Taking Command of Corporate Security: Q&A With Altria’s David Trice
At MAPI’s Corporate Security Forum (February 4 in Dallas), David Trice will review guidelines for building a solid and reliable technical physical security program. At Altria, where he started as corporate security manager in 2008, he is responsible for the company’s custom-built enterprise command center, project management, technology strategies, and mass enterprise notifications.
In this Q&A, David provides a detailed look at Altria’s security operation, including its successful command center, three-year technology strategy, and specific vendors and services. He also discusses a favorite leadership lesson and his continued education for keeping up with security needs in manufacturing.
What aspect of physical security do you think companies tend to overlook?
The security professionals that I know tend to focus on their strengths and ignore issues that are outside their comfort zone. While I believe in increasing strengths, we must be prepared for a threat outside of our comfort zone. Cybersecurity is a growing threat that will require at least basic knowledge by security professionals. I believe that physical security will be part of the information security department in the future and the leader of this department will be the one who has a strong working knowledge of all components.
What has changed the most in your department since you joined Altria in 2008?
The security department is smaller by 50%; I expect another 50% reduction in the next five years.
What lessons from your career in law enforcement are applicable in your current role?
I entered private security with the intent to establish an emergency management program at Altria; however, I was quickly transitioned into a position that required technical skills and involved a large project to build a redundant command center. I believed that I had all the skills necessary to enter the corporate world and I was very wrong. I did not have the technical skills necessary to manage security systems and did not understand how to translate security requirements into business needs.
I relied on the skills that I learned in law enforcement for success while I was building the technical and business skills required for my position. As a street cop, I learned how to communicate effectively with people from all walks of life and make constant assessments of the truthfulness of their statements and actions. I trusted my instincts when I dealt with vendors; as I look back on the events of my first few years in the job, my instincts as to the integrity of individual vendors was correct on most occasions. As an example, I elected to discontinue using a vendor that had been servicing the company for several years after reviewing invoices and having several discussions with them. As I spoke to them, I began to think about the similarities between interviewing them and the many criminal interviews that I conducted.
One of my favorite leadership books, Good to Great, illustrates the need to choose the right people for your team; one chapter is titled “First Who . . . Then What.” As a SWAT leader, I learned that I do not need to be the best at everything and just have to choose the right people for the team and trust them. As I was building my first command center after two months on the job, I chose the right people based only on learnings from law enforcement and I trusted them. This formula has been successful for me for the last eight years, with vendor integrity being the primary criteria for becoming a member of our team.
How has Altria’s enterprise command center transformed the way your team operates?
The command center has become the hub for systems management, emergency communications, and management. Our team is getting smaller through corporate restructuring and the enterprise command center has allowed us to increase our value to the company in this difficult environment as we transition from a U.S.-centered business to a global company. Strategic use of technology allows the command center personnel to make decisions based on actionable information.
What is an area of corporate security that you think demands more innovation?
System integration is an area in need of innovation, both with new and legacy products. This includes access control, video, fire, and mass communication. As an example, a command center receives a fire alarm accompanied by access control information on doors in the area and video. If this alarm meets certain pre-established conditions, fire resources are dispatched to the area, building evacuation is initiated, and employees outside the building are warned by phone, text, and email to avoid the area. Companies advertise integration, but very few products will actually integrate with most legacy and new products. We are still in a very strong proprietary environment.
What’s your strategy for managing technology?
We have a three-year plan that is updated annually for video, access control, fire, emergency management, and mass communication. The overall goal is to leverage the latest technology and increase the knowledge of staff to better protect people, products, and places. I believe in continual training because the latest technology is of no use without the ability to present the solution in technical terms to our information technology department and in business terms to the rest of the company.
As an example, I am preparing for a CISSP examination. This is an advanced cybersecurity certification that is far out of my comfort zone because I have no IT background. The knowledge that I have gained from this process has given me the tools to understand technical concepts and communicate with IT. We are in the process of completing a very complicated project that involves a completely automated access control system. I did not have the knowledge or expertise to manage this project two years ago.
There is a financial element to managing technology and planning for expenditures years in advance. I was lucky enough to complete the ASIS program for security executives at the Wharton School, where I learned to communicate security needs in business terms. As an example, we are in a multi-year process to network all fire systems throughout the enterprise for mass notification. This will allow emergency messages to be sent out over speakers and enterprise television from a centralized location to better protect people, products, and places during life-threatening emergencies such as an active shooter, weather emergency, etc.
What do you look for when hiring new team members?
In my role, I do not make hiring decisions, but I have the opportunity make comments. In my view, the ideal candidate would have a strong desire to learn new things and a willingness to work outside of their comfort zone. The traits that are most important to me are humility and integrity. Law enforcement experience is desired, but I am cautious about individuals who view a security position as a retirement job.
What external groups and organizations do you regularly work with? What value do they provide?
- External situational awareness (NC4): We place virtual perimeters around our facilities and NC4 notifies us of an external emergency (fires, police emergencies, traffic issues, etc.). This allows us to warn employees and manage issues related to incidents occurring near our facilities.
- International travel (iJet, Global Rescue): Employees traveling internationally receive a trip brief containing information specific to the country or region they are visiting (crime, medical, transportation, etc.). Employees are also given a hotline number they can call from anywhere in the world to reach someone to help with lost passports, medical issues, etc. Global Rescue is utilized for personnel evacuation and medical needs. iJet and Global Rescue are integrated through a script that is provided to the call center.
- Consultant (Good Harbor): A relationship with a solid physical/technical security consultant adds value in terms of gaining a thorough understanding of how security is handled in other places in terms of new concepts, billing, etc. As an example, we are interested in facial recognition and have visited two companies that have successfully deployed this concept. We would have never located companies that have integrated facial recognition into Pro-Watch (our access control system) without the help of a consultant.
- Access control and video (Star Asset Security, Security-Net, Communication Systems of Virginia, Honeywell): We have standardized on multiple Honeywell products and our vendors assist us with installation, service, and programming; we use Pro-Watch (access control); MAXPRO (video system); Notifier (fire system, mass notification); and Honeywell (server-level programming and managing integrations with production, time and attendance, and HR personnel data).
- Honeywell Integrated Security End Users Steering Committee: There are many access control and video systems to choose from and this committee is why we are still using Honeywell products. We have an annual conference planned and managed by end users who are allowed to make comments on the products; I have seen changes made every year based on our comments. This company listens and Altria is safer because of the committee. I have learned more about physical security from my colleagues on the committee than through any other avenue. I always have someone to call if I have a question or concern.
- Mass notification (Send Word Now): Send Word Now is software as a service that is used for daily notifications for security and maintenance. It’s also a notification tool to alert the entire enterprise in the event of a life-threatening emergency.
More About Corporate Security in Manufacturing
To learn from David and other manufacturing security professionals, register for MAPI’s Corporate Security Forum and join us in Dallas on February 4. Other speakers include Jeff Anderson from Lockheed Martin, Monica Mellas from Materion, and Evan Young from Parker Hannifin. Better yet, come a day early and attend our Crisis Management Forum, too.