Is Empowering Local Management the Next Step in the Security Industry 10 September 2019 Jean-Francois Savard, CD, MA, CPP, CISSP, CBCP, CFE Dennis Quiles, CPP


Is Empowering Local Management the Next Step in the Security Industry

10 September 2019

Jean-Francois Savard, CD, MA, CPP, CISSP, CBCP, CFE

Dennis Quiles, CPP


Agenda

• Part I – General Principles

• Part II – McDonald’s Corporation Delegation Philosophy

• Part III – Practical Exercise


Part I – General Principles

JF Savard, CD, MA, CPP, CISSP, CBCP, CFE

Chief Security Officer, Agriculture and Agri-Food


Aim

• To discuss how to determine if, and what, parts of an organization’s security program to delegate to subordinate organizations while maintaining appropriate accountability


Agenda

• General Considerations

• Elements of a Security Program Delegation Approach

• Some Tools for Assisting in the Security Program Delegation Approach

• Advantages and Disadvantages of Security Delegation

• Conclusions


Trust in the Security Industry

• Trust must be earned, and is easily lost

• The security industry operates within a world of high expectations and low tolerance for failure

• Security underpins much of modern day-to-day business operations, and thus failure is even less tolerable

• Modern security, with its myriad offshoots, is too complex for the strategic level of the organization to completely control

• Delegation of key functions to subordinate organizations is therefore essential to survive and thrive in this complex environment

• The key is to develop a common understanding of security requirements and enlist/empower local management in delivering these requirements

• Trust is essential, but so is verification – the old Russian proverb “Trust But Verify,” immortalized by Ronald Reagan in 1987, applies here


Why Delegate Security?

• Can any one of us do it all, realistically?

• Security is too big, too complex, and too fluid to try to manage from the strategic level of the organization

• Delegation provides subordinate organizations with the flexibility to implement the security program recognizing their local reality

• A robust policy framework, effective tools, and a thorough verification program backstop all delegations


Security Functions - Categorization

• How much delegation is reasonable in the modern business and security context?

• The more critical the security function, the less likely it will be delegated


Critical security functions (high risk if they fail)

Important security functions (medium risk if they fail)

Routine security functions (low risk if they fail)


To Delegate or Not – a Process

• A layered approach to determining whether to delegate security functions, and if so, which ones to delegate, is a good option. Those layers include:

1. Organizational Scan (Detailed Survey)

2. Security Risk Assessment (SRA)

3. Call to Action/Value Proposition

4. Policy Framework

5. Detailed Risk Analysis of Security Program Elements

6. Detailed Analysis of Subordinate Organizations

7. Tools

8. Verification/Compliance Approach

9. Communications Considerations

10. Feedback/Lessons-Learned


Phase 1 - Preliminary Steps

• There are three steps in the preliminary phase:

  • Organizational Scan (Detailed Survey)

    • The purpose of the organizational scan is to get a good understanding of how the organization works

  • Security Risk Assessment

    • The purpose of the Security Risk Assessment (SRA) is to evaluate the status/maturity of the organization’s overall security program

  • Call to Action/Value Proposition

    • The call to action is to mobilize the internal support that is essential to move forward with delegation of authority


Phase 2 - Detailed Analysis

• There are four steps in the Detailed Analysis phase:

  • Policy Framework

    • The purpose of this step is to evaluate the maturity and robustness of the organization’s security policy framework as you consider what, if anything, to delegate

  • Detailed Risk Analysis of Security Program Elements

    • The purpose of this step is to determine which program elements can be reasonably delegated to subordinate organizations and which must be maintained at the organization’s strategic HQ level

  • Detailed Analysis of Subordinate Organizations

    • The purpose of this step is to consider the maturity, capacity and/or ability of each subordinate organization to accept additional security responsibilities

  • Tools

    • The purpose of this step is to decide which tools to provide to support the delegated manager


Phase 3 - Implementation and Follow-Up

• There are three steps in the Implementation and Follow-up phase:

  • Verification/Compliance Approach

    • The purpose of this step is to determine the best way to measure compliance while maintaining the trust bond

  • Communications Considerations

    • The purpose of this step is to establish expectations and recourse mechanisms with the subordinate organization(s) to whom you are delegating authority

  • Feedback/Lessons-Learned

    • The purpose of this step is to gain constructive feedback and develop lessons-learned on all aspects of the delegation


Advantages and Disadvantages of Security Program Delegation

Advantages

• Empowers subordinate organizations

• Fosters trust and buy-in for the overall organization’s security program

• Allows more flexibility and tailoring for local realities

Disadvantages

• Can be seen as downloading by local managers

• Leads to a potentially uneven security program depending on local capacity, capability, interest and effort

• Can lead to redundancy


Questions?


