Comedic actor W.C. Fields once said that “the world is getting to be such a dangerous place, a man is lucky to get out of it alive.” Although not a laughing matter for most executives, Fields’ sentiment could be applied to today’s global corporations that are facing constant threats from bad actors inside and outside their organizations, potential chaos resulting from political uncertainty and worldwide terror incursions, not to mention both manmade and environmental assaults on company staff, physical assets and confidential proprietary information.
In an age of global economic and political instability, ensuring your enterprise has the built-in resiliency to withstand the onslaught is critical to not only surviving threats but to flourish in times of crisis. Security and risk leaders agree that perhaps the most important concept needed for any large global enterprise to succeed is the establishment of organizational resiliency. According to a study conducted by Gartner in the months following the 9-11 terrorist attacks in the United States, they described organizational resilience as being an enterprise's capability to respond rapidly to unforeseen change, even chaotic disruption. And doing it in such a way that the organization would have the ability to bounce back — and, in fact, to bounce forward — with speed, grace, determination, and precision.
In his book, -- Not a Moment to Lose: Influencing Global Security One Community at a Time, the former CSO for Starbucks Coffee Company, Francis D’Addario, wrote: “Brand reputation is performance dependent. Stakeholders can no longer afford only heroic efforts after the fact. They expect us to prevent and mitigate, and to navigate compliance and emerging risk. We need to identify high-risk conditions and apply ourselves effectively before the event. Cross-functional talent, tools and training are required to prepare for and weather the storm.”
He adds, “Our call to action demands holistic risk management. Our ability to identify effective prevention and mitigation before the fact will serve us well in all instances. Protecting people, assets and critical process effectively protects brand and ensures community resilience.”
When it comes to describing an organization that is exposed to global risk on almost a daily basis, no company fits the profile better than Boeing. This 100-year old Fortune 50 company, mushroomed into a global corporate giant in the mid-90s after mergers with Rockwell and McDonnell Douglas. Boeing is now the world’s largest aerospace company and the leading manufacturer of commercial jetliners and defense, space and security systems, in addition to being America’s biggest manufacturing exporter supporting airlines and U.S. and allied government customers in more than 150 countries. Boeing employs approximately 150,000 people across the United States and in more than 65 countries.
The Boeing Company Gameplan
When you have a global footprint as expansive as Boeing, understanding risk and how to mitigate it is as important as churning out aircraft. At Boeing, the roadmap to resiliency begins with an enterprise leadership team that sets tangible risk goals, allocates the resources to reach those goals, and then makes the commitments to establish organizational resilience throughout its enterprise. The key at Boeing is that security leadership has striven to achieve a balance between risk taking and risk containment. This balance ensures ongoing innovation not only across the entire company but within the security/risk group itself.
The chief architect of the resiliency plan is Dave Komendat, the vice president and Chief Security Officer (CSO) for The Boeing Company.
His official biography says that “he is responsible for functional guidance and governance oversight for Boeing's global security and fire protection policy and procedures, site security, supply chain security, structural and aircraft fire protection, government and proprietary information security, data protection and security background investigations. Additionally, his organization is responsible for incorporating Business Continuity principles in critical business areas throughout the enterprise as well as leading and overseeing emergency and disaster preparedness; international security; crisis management; counterintelligence, counterterrorism, and insider threat programs; threat management; security technical operations and executive protection.”
But Komendat admits the impressive list of responsibilities doesn’t even begin to cover his myriad roles. He insists that though his title may read CSO, in many ways it could also be CMO – chief marketing officer, or CFO – chief financial officer, since selling security and risk mitigation value story to his clients, to the Boeing rank and file is a priority, along with finding ways to pay for it.
“What I’ve tried to do over the last four or five years is to create an understanding that we (the Security and Fire department) are a business enabler at this company. It’s not just enough for me to come back and tell someone this is a risk and you need to know about it. It’s my job to say that this is a risk, you need to know about it, but here is how you can mitigate it and here’s how we can help you do that,” says Komendat. “I want our organization to be viewed as an asset to the corporation – a business enabling asset. We strive to be a place where our partners come for solutions to challenges, not a place where they come to hear no.”
To that end, Komendat feels it is critical for a security leader to clearly understand the business goals of their corporation and then look for a way to help enable company-wide growth. If that means global growth as a company into areas of higher risk, then it is incumbent upon the security team that they develop plans, strategies, and outcomes that allow the company to do it in a manner that ensures employees that work in these places will feel safe and secure. At the same time, corporate leaders must feel confident that there are systems and processes in place that will protect those people, assets and information data housed in those global locations.
