Unisys' Director of Corporate Security Eileen Wieber is an ISMA member, and a security director for Fortune 1000-level corporation. She's currently facing issues of crisis management in our challenging times, and working on creating enterprise-wide security for the company. She recently shared her thoughts on security with SecurityInfoWatch.com as part of a new series, At the Frontline, that interviews senior level security directors.
SIW: Budgets for corporate security programs are often seen as a cost center rather than an investment. How do you balance spending on security with showing a return on investment to your company executives?
Wieber: The true balance that I see is cost versus risk, or risk management. With each expenditure on security-related assets, whether they are people or equipment, we must always weigh the cost of the asset versus the risk of not making the expenditure. I believe that's where security professionals can truly add value, with their ability to effectively make that assessment. In my opinion, security will always be considered a cost center to some degree, until a major incident occurs internally that affects the company. We have been able to show some ROI in utilizing technology versus labor costs. As technology becomes more prevalent in the security world, we certainly can calculate some ROI, but basically against labor costs.
SIW: What are some tips you've learned over the years about proving value of security investments to corporate executives?
Wieber: Some have used the formalization and standardization of our security and safety programs to realize reductions in our insurance premiums. It's difficult to "prove" anything as far as value. We have been able to show the value of security investments as it may affect the bottom line in dollars, such as insurance, business continuity and emergency preparedness. Other things are difficult to prove the value of until an incident occurs, and then we can say we're glad we made that investment.
SIW: You're currently beginning work on a series for Security Technology & Design magazine about women in the security industry. Can you provide us a glimpse into your own experiences as a woman in a top security position?
Wieber: I have tried to pride myself on the fact I do not attempt to distinguish myself from any other security professionals or peers. I don't feel that is appropriate to do so under any circumstances, professionally speaking. However, there are those special moments when proving you can do the job may be more challenging than a male counterpart might experience. Most of my peers, who are often men, are very respectful and do not make much distinctions. The challenge at times may be from management, which may have a preconceived notion of what a security professional should be -- maybe male, maybe a prior law enforcement or government agency employee. As a result, besides gender, there are peers of mine who may experience similar challenges because they may not have a law enforcement background. Perception is reality, and our profession is no different from any other.
My job is about being able to think on my feet and making the right decision in a split second. It's about earning the respect of my peers and co-workers. It's about being proactive, planning, ad being able to create policies and procedures.
When the day is done, and whether there exists a difference, either real or perceived, I love what I do and am proud to say I am a part of what I consider a great industry, male or female. There is a tremendous passion one must have for this job, which is what makes it so great to be a part of and which makes my peers so great to work with. Along with the passion for the job, though, there needs to be compassion.
SIW: At Unisys, you're not dealing with a one-location, one-facility type of security program, so what are some of the techniques and processes that your department uses to help ensure the safety of your overseas workers?
Wieber: Today's environment is a very difficult one, to say the least. Our employees are the most important assets we have and we do have a global presence. Having a global presence, we do have staff to assist our employees overseas and we use our local teams to advise and escort employees. We offer travel advisories to all employees globally. Any employee traveling to what is deemed a high-risk area is given both oral and written briefings on the area they are visiting. We also provide things such as emergency evacuation procedures, local contacts, third party emergency response providers, and accommodations for added insurance when required.
SIW: What kind of crisis management plan have you developed, and can you give our readers some pointers or questions to ask when they are developing their own crisis management plans?
Wieber: Crisis management plans are kept very close to the vest, so I'm unable to share details. I believe our plans reflect best business practices in the industry. The plans are always live documents; they are constantly reviewed and updated.
Some things to consider when creating a crisis management plan are the following:
The crisis can be tiered based on pre-determined parameters such as business impact, employee impact, location and size of facility. These things can be scaled and then tiered for appropriate response.
A team needs to be created regionally and/or locally and the team may differ based on the severity of the crisis, or which tier it falls into.
The team should include members from different disciplines within the company in order to have a well-rounded approach to the response. It should include representatives from general counsel, security, facilities, human resources, communications, finance, IT and possibly the operating unit affected. Each discipline will have their roles and responsibilities for the crisis predefined.
It is also suggested that -- on a predetermined basis -- the crisis management team be challenged with a crisis "table-top" exercise to work through so they know how to handle a real crisis, should it ever occur.
We also have created an automated system ? designed inside our company through our IT group -- called FINS, which stands for Facility Incident Notification System. We have created a database for global contacts in the event that we would have an incident at one of our facilities. All 450 facilities are covered under this system with contacts from all the different disciplines in the database specified to each and every facility. If a FINS alert is issued, all the appropriate contacts are simultaneously contacted via a pager or text message to their cell phone, and the team gathers and quickly discusses resolution.
