CSOs across a variety of industries, including steel manufacturers, are having to learn to deal with the ever increasing threat of cyber attacks.
Photo credit: (Photo courtesy U.S. Steel Corporation)
Richard Douglas is general manager of corporate security and fire protection for United States Steel Corporation.
As more industrial systems and proprietary data have been brought onto the corporate network in recent years, the role of the modern day security executive has also changed. Not only are security managers responsible for the safety of the people and physical assets of their company, many of them have also been entrusted with warding off the numerous threats that face organizations from cyberspace.
While cyber concerns and the potential for breaches has come to dominate the threat landscape, security executives have had to try and strike a balance between safeguarding both physical and IT operations.
Richard Douglas, general manager of corporate security and fire protection for United States Steel Corporation, knows firsthand what it’s like to make this transition from just having physical protection duties to also being tasked with IT security. In this “At the Frontline” interview, Douglas discusses the evolution of his role as a security manager for one of the largest steel manufacturers in the world.
How did you get your start in security?
I started as a college intern with U.S. Steel working part-time. I actually started as a uniformed officer walking rounds in one of our abandoned mills in Gary, Indiana, and just got lucky. I was a criminal justice major at Indiana University at the time, and U.S. Steel was hiring part-time people, and I came to work here part-time. U.S. Steel has provided me an amazing level of support and opportunity.
What are your day-to-day responsibilities?
I’m responsible for the management of the security functions for all of our operations globally, so the typical gates, guards, etc. I’m also responsible for the protection of our expatriates who are living abroad. I’m responsible for the investigative and intelligence functions, cyber security, emergency response and fire protection.
How big of a geographic footprint do you have to manage?
It’s reasonably large. We have 38,000 employees all over the planet now. We’re primarily in the U.S., but we do have operations in eastern Europe and joint ventures in Mexico and Brazil. We have an office in China, so we have a nice-sized international footprint.
What are some of the biggest security challenges you face as a security director for a steel manufacturer?
Well, I think there are a couple. Obviously, cyber is on everybody’s forefront right now. Steel isn’t the rusty old industry that people think it is. It’s pretty cutting-edge now. Most large companies like ours have robust research efforts, and lots of bad people like to steal that information, so cyber is probably first and foremost. I think the other thing that’s difficult for us is integration. We have a significant number of legacy systems here, and trying to get each plant to talk to each other and communicate with each other, even across the access control spectrum, is tough, especially when you’re a 100-plus-year-old industry. It can be hard to get everything integrated in a functional and meaningful way. Cyber is probably our most significant threat vector now, just like everybody else.
What are your thoughts on a potential executive order being issued for critical infrastructure cyber security?
It’s difficult to say until you see exactly what they write. Trying to regulate the Internet and cyber security is going to be tough. I do think that critical infrastructure has an obligation, first and foremost, to protect themselves and, secondly, to do the best they can to work with our partners in the public sector to protect the nation when we can provide valuable information to do that. I’m not sure that really works in a regulatory environment. You can’t point at one thing and say “regulate it.” You can’t point at one thing and say “do X, Y and Z.” You just can’t do it, especially when the speed of government is significantly slower than the speed of data and information, especially in cyberspace. I don’t know how they’re going to regulate and manage to keep up. How do you enforce it? How do you decide what is critical infrastructure? I think it’s one of those cases where if you are part of a critical infrastructure network you know it, but if you’re not and regulation gets you there, how do you become as skilled and talented and as informed as people who have been doing it for the last 15 years in that post-9/11 space?
As a manufacturer of steel, are there any local or federal security requirements that you have to follow?
Sure, most of our facilities are very large and very integrated. We have deep water ports, for example, so we have MTSA-regulated facilities. We have a transportation network where we own railroads, so we’re regulated by the Railroad Security Act. We’re mandated under the same regulatory environment that any other critical manufacturer would be. We produce our own power in many cases, we treat our own water, so all of that regulatory space applies, and we would be under that same umbrella.
How has the security landscape changed in your industry over the last 10 years?
I think there are two paradigm shifts. First, 9/11 changed all of our worlds. I would like to tell you that security was paramount in everyone’s thinking before 9/11, but the reality is it wasn’t. I think it put an emphasis on protecting assets that was never there before. It’s unfortunate that it took one horrific tragedy to make that happen, but it did happen and everybody’s paradigm shifted. Even in Fortune 500 companies you had to take security a little more seriously than you always did. I think the second one still has to be cyber. There are a large number of security departments, not unlike mine, where their primary mission space was “gates, guards and guns,” as we like to call it: access control, intelligence, investigations, and guards, the normal suite or tool kit that would be in a security manager’s toolbox. Cyber changed all of that. I think more of us as chief security officers are having to learn more about IT than we ever imagined, trying to be good stewards of our company networks and trying to be defensive, and be offensive when it’s necessary to do that, so I think cyber has changed things dramatically in the last 10 years as well. The biggest cyber security problem we had prior to 9/11 was worrying about Y2K and the occasional gifted hacker in his basement who was trying to get into your network. It’s a much more sophisticated threat vector now, and it has changed our landscape completely.
What are some of the primary security technologies that you rely upon?
We’re pretty layered. We have a very robust CCTV system across the enterprise that’s now all-digital, and we use it. While I’m careful to point out that cameras should never replace guards, it is a force multiplier and we do use it. We have a significant amount of system space we use defensively in the cyber world. We have a very robust access control network linked to multiple screening platforms.
Which is a bigger concern to you, terrorism or employee misconduct?
Terrorism, without question. You always have to be concerned about insider threats because we have so many visitors and contractors in our facilities that we just don’t control. We vet them thoroughly, but the threat from outside is more prominent and more dominant than from the inside.
What does the future hold for security in your industry?
I typically answer that with “the world’s not getting any safer.” The cyber threat vector is going to continue to develop, and it’s going to continue to intensify. The defensive posture we’ve taken is going to have to be escalated. It goes back to the old story: you build an eight-foot fence and somebody buys a 10-foot ladder. We’re going to have to keep building higher fences in the cyber world and hopefully, at some point, it becomes cost-prohibitive or too irritating for somebody to build a bigger ladder to get over it. But I think we’re going to continue to see a push towards more integration, which we support. Having enterprise-wide solutions instead of client-specific or location-specific security, which is the model we follow and we believe in, I think that is probably the next evolution. Cyber is just out in front on everything. You spend a significant amount of time, energy, money and resources in the cyber world now. The danger is you can sometimes forget about your physical security commitments when you’re worried about cyber every day, and I think it’s trying to find that balance that’s going to be important over the next 10 years.