Canadian Security Magazine

News
Cover Story – Boardroom Confidential

Security as strategic investment: Symcor CSO Louis Duranleau looks for ways to secure the bottom line and help grow the business.

From the outside of the office tower he works in west of Toronto, you’d have little idea that the company Louis Duranleau is responsible for securing is one of the leading financial transaction processing firms in North America.


August 5, 2005
By Jennifer Brown

Symcor’s logo is not splashed across the building and it’s not a
household name, but just about every Canadian who makes a payment or
writes a cheque has had their information pass through the company’s
production centres. Like so many financial organizations, the security
processes behind Symcor’s transactions run deep, and as Chief Security
Officer, Duranleau is responsible for making sure the company’s
operations are protected across the country and as it expands into the
United States.

In the eight years since Symcor was established by three of Canada’s
largest banks — Bank of Montreal Financial Group, Royal Bank Financial
Group and Toronto Dominion Financial Group — Duranleau has been the
company’s CSO.

Symcor processes two billion cheques and 150 million customer payments and
mails more than 400 million customer statements annually. The three
parent banks that launched the company rely on Symcor to research and
process outstanding financial adjustments, as do its other clients.


Duranleau is responsible for the security at Symcor sites in Vancouver,
Calgary, Winnipeg, Toronto and Halifax. There are more than 20 sites
that are 24-hour shops running six days a week for the most part.
Symcor employs 6,000 people and the company has begun branching out to
the U.S. with a production site now operating in Charlotte, N.C.


He says his small department, consisting of just himself and a security
associate, is “typical” of modern corporate security teams where many
processes are outsourced and managed centrally.

“Our function is to focus on being advisory-oriented,” he says. “We
don’t have the manpower to do the day-to-day management of all the
other functions. In terms of physical security, we write the policy and
establish the baselines and guidelines for what should be in sites
depending on what takes place at each one — everything from alarm
systems to CCTV to locks on doors and the types of vaults and other
types of security containers we need to use.”

But in the last three years, Duranleau says, he is consulted more and
more, along with other Symcor business unit leaders, by the senior
management team regarding strategic issues that impact the business.

As CSO, he is increasingly asked to provide input on everything from a
new service offering to a request for proposal (RFP) for potential
clients as well as internal employee relation strategies that could
impact the company. “When a decision is being made strategically, more
and more we find IT and operations and security are consulted on what
we think, when just three years ago we were an afterthought. When we
take on a new client we’re invited to consult on the project and our
opinions are considered.”

Duranleau sees security as providing a value-added contribution to the
organization, whether that is in securing the facility and its
reputation today or making sure that, if possible, security is assured
as part of obtaining future business. Last summer, Duranleau was able
to sell Symcor executives on an 18-month project to upgrade camera and
access control systems nationwide. It was a seven-figure investment and
he had to make the business case before getting the green light.

“The project was to upgrade current systems and the return on
investment was presented in terms of securing future contracts and
related to expansion in the U.S. It was seen as an investment in the
future and expectations of the company’s clients as we moved forward,
not only due to regulatory requirements, but expectations of overall
service.”

Symcor is not alone in its pursuit of security as a strategic
investment. According to Greg Pellegrino, global managing director with
Deloitte in Boston, Mass., security is increasingly being viewed
not as a cost centre, but a means to protect brand, increase
shareholder value and create competitive advantage.

“It’s easy to understand why companies and boards are beginning to take
security more seriously,” says Pellegrino, adding the emerging “secure
economy” is defined by five realities, including rapid change, new
regulatory requirements, heightened threats and greater uncertainty,
complex and interdependent risks (supply chains, multiple partners) and
globalization.

“Investment in security is an opportunity and will become a key
competitive differentiator in the marketplace,” Pellegrino commented at
a recent public-private sector security conference held in Ottawa, Ont.

Investing in security goes hand-in-hand with protecting shareholder value and creating greater shareholder value.

Security has always been seen as the “go-to” in a crisis, Duranleau
says, but it hasn’t been viewed as adding to the bottom line, until now.

