.”

Howard also emphasizes the importance of employee buy-in to security requirements. “Over the last three years, we’ve made a big push on security education and awareness,” he says. “And we’ve noticed that the behavior of our employees has really changed. Employees will now challenge someone tailgating behind them through an access point.” Success in such training not only enhances security but empowers employees, which plays right into the culture that Microsoft and Howard work so hard to foster.

Cardinal Health: Careful Control on Open Grounds

The greater Columbus, Ohio, area has become a nesting place for several U.S. companies, including Wendy’s, Limited Brands, Ashland Inc., and Nationwide. But a slightly less recognizable name — Cardinal Health — is actually the largest company in Ohio based on annual revenues of more than $91 billion.

Cardinal Health’s more than 60-acre corporate campus sits in Dublin, on the border of Interstate 270, the outer belt that runs around Columbus. Two large buildings totaling approximately 600,000 square feet house the global headquarters’ 2,600 employees.

Cardinal Health is a two-pronged business. On one hand, it is a manufacturer of clinical and medical devices, including IV pumps, automated medication dispensing equipment, patient identification systems, ventilators, gloves and gowns. The other side of the business is healthcare supply chain services, providing pharmaceutical and medical product distribution to retail pharmacies, hospitals, physician offices and surgeries. The company states that one-third of all distributed pharmaceutical, laboratory and medical products flow through the Cardinal Health supply chain.

Corporate headquarters does not face the same challenges as Cardinal Health’s distribution centers and manufacturing facilities, says Greg Halvacs, the company’s CSO. “Although our number-one priority is safeguarding our employees, our mission is a little different in that we focus more of our attention at headquarters on intellectual property, customer information and privacy matters.

Halvacs notes that one of the senior management once told him that headquarters felt like Fort Knox. Halvacs replied, “If that’s your perception, that’s great.” While an open and friendly campus environment is important to Cardinal Health, it’s equally important that employees, executives and visitors recognize a strong security presence. “We pride ourselves on the fact that we are customer service-oriented, yet we can address any security-related issue that may arise,” Halvacs says.

Cardinal Health’s campus isn’t surrounded by fences, but the highway and the also-bordering Emerald Parkway provide a sort of natural barrier. All facility entrances are carefully controlled, Halvacs notes.

“We have cameras and a control center,” Halvacs says, “and we also have electronic turnstiles that require everyone entering through the lobby to card-in. This means everyone in the facility has to be authorized before they are granted access. On many campuses, you’re allowed to walk up and show a badge to a guard or receptionist, but how can they know if that badge is activated or even authentic? With turnstiles, we have positive ID of everyone coming into our space through a central point.”

In addition, Halvacs says, “no one can drive onto the property without being greeted by a security officer.” There are guard gates at all vehicle entrances, and visitors must sign in and head to the main lobby, where they are entered into a visitor system and greeted by an escort before being allowed into the facility.

The Cardinal Health security officers have a soft but professional look that is designed to blend well into the corporate culture. Security officers are provided a mix-and-match wardrobe — sweater vest, polo, long-sleeve shirt — that gives them the authority and continuity of the Security logo without the hard appearance of uniforms.

But more important than their appearance is their training. “Our officers are full-time firefighters and part-time security officers,” Halvacs says. “I like this model, because the majority of our issues are safety-related events. As in any large and heavily populated location, trips and slip-and-falls all are possible events.”

Staffing security officers with life-safety training bolsters a perception that officers are present not only to deter crime, but to positively assist employees and visitors, helping to maintain the open security balance. “A clear indication that the system works is the fact that I receive thank you e-mails and letters monthly from our employees saying that one of our officers went above and beyond the call of duty to help them, which is a great feeling,” Halvacs says.

Shifting Concerns from Sector to Sector

When a security executive leaves one company to take a new role in another, he or she must learn the mission, goals and culture of the new company in order to appropriately secure its corporate campus. Transitions between business sectors require even more forethought.

Do not be fooled into thinking that corporate campus security concerns will be the same across sectors. While it is true that executives are not often housed with manufacturing, infrastructure or high-risk operational functions, the business of the company will still impact the risks the corporate campus will face. The fact that a chemical company’s global headquarters does not handle hazardous material on site does not mean that eco-terrorists will not target that facility. The fact that a health insurance company does not manage claims at corporate headquarters will not discourage a disgruntled policyholder from threatening damage to corporate offices.

Work with local law enforcement and federal agencies where possible to keep current on the threats to your sector and to your brand, because the name on your building may be the only incentive a criminal needs.

Marleah Blades is senior editor for the Security Executive Council (SEC). Prior to joining the SEC she served for six years as managing editor of Security Technology & Design magazine. The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. For more information, visit www.securityexecutivecouncil.com/?sourceCode=std.