The creeping force majeure that Spivey and other security professionals face is the emergence of the enterprise risk model. It requires the convergence of traditional and IT security to better define security risks and interdependencies between business functions and processes within the enterprise. The goal is the development of managed business process solutions to mitigate risks. “This will be a significant change for all of the ASIS membership,” Spivey states with conviction. “Everyone in the security profession will be affected in some way by this convergence.”
Spivey’s opinion is supported by the results of a survey on the convergence of enterprise security organizations conducted by ASIS, the International Systems Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA)—a triumvirate currently called the Alliance (more on this later). The survey’s respondents underscored the importance of physical and IT security convergence and pointed out external drivers, such as the rapid expansion of the enterprise ecosystem and the development of new protective technologies that blur functional boundaries.
Other drivers include new compliance and regulatory regimes and continuing pressure to reduce costs. And of course there is the inexorable migration of assets from physical to information-based environments.
A special session on convergence was held at the ASIS 51st Annual Seminar and Exhibits in Orlando, Florida, in September. The objective of this and other convergence efforts is to make sure that the profession recognizes the trend and the implications. “By understanding and being prepared for it, we will be able to keep the Society relevant to our members and the profession,” Spivey states.
Pinpointing and mitigating risk comes naturally to Spivey, whose father was involved in the development of the risk management profession in the 1960s and 1970s. The elder Spivey also instilled in his son a sense of the importance of being involved in shaping one’s profession. He was active in the Risk and Insurance Management Society (RIMS), a not-for-profit organization dedicated to advancing the best practices of risk management to protect physical, financial, and human resources. “He ended up being a president for RIMS,” says Spivey.
Spivey’s formative years were spent in idyllic Greensboro, North Carolina, as one of six children. In 1968, when Spivey was 12, his family relocated to Charlotte, a larger city near the South Carolina border. After leaving high school, Spivey attended the University of North Carolina at Charlotte, studying criminal justice with a concentration on business. While still in school, at age 21, Spivey joined the Mecklenburg County police force. He would serve with the department from 1977 to 1983.
During those years, Spivey was assigned to the “rougher side of town,” he says. “Gangs would frequent or have their bases in that area. So it was a learning experience in dealing with people from all walks of life,” he explains.
While serving on the police force, Spivey met and married his wife, Jeanie. Spivey continued to attend school at night, but it proved difficult. “My shift would change every month, so there were some times that I would only be able to make one class per week,” he says.
With 23 credit hours left to complete his degree, Spivey decided to return to school full time. “I knew I wanted to do something else at a different level,” he says. Spivey finished his degree in one term of 23 credit hours.
Freshly graduated in 1983, Spivey set out to join either the FBI or the Secret Service; however, he learned that there was an extended new-agent hiring freeze. While trying to decide what to do, fate intervened in the form of a friend. “I played basketball with a guy from North Carolina National Bank (NCNB). The security director was leaving the bank at that time, and he asked me to come over and help in the management of some security functions,” he recalls. Spivey entered a management-training program with NCNB, which would later become Nations Bank and then merge with Bank of America.
It was, as he calls it, “an excellent education process” that helped him understand the differences between law enforcement’s reactive posture and security’s proactive approach. “It allowed me to understand how the two disciplines can best work together,” Spivey says.
He notes the influence of two mentors at NCNB, Bob McDad and Richard Murrell. “They came into security from business, so through long discussions with both, it helped me best understand the business and security role.”
Brave New World
Spivey remained with the bank until 1989, managing various security functions and the corporate purchasing group. Then he made a bold move and left his position to found a consultancy, Security Risk Management, Inc., in Charlotte.
Spivey’s choice of a name for his business was carefully conceived. “Risk management from an overall standpoint is the identification and treatment of risk; underneath a risk management umbrella are various subsets, including security, business continuity, and others. Understanding security’s place in risk management, I named the company as I did,” he says. “It was designed with the idea that small and medium-sized businesses did not have access to the security expertise of larger companies. That was the target market—and still is to a great extent, although now some of what the company is involved with are special projects for larger companies with a beginning and an ending date.”
Getting those clients took time, however. “The long time period from my leaving the bank until the revenue started coming in was a little bit of a surprise,” he says.
During that time, Spivey and his wife, Jeanie, had four mouths to feed—children who then were aged six, five, four, and three. No pressure there.
“It was an interesting time spent helping companies understand this new strategy and how it met their needs,” he states. What he found was that many clients also wanted the consultancy to handle the design and implementation of security equipment. That aspect of the business became “an interesting adjunct because I was looking to work at the management level of the security function,”
Ultimately, Spivey’s consultancy flourished. His team has expanded to include full-time associates and a pool of additional consultants used for specific projects.
The firm has contributed to security on a pro bono basis as well. Since the early 1990s, Security Risk Management has been a member constituent of the Overseas Security Advisory Council (OSAC)—a U.S. State Department advisory committee that assists U.S. companies overseas with security-related issues.
Additionally, in 1992, Spivey was asked to be part of a delegation to Russia led by Jerry Burke, former assistant director of the National Security Agency (NSA), to assist KGB officers who were transitioning to private security.
“The private security industry was being created because of the changes to Russian society,” he explains. “They wanted to better understand what it could be.”
During the three-week trip, the delegation visited Moscow, St. Petersburg, and Ekaterinburg, to hold discussions. “The people were very warm-hearted and genuine. It was a remarkable exchange of ideas on what security was and what private business was, because previously, in the Soviet Union, if you moved away from the black market that existed, people did not understand the concept of business,” he says.
The trip was judged as quite successful. As a result, some delegates even established cooperative business ventures.
