Security is one of our basic, most fundamental needs. To keep up on the latest trends in security Fran Racioppi traveled to the Global Security Exchange in Atlanta to sit down with retired Chief Security Officers Rich Davis of United Airlines and Steve Bernard of Sony Pictures.
Rich oversaw United’s response to the 9/11 attacks involving two of United airplanes. Steve led Sony through the North Korean cyber attack after the premier of The Interview starring Seth Rogan and James Franco.
They cover the evolution of the industry, the threats we face in both the physical and cyber domains, how thought leaders are needed in senior security positions, and how we build a security culture in our organizations. The world is a complex place and today’s companies require dedicated support for the protection of their number one asset – their people. International SOS is the industry leader in travel risk management, medical support, evacuations, mental health, crisis management and workforce resilience. On the ground in over 90 countries and 1000 locations, International SOS is there 24/7 no matter the challenge.
—
Security is one of our most basic foundational needs. Maslow’s Hierarchy of Needs puts safety and security at the bottom of the pyramid, right between our need for food, water, rest, and warmth and our need for belonging and love. We look for safety and security in every aspect of our lives. We face threats and risks walking down the street, driving our cars, sitting on an airplane, or even cutting a piece of fruit.
Our companies face risk to intellectual property assets and people traveling to support the mission. As a country, we face national security risks posed by other nations and terrorist organizations. As people, employees, businesses, and as a nation, we look to the global security industry to identify the threats we face, then analyze and mitigate the risk to keep us safe.
To catch up on the latest trends and equipment in security, I went to Global Security Exchange in Atlanta. GSX is hosted by the security industry’s accrediting body, as is international. It’s the largest security trade show in the world and has everything from uniforms and cameras to robotic dogs and counter-drone sensors. I’ve been in the security industry a long time and have been fortunate to have some of the most impactful leaders in the industry as mentors and friends.
To talk about security and the threats we face as companies, entrepreneurs, and employees, I asked two of securities’ most respected authorities to sit down with me on the convention floor. Rich Davis is the former Chief Security Officer of United Airlines. Stevan Bernard is the former Chief Security Officer of Sony Pictures Entertainment.
Rich started his career in United Chicago Kitchen and worked his way through the ranks to lead one of the most targeted and high-profile global operations on the planet. Stevan earned a Bronze Star in Vietnam, came home to continue service in law enforcement and later made the switch to corporate security leading movie and film production from the LA studio a lot to the most remote regions of the world.
Rich oversaw United’s response to the 9/11 attacks, which involved two of United’s airplanes. Stevan led Sony through the North Korea cyber-attack that shuttered the entire Sony computer network after the premier of The Interview, starring Seth Rogen and James Franco, which in my opinion was a pretty funny movie, regardless of what Chairman Kim thinks.
Rich Stevan and I cover everything security, including the evolution of the industry, the threats we face in both the physical and cyber domains, how thought leaders are needed in senior security positions, and how we build a security culture in our organizations. Stevan and Rich are two of the leading Jedburghs in the industry, and then serve as Senior Advisors with International SOS, providing health and security risk mitigation for businesses of all sizes and locations.
The world is a complex place and companies require dedicated support for the protection of their number one asset, their people. International SOS is the industry leader in travel risk management, medical support, evacuations, mental health, crisis management and workforce resilience. On the ground in over 90 countries in 1,000 locations, International SOS is there 24/7 no matter the challenge.
Check out my conversation with Rich and Stevan from the International SOS booth at GSX on your favorite platforms. Watch the full video version of our conversation on YouTube. Subscribe to us and follow @JedburghPodcast on all social media. Check out our website, JedburghPodcast.com. Learn more about International SOS at InternationalSOS.com and on social media, @INTLSOS. Stevan Bernard is the Founder of Bernard Global, and Rich Davis is the Founder of Rich Davis Security Consulting. Find them both on LinkedIn.
—
Stevan and Rich, welcome to The Jedburgh Podcast.
We’re happy to be here.
Thank you, Fran.
The whole show is about visionaries, drivers of change and those dedicated to winning no matter the challenge. Security is so important in our lives. In this world, we’re seeing so many things that we haven’t seen in decades.
You have been each at the forefront of major corporations, Stevan, as the Chief Security Officer at Sony Pictures and Rich, you at United Airlines. We’re going to talk about the magnitude of these organizations. To be able to sit in a room with you, learn from you and share those experiences has always been an honor in my career in global security. To be able to share that with our audience is truly a tremendous opportunity. I thank you so much for taking time out of your busy schedule to sit with me for a few minutes in the ISOS booth, which is a great setup.
I want to start by talking about ASIS International and GSX. We are in an industry where we talk about global security that requires standards. When we’ve developed security programs, the very first thing we always talk about is standards. Often, we get wrapped up around policy but it’s about how we identify standards for what we do at every level of the organization. ASIS is the organization in global security that sets a lot of those standards that we all then use to build so many of our programs.
GSX is the annual trade show. This is where we go out to share knowledge, gain knowledge, learn the new technology and better ourselves, whether you’re new to the industry or you’ve been around for 30 or 40 years. Everybody’s here because this is how we continue to innovate, build community and come together. Security is defined as “the state of being free from danger or threat.”