SIW: With 450 facilities and operations to secure, what are you doing to develop an enterprise-wide solution to security?
Wieber: The roll-out of security standards and programs has been risk driven. The ideal situation is to get involved at a new facility from the beginning, including the location selection process. Communication has been the key factor; security directors should be letting management know what standard practices are and where to go to with questions. We cannot communicate enough in this area.
One way we have communicated is by the creation of a security/safety course that all employees will be required to take. It was initially required by employees in a limited number of countries, however, we plan on finishing the global rollout in 2005.
We have also put into place an approval process so that anywhere in the world, if a purchase is made regarding security it will come to my office for approval. This allows for visibility as to what different locations may be attempting to do with their own security. By knowing this, we can then advise them on whether their approach is meeting corporate standards.
We have categorized our sites based on parameters such as geography, business operations, size of facility, etc. and the parameters are scaled to come up with a final rating. The rating determines what minimum security requirements are necessary at that particular facility. All facilities have been rated and the high-risk facilities have been given priority for security audits and assessments. The sites are then audited to determine if they indeed have what is required.
The bottom line is communication, communication, communication. A consistent flow of communication keeps us successful in global management. We have come a long way, but we still have some work to be done.
SIW: What are some of the technologies and products that you've been interested in recently and are starting to implement?
Wieber: A large focus of ours has been to move to an enterprise-level access control system globally utilizing Lenel software. With Lenel we can utilize visitor control, property control, and the system can interface with many other platforms. As our budget allows, we have been converting old locations, and we are installing Lenel software in our new locations and facilities. The long-range goal is to have all locations utilizing one access control system. We eventually will interface this system with our employee database and also our facilities database to assist in space utilization of our facilities. Again, in this area, the cost versus risk factor must come into play. We have to ask, "What is the most economical way of achieving this goal?"
Other technologies are constantly being reviewed. We are currently in a review process for other technologies that may prove to be beneficial.
SIW: Your dealings with the current wave of technology in security must mean that you have to work more closely with IT security staff now. How is convergence handled at Unisys and what kinds of plans do you have for crossover security issues?
Wieber: Being a technology company, the need to have communication between corporate security and IT security was recognized some years ago. The two departments work well together, particularly on those issues that arise where there may be crossover responsibility.
There is also a group that was formed called the Security Advisory Council. This group has representation from any organization that may have any security relationship internally. We have representatives from corporate security, IT security, IT management, general counsel, audit, environmental safety and health, and human resources. In today's environment, this group has been particularly beneficial as there are many issues that reach out beyond what normally would be your typical security department, such as Sarbanes-Oxley compliance and C-TPAT compliance. It has also been helpful with issues surrounding privacy, which is addressed in just about every discipline within the company. The council has also been working on creating an all-encompassing security policy that would oversee all security-related policies, regardless of under which discipline they reside.
SIW: Since your workers are working closely on vital systems of high profile companies or agencies, be that financial institutions, aviation providers or the government, what kind of background check program do you use and how do you implement it in terms of cost and deciding how deep into background research you go?
Wieber: A pre-employment background check program was initiated seven years ago, and has proven to be a successful program. The specifics of the program cannot be discussed, however, we certainly are in compliance with industry best practices. The program has been centralized within the corporate security department, which removes the burden from the field offices to analyze the results and make security-based hiring decisions. The other benefits of centralization are consistency in hiring practices, which minimizes exposure for accusations of negligent hiring practices or EEOC challenges. The costs of doing background checks far outweigh the risk of not doing them. We have seen a positive influence on our workforce since the inception of screening employees.
Clients may require screening procedures that differ from our standard and we always make accommodations for those requirements. Again, we get involved as early as the contractual stage, to assist contracts personnel and advise them on what type of screening should be done for a particular customer.
SIW: Since 9/11, when all major companies had to step back and really think hard about corporate security, what have you seen happen? In talking with colleagues that you meet at industry events, what are you hearing is happening now, three years later, in corporate security?
Wieber: Prior to 9/11, security was viewed as a necessary cost, but not necessarily a value-added organization. The most significant change brought on by 9/11 and the global terrorist threat has been the increased focus on employer's "Duty of Care" requirements for the protection of employees from known or perceived risks. Shortly after 9/11, many companies took a long hard look at their policies and procedures and even may have hired auditors to determine the effectiveness of a security program, given the quickly changing climate globally. I believe the companies that took their time to truly evaluate their programs, and then made decisions on spending, have proven to now have effective programs in place.
