An Investment in Risk Management

June 7, 2016
An enterprise risk roadmap is essential to corporate security at Principal

There is no denying there have been paradigm shifts in how organizations perceive the role of security and how they assess and mitigate that perceived risk. For many, this new dynamic appears to be a recent development; however, for veteran security executives like Sandra M. Cowie, Principal’s Director of Global Security and Business Continuity, building a comprehensive security program that is balanced and aligned with the business values of her organization has been standard operating procedure for more than two decades.

Principal helps people and companies around the world build, protect and advance their financial well-being through retirement, insurance, and asset management solutions that fit their lives. Our employees are passionate about helping clients of all income and portfolio sizes achieve their goals – offering innovative ideas, investment expertise, and real-life solutions to make financial progress possible.

Cowie oversees site and personnel security/safety and has global business continuity responsibility for the company, including investigations, access control and physical security planning, executive protection, intelligence, emergency management and two global security emergency response centers. Yet, her ascent to the lead security position at Principal was unique for two reasons — one, she became among the few women security directors at a Fortune 500 company; and two, Cowie did not have a traditional security background. She began her career at the company spending more than 10 years in the Retirement and Income Solutions division managing pension plans and leading teams who managed plans. She moved into the security management position in 1993.

“One of the first realities for me was the importance and relevance of transferable skills,” she says. “If you are a leader in one area of the company and know the company well, you can make that leap. I understood pretty quickly that working in the pension area and retirement investment services areas, the fundamental elements of leadership are essentially the same — you have strategic skills in communications, brand awareness, relationship building, company knowledge and the ability to deliver a value proposition.

“With a finance management background it was not that much different, so that took away a lot of my apprehension; and my boss at the time was way ahead of the curve because he saw that it is a different technical area of focus,” Cowie continues, remembering that at the time the security department was very tactical. “It was typical hard security, heavy with guards, gates and greetings.”

Cowie says that management’s goal was to get security aligned and integrated with the organizational strategy so that it became a component of the organization instead of a tactical overhead function. It had previously been run more as a police department rather than an executive department. “Our initial goal was to make sure we could deliver a value proposition and that we were risk and strategy-based and not a tactical and reactive group,” she says.

The Marriage of Business and Security

Integrating the business function into the security risk picture has been fundamental to the department’s success and helped Cowie’s group grow in relevance. In the months following Cowie’s assuming a security role, the immediate focus became building the business value of the department, as well as her immersion in the industry.

Cowie’s upper management reassured her that having come from a business unit, understanding the alignment concept transition would be quick. They gave her a couple of pieces of advice:

  • Learn the technical aspects of the job; and
  • Surround yourself with talented people who will provide good advice.

Unfortunately for Cowie, the script went awry on her very first day as the new security director. “The reality of the job came on the first day I’m unpacking my office — my boss called and said you need to come over right away (because) there is a significant security issue we need to address,” she says. “All I could think of was it sure is a pretty steep learning curve while still trying to get your legs under you. I learned quickly that you don’t always have the luxury of time when things occur.”

Roadmap to Success

Cowie’s business background and understanding of the corporate culture encouraged a holistic approach to managing risk and implementing security systems and protocols — which quickly became a fundamental building block. Creating an all-encompassing roadmap that could be definable and measurable was the prime objective for Cowie and her management staff.

While she admitted it might sound somewhat elementary on the surface, it is a piece many departments miss. “We had a very formalized and strategic planning process from the beginning and we have held fast to it, doing it every year,” Cowie explains. “We have a process of dissecting and understanding our environment, doing critical analysis of where those gaps are so we can meet the challenges. We are in the risk business as an organization, so being able to articulate risk to key stakeholders and senior management here is critical. Being a financial company, they understand risk, so you can speak their language.”

Identifying the foundational elements of a proactive security and risk department, then applying a holistic risk-based model and standards has made Principal’s process one to emulate, says Jim Ellis, Assistant Director – Site Security, one of the key architects working with Cowie over the past 11 years. Ellis is responsible for the establishment, implementation and management of a fully integrated, worldwide technical physical security program for the global organization, along with providing technical expertise for the establishment of physical security standards.