We live in a complex changing world that’s changing by the minute geopolitical risk exists everywhere. You’ve both dealt with that. We’re going to talk about it down from local things that happen outside of our offices and homes to trips and falls in the workplace. As a Global Security Director and Chief Security Officer, you have to deal with everything across that whole spectrum. How do you define a security professional? Why are these organizations of ASIS International and GSX so important to set those standards? Stevan, we’ll start with you.
Thank you for the entrée. That’s great. I’ve been a member of ASIS for 35 years. That dates me a little bit. When I became a CSO or Director of Security in 1983, there were no standards, guidelines or policies. It was so new. I bought the Protection of Assets Manual. It saved me and made a difference in my ability to build a viable program in a company that had great needs and risks.
Let’s fast forward to being here. I haven’t been to one of these in three years. COVID got in the way and some other things but as you know and Rich knows, he and I walked the halls here for days. It’s so great. Nothing replaces this. Zoom has been great but being together, having these one-off conversations and finding out what’s on people’s minds is awesome. Let me shift over to Rich.
It is quite awesome, Fran. I too want to thank you for your kindness to words. That was very flattering and humbling. When you come into a building like this, ASIS and GSX and it’s my 1st one in 3 years as well because of the pandemic, it’s quite overwhelming when you look at how many people are working to support you in security and all of the different elements that come into it.
I wish we could spend an entire hour going up and down these aisles and hallways looking at the very different elements, going from uniforms to revolving doors and robotic dogs walking around the floor. There’s a yellow one and a white one. I’ve seen them both. It’s so wonderful to see how many people are contributing to our industry. We’re all about assessing risk and threats and how to counter those threats. The most important thing we do is protect people and assets. This building reassures how many millions of dollars are being spent in that world.
Why do organizations need thought leaders as their chief security officers? I ask you this question because we’re going to talk about the evolution of the security and security industry. It used to be about guards. We said, “You throw bodies at the problem. If you got a door, put a guard on it. If you got 2 doors, put 2 guards on it.”
We still need security officers. A very valuable and important component of our securities strategy in organizations is the officers because customer service comes first and they are the front line of defense. When we talk about putting people in positions of leadership within security, why is thought leadership so important?
Especially in this area of safeguarding people and assets all over the world, the digital connectivity and all of that, the big deal in leadership is the digital risks are changing by the moment, also inflation and mental health. We could sit here and make up a list of probably 100 items that I can think of that somehow should be on the radar of a thought leader.
[bctt tweet=”The big deal in leadership today is the risks are changing by the moment.” username=”talentwargroup”]
Every day, refocus that lens on, “What is it I need to worry about? What does my employer need to worry about? How do I do the best job I can to enable the business, protect the people, protect the assets and take us forward?” Part of it was also you better have business savvy. You’re not there because you don’t have the best security program in the world. You’re there to enable and align with your business.
Stevan is right. The different security responsibilities that we have like at Sony, Merck, Boeing, United Airlines, Delta, and American, everybody has their top risks. It’s called Enterprise Risk Management. Thought leaders got to understand, “What’s coming at me?” Crisis management begins long before the crisis has arrived. You have to be thinking ahead, “What’s coming at me? What’s coming down the road?”
When you’re able to communicate that to leaders that understand what the risk is to their corporation, each of us is all different. We have different risks. For instance, catastrophic sabotage is high on every airline’s list. Maybe not so high on other companies. Labor unrest is another example, weather and geopolitical. Whatever they are, wherever you’re a thought leader and whomever you’re working for, you have to understand, “What’s coming? What can harm this company? How do we take care of those risks?” That’s good thought leadership.
The tagline of the show is, “How you prepare today determines success tomorrow.” It’s all about that preparation. Without it, you cannot respond to crises. If you haven’t thought about all of these contingencies and crises that can occur, then how are we going to think through the solution? A lot of times we talk about not necessarily making the book that tells you what to do but how do we make the checklist that tells you how to think?
You have to work within your corporation with different entities, such as your legal department, finance department and insurers. The C-Suite is very interested in what all of those entities have to say. When you practice things that can harm you, you’re prepared when that day arrives, whether it’s a tsunami or an accident.
Rich is right. On that point though, let me add one more thing. What we fail to do oftentimes is to have a gathering of those functional areas with decision makers, sit down and have a conversation about, “What if these things happen? Who’s going to make what decision? Let’s redefine roles and responsibilities and make hard decisions in that room before that day comes.” I think about the Sony attack on North Korea. The decisions we made on day one probably saved the company. That’s how critical it is. Delegating, escalating, defining roles and not having conflict in the room on the day of.
Let’s talk about you guys for a second. You dated yourself so I’ll date you a little bit more. We’ll start with Rich. You retired as a Chief Security Officer at United Airlines. You were there for 25 years. The rumor has it that you began there as a baggage handler and worked your way up. You’ll have to negate or confirm that for me but you have a tremendous career through a defining period for that company and organization.
I’m a global services member so I know the organization intimately as much as you can from the passenger side. I do appreciate everything that United Airlines has done for me and also in the industry. You and Stevan were Senior Advisors to the State Department at Overseas Security Advisory Council, OSAC and the Domestic Security Advisory Council, DSAC.
Rich, you’re on the Board of Directors at International Security Management Association. We know it as ISMA. Also President and Board of Directors at the International Security Foundation, ISF, Board of Directors of Domestic Security Partnership, 6-time Chairman for Airlines for America Security Council and 3-time Chairman of the International Air Transport Association, IATA. Is that it?
