An interview with Groupdolists Security Advisory Council member Steve Bernard
By Groupdolists, (May 13, 2020)

Stevan (Steve) Bernard’s diverse career has spanned nearly 50 years, working and living in over 50 countries. Steve has served in leading business and security roles for both government and the private sector.

In July 2018, Steve founded and launched Bernard Global, LLC. Their scope of services includes advising senior management on all facets of global protection services; an emphasis on cybersecurity; creating and conducting awareness programs; executive recruiting; and partnering with the FBI and Department of State to enhance awareness and build trust.

From 2002 to 2018 Steve led Sony Pictures’ global protection services, with responsibility for the CSO/CISO function, investigations and forensics, physical security, BCP, environment, medical, major events and protection, and employee health and safety.

In his earlier career, Steve worked in high-tech, energy, and law enforcement. His tour in the US Army included a year in Vietnam, where he was awarded the Bronze Star. He is a Certified Fraud Examiner, has a BS degree in Criminal Justice, an AA degree in Psychology, and is a graduate of the FBI National Academy.

Groupdolists is honored to have Steve as one of its expert advisors. We spoke with Steve to find out his vision for the future of business in a post-COVID-19 world.

GDL: As a security professional, can you share your perspective on the way business, and business security in particular, must refocus to survive? What factors must be considered?

During the past 30-plus years, I have watched security evolve as a profession. Today, more than ever, change is afoot, and the opportunity to raise the security bar has never been greater.

Because we live in an increasingly VUCA world—that is, volatile, uncertain, complex, and ambiguous—companies are scurrying to build countermeasures and resiliency at an unforeseen intensity. Among the threats we’re seeing are ever-more destructive cyberattacks on businesses, and now of course we have the COVID-19 pandemic, with no end in sight. Civil unrest, mental health, poverty, criminality without borders, joblessness and workplace violence will soon have our greater attention. How we manage all this may well define us.

Darwin said, “It is not the strongest of the species that survives, nor the most intelligent. It is the one that is most adaptable to change.” The same holds true for businesses.

Companies that had already established a robust security function have hopefully seen the benefit of their adaptability as they tackle today’s global Black Swan event—COVID-19. Whether security takes the lead or serves as a subject matter expert on the response team, the security function makes a vital contribution to managing each crisis.

In addition, security leadership is increasingly more strategic and less tactical. Today, they are much more likely to be invited to the table of the C-Suite and/or the Board of Directors. Security is better informed and better able to influence outcomes than perhaps ever before.

Security leaders are being given greater latitude in decision-making. Other functional leaders are getting to know their security leaders better. Roles and responsibilities across the board have been loosened and even redrawn entirely. In some instances, organizations suddenly realized that they lacked a professional business continuity leader to support the functional heads. We’re now seeing a rise in recruiting efforts for business continuity professionals.

GDL: What types of leaders will succeed in our new world?

Ideal leaders will embody a number of attributes. They must be capable of being more strategic, thus being more available. They will be delegating more to well-chosen associates and trusted third parties. A deeper business savvy will be essential. Finding the right mentor will yield great advantage.

Individuals considered for security leadership roles will be required to demonstrate their skills and experiences from a global perspective. Their network of associates (private and public sector), and the collective willingness to share information, will enable their employers to make the best possible business decisions. Wider information sharing could raise some anti-trust and confidentiality concerns; however, it’s hard to argue against it when the objective is simply to do the right thing by others.

Security leaders who are active in public-private partnership associations like the Overseas Security Advisory Council (OSAC), the Domestic Security Alliance Council (DSAC), the International Security Management Association (ISMA), ASIS and Infragard will be more sought after.

All true leaders demonstrate a strong work ethic, and they see things through a continually focused lens. Leaders today will hire the right people. They ensure roles are well-defined and conveyed. They’ll be secure enough to let their teams manage without the more traditional constraints. They’ll create and promote more cross-functional approaches that further develop staff and provide greater depth of experience. They will embrace and succeed in managing virtually. Strong leaders know their strengths and those of their teams.

Steve Jobs said it best: “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”

GDL: Looking at the near-term future of business, post-COVID-19, what will employees expect? What will a job applicant expect?

In everything we do we must build “Think Global; Act Local” into our vocabulary. While globalization is inevitable, we must understand and respect the nuances of life on a local basis.

As we move forward, a key word for both employees and applicants is Assurance. They must be confident that their employer or potential employer is prepared, thoughtful, and caring. Assurance will likewise be important to clients and customers.