“We’ve developed a great relationship with our computer support, information technology, information security, network and storage teams over the years, to the point that they holistically understand what we need from a technology and support perspective — and we understand what they need from us in terms of requesting resources, documenting requirements, and following company policies on application use and network configuration,” Ellis says. “We’re very proactive with having our systems stress tested in a variety of ways to ensure security and reliability.” 

Integrating Technologies

Ellis explains that they were already migrating into the technology arena with 20 applications unique to their department — moving to network-based card access controllers and appointing an in-house support person who had come up through the department. They were becoming IT proficient to help support their big push into network-based devices with a camera upgrade.

“Our project management resources did a great job of planning with us and taking what we thought we wanted (such as a physically separate or segmented network, redundant paths, and power) and translating them into requirements that the IT folks then reviewed with us and assured us they could provide,” Ellis says. “Now that the company is looking much harder at network segmentation as a best practice, it is nice to know that we were a little ahead of the game in that regard — we already knew that was a beneficial design requirement.”

Ellis adds that the IT team looked at all of the system applications holistically and tested them within the network to make sure they were as secure as possible before the team moved on to the task of migrating to a new application for recording the system’s cameras. This became the roadmap not only for the organization’s system design but for the later migration to increase levels of support, redundancy and upgrades of all the company’s global systems. 

“Years earlier, we learned that we needed redundant storage, so there were some elements that IT already knew we wanted, and they had already designed into the architecture for this new system,” Ellis explains.

The company upgraded more than 300 analog cameras to IP network cameras using encoders and then upgraded to IP cameras six months later. Last year, they were able to migrate the few remaining analog cameras to IP in areas where no infrastructure exists, using fiber and IP over fiber encoders.

Cowie cites security vendor consolidation as a positive for a company the size of Principal because it makes it easier to execute more effective standardization of systems and technology throughout the world. “I think that some of our security vendors are still struggling with being truly global, and they operate in a silo,” she says. “Wherever possible, we do attempt to leverage the arrangements and relationships we already have. We try to use standard products, standard installation and design protocols.”

Taking these steps helps the security team successfully stay current with its systems. “We have a couple of major elements that allow us to have a holistic risk methodology related to our technology implementation,” Cowie says. “One of the more important elements is our global standardization program that outlines the various elements of site and personnel security.”

Extending the Security Model

This holistic model of security and risk extends to the company’s strategic growth into global markets in South America and the Pacific Rim. This is where Cowie, Ellis and Assistant Director – Personnel Security Pete Lowell quickly realized that in order to have the infrastructure in place for a successful global security organization, they needed to integrate both technology and human resources in that infrastructure to best serve the needs of all domestic and international employees, clients and staff.

It was determined that the most practical infrastructure model would split out site security and personnel security as its two major components. “We took the holistic view that if a function of the Global Security department related to security of buildings — ‘brick and mortar’ — it should fall into the area of site security,” Lowell explains, adding that site security would include electronic systems like access control, locks, CCTV and security officer operations. 

“If the function related to the security of people, then it would strategically fall into the area of personnel security,” says Lowell, who adds that the functional organizational infrastructure would include the intelligence section, investigations, executive protection, corporate safety, and the two 24x7 Global Security Operations Centers (GSOCs). 

“In the personnel section, which is my area of responsibility, I have two intelligence analysts, an investigator, and a lead who manages the safety program and the GSOCs — which have a mixture of proprietary and contract emergency communications specialists,” Lowell concludes.

Fundamentally, the program’s global platform concept is standardized. It has a risk assessment methodology to identify the risk level of each domestic and international office. Staff then design a corresponding physical security plan using various risk assessment components to address each unique threat. Using tools like CAP Index scores helps fine-tune risk levels and mitigation responses.

“The technical execution may vary based on the technology available in the respective countries, but quite honestly, I think we are doing a better job as an industry to address the compatibility and distribution issues,” Cowie says.

It is a broad global view of the business and the potential threats it faces that drives Cowie’s department’s mission. Having the knowledge that the mantra of security and risk mitigation is understood and woven into the fabric of their company’s culture certainly has earned the confidence of her C-Suite colleagues.

