For a security industry leader, Tim Williams is a pretty modest guy. As the former head of ASIS International and now as global security director for the $42.5 billion construction equipment manufacturer Caterpillar, Williams has won his share of recognition, which he doesn't take lightly.
But Williams would much rather tell you about his team - the individuals and their accomplishments - than about himself. His speech is strikingly devoid of the first-person singular. He declines to be photographed by himself for articles about his security work, saying his team members deserve the credit.
Creating and sustaining team spirit are clearly strong suits for Williams, who joined Caterpillar in 2006 after leadership stints at Nortel, Boise Cascade and Procter & Gamble. In a home-office-centric culture that valued longevity with the business, he quickly set about assembling a team that would embody the precepts of what he calls contemporary enterprise security risk management (ESRM).
Here are the top five things he did to revitalize the team and mitigate risks across the entire enterprise:
1. Rethink everything. After taking stock for a few weeks of how the then-56-person security team operated, Williams moved swiftly to establish a global team focused on ESRM. ESRM takes a holistic view of the risks to people, networks and intellectual property. Williams felt Caterpillar had some exposure that needed to be addressed immediately. Two pressing issues: The security team had been based almost exclusively at headquarters in Peoria, Ill., and Williams felt there had been an unusual focus on physical security.
"We pushed the physical security responsibility back to property managers around central Illinois. We changed the outsourced partner and we established relationships out in the facilities with people who could manage the opportunity much more closely," says Williams. He established regional security directors globally, covering Asia, Europe and the Middle East, and the Americas. "We were able to attract some of the best talent in the market at the time. They had the language capabilities and the cultural competency," he says.
Many, like Graham Giblin, now regional security director for Europe, the Middle East and Africa, had lived in the areas they cover. For a company that had had a "Peoria first" mentality, this was a big departure. "Our internal focus transitioned to a global focus," Giblin says.
Williams wrote a three-year operating plan detailing the revamped group's strategic vision and alignment with corporate objectives, roles and responsibilities. Williams' work at P&G gave him a deep and abiding love of precise process management, which served him well as he restructured the team.
"If you don't have your processes clearly defined in a well-written strategy or operating plan, you could end up chasing what other groups believe your priorities are, versus those issues that actually pose the greatest risk or threat to the enterprise," Williams says. "We articulated our plan to other staff groups, business leaders, and our executive management and the board, obtained agreement, and then set out to urgently execute the plan."
Not everyone made the transition. "Many of our colleagues wanted us to return back to what we did before - the global role was not one they were prepared for or found interest in," says Williams. There were also those who could not perform as the bar was raised. In all, the security function shed more than half its original group. Happily, many found other roles within the company.
Moving so quickly and making major reductions caught the culture a bit by surprise. To ease the transition, Williams enlisted the aid of a few human resources specialists and an internal communicator (who is discussed in Step 4) to help people understand what was happening and why.
2. Formalise underserved functions. Soon after he arrived, Williams put in place global crisis management processes and personnel as part of his effort to re-engineer enterprise security. These processes were to be overseen by the newly minted regional security directors.
Todd Wagner was working in computer forensics for Caterpillar when he was recruited to crisis management. "We didn't have a formal group at that time," he says. "We now handle any crises that may impact Caterpillar - everything from natural disasters to terrorism to major disruptions in our supply chains." Wagner brought experience as a shift commander for the FBI's Terrorism Command Center to his new role as crisis coordinator for Caterpillar.
The crisis management team had to mobilize to support local staff in Japan during the March earthquake and tsunami. Caterpillar immediately dispatched a crisis manager to the area. "Our first priority was to make sure our people are safe," says Wagner. Caterpillar has 5,000-odd employees at three Japanese facilities, the closest of which is a little over 100 miles from the site of the disaster, outside the evacuation zone.
"Anytime we have a situation like that, we locate travelers, expatriates and local employees and make sure they're safe," says Wagner. Caterpillar has internal programs to track business travelers. "We don't stop until we get through to them and can confirm they are safe. If we couldn't do that, we would go to the local authorities. We also work with a local company that has boots on the ground that can help us track the person down. We might even send someone out to knock on the door of their hotel or house."
All Caterpillar personnel and family members were ultimately accounted for. So far the company has held off pulling its people out of the disaster zone, but Williams, Wagner and the rest of the team are monitoring the situation, including radiation levels, closely, checking in daily with the Caterpillar VP in Japan. Production has been reduced but not halted by the crisis.
Ironically, just before the natural disaster struck Japan, Wagner attended a statewide disaster preparedness exercise run by the Department of Homeland Security. "We did a tabletop exercise involving an earthquake on the New Madrid fault line [in Illinois]. We have dealt with tsunamis. The new piece was the nuclear fallout."