“I can’t remember how I became aware of ASIS,” Spivey says, but he does remember when: The Society first caught his attention in the late 1970s while he was still a police officer.
Spivey joined the Greater Charlotte Chapter and began to attend meetings. As the 1980s dawned and progressed, he undertook a series of chapter leadership positions, including secretary, vice chair, and chair. “I saw the need and wanted to assist,” he says. “I thought it would be a worthy cause to be involved in.”
It was a fellow chapter member who eventually would be a fellow ASIS Board of Directors member who challenged Spivey to do even more. “Linda Florence, CPP, had come from another chapter to the Charlotte Chapter. She encouraged me and gave me some guidance on how to become involved in volunteer leadership above a chapter level. Linda is a credit to ASIS’s long-term volunteer efforts.”
Spivey went on to become an assistant regional vice president, then a regional vice president (RVP). He says that attending other chapters’ meetings and being part of their training programs gave him invaluable insight into chapter needs, as well as those of the broader Society. “I’d learn what their specific needs were and then I’d reach out to ASIS headquarters to get those needs answered. It was a very engaged time for me,” he recalls. As an RVP, Spivey says he gained tremendous insight into Society leadership and learned from other upcoming leaders such as Steven Millwee, CPP, Daniel Kropp, CPP, Daniel Consalvo, CPP, and Shirley Pierini, CPP, PCI.
As part of his professional growth, Spivey also decided that the time was right to earn the ASIS Certified Protection Professional designation (CPP). It was and is “the preeminent designation of security professionalism,” he notes. Spivey passed the difficult exam and was awarded his CPP in April 1999.
In 2001, Spivey was one of six ASIS members appointed to the newly created position of council vice president (CVP) by then ASIS President Bonnie S. Michelman, CPP. (The others were Roy N. Bordes; Edward G. Casey, CPP; Richard F. Lisko, CPP; Howard A. Moster, CPP; and Michael A. Crane, CPP.) The CVP positions oversee the progress of the Society’s nearly three dozen councils.
The councils each focus on an issue, such as banking, IT, and physical security, to provide the membership with subject matter experts and targeted security-related information pertaining to those fields. The councils also support and enhance ASIS educational programs and materials. Each council reports to one of the six CVPs. The CVPs report to the Society’s secretary, who reports to the president. The first six CVPs formed a strong bond and christened themselves the “Six-pack.” “It was a very, very good group of people. The original Six-pack was a group that wanted to be involved, wanted to contribute, and that had a lot of great ideas. The board, led by Shirley Pierini, let the CVPs act on those ideas, and so I think we were able to make a positive impact early on,” Spivey states.
In 2000, with the encouragement of then board and executive committee members Cynthia P. Conlon, CPP; Millwee; and F. Mark Geraci, CPP; Spivey ran for the board. He was elected on his third attempt, in 2002. “I just kept raising my hand and saying this was something I’d like to do and always appreciated the opportunity afforded me,” he recalls.
As a sort of natural balance, perhaps, Spivey did not have to wait to join the board’s executive committee. In 2003, he was selected as ASIS secretary, the following year, he was the Society’s treasurer, and last year he was its president-elect (formerly vice president).
Serious About Certification
During his term as secretary, Spivey was involved in the preliminary working groups for one of ASIS’s two new designations, Physical Security Professional (PSP). Wholeheartedly behind the expansion of the Society’s certification program and wanting to show board-level support, he successfully passed the PSP exam with the inaugural group that earned it in July 2003.
“The exam was a real indicator of my abilities. The question sets were good and met my expectations,” he says.
Both new designations—the PSP and the Professional Certified Investigator (PCI)—are starting to gain recognition, and both will continue to do so with every new addition to the ranks, he opines. However, Spivey says he would encourage more emphasis on broadly marketing all three designations, highlighting “the significance of the designations and how they lift your personal status,” he says.
“We tend to do a good job of marketing to ourselves, but marketing to outside groups will earn more recognition—just like the CPA. People know what that is because of broad market awareness.”
Age of Convergence
Spivey, along with board members Raymond O’Hara, CPP, and Timothy L. Williams, CPP, was part of a Convergence Task Force set up by former President Shirley A. Pierini, CPP, PCI. This effort to understand how convergence would affect ASIS membership led to the alliance between the Society, ISSA, and ISACA.
“ASIS is stronger in traditional security—although we do have experts of IT security on our councils. These other associations are stronger in IT security and they want to know more about traditional security from us,” he explains. Just as ASIS members are seeing this traditional security convergence with IT security, the same thing is occurring within the membership of those organizations, says Spivey. The goal of the alliance is to understand what convergence means, create training programs, share best practices, and carry out joint legislative analysis and additional studies for mutual understanding of the issues.
Spivey is delighted to work with his fellow board members to address the security and IT convergence and other important issues affecting ASIS’s membership. “I think that the 2006 board is a very cohesive unit and an energetic group of people with the Society’s best interests at heart,” he says. “I’m very proud to be working with them on ASIS strategic issues for 2006 and beyond.”
As part of his presidential duties, Spivey will travel on behalf of the Society. He’ll be in Nice, France, April 23-26 at the ASIS 5th European Security Conference, and in San Diego September 25-28 for the ASIS 52nd Annual Seminar and Exhibits, as well as at additional appearances.
“I’m looking forward to meeting the many people who contribute to the Society and the profession. I’m excited to better understand the important issues that concern members and explore how the Society can best meet their needs,” he says. “All the former presidents say that before you know it, it’s over. I want to try to contribute every day. The opportunity we have is bringing clarity to the complex issues of today and providing a roadmap for tomorrow.”
Ann Longmore-Etheridge is an associate editor of Security Management and editor of Dynamics