5 Secrets to Building a Great Security Team
For a security industry leader, Tim Williams is a pretty modest guy. As the former head of ASIS International and now as global security director for the $42.5 billion construction equipment manufacturer Caterpillar, Williams has won his share of recognition, which he doesn't take lightly.
But Williams would much rather tell you about his team--the individuals and their accomplishments--than about himself. His speech is strikingly devoid of the first-person singular. He declines to be photographed by himself for articles about his security work, saying his team members deserve the credit.
Creating and sustaining team spirit are clearly strong suits for Williams, who joined Caterpillar in 2006 after leadership stints at Nortel, Boise Cascade and Procter & Gamble. In a home-office-centric culture that valued longevity with the business, he quickly set about assembling a team that would embody the precepts of what he calls contemporary enterprise security risk management (ESRM).
Here are the top five things he did to revitalize the team and mitigate risks across the entire enterprise:
1. Rethink everything. After taking stock for a few weeks of how the then-56-person security team operated, Williams moved swiftly to establish a global team focused on ESRM. ESRM takes a holistic view of the risks to people, networks and intellectual property. Williams felt Caterpillar had some exposure that needed to be addressed immediately. Two pressing issues: The security team had been based almost exclusively at headquarters in Peoria, Ill., and Williams felt there had been an unusual focus on physical security.
"We pushed the physical security responsibility back to property managers around central Illinois. We changed the outsourced partner and we established relationships out in the facilities with people who could manage the opportunity much more closely," says Williams. He established regional security directors globally, covering Asia, Europe and the Middle East, and the Americas. "We were able to attract some of the best talent in the market at the time. They had the language capabilities and the cultural competency," he says.
[Also see Keeping employees safe in global hotspots]
Many, like Graham Giblin, now regional security director for Europe, the Middle East and Africa, had lived in the areas they cover. For a company that had had a "Peoria first" mentality, this was a big departure. "Our internal focus transitioned to a global focus," Giblin says.
Williams wrote a three-year operating plan detailing the revamped group's strategic vision and alignment with corporate objectives, roles and responsibilities. Williams' work at P&G gave him a deep and abiding love of precise process management, which served him well as he restructured the team.
"If you don't have your processes clearly defined in a well-written strategy or operating plan, you could end up chasing what other groups believe your priorities are, versus those issues that actually pose the greatest risk or threat to the enterprise," Williams says. "We articulated our plan to other staff groups, business leaders, and our executive management and the board, obtained agreement, and then set out to urgently execute the plan."
Not everyone made the transition. "Many of our colleagues wanted us to return back to what we did before--the global role was not one they were prepared for or found interest in," says Williams. There were also those who could not perform as the bar was raised. In all, the security function shed more than half its original group. Happily, many found other roles within the company.
Moving so quickly and making major reductions caught the culture a bit by surprise. To ease the transition, Williams enlisted the aid of a few human resources specialists and an internal communicator (who is discussed in Step 4) to help people understand what was happening and why.
2. Formalize underserved functions. Soon after he arrived, Williams put in place global crisis management processes and personnel as part of his effort to re-engineer enterprise security. These processes were to be overseen by the newly minted regional security directors.
Todd Wagner was working in computer forensics for Caterpillar when he was recruited to crisis management. "We didn't have a formal group at that time," he says. "We now handle any crises that may impact Caterpillar--everything from natural disasters to terrorism to major disruptions in our supply chains." Wagner brought experience as a shift commander for the FBI's Terrorism Command Center to his new role as crisis coordinator for Caterpillar.
The crisis management team had to mobilize to support local staff in Japan during the March earthquake and tsunami. Caterpillar immediately dispatched a crisis manager to the area. "Our first priority was to make sure our people are safe," says Wagner. Caterpillar has 5,000-odd employees at three Japanese facilities, the closest of which is a little over 100 miles from the site of the disaster, outside the evacuation zone.
[Also see 3 tabletop exercise scenarios]
"Anytime we have a situation like that, we locate travelers, expatriates and local employees and make sure they're safe," says Wagner. Caterpillar has internal programs to track business travelers. "We don't stop until we get through to them and can confirm they are safe. If we couldn't do that, we would go to the local authorities. We also work with a local company that has boots on the ground that can help us track the person down. We might even send someone out to knock on the door of their hotel or house."
All Caterpillar personnel and family members were ultimately accounted for. So far the company has held off pulling its people out of the disaster zone, but Williams, Wagner and the rest of the team are monitoring the situation, including radiation levels, closely, checking in daily with the Caterpillar VP in Japan. Production has been reduced but not halted by the crisis.
Ironically, just before the natural disaster struck Japan, Wagner attended a statewide disaster preparedness exercise run by the Department of Homeland Security. "We did a tabletop exercise involving an earthquake on the New Madrid fault line [in Illinois]. We have dealt with tsunamis. The new piece was the nuclear fallout."
Now nuclear catastrophe takes its place on the spectrum of risks facing Caterpillar employees, wherever they may be.