Sure, most of our facilities are very large and very integrated. We have deep water ports, for example, so we have MTSA-regulated facilities. We have a transportation network where we own railroads, so we’re regulated by the Railroad Security Act. We’re mandated under the same regulatory environment that any other critical manufacturer would be. We produce our own power in many cases, we treat our own water, so all of that regulatory space and we would be under that same umbrella.
How has the security landscape changed in your industry over the last 10 years?
I think there are two paradigm shifts. First, 9/11 changed all of our worlds. I would like to tell you that security was paramount in everyone’s thinking before 9/11, but the reality is it wasn’t. I think it put an emphasis on protecting assets that was never there before. It’s unfortunate that it took one, horrific tragedy to make that happen, but it did happen and everybody’s paradigm shifted. Even in Fortune 500 companies you had to take security a little more seriously than you always did. I think the second one still has to be cyber. There are a large number of security departments, not unlike mine, where their primary mission space was gates, guards and guns as we like to call it -access control, intelligence, investigations, and guards, the normal suite or tool kit that would be in a security manager’s toolbox. Cyber changed all of that. I think more of us as chief security officers are having to learn more about IT than we ever imagined and trying to be good stewards of our company networks and trying to be defensive and be offensive when it’s necessary to do that, so I think cyber has changed things dramatically in the last 10 years as well. The biggest cyber security problem we had prior to 9/11 was worrying about Y2K and the occasional gifted hacker in his basement who was trying to get into your network. It’s a much more sophisticated threat vector now and it has changed our landscape completely.
What are some of the primary security technologies that you rely upon?
We’re pretty layered. We have a very robust CCTV system across the enterprise that’s now all-digital and we use it. While I’m careful to point out that cameras should never replace guards, it is a force multiplier and we do use it. We have a significant amount of system space we use defensively in the cyber world. We have a very robust access control network linked to multiple screenings platforms.
Which is a bigger concern to you, terrorism or employee misconduct?
Terrorism, without question. You always have to be concerned about insider threats because we have so many visitors and contractors in our facilities that we just don’t control. We vet them thoroughly, but the threat from outside is more prominent and more dominant than from the inside.
What does the future hold for security in your industry?
I typically answer that with the world’s not getting any safer. The cyber threat vector is going to continue to develop and it’s going to continue to intensify. The defensive posture we’ve taken is going to have to be escalated. It goes back to the old story of you build an eight-foot fence and somebody buys a 10-foot ladder. We’re going to have to keep building higher fences in the cyber world and hopefully, at some point, it becomes cost-prohibitive or too irritating for somebody to build a bigger ladder to get over it, but I think we’re going to continue to see a push towards more integration, which we support. Having enterprise-wide solutions instead of client-specific or location-specific security, which is the model we follow and we believe in, I think that is probably the next evolution. Cyber is just out in front on everything. You spend a significant amount of time, energy, money and resources in the cyber world now. The danger is you can sometimes forget about your physical security commitments when you’re worried about cyber every day and I think it’s trying to find that balance that’s going to be important over the next 10 years.