I worked for United Airlines for 40 years. I started in the kitchen. I have a pretty unique story and I’m proud of it. I worked in the kitchen for six months. That was back in 1978. It was one of the big ways to get into the company. In 6 months, I did get promoted and moved to baggage handling, which I did for about 3 years. I then advanced to reservations and did well at that. I didn’t know why I was doing well at that but I learned why. I was an usher in my teen years in Chicago, seeing The Rolling Stones, Elvis Presley and all the sporting events.
What happened was in 1973, President Nixon ordered aviation security to begin to counter the hijackings. The City of Chicago hired our ushering company to do that. I lived on the Northwest side, so I was spending a lot of time at the airport as one of the original screeners in 1973. Fast forward, I graduated from college and went into the headquarters of that ushering company.
There was a little attrition and I found myself running O’Hare Airport for that company at age 23. I had my beginning of security. I didn’t know this would turn into a career by any means. I had a career path in reservations and sales. United was acquiring Pan Am International at the time. I’m at headquarters working in international planning, reservations and sales.
In December of 1988, Pan Am 103 exploded over Lockerbie, Scotland. Within weeks, my company said, “Rich, we need you in the security department ASAP because you have an aviation security background.” I joined the department shortly after Pan Am 103 in 1989. I became the Chief Security Officer in 1997 for the next 23 years. That’s the capitalized version. It’s pretty cool.
We talk about following your passion and dreams in so many different conversations. Also, working hard every single day to make a difference.
Working hard, developing your department and finding people with similar passions. For instance, all the people in this GSX meeting are contributing to the ultimate goal of all security leaders, to protect your people and assets.
Stevan, you served in the US Army. We share that common background and talked about it at length in our relationship. Thank you for your service as the predecessor to my generation and set the conditions for so much of what the US Army and the US military are. You were awarded the Bronze Star in Vietnam, came back and became a police officer in Iowa. After twelve years, you made the jump into corporate security, worked for a petroleum company and then came to USRobotics.
In 2002, you took over Sony Pictures and had been there for seventeen years. You transformed that organization through so many technological advances during that time when it comes to film and television production. You too, Rich. Aviation has come so way. Stevan, it’s a different game when you left from when you got there. You were also a Senior Advisor to OSAC and DSAC and a graduate of the FBI National Academy. Why get into security after Vietnam?
It was a natural transition for combat vets when they came back to get into law enforcement. Once you’re in law enforcement, especially the last several years, what we’ve seen is that’s where companies, when they want to hire a security professional, tend to be where they go to look, whether it’s FBI, local law enforcement or whatever it may be. A lot of people had a law enforcement background that has come into the profession.
I don’t think it’s as much that way in 2022 from a standpoint of, “Is it necessary?” What you need are good thought leaders, managers and business savvy. You can hire security once done. For the most part, that’s one of the things that we see here. There are so many amazing providers out there that offer a lot of services. A Security Director or a CSO in 2022 doesn’t have to be the expert in all of this. They have to figure out how they add the greatest value, set the strategy, lead the team and then diversify a little bit. Find other vendors and providers that can offer those services for you to give it a holistic approach.
[bctt tweet=”A CSO doesn’t have to be the expert in all this. They have to figure out how they add the greatest value and set the strategy, lead the team, and then diversify.” username=”talentwargroup”]
My first job was at age fifteen. I was a groom for five racehorses. I took one for a walk one day and he deliberately stepped on my foot. Another time I was in the stall cleaning it and somebody started a tractor. I had to dive over the chains to get out. That’s how I started and that was interesting. When I went in 1983 into the private sector, they didn’t even have a CSO. It was the Director of Corporate Security. I only knew 3 or 4 other people in the world who did that.
I jumped into the world’s largest fresh meets processing company that was owned by Occidental Petroleum. We were at war with everybody. We had lots going on I’ll say that, anything you can imagine. It was like I had a police department on day one, had to figure out how to run that and it was all over the place. From that, I started building a network. I want to comment real quick on how important that is. For my career, I built a network and people like you, friends all over the world who I still know how to get in a hold of.
When I was thinking about retiring in 2018 from Sony, I knew I was going to launch my business. The network I had then was awesome. It was a worldwide private sector and public sector. I probably have doubled it in the last few years. It’s unbelievable. The network and the relationships are what this is all about. There’s nowhere in the world that something happens that I can’t figure out how to get resolved. I just feel that confident. That’s important.
Going back into the ‘80s and ‘90s, the perception of security was so different than it is in companies number 1 and 2. It’s a lot in the back of our minds. Rich, you mentioned the bombing of Pan Am 103 was a defining moment when you look at how the public thinks about terrorism. You had that situation in Iran through that period too. When you think back on the perspective of companies, employees, executives and the government about corporate security during that time, what was their perspective?
Gates, guards and guns. That was it maybe. Were you ever invited to the C-Suite to sit at the table in the conference room, be a decision maker and an influencer and help guide that company? You had to fight your way into that room. In 2022, it’s still sadly somewhat that way.
We had similarities but we were quite different. One of the primary differences was the airlines of the world are regulated by the government. While we had guns, gates and guards, physical security responsibilities, investigations to do and those types of things, we also had this immense responsibility to follow the regulation set out by the governments of the world, primarily the FAA before 9/11 and the TSA after Homeland Security.
