When the famous Chicago bank robber Willie Sutton was asked why he robbed banks, he simply replied, “That’s where the money is.” While that’s still true, the security director of a financial center now has to protect much more than just the cash, particularly due to the continuing trend towards a consolidated and converged security model. In this article we will consider one financial center that went outside the box to develop an efficient, creative, and cost-effective set of security solutions.
A Complex Institution
Our case study involves a financial center in Washington State with multiple tenant companies that serve customers in various ways and work under different business models. These companies, although separate corporate entities, share a common founder and consider themselves an alliance of firms.
The primary facility incorporates approximately 185,000 square feet of usable space. The building houses a bank branch, an insurance company lobby and a separate credit union lobby on its ground level. Each of these companies also does business in a number of additional branches and field offices around the state. Some of these offices are substantial in size. One 22,200-square-foot facility houses a large insurance operation and a bank branch, and another office of 84,030 square feet houses a credit union lobby and an insurance operation.
Each of these companies does business only in Washington State. The companies have some shared customers, but most of the customers have independent business dealings with only one of the allied companies. The insurance company—the largest company both in size and financial strength—owns the real estate.
In effect, all forms of security are handled for the insurance company by the CSO. Each of the tenants decides whether to provide its own security or to contract all or part of it to third parties. In some cases, the tenants contract out to the insurance company for security services.
This financial center had an established security program in place in 2001. The main building had a security guard station and a CCTV program to monitor the perimeter. A well established information security structure used a variety of products and techniques to protect the information in the network.
But 9/11 caused executive management to conduct a review of their existing program. We’ll examine their review and the ways the CSO addressed their newly discovered vulnerabilities.
Know the Risks
First, each company needed to conduct its own risk assessment to determine its needs. Each firm considered the level of security expertise available within its own resources. The insurance company had experienced staff with expertise in many aspects of security, including physical security, information security, safety management and contingency planning. The other companies had various levels of expertise in physical security, some background in information security, adequate background in contingency planning, and almost no background in safety management.
Determining Each Firm’s Needs
The firms made a number of decisions based on the results of their risk assessments.
The bank decided to continue to contract with an independent third-party vendor for lobby and branch security. The contract included the typical set of bank branch security controls—CCTV, teller alarms, bait money, dye packs, suspicion buttons to take snapshots of customers of concern, and monitored burglar alarms to protect the vault and cash. The bank would rely on the insurance company’s security staff to provide external monitoring of the premises, in particular an external ATM machine, and for building access controls. The credit union would contract with the insurance company’s security department for all of its security program elements, both for its main office and for a secondary branch.