As more industrial systems and proprietary data have been brought onto the corporate network in recent years, the role of the modern day security executive has also changed. Not only are security managers responsible for the safety of the people and physical assets of their company, many of them have also been entrusted with warding off the numerous threats that face organizations from cyberspace.
While cyber concerns and the potential for breaches has come to dominate the threat landscape, security executives have had to try and strike a balance between safeguarding both physical and IT operations.
Richard Douglas, general manager of corporate security and fire protection for United States Steel Corporation, knows firsthand what it’s like to make this transition from just having physical protection duties to also being tasked with IT security. In this “At the Frontline” interview, Douglas discusses the evolution of his role as a security manager for one of the largest steel manufacturers in the world.
How did you get your start in security?
I started as a college intern with U.S. Steel working part-time. I actually started as a uniformed officer walking rounds in one of our abandoned mills in Gary, Indiana, and just got lucky. I was a criminal justice major at Indiana University at the time and U.S. Steel was hiring part-time people and I came to work here part-time. US Steel has provided me an amazing level of support and opportunity.
What are your day-to-day responsibilities?
I’m responsible for the management of the security functions for all of our operations globally, so the typical gates, guards, etc. I’m also responsible for the protection of our expatriates who are living abroad. I’m responsible for the investigative and intelligence functions, cyber security, emergency response and fire protection.
How big is of a geographic footprint do you have to manage?
It’s reasonably large. We have 38,000 employees all over the planet now, we’re primarily in the U.S., but we do have operations in eastern Europe and joint ventures in Mexico and Brazil. We have an office in China, so we have a nice-sized international footprint.
What are some of the biggest security challenges you face as a security director for a steel manufacturer?
Well, I think there are a couple. Obviously, cyber is on everybody’s forefront right now. Steel isn’t the rusty old industry that people think it is. It’s pretty cutting-edge now. Most large companies like ours have robust research efforts and lots of bad people like to steal that information, so cyber is probably first and foremost. I think the other thing that’s difficult for us is integration. We have a significant number of legacy systems here and trying to get each plant to talk to each other and communicate with each other even across the access control spectrum is tough, especially when you’re a 100 plus-year-old industry. It can be hard to get everything integrated in a functional and meaningful way. Cyber is probably our most significant threat vector now just like everybody else.
What are your thoughts on a potential executive order being issued for critical infrastructure cyber security?
It’s difficult to say until you see exactly what they write. Trying to regulate the Internet and cyber security is going to be tough. I do think that critical infrastructure has an obligation first and foremost to protect themselves and secondly, to do the best they can to work with our partners in the public sector to protect the nation when we can provide valuable information to do that. I’m not sure that really works in a regulatory environment. If you can’t point at one thing and say “regulate it.” You can’t point at one thing and say “do X, Y and Z.” You just can’t do it, especially when the speed of government is significantly slower than the speed of data and information, especially in cyberspace. I don’t know how they’re going to regulate and manage to keep up. How do you enforce it? How do you decide what is critical infrastructure? I think it’s one of those cases where if you are part of a critical infrastructure network you know it, but if you’re not and regulation gets you there, how do you become as skilled and talented and as informed as people who have been doing it for the last 15 years in that post 9/11 space.
As a manufacturer of steel, are there any local or federal security requirements that you have to follow?