Employees must be engaged in a corporation’s security mission, said David Carpenter, vice president, global security, Pepsico, Inc., keynoting the Corporate Security Roundtable hosted by the Security Industry Association in Miami.
Behind the headlines, the events of September 11, 2001 are changing decisions on security systems, according to leaders participating in the Security Industry Association’s Corporate Security Roundtable in Miami.

“We’re about to become the most regulated industry in America,” predicted Bob Hayes, who was in charge of security at Georgia Pacific Corp. headquarters in Atlanta at the time of the Al Qaeda and anthrax attacks. Spooked by paper dust always found in packages, customers insisted on proof of security through the supply chain. Now a security consultant, Hayes noted the rising number of government units, regulatory bodies, compliance agencies, advisory groups, and supplier certifications now authoring guidelines and rules on security.

“This is not a fad,” Hayes said. “This is a tidal wave coming at us.”

Federal directives, in particular, conflict and overlap with each other. “They didn’t do a very good job of making sure there’s only one Washington standard,” Hayes said. At the state level are more policies and procedures. “Every state in the union has something they’re working on,” Hayes warned, and they’re not being coordinated. Overall, the goal is to help reassure the public via anti-terrorism measures. Hayes is less than optimistic. “I’ve never found standards and policies to be particularly helpful, because they vary so much, even within a corporation,” he said. While penalties are not in place yet, in the event of an incident, Hayes expects repercussions. “If you don’t know” about applicable rules or guidelines, and then make recommendations not in compliance, “you could be held liable,” he said. “At the very least, increase your insurance, especially errors and omissions.”

Biometrics Required

Upgrades of the ID badge system at the Port of Seattle were underway when the requirements changed abruptly. “Our security requirements are shaped instantly by world events,” said Brad Jenson, AV/IT Security Systems Supervisor at SeaTac Airport. “In the aftermath of September 11, biometrics became a requirement.”

The airport’s ID system is designed so that staff on site can modify scripts as necessary and customize the data view. With the requirement for higher security, Jenson said, “The specifications for the ID badge system and access control technologies were modified accordingly.” Still “a work in progress,” the systems now include, for example, fingerprint identification and smart card printers. The intent is to achieve “maximum flexibility for an uncertain future,” he said. Changes in security needs as well as changes in security requirements can be accommodated.

No More Holes

For Chelan County Public Utility District in Washington, the documents to follow are “The Physical Protection of Critical Infrastructure and Key Assets” and “Vulnerability Assessment Methods, Electrical Power Infrastructure.” The guidelines are set to help power utilities upgrade security systems in light of the September 11 attacks. “That was the basis of the investment,” said Richard Robert, director of security. He led a major overhaul of access control, video, and monitoring for the agency, which generates electricity for clients throughout the West from its dams along the Columbia River.

Prior to 9-11, the agency had determined every possible gap in security and “then put it on the shelf,” said Robert. “After 9-11, ba-boom, everything came off the shelf.” Now that an enterprise-level system has been installed with upgrades throughout the facilities, “It’s a better place to work, people feel more comfortable, and we have an excellent management tool.”

With his background in law enforcement, Robert did his homework before and after requesting bids. “The installation is key: the integrator. If you get a bad integrator, you’ll find out…later.” His diligence extended to multiple on-site visits, checking integrators’ references and poking inside their control boxes. Too often, it wasn’t pretty.

“When you opened the panel, you’d swear somebody had put a bowl of spaghetti in there,” he said.

To determine which integrator will meet his standards, the power security chief looks for manufacturer training and certificates that show technicians assigned to his worksite are personally qualified on equipment they install.

“When you first install new security, everybody hates it,” Robert said. When it’s done right, “then they get used to it, and everybody’s a security expert. They want it on their door.”

Awareness and Education

At Pepsico, it’s hearts and minds that needed changing. “When we spend money on gates, guards, fire alarms, and security systems to better protect ourselves against threats, then we can’t have employees let strangers follow them in the door,” said David Carpenter, who heads up global security. During the 2001 attacks, Carpenter was assistant secretary of state for diplomatic security at the U.S. State Department. In his current assignment, concern about September 11 is real, but doesn’t hit home at first. When concerns are pointed out, the reaction is typical: “‘We make sodas and salty snacks. Why would someone want to get in our facility?’”

“We need to engage employees and make sure only people with passes come in. We’re trying to drive that home very hard,” Carpenter said.