If we flew to Japan or London, we’re dealing with the Japanese government and the British government as well as every government around the world. The C-Suites and we had to pay attention. We did that at United. Also, all the airlines did that. That difference was a big deal because the aviation industry was a significant target. We’ll call them the bad guys. The threat was they wanted to kill us and hurt our people and assets. We had top-shelf attention to this, especially upon the realization of Pan Am 103 and what damage the bad guys could do to our industry. Pan Am 103 was a seismic event that changed the mindset of a lot of people in our industry.
I want to talk for a second about the roles and responsibilities that you each had. I don’t think people truly understand the magnitude and complexity of these organizations. I’m going to throw some more lists at you. Everyone who reads this show knows I like lists. United Airlines has almost 85,000 employees, $68 billion in assets, $24 billion in revenue, 840 aircraft, roughly 500 or so on order, 360 destinations around the world, flies to all 6 inhabited continents, about 4,500 daily flights unless they’re canceling them and over 168 million passengers moved every year. It’s the third largest airline in the world.
You said, “We are responsible for revenue protection, passenger facilitation, compliance with customs and border protection laws, compliance with all countries’ security laws, company investigations and compliance with our regulators, as well as the geopolitical oversight of the world, including the United States.” It’s in a perfect situation with the war in Ukraine. I fly to India once a quarter for my job as the Chief People Officer at Analytics. That flight used to be 16 hours but now, it’s 17 hours because we can’t fly over Eastern Europe like Ukraine. You got to bypass it.
The magnitude of this organization. When you think about coming to work every day, the prioritization of the threats and how the threats transition into risks that then sit across each one of these domains and verticals almost that you’ve laid out in your comments, how do you prioritize and triage those when you show up every morning if you go to sleep, can sleep, wake up and start a new day?
That’s a very challenging question to answer prioritizing all of the above. My sense and thought process was they’re all number one priorities because failure in any area in the aviation industry could lead to one of those top enterprise risk management fears and catastrophic sabotage. For instance, where can the bad guys place a bomb or carry Obama?
When you think about it, there are quite a few places. We have to plug all of those holes and gaps. We have to protect everybody in every way we can. It’s a tremendous team effort, which includes the governments, the intel agencies, the people on the ground, the people in offices, the pilots, the flight attendants and overall security awareness, not just for the planes but in all of our facilities as well.
Catastrophic sabotage can include the airports themselves as seen in Brussels and Amsterdam not so long ago. It can happen at any facility or in a building. How can you say that’s 10th priority or 20th? You can’t. It’s all of the above. The immense team effort from everyone, especially all of these people in this building all have a piece of the pie and expertise in an area like access controls, badging and uniforms. Everything adds to the goal of the enterprise and is a priority. That was my mindset.
Stevan, you had Sony Pictures, which has $7 billion in revenue and about 9,500 employees. It’s one of the big five film studios in the United States. We know that The Karate Kid, James Bond, Men in Black and Spider-Man, to name a few, have come out of there. It is a mini city. You’ve invited me there many times. Every time I’ve gone there, I’ve been so impressed by what goes on. There’s a perimeter.
Once you come inside, it’s an entire city that functions on its own. It’s got its own fire department. There is so much activity. There are people and crews in the studios and the lot but they’re also globally all over the world. When you start thinking about safety and security, risks and threats that exist to these crews in some of the most austere areas filming television and movies, it’s not only security but there are safety risks here and travel risks there.
The IP threat is massive because leakage of any of these films even when the scripts were written results in the loss of billions of dollars. You have to have a business mindset as a Chief Security Officer and understand how the business makes money. At the end of the day, what are we there to do? Protecting the company’s ability to make money is a core component of that.
Personnel and people’s safety are top of the priority there, as well as these other things. We’ve seen what happens when that breaks down, things like the Alec Baldwin accidental shooting on the set of Rust. It’s a horrific event. With the complexity of this magnitude and a blend of the safety and security aspects, how did you look at building and focusing on that program daily?
When I started there, they were dependent on analog. You had these big reels of prints 70-millimeter or 35-millimeter. You’re shipping them all over the world. Lots of people touch them. The piracy issues all over the world were huge. It impacted the business. The leakage of films and everything was not a good situation but remember, we didn’t just produce on that lot. We produced all over the world in some hellholes because you want to get the right scene.
As we built our program and I’ll talk for a moment about that, the more and more we did, what we realized is the rest of Sony didn’t have me. I spent a lot of time in Tokyo working with them and sharing what we were doing. Sony had 160,000 people all over the world doing unbelievable work with new technologies. We had that to deal with.
When I came to Sony Pictures, I was hired as VP of Security. When I left, I was Executive Vice President and had anything in the world that needed the protection of some kind. It was content, all digital assets and people. It’s not in that order. People first obviously. Also brick and mortar, travel, response and resilience. We had to build resilient programs. It doesn’t matter what happens. You got to be able to come back, including when North Korea tries to destroy your business.
The other thing I want to say and it’s important to get out here is we heard it in one of the sessions that he and I did. We probably missed the boat many years ago when we started focusing on physical security and not on digital security. A lot of the security professionals that we know in 2022 don’t have digital. What we’re going to start to see is more convergence there because the CEO doesn’t want to call five people for security. He wants to call one for risk or resilience. The titles are changing as well. The responsibilities and roles are changing to more about risk mitigation, risk identification, good intelligence and resilience and your ability to rebound and recover no matter what.
