Forging relationships in the enterprise: how the security dept collaborates
At varying degrees, corporate security teams have always required collaboration with other departments to meet their own mandates.
Now, entering a third year of the coronavirus pandemic, security leaders from various Canadian organizations have reported an acceleration of this trend in collaboration. Security teams are liaising with other departments not only to fulfill their own goals but also to maintain the continuity of the organization or business they serve.
For Thomas Stutler, vice-president of national security operations at Cadillac Fairview, security within this organization has always maintained a high level of engagement with other departments due to the nature of the risks they face each day.
According to Stutler, this level of engagement was established incrementally at Cadillac Fairview long before COVID-19 came on to the scene.
“We’re the owner and operator of high-profile offices and office towers and mall properties and those have a tremendous risk,” said Stutler.
A setting like the Toronto Eaton Centre is what he refers to as a linear target — one where the potential for a single individual to carry out a lot of damage is very high.
The shopping mall at the heart of the city is just one of the many commercial properties in the multi-billion-dollar real estate firm’s portfolio. Not only does the mall overlay underground public transit stations and railroads, this downtown attraction never closes. According to Stutler, 51 million people walk in and out of the Eaton Centre in a typical year.
“Here’s the thing with Cadillac Fairview — everyone just had to add COVID to their normal workload. We cannot shut down properties. We just can’t do it,” said Stutler.
For him, everything that has happened since 2020 has been an exercise in resiliency. Security at Cadillac Fairview operates on a business continuity plan that accounts for everything from pandemics to burst water pipes, according to Stutler.
“I just kept telling my team, ‘This is business as usual, guys. We’re just increasing the pace a little bit and we’re rockin’ and rolling, but this is just business as usual.’”
For organizations like Cadillac Fairview, keeping up with federal and provincial responses to COVID-19 meant engaging with the legal team, human resources and procurement at a much higher frequency than ever before.
Stutler said that in March 2020, security at Cadillac Fairview worked together with HR to ensure security guards were asked to work overtime and schedules were adjusted as necessary.
As lockdowns persisted and security personnel saw an increase in COVID-19 protests, Stutler said HR became the front and centre of mental health as guards experienced lowered morale from their dealings with what he called “activism.”
HR collaborated with security to provide their teams with mental health resources. One such resource was an over-the-phone counselling service, another was the introduction of a buddy system where security employees worked in pairs and asked each other a set of questions to encourage discussion for the duration of their shifts.
According to Stutler, the buddy system has proven most effective in lifting team spirit.
When vaccinations against COVID-19 became available, Cadillac Fairview’s tenants decided they would support a vaccination policy for all employees of the property. Once again, HR became involved to help determine whether the company would have a zero-tolerance policy for unvaccinated persons or whether they would allow for exemptions. Any communications containing deadlines to meet vaccination requirements were filtered through HR to ensure they respected union rules and provincial legislation.
Finally, Stutler said procurement played a major role at the start of the pandemic when masks became mandatory. The procurement team helped security acquire five million masks in as little time as possible.
Once vaccine passports were incorporated into the day-to-day workload, procurement also obtained for security 400 cellular phones that could support the application needed to present QR codes. According to Stutler, they were procured from a secondary market to minimize costs and get them in the hands of their staff as soon as possible.
At Shaw Communications, conservation of resources and efforts has also shaped the way security collaborates with other departments.
James Armstrong, the company’s chief security officer and senior vice-president, data, said security is no longer a process point along a chain of events to getting a project approved. Instead, security is engaged in conversations as a collaborative builder towards the outcome.
As Armstrong explained, the purpose of engaging security early on in a project is to have the department assess for any risks and help the team leading the project avoid unnecessary trips down a path that could prove costly.
“Their success is our success,” said Armstrong.
He said this shift in collaboration needed to happen. “We can’t do it without every employee working with us,” said Armstrong.
For a telecommunications company like Shaw, threats go beyond traditional forms like thefts and break-ins. Threats change and evolve at the same pace as technological advancements.
The continuous shift to cloud control represents a new set of security challenges for his team as it does for others in the industry. As well, the internet of things (IoT) and introduction of new devices means that his teams must learn the skills to keep those devices secure.
However, he notes that amongst all threats the constant factor is always people.
“Whether it is their entryway into your company, whether they get phished or they’re handling sensitive assets or data, you want them all in the security role processes. The constant factor is all your people,” said Armstrong.
For this reason, talent pools are a source of strength but a vulnerability at the same time. The solution, according to Armstrong, is to collaborate closely with HR to develop a strong security culture.
This means, for example, that staff at all levels of the organization must be trained and continuously updated on the latest phishing scams and hacks.
As Armstrong explained, it is frontline workers in call centres or retail stores who represent the first point of contact for scams.
“Your training and awareness team needs to be well embedded with your HR team and your communications team. They really need to understand the learning dynamics of the employees you have,” said Armstrong.
In addition to scams, telecommunications companies like Shaw must cope with the global shortage for cybersecurity talent.
Armstrong said someone with a lengthy cybersecurity resume with a lot of skillsets is a highly valued asset. However, cybersecurity teams must continue to develop their skillsets regardless of ability.
Technology teams represent another vital collaborator for cybersecurity. Armstrong described how the technology teams at Shaw have carried out development operations and have proactively built security controls.
Marti Katsiaras, global public safety, crisis manager and physical security professional at ADP, also echoed the need for collaboration between security and IT not only at her organization but across various enterprises.
“You’re going to need IT to help with installing the back end, the IP addresses, the backups and making sure that everything is secure [and] not susceptible to any bad actors,” said Katsiaras.
Even before the pandemic, Katsiaras said the security team at ADP had always sustained strong collaboration with other departments. HR has been a strong partner both before and during the pandemic, Katsiaras added.
In working with various associates of the company, security has required guidance from HR at ADP to know how they can contact associates, what things they can and cannot do, all while managing a crisis.
Katsiaras also said the communications team has played a significant role in the delivery of new security policies and products at ADP.
“If the communications team explains our reasoning and associates understand it, it makes it better for us to put those policies in place and for people to accept them,” she said.
Katsiaras mentioned that while there is still a lot of siloed work in the industry, she said conversations with colleagues in other security companies have indicated to her a higher degree of collaboration amongst their teams and other departments.
“There is no way you can sit in your own world and put up any barriers and say, ‘We’re going to do this, and you guys do your thing and leave us alone,’” said Katsiaras. “There’s got to be collaboration. There’s got to be communication.”
Risk mitigation and management
Effective team-building is one of the top skills required in the modern security industry, according to Paul Huston, senior director and chief security officer at BGIS.
Huston said people in the security industry need to be able to bring together skillsets from various areas of a corporation to effectively address the different types of risks they face. With this skill, Huston added that security professionals must also develop a better appreciation of risk and move away from what he called black and white “yes or no” responses.
“Corporate security entities today need to have an appreciation for Enterprise Security Risk Management (ESRM), a willingness to not only mitigate risk, but to accept risk rather than striving to always reduce risk to zero,” said Huston.