Business is built on relationships, so security at Raytheon uses relationships to maximize results. At Raytheon, security professionals are “embedded” in various product lines and functions in the company. They serve as business partners to those parts of the business and build relationships and rapport that help accomplish the security mission.
Charlow manages 320 security employees in the organization. Every aspect of the operation is interdependent, so overall success is based on each individual’s contribution. Evaluations are not limited to managing a certain niche but on a stake in the entire organization. Such an interwoven environment requires collaboration for success.
Training is ubiquitous and geared to the needs of each employee. Raytheon, like other large companies, has many employees; they may be audio learners or visual learners, have a GED and plenty of practical skills or be a Ph.D.-level scientist. The diversity of employees requires the training approach to be specific to the learning style of the employee. “Sometimes the folks in the trenches don’t realize that what they do can have a big impact,” Charlow says. “Employees must perform on every level for the business to be effective. Sometimes employees don’t see the bigger picture, so it’s important that the company’s leaders help employees make the connection.”
The Role of Metrics
Being alert and analyzing business systems and metrics provides ongoing feedback about the operation of security. Looking at spikes in violations reports, for example, can aid Charlow’s understanding of underlying factors. The information provides an ongoing “near real-time” picture of security success. “We work with business teams in partnership to cover those graphs and look at the output of business metrics, measures and data,” Charlow explains.
Integrating appropriate metrics and measures into the “cadence” of the business is another way to make security a fundamental part of what the company does. Raytheon uses monitors (four full-time equivalent employees) whose job is to oversee any factors related to Raytheon and compliance with factors laid out by the National Industrial Security Program Operating Manual. The monitors travel to Raytheon operations across the United States and around the world and drive commonality in each the organization’s facilities.
The ongoing monitoring program is one source of security metrics and data that guide decision-making. Others are incident reports by employees or reports from security officers on patrol. All the data is rolled into databases specific to IT systems, closed areas, violations, containers, etc. The information is reported to Raytheon’s internal software system and to a Perspective incident management system from PPM 2000 (www.securityinfowatch.com/10214679).
An online scorecard and visual display provide metrics information by process and product line, focusing on the performance of each group.
Fundamental security elements are assessed based on the National Industrial Security Program Operating Manual, which establishes the standard procedures and requirements for all government contractors regarding classified information, and on Raytheon’s enterprise standards and policies.
The internal software sends automated notices to affected persons specifying what corrective action must be taken, confirming when the action is taken and routing the response to management to validate that the fix is correct. “We know what the problem is, and we know how to direct our resources to intervene, and we initiate corrective action almost immediately when we see trends that we don’t want.” Charlow explains.
Embracing Six Sigma
Raytheon embraces philosophical elements of the Six Sigma process, a business management strategy originally developed by Motorola and used commonly in manufacturing. Six Sigma seeks to improve the quality of processes by identifying and removing the causes of defects (errors) and minimizing variability in business processes. “The Six Sigma elements are at the core of our success — it is in the company’s DNA,” Charlow says. “It’s about making sure that when we correct a problem, the corrective action is sustainable. We make sure every process we put in place can adapt as the business changes.”