A World of Risk
Print Issue: September 2018
Protecting People with Big Intel
Nick Lovrien, CPP, chief global security officer at Facebook and member of the CSO Center for Leadership and Development at ASIS International, talks about the worldwide reach and team effort behind its intelligence operations.
Q: What's a day like in the life of Facebook's chief global security officer? If Security Management followed you around, what might we see and whom might we speak to?
A: I have the fortunate opportunity to lead a remarkable group of security professionals who collectively are some of the most specialized, talented, and passionate leaders in the industry. Each day is met with collaboration to ensure we strategically align with Facebook's values of being bold, focusing on impact, moving fast, being open, and building social value throughout the communities that Facebook serves.
My division's daily focus is delivering a safe and secure environment for the company, teams, and individuals who deliver on Facebook's mission to give people the power to build community and bring the world closer together.
In support of the Facebook mission, our global security team is responsible for ensuring that we keep the things that our Facebook teams value safe and secure. This means that we protect the people of Facebook by creating a safe environment for our culture to flourish. We ensure Facebook's physical and intellectual assets are safe and secure, from buildings and servers to prototypes and ideas. Additionally, we set out to help make smart, informed decisions to protect Facebook's reputation.
Q: When it comes to having physical locations and employees all over the world, what are the biggest security challenges that Facebook faces, and what are some of the future threats that you see as relevant?
A: One of the biggest challenges we face is ensuring that we deliver and implement a consistent approach to our holistic global security program. We strive to do this while balancing the ever-evolving global risk landscape that we face—not only where our current offices and data centers are located, but also the locations that Facebook personnel may travel to throughout the world.
The global security program is designed and focused to proactively identify potential impacts to our people, assets, or reputation. To do this, we rely heavily on intelligence to identify and mitigate risk before it is ever realized. This enables our business partners to make informed decisions on any situation that may have a potential impact to our business, ranging from severe weather to civil unrest.
Q: As physical and logical systems become increasingly merged, many security professionals are finding themselves focused on cybersecurity as much as physical security. What would be your advice for these professionals as they try to balance the two areas?
A: Both are equally relevant, considering the critical dynamic and the global operating environment. Our industry has to be nimble enough to counteract any and all measures, regardless of what aspect of security they are trying to breach. A collaborative approach leveraging specialized cross-functional teams to assess and mitigate physical, cyber, and information risks is essential in delivering a sound holistic security program. Emerging technologies promise great benefits, but also bring new risks that must be addressed jointly.
Target Talks Teamwork
Mark Krause, CPP, senior director, corporate security at the Target Corporation, discusses implementing ESRM and building partnerships across the enterprise. Krause is a member of the CSO Center for Leadership and Development.
Q: The enterprise risk management landscape has also evolved tremendously over the past decade or so. As threats to organizations become increasingly sophisticated, what are some of the things Target is doing as a global retailer to keep up with these evolving times?
A: With the retail landscape evolving as quickly as it is, Target has been aggressively investing in our stores, the digital and physical shopping experience, and exclusive brands. That investment is exciting for our guests, but also comes with additional risk that pushes our security teams to operate differently.
Our teams are primarily focused on enabling our business partners to deliver on our company priorities. We have made adjustments to implement enterprise security risk management (ESRM) at Target, including the use of a common framework and a common platform to manage risk. Additionally, we've driven deeper internal collaboration among stakeholders and built strong awareness campaigns to ensure our team members understand the sophisticated threats we face today.
Q: In what ways do legal, security, and assets protection partner at Target? Do security and assets protection functions report up to legal?
A: Our organization has evolved over time to meet the needs of the business. Our security team includes an assets protection group that secures our stores and distribution locations, an information security team to manage cyber threats, and a corporate security team that takes the lead on enterprise security. While each team reports to different leaders, the strong partnerships and processes that we have in place enable the model to work. Each group builds deep subject matter expertise in their primary discipline, which strengthens our overall security approach. Our work is driven by a shared vision of a safe place for our guests to shop, team members to work, and communities to thrive.
Q: When it comes to investigations related to safety and security, what are some best practices that Target implements to make sure it's working side by side with the security team?
A: As you would imagine, being a large retailer with a global footprint means we will always have security incidents to manage. But we work hard to minimize the risk, including having a few best practices that guide our security response.
First, we make a significant investment in our teams and partnerships to make sure we have responders who are prepared and effective. Target has a long history of engaging with public partners, like federal and local law enforcement agencies, and we feel this builds stronger communities. Second, our teams use a shared escalation model, which ensures we're using the appropriate resources and having consistent oversight with each situation we face.
We also use a full suite of technology tools, like enterprise video and a mass notification system, along with specialized capabilities, like forensic services and threat assessment professionals, through the lifecycle of an incident. All of these efforts drive a consistent and collaborative response to the full range of incidents we encounter.
Microsoft Takes the Risk Out of Business
In the unpredictable global climate of fake news, unstable politics, and information overload, how does a Fortune 100 company with more than 100,000 employees globally know when and where a threat may happen? How does it prepare for and mitigate those risks in a timely, effective manner?
Recently rebranded as the Microsoft Global Security Center of Intelligence, this business unit at Microsoft is responsible for taking incoming information from various open-source data streams and putting it into actionable intelligence.
"Assessing impact to the company is our biggest value proposition to Microsoft," says Liz Maloney, global intelligence manager. Forecasting what the cost of a risk may be to the brand, company reputation, and bottom line enables Microsoft to make smarter security and business decisions.
As part of its rebranding, the Center wanted to create a think-tank feel around its operations, says Charles Randolph, senior director at the Center of Intelligence/Center of Protection, so that it could better interpret geopolitical events and other nuanced situations that could impact the company. "Politics are going to affect corporations for the foreseeable future, therefore we needed to fill a gap," Randolph notes, "and get somebody who can translate that into, 'how does this affect a corporation, what might the geopolitical implications be—to not just travelers, but also decisionmakers?'"
To achieve that, the Center hired a Ph.D. in public policy and a journalist to add to the diversity of opinion within the Center, and further dissect current events that might affect risk. "Yes, we do need to cover traditional threats, such as terrorism and assisting with intelligence support to cyber," Randolph says, "but maybe there are other things like economic sanctions that could affect a corporation."
While the human element of intelligence is valued at Microsoft, the Center must grapple with huge amounts of data being fed into its operations every day. Randolph explains how Microsoft translates that information into useful, meaningful intelligence for the organization.
"You start out with a data 'bog.' I've got all this data—it's good, it's bad, it's indifferent—and it's kind of stinky, and we have to clear it out," he explains.
That data is then filtered into a data lake, "and we feed those lakes into data warehouses," he says.
Once the information is organized, it is assessed by company analysts who work by region to determine whether a threat, risk, vulnerability, or situation may impact Microsoft.
Oftentimes, that risk information is presented to the affected business unit in the form of a scenario. "Our bread-and-butter is developing scenarios," Maloney says, "scenarios that will tell you the various courses of action that might occur and identify some triggers and indicators along the way that might show you, 'okay, this is where the scenario is going, and this is the decision that you're likely going to have to make.'"
Organizing data into lakes is still just a small part of what the Center does, Maloney says. "We don't want to mistake big data for valuable data," she notes. "We're trying to get the right data sets—not necessarily the most information—and make those really accessible and customized."
The Center continues to use artificial intelligence and other emergent technologies to make the best decisions, enabling its analysts to spend their time looking only at quality information. "Philosophically that's what we want to do," Randolph explains. "We want big data, machine learning, AI, and algorithms to help find the bronze needle in the stack of gold needles, so the analyst can say 'here's the bronze needle I need to look at.'"