Now nuclear catastrophe takes its place on the spectrum of risks facing Caterpillar employees, wherever they may be.
3. Demand proven business skills. Karen Frank remembers the day, early in Williams' tenure as CSO, when he called an all-staff meeting to tell everyone they should seriously consider getting an MBA if they had not already done so. "I had never thought of it," says Frank, brand protection and investigations manager.
She decided to take advantage of Caterpillar's tuition reimbursement policy and pursue the degree. Williams' emphasis on personal growth and development "made me feel important," she says. "You can support the business much better if you understand the principles of business decision-making."
Williams himself has an MBA, which made him a huge believer in its value. "I really saw the benefit and the ability to talk in depth with business leaders and get it from a business standpoint," he says. And it drives him to distraction when people suggest sending employees to take a course that only teaches the "language of business."
"Spouting catchphrases can get you into more trouble than it is worth. It's better to take the time to really understand business principles through in-depth coursework. You need that immersion so you can put all the pieces together," he says. It's fine to refer to internal rates of return in a presentation, but you better know where that number comes from and the thresholds set by your company.
The new generation of security leaders understand business as well as they understand security. Many would prefer a business person as their deputy rather than a security person - security is easier to pick up. Says Williams, "I'm proud to be someone rooted in both worlds - I simply couldn't have succeeded as CSO of a Fortune 100 company if I weren't."
4. Create a communications czar for security. As noted, Williams made some sweeping changes when he came to Caterpillar - changes that shook up the old regime. In addition to asking for help from HR, he pulled in Ashley Hunt from the corporate public affairs office to be his communicator for security. Unusual? Yes, but invaluable, as it turned out.
Hunt helped communicate the reorganisation of the security team to both affected employees and the broader group. "She has helped all the employees understand the real risks they face," says Williams. "Ashley is a force multiplier for us."
Now her role is much more proactive. She publishes a monthly security bulletin on the intranet - basically a newsletter with a variety of awareness information on topics such as travel security, scams and fraud. She includes some general awareness articles, too. "We help people understand the real security risks at Caterpillar. We want to change that perception of security and [of] the role each employee plays in creating a safe and secure environment," says Hunt. She believes employees view security as having a higher value within the organisation now, and they have a better understanding of the role they play in enterprise risk management.
For example, the Global Security function offers several educational resources concerning travel security. It's part of Hunt's job to help the team inform employees that this material is available. "Every traveling employee has an opportunity to participate in online security awareness training, receive security alerts while they travel and have access to 24/7 travel security advice," says Hunt.
Other teachable topics include terrorism, workplace violence, crisis preparedness, and information security.
Hunt spends roughly half her time on security matters and the other half on general corporate affairs. She has not yet encountered anyone who performs her role at another company. Williams hasn't either. "[The security department] is one of the best internal clients I have ever had. You know what you're going to get when you work with them," she says. Williams is a straightforward guy, pleasant to work for, requiring little second guessing on strategy or tactics. "He values communication, which makes my work more effective for Caterpillar and more fulfilling for me personally," says Hunt.
5. Nurture dissent. File this one under easy to say, hard to do. Williams encourages his staff to bring honest disagreement to the table - respectfully, of course - whenever it comes up. "He's very open," says Frank. "He is open to the opinions of others."
"On our teams, we have direct, crucial conversations," says Williams.
"We have respect, but we get the conversations on the table. I solicit people to challenge management. That is so critical. It creates much better decisions when people can respectfully and openly challenge assumptions, thinking and decisions." Giblin, for example, may disagree on how certain processes and protocols are implemented in his region, and he feels comfortable letting Williams and the rest of the team know. Like Williams, he encourages his staff to bring up differing points of view.
It's not just disagreeing; anyone can say they don't agree. "People should point out if they think we should look at something from a different perspective. It's healthy to have differing opinions on issues - it keeps us away from the traps of groupthink - and keeps all of us focused. It happens every week."
At Caterpillar, the voice of the individual is important - maybe moreso than at most companies - though in some regions, that can be tricky. In most countries, "there still is a gap between what people think and what they feel comfortable saying," says Williams. "What they do want is the opportunity to influence decisions."
No matter where Caterpillar employees are located, they have at least one thing in common: the knowledge that the company's whole is more important than its individual members. Williams learned this the hard way when he praised one of his regional security directors for a job well done. The executive almost resigned because he felt the credit should go to his team.
It's an odd lesson for Williams to have to learn anew, given his own unshakable devotion to teamwork. He is immensely proud of the team he has assembled. As he works on his security plan for the next five years, he trusts they will be at his side, helping to carry the ball. "They excel daily. I am very proud of this team," he says. "Each person is mutually supportive and doing a great job."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.