Q&A with CN’s new CSO Tim Koerner

Such was the case recently when Koerner addressed a roomful of security
professionals at this summer’s Port Secure conference, held in Montreal.

Koerner
spoke at the conference as the Canadian National Railway Company’s (CN)
new chief security officer, a role he accepted after spending 25 years
working for the Secret Service in various capacities – safeguarding
presidents and dignitaries, as well as leading some of the
organization’s work in lesser-known fields such as anti-counterfeiting
operations, forensics and fraud.

Securing the Nation spoke to
Koerner after Port Secure to get more information about his unusual
career trajectory and his plans for the future of CN’s security.

Securing the Nation: How did you make the transition from the Secret Service to CN?
Tim Koerner:
Like a lot of things, it was a network of contacts that you make over
the course of your career. For the first nine months of my career with
CN, the CEO and the executives here afforded me the opportunity to
learn what CN does. Obviously, from a security perspective that I
possessed experience and a certain amount of expertise, but rail is
unique. It provided me with a great deal of insight to spend months
learning the operating rules both in the U.S. and Canada, to see the
breadth of our system. It incorporates 20,000 miles of rail and three
coasts: the East and West coasts of Canada and the Gulf coast of the
United States. So, it’s a tremendously diverse set of geography and
personnel and laws and regulations.

STN: Whom did you succeed?
TK:
John Dalvell. He’s been here for 12 years, and he was a former
assistant chief with the Montreal police department. He is retiring.

STN: Is it unusual to have somebody from the U.S. in this kind of a role?
TK:
CN is a North American company. We have two police departments. In some
ways, I like to consider it one police department, but it is in essence
run by two chiefs of police – one in the U.S., one in Canada. [Editor’s
Note: According to CN, the Railway Safety Act (RSA) contains the legal
authority for the appointment of CN Police and provides railway
constables with all the powers of a peace officer, including those
powers vested through the Criminal Code of Canada.]
I think CN was looking to get the best qualified individual for this spot. It just so happened that I’m American.

STN: What has your first year at CN been like?
TK:
I’ve been this position since March 1. The remainder of the time has
been learning about rail. I am actually certified as a conductor. So,
it was going through certain training courses, rules courses, operating
courses and the like. The ability to be shepherded through the maze of
government and industry organizations with the guy who was currently
sitting in the chair was of great benefit. When the board of directors
signed off on my promotion to vice-president and CSO I was able to hit
the ground running.

STN: What are some the unique challenges around managing security for the transport industry, particularly rail?
TK:
I would think that most people would think that a career with the
Secret Service and a career with CN would appear to be as divergent as
you could imagine. Yet the similarities between the two are immense.
One of the ways that they’re very similar is that each agency has
finite resources. That might be a shock to people who think that the
Secret Service has limitless resources. It also might be a shock to
people that CN has finite resources. It makes the notion of partnering
with other agencies who have similar interests and goals not only good
operational sense but good business sense, because it reduces
redundancies that are not needed and it strengthens communication and
the actual security product at the end of the day.

---

STN: How do you see yourself shaping the security of CN and what might you do different than the person who preceded you?
TK:
What I hope to do is bring a fresh set of eyes to the office. One of my
mantras for change is that I don’t advocate change for change’s sake, I
advocate change if there’s going to be a real, tangible benefit. I
think it’s important that the people who report to you understand that
change doesn’t have to be grandiose for someone to make their mark.
The
other part of it is, I will be, and need to be, flexible enough to
realize that if the change doesn’t work that we need to be able to go
back to the way it worked prior to that. You can’t have a big ego in
this kind of a position. You need to be collaborative, you need to be a
good listener and you need to be open to implement others ideas and
championing those causes.

STN: Can you provide some examples?
TK:
I will say that security landscape for CN and the transportation
industry is dynamic day-to-day. When I talk about the agencies that
have a role and responsibility to regulate and oversee the rail,
whether it’s in Canada or the United States, it’s pretty broad and
pretty immense.
The TSA (U.S. Transportation Security
Administration) has changed some rules and regulations with regards to
the movement of trains and personnel across the border. This is not
done in a vacuum at CN. Any of these kinds of decisions that are made
that have a security nexus affect our business. So it’s important for
us to not only be externally collaborative and be good stewards of
safety and security but internally within the company we have to be
good communicators and explain the rationale (for change).

STN: You said during your address at Port Secure that resource management is an issue in security. Can you elaborate on that?
TK:
When I talked about the limited and finite resources that exist
everywhere, I think that’s where we look at a risk management strategy.
We all understand that there are priorities and that those priorities
are derived from a host of characteristics. It’s important that you
look at a threat and you look at the vulnerabilities that exist and
then you look at ways to mitigate those vulnerabilities. Ultimately,
you accept a certain degree of risk.
There’s no such thing as zero risk. It’s a matter of managing that risk to an acceptable level.
I
think I mentioned in the speech that a vulnerability without a threat
is no great risk to anybody. If (you own a house) with no locks on the
door, but you’re in an area where there are no people to break into
that home, or it’s an area that has never experienced a burglary, well
then having no locks on that house is not a great risk. But to only put
locks on the front door of a house in an area that has experienced a
great deal of burglaries, then you’re doing nothing. You’re spending
resources that are a waste because the mitigation won’t work because
all that one would have to do is walk to the back door. It’s very
important that the resources that are utilized for security
countermeasures are conceived in a manner that is going to succeed in
ultimately reducing your risk.
Those three words – threat,
vulnerability and risk – oftentimes get interchanged as though they are
the same. The fact is, they’re not. Here at CN we are implementing a
threat-based risk management philosophy.

STN: Is that a change in philosophy for CN?
TK:
I think what I have done is maybe brought specific words to a concept
that anyone in law enforcement or security would buy into. Most people
would say, "Oh yeah, that’s what we’re already doing." What I’ve been
able to do is put certain words onto paper that can make it so that
uniformly across the system, and for people who are not security
professionals, everyone can understand a rationale for proportioning
your resources. That what it’s all about.

STN: Can you provide an example at CN where that philosophy could be put into action?
TK:
I read an article in Canadian Security magazine where you interviewed
Jerry Fish. He’s in charge of security for Canadian Pacific railroad.
Canadian Pacific has something like 16,000 miles of railway. He was
saying it’s not feasible to fence in all 16,000 miles and he’s correct.
You need to look at your property and what property is more vulnerable
than the others, then look at where the threat exists. If all you were
trying to do is apply your resources evenly over all of your property,
you would end up with an insufficient amount of protection everywhere.
We take what we’ve got and make sure we put it where it’s needed. How
do we determine where it’s needed? Through a risk assessment process
where we measure the threat – and then we look at the vulnerability and
assess that. Then we look at the security countermeasures that we can
layer in a cost-effective way that’s actually going to affect our
bottom line which is risk.