Part II – McDonald’s Case Study

Dennis Quiles, CPP, Director Corporate Security, McDonald’s Corporation


Delegation of Authority at McDonald’s Corporation

Delegating responsibility is an art. Successful managers are the ones who know exactly ‘What to delegate?’, ‘Whom to delegate?’ and ‘How to delegate?’

The primary objective of delegation is to effectively use time and talent and make people work as a team to achieve a common goal.

StrengthScape


Delegation of Authority at McDonald’s Corporation

• Delegation of authority is a force multiplier

[Figure labels: Task at Hand, Force Multiplier, Collaborators, YOU]


Delegation of Authority at McDonald’s Corporation

• Delegate for success:

• Person’s Capacity and ability to do the job

• Provide necessary tools to be successful

• Supervision and periodic “Reality Checks”

• Be transparent, but also set expectations

• Establish project plans, set milestones and measurements

• Delegate the correct amount of authority, no more, no less


Delegation of Authority at McDonald’s Corporation

Delegate; however, do not drown your team by making them do all your bidding.

Everyone should work on what he/she is supposed to do and not have to worry about anything else.

Steve Jobs, Apple CEO


Delegation of Authority at McDonald’s Corporation

• Delegation is often derived from a need

• What are your needs?

• Is it manpower?

• Is it technical expertise?

• Lack of a robust organizational/operational structure?

• Insufficient security core team?

Regardless of the need, delegating your authority is not easy to do!!!!!


Delegation of Authority at McDonald’s Corp.

• Delegation Risks:

  • Losing Span of Control

  • The possibility of eventually losing Authority

  • Internal Coup (takeover)

  • Not trusting your resources

  • Character preferences or personnel preferences, etc.

  • It could be expensive

Regardless of the issue, there are perceived risk factors that you should take into account before you delegate authority.


Delegation of Authority at McDonald’s Corp.

• McDonald’s Corporation has been classified as the second largest Real Estate Corporation in the world, after the Catholic Church.

• Operating over 37,436 locations in 122 Countries

• McDonald’s supply chain is larger than that of the US Armed Forces combined


Delegation of Authority at McDonald’s Corp.

• McDonald’s corporate security mission, to support our global corporate plans, would be nearly impossible without delegating authority.

“Cadillac Corporation was heavily criticized for its decline in quality and final product details. After delegating to line employees the result led this GM division to record sales and quality awards.”

Kellogg School of Business


How Do We at McDonald’s Corp. Delegate Authority?

• Maximizing Existing Resources:

• Delegating Authority often helps supplement current core-talent.

• External Guard Services

• Meeting Planners meeting and events security support

• Facilities security support

• Global Risk Intelligence sharing information

• Contracted Services (temp-manpower, information-data, tech-expertise)


Responsibility; Who is Accountable?

“YOU CAN DELEGATE AUTHORITY BUT CAN NEVER DELEGATE RESPONSIBILITY”

Eric Teetsel, The American Spectator


Accountability; Who is Responsible? YOU ARE...


McDonald’s Security holds the overall responsibility at all times, but also:

• Establish checks and balances

• Inspect what we expect

• Conduct periodic meetings with key department clients

• Assess success by measuring plans

• Conduct client satisfaction surveys

• Meet with vendors and discuss service performance and expectations


Delegation of Authority at McDonald’s Corporation

“Truly successful leaders are not afraid to delegate, but they also know when they need to take matters into their own hands”.