“To have an enterprise-wide view and management approach to risk in these operational areas, you have to have an enterprise program. You can’t operate in a silo,” Cowie says. “We started focusing on U.S. operations and then expanded outside the country. There are still challenges given the complexities of the languages, the cultures, and overall operations.”

Those challenges include incident reporting and executive protection, along with leveraging boots-on-the-ground resources in the countries in which they operate. “We have a centralized security model, but we understand the value of having subject matter experts in the various countries and have built a network of trusted resources in those countries to complement our internal security and risk expertise,” Cowie says.

The company added an intelligence operations group four years ago to help protect people and assets around the globe, which is unusual for most corporate organizations. The intelligence analysts focus on brand protection, protecting production operations, and traveler security, working in conjunction with the GSOCs.

Cowie is emphatic about the importance of the GSOCs to her overall risk strategy. “They really are the eyes and ears of the organization and in reality are the only place in our company where employees can call in 24/7 for help and assistance,” she says. “I’m so proud of that operation because of the scope and magnitude of what they do and the impact they have. They are the first trigger to report to any response team within our organization as well as managing incidents on a daily basis before they ever reach a critical level. This group is so skilled at looking at intelligence, then analyzing and mitigating the threat.”

A Team Effort

The establishment of a company-wide enterprise risk model and the consistent engagement with senior leadership by Cowie and her management staff fosters a sense of ownership and trust. “As the board gets more insight into the various risk areas at a higher level, it really has given our risk approach fuel and more visibility throughout the organization,” she says. “But we also enjoy a great partnership with our IT and IS departments, who maintain a global and collaborative perspective on technology in the organization as well as understanding our business needs.”

The company’s IT staff will often accompany the security team at conferences like ASIS. “They go to meet with our vendors so they can hear our business needs and to see what the technology vendors have to offer,” Cowie explains. “It is a great business model that leads to a solid execution of technology.”

For Ellis, this is all part of being tuned into the organization’s corporate culture and ensuring buy-in for department policy, procedure, and capital expenditures. Principal’s security department created and administrates a Global Security Council, which includes participation from all the business units.

“Together, we identify strategic risks and concerns and review them for consideration and direction,” Ellis says. “Once we get the buy-in from senior leadership, we implement and communicate the strategies. Our Brand Center and Employee Communications help us consider changes and communicate them out company-wide.”

Lowell adds that one of the biggest tasks is to “sell” the security department’s services to the operating business units in the corporation and to show them that his group is a “value-added resource.” They continually stress that security can assist the business units in providing solutions for their security problems, thus relieving their stress and enabling the business unit to focus on the task at hand.

“We emphasize that we will handle security issues so that they can concentrate on making money for the company and that we truly want to partner with them in a collaborative effort to have an efficient, secure and safe operation,” Lowell says. “This approach has not only served us well in our domestic locations, but we are in the process of rolling this out to our two international divisions, Principal International (PI) and Principal Global Investors (PGI).”

A Solid Foundation

The complexities of protecting a global corporate organization are immense, and Cowie and her management team certainly appreciate the gravity of their task. They agree that over the years the basics of running a cohesive department remain fairly consistent. “The foundational things have stayed constant, but things within them have changed,” Cowie explains. “The focus and the priorities have evolved. I think that you have to occasionally take a step back and take your temperature to honestly assess where you are at and where you need to go so you can continue to meet the needs of the organization.”

Still, telling her team’s story continues to be important for Cowie. “You have to be able to relate your business case, your value proposition, the importance of enterprise-wide risk management, along with being a prudent financial steward,” she concludes. “We are in the risk mitigation business, not the risk elimination business, so you have to make sure you are not only managing your organization’s risk but their expectations.”

About the Author:

Steve Lasky is a 30-year veteran of the security industry and is the editorial director of SouthComm Security Media, which includes Security Technology Executive magazine and SecurityInfoWatch.com. He is also the conference director for Secured Cities, the only public/private partnership public safety conference in the country. www.securedcities.com.