Komendat says that if you can sit down and have informal discussions with department and corporate leaders about upcoming events and other issues just to spitball possible scenarios at play, you then realize you have earned not only their confidence but also a seat at the table and gotten past that traditional guns and hoses perceptions of what security is.
“When you are viewed as a business partner and have a seat at the table then you have the opportunity to influence the outcome. But more importantly, from a fiscal perspective, whatever decisions are made going forward will cost the company less because your organization was involved early on helping to shape the strategy, helping execute the plan and you’re not surprising your business partners with costs they neither understood nor anticipated. It is a win for everybody since you’re on the same page day one,” he explains.
Komendat, who has gained the reputation among his peers as a visionary for his transformational approach to security and risk and for his critical thinking related to operational risk and mitigation, stresses that in today’s tumultuous environment where the security situation is so dynamic, having the ability and possessing the agility to deal with multiple issues at varying levels of complexity concurrently is critical. He maintains one must possess the ability to change priorities on a dime and deal with the crisis of the moment.
“If you are a big multinational global corporation right now and you’ve got exposure anywhere outside the United States, given the fact there is so much happening around the world on a day-to-day basis, you’ve got to have what I call a group of agile thinkers,” says Komendat. “These are people that are non-linear in their thought processes; that can be tasked with an assignment at the beginning of the morning and by mid-day understand that is no longer your priority and be handed a new task, and at the end of the day be told this is your new priority tomorrow. And they have to be okay with that.”
Komendat understands that to be in security today and to be a linear thinker is a challenging situation for both staff and leadership. So the ability to have broad capabilities within your organization and multi-dimensional skill set that team members can plug and play are what creates resiliency within the organization; having that depth and breadth of the talent that can move around the chess board on any given day to deal with different types of issues is important.
“I think that is where you build resiliency. Of course, you need to have good processes, you have to have good systems and good communication methods, which are the foundational building blocks of any successful security organization,” Komendat says. “But it is really the people and the talent you have on staff that ensures organizational resiliency.”
Komendat and his team have a unique philosophy when it comes to finding those special people for the Boeing security organization. When there is an opening team leaders are instructed to act like pro football scouts and hire a “first-round draft choice”. To be more specific, he wants his staff to hire a first-rounder that is an athlete – meaning the potential hire doesn’t need a specific position but rather can do two or three things on the “field” really well. “So you draft him or her as an athlete that you may be able to put on offense, defense or special teams,” he quips.
“That is the type of security professional you want to bring in. It’s great if you can come in with a specific expertise like counter-intelligence or a cyber focus or a business continuity focus – whatever it may be. But in the environment we’re in today there are very few security activities that are so specifically defined that you would go out and hire for that area of expertise,” Komendat adds. “It would be very rare. You want to find people that possess expertise in specific areas, but also demonstrated capabilities in other areas or at a minimum, a demonstrated desire to learn those skills and want to be a broader player in the organization. When you can do that at every level of the organization, including leadership, you’re setting yourself up for long-term success.”
Building Out the Security and Risk Process
The Boeing security mantra is simple -- you can’t help the company unless your own department can help itself. Komendat realizes it’s important that as a security leader he makes sure that his own house is in order, acknowledging that before you can think about bringing value to the rest of the corporation you’re supporting, as a leader you must know that the core security function that you lead in the company has the ability to withstand intense pressure and stress from an event or multiple events and remain functional. If your organization can’t do that, then the rest of the company will struggle to cope as well – it is a symbiotic relationship.
“You want to have built in processes and redundant capabilities within your organization that allow you to not only survive but thrive in any type of critical situation you and your staff may encounter. Are you able to run things from a regional perspective, do you have virtual capabilities you can bring into play, can you transition operations over to your GSOC for a temporary period of time to handle enterprise business while you reconstitute business – do you have those abilities? In your preparation, you have to be ready to go to Plan B if Plan A is not available, and then move on to consider Plans C and D, and perhaps Plan E if circumstances dictate,” advises Komendat.
“I call this the ‘what-ifs’. You just have to ‘what if’ yourself to death figuring out what course to take if this fails, or if this person is not available or this process doesn’t do what we think it should do. You have to lead with that mindset,” he continues.
Another component of organizational resilience is embedded in its enterprise culture. A resilient culture is built on principles of organizational empowerment, purpose, trust and accountability.