Let’s talk about the North Korea piece because you both have been involved in these events that have changed not just the security industry but the world and all of our lives in so many ways. Rich, with United’s involvement, the hijackings on 9/11 and Stevan, with North Korea that you brought up. Monday, March 24th, 2014, you go to work and the Guardians of Peace have seized and locked the systems of Sony Pictures and everybody out. In response to what I will say was a pretty damn funny movie, The Interview with Seth Rogen. What happened?
It was November 24th, 2014, Thanksgiving week. Not that I would want to remember that but I never will forget it. People tell me I should write all this down. I was like, “No, it’s right here forever.” When you live a moment like that, a near extinction event, like Mears did in the shipping and other companies have, some of what he’s been through, you’d never forget it.
What was so important about it is that we had business continuity planning. We had 150 plans written and distributed. You met a lot of the team. We had a great team of people. When it happened, they had already been in six months. We didn’t realize it. When we saw the Guardians of Peace on the screen, that was a wiper malware. We’re in 50 countries and 150 locations, plus all the productions. When you connected, the meltdown on your hard drive started. Within a few seconds, all that data is gone forever.
When I was talking about making decisions now instead of later, how about this one? You’re going to unplug worldwide to stop the bleeding. What does that mean? Who makes that decision? What is the impact of that? You got a business to run. It’s publicly traded. It’s a global stop. You went dark. You have no internet and connectivity. How do you run your business pre-internet? We would tell people that we’ve got to do that. “Should I go home? I don’t have a job now. My job was data entry and the computer doesn’t work.” “Take a piece of paper. Here’s a pen. We’re going to teach you how to run the business without that.”
When you say it changed the world, it did. That was an unprecedented attack on a nation-state. It was proven that it was them. Director Comey made attribution on December 19th, 2014. How did they do that? It’s because they saw the evidence. The other decision that was made that day one is so important. We brought the FBI in. This went through holidays for months and months. They helped us. The Department of Justice and the US Attorney’s Office were all over it.
The concern was we might lose control or they might see things. We never for a moment regretted that. The important thing about this is in your planning, you better know whom you’re going to call, start to build relationships with law enforcement and government, build trust and learn to partner because you can’t do this alone.
The public-private partnership thing is something that you’ve talked a lot about. That’s where you have organizations like OSAC and DSAC who are there to develop these relationships so you know who’s on the other side of that phone call in so many ways. In LA, when I was there, we worked so hard to develop that DSAC relationship with everybody there. You guys hosted the conference one year on one of the studio sets. That was so impactful to be able to understand, “These are the key players.”
Rich, 9/11 was one of the most defining moments that we’ve had as a country and as a world. I’ve talked a lot about it. The fact is that when you look, it’s the only time in history that Article 5 of NATO has been introduced. We think about what happened that day. You’ve certainly been put through the wringer since then in so many different conversations. Talk about how the events unfolded that day from your angle.
We all know and remember what happened. Many of us have dedicated the rest of our careers to never letting that happen again on full-scale 24/7. That’s what we had to do. I’ve used this word before and I’ll use it again. It was a seismic event. In many ways, Pan Am 103 was as world-changing as 9/11 and continued to change our industry.
It was a vivid reminder that no matter what decade passes, you talked about the evolution, whether it’s the infamous terrorist groups of the seventies to the present infamous well-known terrorist groups. They continue to try to come at us. It takes me right back to 9/11. You talk about business continuity and resilience. What a case study for the aviation industry, united Americans and everyone.
Stevan talked about unplugging from the network. That’s what the aviation industry did, ground every airplane.
Everything was grounded. We had to get back to work, did it days later and recover. It was the most challenging post-incident event that ever happened to our industry worldwide. We did that over time. The incredibly hard work of everybody touching this was like the eternal flame at President Kennedy’s grave. It never goes off. The people who were dedicated to this aviation security business do not turn off. It’s a constant reminder that no matter what the threat and evolution, you could still get a hijacking, have a bombing effort and something to harm our people and assets. It’s everybody’s responsibility to contribute.
With 9/11, Pan Am 103 and those first days of aviation security and I’ll remind everybody that 2023 is the 50th anniversary of airplane security, everything you experience is done for a reason. Don’t complain about having to take your shoes off. It’s done for a reason as everybody knows why like the Shoe Bomber and Underwear Bomber. There are plots. The incredible work that the intelligence agencies do to try to find out what’s brewing out there and the airline people do to do their job as required by the regulatory officials have been nonstop this entire time. Hats off to the people that are continuing that work.
Even the aviation industry is not immune to cyberattacks. I want to read a quote from Stevan. He said, “Cyberattacks are escalating on a global basis. The costs and impacts are spiraling confusion over how best to prepare. Even counterattacks require a renewed focus. We can’t ensure our way out of this. We can’t delegate and assume all is well. Cybersecurity is truly an enterprise responsibility, not just an IT issue.”
We used to fly airplanes with cables, a joystick and a couple of pedals. Airplanes are flying computers. We hear the stories about, “Is the next aviation cyberattack seize control of avionics and someone’s able to start downing aircraft remotely?” We think about these things and diehard too. It happened in 24 with Jack Bauer. These companies like Sony, United and Mears have massive budgets for force things like cyber security and physical security. When you think about the regular company, the small business, the medium size business and the people who can’t afford the $10 million or $20 million ransom, what can they do?
I’m giving you one example. There are many other governments like Australia, the UK and so on but the US government has a couple of programs. One is CISA. Another one is NIST. There are also ISO standards. There’s a whole bunch of good material that’s available. If you want to build a program, you can do that but somebody’s got to do it for you. It can’t be like, “It’s the other guy’s problem. It never happened to me.” It will.
Ransomware is a number one example form of attack. It’s unbelievable how many incidents there are that are not reported where they pay the money. What it’s doing is it’s feeling it’s creating a cottage industry. In certain countries, some people are experts in that that are gun slingers there for hire. Do you want to know how to hack, what to do when you get in, how to gather a ransom or deal with Bitcoin? It’s all for hire. Everybody gets a cut. You can’t indict and extradite them because you don’t have those relationships. These guys hide out in these locations and do that. Cyber has to be a cultural issue and everybody’s responsibility.
We’re going to talk about the future of security or risk as a profession, however you want to describe it. There are 8 billion people in the world and 5 billion connected to 5G high speeds. It’s going to get more of that. What does that mean? It’s a risky world. It’s fun. It’s how you have to manage but it’s also not without risk. We got to pay a lot more attention to educating the workforce, engaging them and helping the company. Not only themselves at work but also teach them good cyber hygiene. It carries out in the private sector.
It’s their personal lives, family, kids and grandparents. Everybody’s online and potentially a victim. A lot of the victims you don’t ever hear about but it’s not a good situation. I’m such a promoter of this and a believer. You talk about maybe airlines being compromised through cyber. The automobile is another one. Here’s what you got to remember. Most of the ways that we do lead our lives and how businesses run are going to be about connectivity.
[bctt tweet=”Most of the ways that we lead our lives today and how businesses run are gonna be about connectivity.” username=”talentwargroup”]
Think about the internet of things and all the devices that you can buy off the shelf and plugin. All of a sudden, there’s another vector that’s going to allow somebody if they want to get into you and compromise you. Time out, we’ve got to pay a little more attention to that. Have fun with it but understand the risk.
They push software updates to your vehicle sitting in your garage. One of my cars wouldn’t start. All of a sudden, I had a call and I understand what happened. They told me what to push on the screen. They said, “We pushed the software update last night.” If your car was in the garage, it could not have been taken properly. My car is not functional, even though it takes gas.
Let’s talk about where we’re going. Rich, you said, “Security like safety is our culture. Safety and security are part of everybody’s responsibilities. It’s embedded in our daily thought process through our worldwide network. The safety and security of our employees and customers are our top priority every day.” Every security organization and company has to develop a culture of this personal responsibility.
I’ve built a triangle and at the bottom of it, it says, “In this pyramid, personal responsibility starts everything.” We could buy everything on this floor but if we don’t develop a culture where people care about the implementation and are willing to implement and adhere to a standard, it almost won’t matter. When you talk about building this culture, embracing it, accepting it and not forcing it upon people, how do you do that?
It’s a lifelong responsibility in the security world. What’s most important is finding your people, developing your people, supporting your people, investing in them and training them. It’s finding different people that have different expertise and a visionary thought process. For instance, in the ‘70s and ‘80s, we weren’t thinking about drones. We’re thinking about them in 2022 but we can’t stop thinking about what we were thinking about in the ‘70s and ‘80s. It grows and grows. All of the avenues for people to do harm are at us.
It’s the people that are so important, both internal employees or looking for people from external areas. People need to understand how intelligence works and what the day-to-day execution is. We need to work with our people around the globe to make sure they’re executing their day-to-day responsibilities. In one word, auditing. Go out there, learn, teach, show them and make sure they’re doing things right. Investing in people, training them and supporting them is the path to success in that arena.
[bctt tweet=”Investing in people and training them and supporting them is the path to success.” username=”talentwargroup”]
What we have to do going forward is to realize that this is not about, “This company is good and strong in these areas and this one is not. Shame on you.” It’s about, “You better know where you are now if you want to know where you’re going.” It’s about continuous improvement. As Rich said, audit. Where are you? It’s okay. Maybe you’re not in good shape. Maybe you are. Maybe you need to spend more or reallocate resources. It’s fine but do something about it.
As far as engaging the workforce, if you help them understand why it’s important to them and their employer, they’ll be much more willing to do that. The problem we have and I’m very concerned about it when we talk about the future is the distributed workforce. Not just work from home but work from anywhere. Plug in here, plug in there. “I’m at Starbucks.” It’s okay but is it a safe network?
How do you manage remotely? How do you set up a proper environment for someone who’s working out of an apartment with their kids around and their wife has also got her business and they’re trying to do theirs? How do you safeguard sensitive data? The list is 1 mile long. How do you manage? How do you recognize mental health, which is a big issue and it’s getting worse? How do you recognize when someone’s got a problem? How do you deal with that? How do you fire or onboard somebody?
The whole issue of mental health and working from anywhere is we’re not going to see what we saw before. All these buildings contained all the workforce, a lot of them are going to stay empty or going to be occupied a day here and a day there. We’re going to see some bankruptcies and buildings that are gutted that will never be occupied.
We’re going to see those repurposed because they’re not going to be used that way anymore. It’s the plug-and-play idea of, “I don’t need to have an office with nice windows, a couch and all that,” which I did have as you know. You don’t have to have that. Walk in somewhere, plug in and play, do your thing and go home or don’t go there. COVID drove it so we haven’t figured out how to manage it very well.
You said you retired. I joked that neither one of you seems to have retired, even if you’re not in the roles that you held for so long but the generation of leadership insecurity is up and coming. One of the tasks that you have both taken on valiantly in your retirement is, “How do we develop and train this next generation of leaders in the security industry?”
We talk about the nine characteristics of performance used by Special Operations Command in the assessment and recruitment of special operators, whether you’re a Green Beret, a Navy SEAL, an Army Ranger, Air Force Operator or MARSOC Raider. Drive, resiliency, adaptability, humility, integrity, curiosity, team ability, effective intelligence and emotional strength make up these nine. When you think about those who come after you, those who have to take the helm of these organizations and build this industry in this new environment that we’ve talked so much about, what are you looking for in those leaders?
The day you hire somebody is day one of hopefully the rest of their career. Our security industry is so magnetic. It draws you in. It’s like that Al Pacino movie. Many people I know stay in security for a lifetime. When you have employees in your industry, both with your company, your competitors, the people in the industry, the members of OSAC and the members of DSAC and you meet so many security professionals that contribute to what we’re trying to accomplish, you become a family.
[bctt tweet=” The day you hire somebody is day one of hopefully the rest of their career.” username=”talentwargroup”]
People do move around but quite often, they move their security departments to other companies because people shine, get reputations and move on to new opportunities. We’re all interlinked. That’s the value of our industry, the people and contacts that we have who’s good and who’s where. Believe me, wherever they go, they contribute to what you’re trying to accomplish.
All boats rise and all boats sink on different occasions in our world but we benchmark with each other and push our people to succeed. I may work for them someday. They may work for me another time. People move. It begins on day one. What we do is plain magnetic. A lot of people do aspire to hire positions. They do well. We’ve watched people for decades. Stevan started in the kitchen and all of a sudden, he was the CSO in a new industry. It’s part of the attractiveness and charm of our work.
Rich and I have been talking about this a lot. We’ve been successful and had amazing careers. We know a lot of other friends here that are in similar roles to what we are. They’ve got their business doing some consulting. We must find ways to give back to the next generation of security professionals to help them along, nurture, develop, find and promote them. We’ve got to do more to give back. One of the reasons we’re sitting right here is to try to give back. It’s an obligation that we have that we can’t ignore.
I want to ask about your work with ISOS. We’re sitting in the booth here. I’ve worked with ISOS in previous roles. We live in a complex world. Risk exists in everything that we do, especially when we talked about traveler safety and putting people in remote locations, whether they’re travelers or that’s their place of duty. For many of our organizations, crazy things happen in the world. Can you talk a minute about ISOS, the mission behind the organization and the work that you’re each doing with them?
SOS has been in existence for many years. It’s a fascinating company that makes a difference in people’s lives every moment. I brought them in my early days at Sony Pictures. We then had the Sony contract. It was all about Sony. The services they provided were invaluable. I got to work with them as a client. I saw what they did. I was at the table and as they were developing new technologies, I would pilot, see what worked and what didn’t and help them understand the industry better. I got to know a few people in the company.
When I started to announce that I was going to be starting my business in ‘18 and retiring, the CEO of the Americas for International SOS said, “Call me.” I called him and he said, “Let’s set something up with a program. We’ll call it Strategic Security Advisors. We’re not full-time employees but we’re there anytime you want us and you want to kick around an idea and understand better what’s going on in the industry. All good.” We did that.
We brought Rich in, Kelly Johnstone from Coca-Cola and another guy in the mix with us, John Rendeiro, who at one time in his career with DS, every RSO in the world reported to him. He’s an amazing guy. We have a real cadre of people that can deliver. What SOS does is not only medical. It does security, intelligence, risk advisory, travel planning, and journey management.
They’re in 27 different call centers around the world where they’re staffed by doctors, nurses, and security professionals. They can handle 90 languages. One of the reasons we’re here is there isn’t anybody else that offers what they offer that makes that big of a difference in people’s lives. They do medevacs. It’s an amazing company and what they do.
Stevan covered it very well. In my four years here, despite the pandemic, we average about 6 to 8 conference calls at least a month, listening to what our people are saying and what we’re asking. They ask us what we’re doing and whom we’re meeting. You’ve mentioned it several times, Fran, OSAC, DSAC, and ISMA benchmarking. Do you know anybody here and there?
The thing that jumps out at me with our group here is the people. I’ve said it before in this last hour. Security people have passion and these kids have a passion here. They want to do the right thing. Two of these people to my right were on the first plane to Ukraine. In 2022, they were on the ground with John Rendeiro. They’re right there. They want to help people. That’s the magnet that makes me love this group of people here. They want to do what’s right for people. They’re extremely interested in the safety, security and health of people. That’s why it’s fun to be a part of this group every day. I love it.
I’ve worked with them all across Africa, even in the DOD capacity where it’s augmented and in places where you can’t always get government assets in. Civilian organizations sometimes can go places you can’t go as a US government.
A lot of what they deal with is so complex. We had a guy out of our Hong Kong office who’s American. We’re making a movie on the Tibetan border. He drives twelve hours. They get in a head-on collision. He dies on the scene. You’ve got to bring the family to release the scene. We want to repatriate him. I called SOS, and they managed the whole thing. We got him back to his family who were of Japanese descent. It’s a long story, but I could give you a whole list of stuff like that that they deal with all the time. They make a difference. We talk about, “Why are we here, the safeguarding of people?” In Maslow’s Hierarchy of Needs, safety is a huge part of that, “I need to feel safe and secure with these guys who do.”