“The fact I have a clear line to decision makers is very rewarding
because you do get to try things and make recommendations where you
wouldn’t normally have an opportunity,” says Duranleau. “Their position
is to listen to people around them and make the business decisions and
if the recommendation makes sense — whether it’s from me or a colleague
of mine who is from IT or business continuity.”

He sees it as an evolution of the security function from a time when
security used to provide more tactical services. “As a result of
downsizing you start cutting back your people — those who have remained
in management positions have realized the only way they can add value
is to become a better advisor.”

The expectation level for having things in place to be in business now,
more than ever, includes security. Duranleau says Symcor’s president
and CEO, Ed Kilroy, and the executive team are looking at business
contracts and asking, ‘In order to get that business and keep it what
do we need to do?’

“We are able to add that little extra to the pitch whether it’s for new
business — if we can say, ‘We have that piece of security you’re really
concerned about and the other four vendors bidding don’t,’ then it
increases our opportunity. I’m part of the RFP process for every RFP we
have, whether it’s here or in the U.S. and a lot of it’s the same —
they want to know what do you have to secure your buildings? What do
you have to secure data?”

Duranleau says he tries to look at the roadmap of the company in terms
of where it is looking to grow and where he should be concentrating on
how to evolve the security department with that growth plan.

His security career began in 1984 as a private investigator conducting
insurance fraud surveillance involving individuals who were making
potentially fraudulent claims to insurance companies for workplace
injuries. “I liked the investigation piece quite a bit but wanted to
try something else,” he recalls.

While conducting investigations he also worked at the Ontario Jockey
Club – now Woodbine Entertainment — at Greenwood Raceway in Toronto’s
Beaches district. “I was getting a taste of both private investigations
and the security officer role and decided to take my chance at
expanding my investigation skills and joined the RCMP in 1987.”

He worked for almost 10 years in various departments of the RCMP
including VIP protection for federal politicians and investigated
organized crime, in particular, the trail of money from the proceeds of
crime.

But Duranleau had become frustrated bouncing from one case to another
without ever seeing any file through to resolution. He decided to look
into a career in private security and landed a job at United Parcel
Service (UPS).

“I started looking around and got my break, took a cut in pay and
vacation time and made the move at just short of 10 years service,
which is really unusual.”

His RCMP training, and in particular the skills obtained in knowing how
to follow a money trail, came in handy when he learned of the job at
Symcor.

Over the years, Duranleau’s role at Symcor has evolved to one that must
anticipate what questions and concerns might come from the executive
offices and how he will respond to and advise senior management.

Reporting directly to the senior vice-president of general legal
counsel (who then reports directly to Symcor’s CEO), he says it is
incumbent upon him to keep up to date on developments in the industry
and emerging trends.

“I’ve had to really focus on maintaining that open-mindedness and
openness to learn. Not just to learning new things in security, but
learning about the business world,” he says.

Duranleau also sits on a management security committee comprised of the
heads of Symcor’s major business units, which meets monthly, chaired by
the chief information security officer (CISO) who looks after computing
and network services. He is also part of the corporate emergency
response team when it comes to any event where the business continuity
plan is invoked.

With much of the security function outsourced, Duranleau relies heavily
on regular audits conducted at each site to make sure the security
policies created are being implemented and sustained.

“We do an annual site security survey — we spend two weeks a year at
each site and in those two weeks we do a review of the physical
security that should be in place and we poke at it and make sure it’s
working. That includes everything from locks on doors to lighting, to
cameras to vaults to any loss prevention procedures, securing items and
procedures around that.”

Symcor also audits its mail couriers via surveillance.

“We pick a couple of drivers at random, pick their routes, and watch
them do their job so their contractual obligations are being followed
and any gaps discovered are addressed through our sourcing folks,” he
explains.

Over the last few years Duranleau says he has been challenged to
anticipate and be proactive about what the business needs, ready to
provide management with proactive answers.

Those in charge tend to ask just two questions: ‘Who’s on the problem to stop the bleeding, and Is it going to happen again?’

“You identify the gaps and come up with cost effective solutions. And
so when the senior people see results, in some way they know the next
time they come to you the expectation is that you will be able to do
that again. With that comes a level of trust and a level of confidence
they have in people like myself.”