Elon Musk, TESLA CEO


Accountability & Delegation Example

Contracted Guard Force Security Services

• Guard force delegation – positioning and training

• Building Life Safety - training, equipment and recruiting

• Attending other corporate meetings

• Day-to-day coordination - local PD, Fire Department and landlord

• Relocation drills, evacuations - Life Safety Plan development and updates

• Life Safety webpage administration


Accountability & Delegation Example

• Meetings & Events Security Contracted Liaison

• Vendor Management (evaluation, contracts, supervision and invoicing)

• Meeting with corporate meeting planners

• Security plans development and plan executions

• Initial incident management notification, documentation and communicating

• Advance work

• Record keeping and budget accountability, etc.


Accountability & Delegation Example

• Global Risk Intelligence

• Delegates global risk intelligence data-mining to external business partners

• Assigns Intelligence analysis to external vendors

• Appoints external sources for data verification, association and validation

• Validates data sharing to key executives before reaching the C-Suite


In Summary

• Delegating authority augments your core-security force.

• Delegate authority to a few “Trusted employees, contractors or vendors”

• Delegating exponentially enhances your department’s reach while expanding:

✓ Department’s Influence

✓ Overall Authority

✓ C-Suite and Board of Director’s Reach

✓ Enhances department Visibility

✓ From Gates, Guards and Guns to a trusted business partner

✓ Boost workforce Respect, etc.


Part III – Practical Exercise


Practical Exercise

• On the table in front of you, you have four scenarios

• I will number you off 1 to 4

• Group 1 will look at Scenario 1, Group 2 at Scenario 2, etc…

• Using the template provided to you, work through the scenario and answer the questions below each scenario (5 mins)

• Report back to the plenary group (10 mins)


Scenario 1 – Whadyathink LLC.

• Whadyathink LLC is a micro-organization with fewer than 50 people that was just stood up by federal legislation by the government of Lugubria to address a politically-sensitive issue. They are all in one building in a large Lugubrian city’s downtown core. They have a rudimentary policy framework for all internal services, but have been given a very large budget allocation as they will need to conduct wide-ranging consultations, both in Lugubria and abroad, for benchmarking purposes. Most of the employees of this new entity come from outside of the Lugubrian government, many from the private sector, but with some coming from the Not-For-Profit and international Non-Government Organization (NGO) sectors. Some subject-matter experts from multiple countries may be hired on contract as well, bringing different perspectives and traditions with them. Meanwhile, there has been significant media attention, some concern expressed as to the large budget allocated to this initiative, and a lot of expectations around the launch of this new entity. Whadyathink LLC is supported by a larger Lugubrian government department – the Department of Miscellaneous Affairs (DMA) – for all security services via a Service Level Memorandum of Agreement. DMA has a large, well-defined and well-provisioned security program which has done well in repeated audits, and all of its constituent elements are mature. You are DMA’s CSO and have been tasked by your CEO and Minister’s (Secretary, or whatever term your national government uses) Office with “ensuring that things don’t go off the rails!” You walk back to your office and ponder your new assignment.


Group Discussion

• What elements, if any, of the security program would you recommend be delegated to Whadyathink LLC?

• If any, how would you go about doing so?

• What Compliance/Oversight mechanism would you recommend?


Scenario 2 – Food For All Incorporated

• Food For All Inc. is a small jointly-funded public/private agriculture/food processing research company with fewer than 500 employees that is located in a small city in the country of Canola - with two satellite locations - Bacon and Eggs - elsewhere in even smaller Lutetian towns. Recently, Food For All Inc. was voted as one of the 50 Best Places to Work in Lutetia. The atmosphere is very folksy and laid-back, and everyone is pretty excited at the honour bestowed on the organization. The security policy framework is solid, but it does allow managers a lot of flexibility in “tailoring” the program to suit their needs in order to accomplish their objectives. Senior management has traditionally been focused on achieving results in a manner that ensures that employees have fun, yet get the job done as per Food For All Inc.’s slogan: “Get it Done.” Security, while present, has never been a priority for the organization. However, there has been some recent negative publicity regarding both a security breach in the cyber realm where hackers took over Bacon’s website and repeatedly posted obscene content involving breakfast foods, and physical sit-ins where protesters took over Eggs’ main administration building for a number of days. Both incidents made the national Lutetian news cycle. As a result, the previous CEO opted to look for work elsewhere and a new CEO was appointed. The new CEO has now arrived with a mandate to “tighten-up” the way things are done. You are the new CSO of Food For All Inc. and the CEO has asked you to “make sure that Food For All Inc. not only overhauls its security program, but is seen to be doing so.”