“Every company has a risk culture. When you look at an industry like ours – aviation and defense – it is highly regulated and is subject to intense quality control for every product we manufacture. We are fairly conservative overall when it comes to risk. There are other industries that are more risk-adverse and have a higher level of risk tolerance because of the industry they’re in – sort of the fail quickly, pivot early scenario,” says Komendat.
He also says that it is easy to get bogged down when it comes to risk planning. Some companies have compiled huge print manuals, rigid procedures, and unrealistic expectations when it comes to their mitigation planning. Again, he insists that simplicity and straight-forward procedures and protocols fit best in a global operation.
“If you end up with this monstrous book or series of books that you use in a crisis situation, in many cases they are already out of date and most people can’t execute on them because there is so much detail in it the plan become much more of a stress-point than an enabler. The ability to have a plan that is executable and practiced and that takes into account 85 percent of the events you would face is far superior,” he says. “If people can consistently execute and everyone has the same plan, that is what allows for sustainable resiliency. If we lose communication and half of Washington State breaks off and floats away into the Pacific Ocean, other parts of our security organization could step right in and do whatever I and others on my security team should be doing because of that all-hazards approach.”
The GSOC Solution
Perhaps the most impressive accomplishment for Boeing Security and Fire and one that has strengthened its resiliency has been the consolidation of several disparate Emergency Operation Centers into one state-of-the-art Global Security Operations Center in Mesa, Arizona this past year. This intelligence-led GSOC and its successors will be keys to assuring Boeing Company’s all-hazard risk resilience for the next 100 years, so says its staff.
Komendat explains that the reason Boeing had three main operation centers previously was not the result of any brilliant strategy, it was a result of several mergers and acquisitions in the 1990s. All had different sorts of capabilities from a communications perspective. Some already had regional communication centers, with many of those doing site-based dispatch. So, just as the Boeing Company was meshing and learning to work with new partners in the late 90s and early 2000s, the same thing was happening with the newly melded security departments.
“It became clear, especially by the mid-2000s, that we were spending a lot of money to maintain these centers. We had done a good job early on identifying the fact that we have these three centers and there are good capabilities in them all if we decided to transition site-based dispatch to these regionally-based centers. And we did that, doing a lot of consolidation over a 10-year period taking small site-based dispatch operations and rolling them up to our BCCs – Boeing Communications Centers,” Komendat points out. “There were sites in St. Louis, Seal Beach, Calif., and one in Puget Sound. Following the roll-up of these site-based operations into the BCCs, there was a realization that there was no redundancy between the three and capital dollars were being spent every year to upgrade a capability in St. Louis or fix equipment in Seal Beach, and because of the volume of work that had been brought into Puget Sound, that facility needed to expand.”
In the end, the security staff concluded that they were spending a ton of money and probably getting back a third of the capabilities being realized by other comparable companies.
“Once were able to sit down with our leadership team and explain why this was not a model that was sustainable and why it was going to inhibit our company’s ability to mitigate risk, people came on board. After that, it was just a matter of a lot of heavy lifting by a lot of smart people at every level in the organization who went out and did their due diligence work. Our president at the time remarked that this move was not about cost-savings but more about strategic direction,” he says.
The new GSOC gives Boeing a single, integrated operating picture. It now has one place in the company where all global and domestic data and information is collected, analyzed and secured. Using its a proprietary situational awareness operations tool that was developed in house called ThreatNavigator, which has been studied by other large organizations across the country, the software allows the Boeing security organization to assess threats and risks on a global basis in real time and then take that information to determine the impacts of incidents to company’s business operations.
“We had never had that capability before because we were siloed by our three operations centers, which forced us to cobble together a risk perspective. We don’t have to do that anymore since all information is coming from only one location,” says Komendat.
The confidence Komendat and his security staff have in being a prepared and proactive team are palpable. With their new GSOC and a solid culture of sustainable risk resilience they have mentored within the company, Komendat admits he sleeps better at night now than perhaps in previous years.
“When you think about incidents that are occurring around the world on a day-to-day basis, the risk faced by any of our employees worldwide worries me. But to be honest, I do worry a little less now realizing that we have a lot of people in our organization paying attention to this stuff. I know I’m not going to wake up in the morning and be surprised that somewhere in the world where we have a traveler or a group of employees working, that something bad happened to them,” he says. “I may worry about those Black Swan events, but there again, I sleep okay at night knowing that we can cover almost every scenario and have built a strong all-hazards approach to risk.”
About the Author: Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s top security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS.