1. Identify the scope
As the third-largest city in Canada, Calgary has a metropolitan population of roughly 1.2 million, and like any city of that size, it provides a range of services. Including seasonal workers, the city has an employment base of 22,000 people working at roughly 700–1,000 different locations. That scope, says Owen Key, chief security officer and manager of corporate security for the city, requires considerable effort to protect.
“Unlike a lot of our contemporaries in the private sector, such as oil companies, we have a number of different types of operations we have to look after, from the protection of critical physical infrastructure such as wastewater-treatment plants, transit facilities, and hockey rinks, to the protection of critical information technology,” Key says. “It’s a varied area to secure, and the challenges are compounded by the large asset base, a $60 billion capital base, and $3 billion in tax revenues per year.”
2. Develop a strategic plan
When Key joined the City of Calgary in 2004, he saw a disjointed security effort, with 32 business units and 500 business lines all looking after their own security. “It was ad hoc, with different levels of professionalism,” Key says. “It was a unique chance to build something from scratch.” He sought to bring the disparate systems together under one structure in order to create a world-class enterprise security system.
3. Divide and conquer
After starting his job with the city, Key immediately put in place an effort to split security into six separate sections: Investigations, which consists primarily of former police officers, handles all the internal investigations in the city. Physical Security provides the security for new builds and retrofits as well as executive protection for councillors and other senior administration. Security Operations employs about 150 security guards for regular mobile patrols, special events, and incident response, and it has a world-class monitoring centre. Security Advisory handles security clearances, corporate intelligence, business continuity, and emergency-response planning. Information Security protects the city’s digital platforms from viruses, hackers, and the like. And, lastly, Technical Operations maintains and administers the systems used by the six security groups.
4. Sell security
“Security is a difficult thing to do and an even harder thing to sell,” says Key, comparing it to the sitcom Seinfeld, in that they’re both “about nothing.” “If nothing is happening, the corporation wants to know why they need us; if something has happened, the corporation wants to know why we didn’t do anything about it.”
One solution, Key says, is to look at security—traditionally considered a cost centre, not a revenue generator—as a means of reducing costs from a business perspective. “If that means using analytics on a camera to tell you how many people use a building so that you don’t have to build a new one, then so be it,” he says. “We can have dual roles.”
5. Stay on top of the changing environment
According to Key, the needs of information security in particular are always changing. “Now we have advance persistent threats from nations such as China, and traditional signature-based virus checks won’t work on some of these new tactics,” he says.
On the physical and operational security side, “security is driven by the gaming industry and the military,” Key says, adding that the City of Calgary is following suit by implementing a physical security-information-management system that is akin to playing Halo. “All of the systems exist in real time in a 3-D environment, providing full situational awareness.”
The security industry has traditionally been a closed shop, according to Key, but it’s becoming a lot more open. “It’s important to be open when speaking about the roles we play and how we face challenges,” he says. “I haven’t done this all on my own; I have some phenomenal people working for me and have also received advice from other professionals.”