Group Discussion

• What security elements would you recommend to Food For All’s CEO/senior management be delegated to the regional satellite or conversely be repatriated from that site to the national HQ?

• How would you go about doing so?

• If you leave the current delegation in place, what additional oversight mechanisms would you recommend be put in place?


Scenario 3 – Humungous Incorporated

• Humungous Inc. is a major international conglomerate of over 100,000 employees (rising to 125,000 with seasonal fluctuations) divided into five large global geographic areas along with the mainland US, all of which are led by Vice-President-level C-Suite executives, each with their own organic security teams. It has a very mature security program with a well-defined policy framework with all employees signing annual security and value and ethics reminders. All of its employees have taken the mandatory baseline security awareness program online. All security program elements are delegated except for sensitive investigations, which are retained at the strategic HQ level along with oversight of all subordinate security organizations’ security programs. Notwithstanding this, a few recent highly-publicized cases of product adulteration, fraud and conflicts of interest in some geographic offices have left Humungous Inc.’s senior management somewhat shaken, and led them to question whether the current security policy regime and structure actually work. You are the CSO of Humungous Inc. and have been tasked with conducting a review of the current program and making recommendations on improving it.


Group Discussion

• Given the maturity of the program, how would you approach the security risk assessment?

• What recommendations would you make to senior management regarding the delegation of security functions?


Conclusions

• In a changing world, security organizations must remain flexible and leverage every advantage available

• Delegation of some, or most, of an organization’s security functions can generate great returns as local management will feel trusted and empowered

• Modern technology allows for a great deal of remote monitoring consistent with delegated responsibilities

• Where possible, organizations should delegate as much as possible to increase the reach of their security programs and mobilize trusted local leaders


Contacts

• Jean-Francois Savard, CD, MA, CPP, CISSP, CBCP, CFE, Director, Security and Emergency Management, Agriculture and Agri-Food Canada, [email protected], (613) 773-1466

• Dennis Quiles, CPP, Director, Global Security, McDonald’s Corporation, [email protected], (630) 623-3698


Annex A – Detailed Description of Decision-Making Layers


1. Organizational Scan

• It is important to understand what makes your organization work (what makes it tick?)

• The following considerations are a valuable way to gather this information:

• Size

• Geographic expanse

• Employee composition

• Current security policy framework

• Organizational culture/orientation/focus

• Trust/Risk Management Philosophy

• Senior management engagement

• Degree of security-related issues in the organization

• If any security-related issues, what is the public profile of these organizational issues


2. Security Risk Assessment


• Before starting this process, it is essential to evaluate the status/maturity of the organization’s overall security program

• A proven way to do that is to conduct a Security Risk Assessment (SRA)

• An SRA is a holistic assessment of your organization’s security program readiness and maturity

• Various options for conducting an SRA exist:

• Internal Audit

• Reputable audit firm or other independent security specialist

• National HQ security staff


3. Call to Action (Value Proposition)

• To mobilize senior management’s support for your delegation of authority initiative you need to:

• Focus the attention of senior management in a meaningful, real way that matters to them

• Use SRA results if available

• Contrast with what other like-minded organizations are doing

• Show potential benefits of delegating certain security program elements (trust/empowerment) vs risk if the effort backfires (liability/embarrassment)

• Detail what is the cost/benefit breakdown (reputation is priceless/trust must be earned both ways)

• Setting the Tone from the Top is vital for your success


4. Policy Framework

• It is important to evaluate the maturity and robustness of the security policy framework in the organization as you consider what, if anything, to delegate

• Policy instruments are very important and convey the will of senior management. The more directive the instrument, the less room for interpretation:

• Policy: most powerful as it usually is signed-off by highest levels of the organization and is mandatory for all; focuses on the “who”, “what”, “when” and “why”

• Directive: very strong, but subordinate to another higher policy (Security, Values and Ethics, Finance, Procurement, etc…); similar focus as the policy, but may include some “how”