We talk about risk mitigation. They sit squarely in that area to help you as a Chief Security Officer and Director of Security to build programs and understand, “If I identify what my threats are and I have to build a mitigation program against it, we can take these guys and put them in there. They’re going to augment our internal capabilities all day long anywhere in the world.” It’s truly an impactful organization. You each also have your consulting businesses, Bernard Global and Rich Davis Security Consulting. What’s going on with those?
It’s that word retirement. If you have your health, you still feel passionate about what you do and you’re making a difference, why not? I spent my whole life building a book with great people in it, government, private sector and friends. When I was thinking about retiring or slowing down, I thought, “I’m not closing the book. That’s what drives me.” It’s probably twice as big as it was before. It’s what nurtures me and helps me feel like I’m making a difference in giving back.
The business is amazing because the phone rings quite often, and every time it’s something different. If you’re okay with that, that’s amazing. You are able to make a difference in people’s lives. Now more than ever with people like us, there’s a shortage of skills. We have them and we’re available, so why not? Pick the phone up and kick an idea around. We don’t always start the clock running and bill people. We want to give back. Sometimes we do, it depends. For most of the government work we volunteer, we don’t get a penny for it. We just do it.
We were having breakfast and somebody said, “Don’t do anything for free.” I’m thinking, “I do almost everything for free.” My business is simple. I have had a few clients since 2018. A lot of them are affiliated with airport industry issues. I’m primary in it to stay connected with my friends that I grew to know for many years in security. I love them to death. I love working and helping them. If anything can help us afford a couple of trips here and there, my wife and me, then we do travel quite a bit. It’s very satisfying. I’m enjoying the time.
As we close out, the Jedburghs needed to do three things every day to be successful. They had to be able to shoot, move, and communicate. If they did these three things as core foundational tasks, we call them habits, if you will, and they did them to a high level of precision, they could focus their attention and efforts on other more complex challenges that came their way. What are the three things that you each do every day to set the conditions for success in your world?
When we wake up in the morning, we go, “Yes, it’s another day,” whether we’re in our offices or homes. I had a boss at Sony. He was a very successful British guy. When I retired, I said to him, “What do you recommend?” He said, “You probably won’t even understand why I’m going to tell you this, but listen to it. Manage your calendar. When you’re not in that office anymore or whether you are, it’s about when I say I’m going to do something, I better do it.”
That’s me. I cannot miss something. When I tell you I’m going to do it, I will find a way to do it, or I’ll tell you I can’t do it right then, but I’ll do it later. Manage the calendar. I’ve got two calendars that I am religious about. The other one is to plan my day. My day changes by the moment. I change at the moment. Being resilient in that sense is important.
Enjoy the day a little bit and find a break. I can walk out on the balcony, pet the dog, and come back. I’m refreshed and ready to go again. You’ve got to have a little bit of that balance as well. The final one for me is I talk about the network. Every day, I talk to new people I haven’t talked to in a while to keep it vibrant and alive and find out what others are doing. I learn a lot. I’ll give you one more. I pay a lot of attention to world events, what’s happening, and how that affects my clients and me.
When I think about three things, I have to go with exercise and maintaining health as number one. I put a high priority on that. I walk seven days a week as much as I can. In the summer months, it’s great. I’m talking to Stevan and everybody else I work with while I’m walking. It’s two things at once. When it gets a little colder in Chicago, I’m on the treadmill.
Stevan mentioned at third, and I’ll put it second. I stay on top of world events to understand the security view and the security challenges resulting from worldwide events. Staying on top of the world news, both within the US and outside is extremely important, especially with our roles at International SOS. Number three, I’m going to go with this one. Not change too much from who I’ve been in the last years in security and at United. I want to maintain what I accomplished in those years, stay the same person that I became and continue that with the people I continue to work with
Stevan, manage your calendar, plan the day, build a network, and the fourth one is to pay attention to world events. We’ve got a bonus one for you. Rich, exercise, maintain your health, stay on the world events to understand the effects, be proactive, and three, be the same person that you were. Even though you grew to be the Chief Security Officer of United Airlines, you still started in the kitchen.
I’m proud of it. Those people work very hard and contribute to security as well.
Maybe in the next years, the next Chief Security Officer will be sitting in the kitchen.
I’d still rather see Elvis and The Rolling Stones, but I cherish that experience.
I mentioned the nine characteristics of a lead performance that we talked about. As high performers, you both demonstrate all nine of these in varying capacities, rarely and almost never all of them at the same time. Depending on the situation that you’re faced with, you demonstrate a number of them.
We mentioned in our conversation here about world-changing events that you’ve each demonstrated all of these at some point in those responses. We talked about what it’s going to take to build the next leader in this industry. At the end of these conversations, I take one and think about my conversation with my guests, the one that defines who they are and what they exhibit to me.
For this conversation for each of you, Stevan and Rich, it’s this concept of effective intelligence, which is defined as our ability to take the aggregate experiences of our past, the things that we’ve seen, whom we’ve interacted with, and the environment that we’ve operated in. Learn from it, apply it to our future decisions, our current behavior, and our view on the world, and position ourselves to make better organizations for ourselves, teams, and organizations based on that.
You have led some of the most complex organizations in the world with massive scale and impact on all of society. You have done that with the utmost success. Thank you so much. Thank you for your friendship, for your mentorship, and for taking some time with me here. I look forward to the next chapter.
It’s a great interview. Thank you, Fran.
Thank you very much, Fran. It’s very flattering. I appreciate it.