• Standard: not as strong, usually provides detailed instructions on the “how” in support of a policy and/or directive

• Guidelines: voluntary, focused on providing useful tips concentrating on the “How” in support of all the above

• Guidance: weakest form, general statement of intent/future direction or wish but usually without any enforcement built-in


5. Detailed Risk Analysis of Security Program Elements

• It is then important to conduct a detailed risk analysis of all security program elements to determine which can be reasonably delegated to subordinate organizations and which must be maintained at the organization’s strategic HQ level

• The lower the maturity of the program element, typically the higher the delegation risk. Some exceptions apply, but as a rule of thumb, always err on the side of caution with security matters

• You can always delegate more in the future as the organization’s security program improves its maturity level

• There are generally three options for delegation of program elements: full, partial or no delegation


6. Detailed Analysis of Subordinate Organizations

• The next step to consider is the maturity, capacity and/or ability of each subordinate organization to accept additional security responsibilities.

• Issues ranging from size, governance, location, and delegation of other similar responsibilities will help determine the suitability of each element to receive such delegation.

• It is quite possible and appropriate for some subordinate organizations to have greater delegation than others.

• For each subordinate element, a maturity assessment needs to be done to determine suitability of dealing with delegated authorities.

• Following the subordinate organization’s Maturity Level Assessment, the next step is to determine which, if any, Security Program elements to delegate to that subordinate organization.


7. Tools

• Once you have determined the nature of the organization, mobilized senior management’s support, validated the policy framework, verified which parts of the program can be delegated and the maturity of the subordinate organization, you then need to decide which tools to provide to support the delegated manager. Some tools to consider include:

• Note from CEO – Sets Tone from the Top

• Security Policy Framework

• Common look-and-feel BCP and Bldg Emergency Response Plan templates

• Common emergency notification systems

• Managers’ Self-Assessment of the Risk of Organizational Fraud, Waste and Abuse (FWA)

• 1-800 Information Hotline for confidential reporting and/or advice

• Managers’ Security Checklist (MSC) completed by head of subordinate organization

• Threat Risk Assessment Self-Audit Questionnaire

• On-line mandatory security awareness course

• Security-related issue workshops with interactive voting technology

• Code of Values and Ethics/Code of Conduct Annual Reminders

• Other tools developed by the national HQ security team


8. Compliance/Verification Strategy

• No delegation of security program elements/responsibilities can be done in good faith without some form of verification/compliance

• Some approaches to verifying compliance include:

• Detailed reviews of:

• Completed tools from the previous section:

• Threat Risk/Physical Security Assessment Self-Audit Questionnaires

• Common Bldg Emergency Response Plan and BCP templates

• Managers’ Self-Assessments of the Risk of Organizational Fraud, Waste and Abuse

• Records of Decision of local security governance/management committee meetings where security program elements are discussed

• Findings from Audits and other compliance activities where security may have been mentioned

• Periodic on-site Organizational strategic HQ Staff Assistance Visits (SAVs) to validate information provided

• On-line surveys completed by security practitioners and managers

• Program Audits that include sampling from all levels, particularly if program elements have been delegated to subordinate organizations


9. Communications Strategy

• Early establishment of expectations and recourse mechanisms is vital when considering delegation of security functions to subordinate organizations.

• The initial discussions should be made in-person to ensure that there is a climate of trust established between the organization’s strategic HQ element and the subordinate organization that is gaining new responsibilities.

• Periodic check-ins thereafter maintain the confidence and trust of the subordinate organization, and could include the following measures/activities:

• Video teleconference (VTC)

• Telephone conversations

• E-mails

• Social media accounts (for non-classified issues)

• Classified networks

• In-person meetings during Staff Assistance Visits or regional outreach activities

• Workshops

• Structured training both in-house, and with third-party service providers


10. Feedback and Lessons-Learned

• Feedback on all aspects of the delegation is essential for the overall security program to be effective

• Periodic lessons-learned/feedback analysis must be performed

• Feedback can be provided via verbal feedback, electronic surveys, paper surveys after workshops or presentations, suggestion boxes, etc…


Annex B – Delegation of Security Functions in Organizations – Decision-Making Template (separate handout)