The future of business is now. Work from home (WFH), for example, is not going away. It has an appeal and a benefit that will be lasting. I would estimate, wherever possible, this will be the new norm.

However, there will be new conditions around how an employee will qualify for a WFH program. Safety, security, protection of IP, the actual workspace, and asset protection will drive some of those decisions.

Well over 50 percent of jobs will involve WFH either full or part-time. The obvious exceptions will be for supply chain, manufacturing, and the service industry (although we will see continued job loss through automation). Hoteling space in office buildings will be provided for times when a physical presence is needed. And, by setting rotating schedules, we will see a significant reduction in the need for office space. Long and costly commutes will diminish. Parking availability will be less needed. Thus, the focus on physical security needs will change.

If an employee does not have to physically be in the office for a meeting with someone else, then why would we ask them to be there?

That said, office buildings will also have much more stringent requirements around access control, screening, hygiene, health, and wellness. In multitenant properties the infection of a person working in company ABC may result in a temporary closure of the entire building.

Thermal imaging to check employees’ temperatures at the workplace will become standard. Visitors may not be allowed onto the property. The allocation of sick time will increase with strong encouragement that ill employees or others simply stay away. Going a step further, there may even be new industry standards for giving a company or a workspace a score, with heavy emphasis on hygiene.

GDL: How might business travel change?

Travel for business will resume before leisure travel. Resumption will be staggered. There will no doubt be much tighter controls. Pre-planning will include safety, security, and health. How critical the trip is should be well-documented and pre-approved. Travelers must not waver or alter plans without prior approval. Non-compliance will be unacceptable.

Knowing and adhering to the “rules of the road” must include a deep understanding of entry/exit requirements in other countries (visa, medical, transportation, lodging, etc). Travelers may be required to carry and produce a “health status document.”

Airlines are already exploring new pre-screening techniques beyond thermal imaging. How you manage an employee’s illness while they are on an overseas business trip will require a different way of managing outcomes. Travel restrictions will be inconsistent and fluid. Medical and travel security companies such as International SOS will continue to assist with essential planning, routing, briefings, intelligence, and even response. This level of expertise and experience doesn’t typically exist in companies today.

We may begin to see a reversal in the desire to urbanize. Even crowded suburbs will likely wane in popularity. Mass transit may require a shift in scheduling of work hours to lighten loads.

GDL: How will the role of the Chief Security Officer be changing?

I think you’ll see a greatly expanded role for the CSO in the next one to three years. Organizations are already thinking about risk in a whole new way, which is creating more responsibilities for the CSO. They are creating C-suite level jobs with the words, “risk” and “resilience” in the titles. Risk management and resilience will include these functions and more, rolling up physical security, safety, information security, Business Continuity Planning, Crisis Management, Information Security, and perhaps Data Recovery and insurance.

We’ll see the CSO reporting structure shift soon. For example, it makes little sense to have such a critical function report into the facilities department. Today’s security leaders will be integral to decision-making at the highest levels.

GDL: How critical is Business Continuity Planning (BCP) going forward?

BCP cannot be optional. Companies that establish this function will be better prepared because they will have the ability to continue to run the business while concurrently managing whatever the crisis may be.

The BCP team must be formed and trained. The BCP plans must synch with crisis planning. Periodic testing of both the plans and the team’s response must be carried out through regular exercises.

New technologies can greatly enhance the speed and efficacy of a business continuity plan and crisis management/response, such as the Groupdolists mobile app. It digitally automates, guides, and records every detail of your response.

The ongoing analysis of business risk is best determined by conducting a business impact analysis (BIA). The BIA process creates a way to identify where your greatest assets are, how they are secured, who has access and why, what redundancies are in place, and how you will sequence the importance of data recovery.

The International SOS’ Enterprise Health Security Center (EHSC) provides a platform for literally any type of a crisis you may face, including pandemic planning.

GDL: You’ve spoken before about how organizations often show a dangerous gap between the CSO and CISO functions. How can businesses bridge these gaps?

I see a strong need for cyber security and physical security to, at least, be stronger partners. In many organizations today, distance creates risk. But vulnerabilities can be mitigated. The two functions need to learn to speak the same language. Roles and responsibilities must be clearly redefined.

Bridging the gaps between CSO and CISO will happen. I am an advocate of moving the infosec function away from the CIO. The CISO is now in more of an advisory, audit, and oversight role of IT. Auditors in general often lack the skills needed to assure IT is delivering.

Further, I see real benefit in the CSO and CISO reporting into the same boss — a senior manager with CEO access. And, I would strongly encourage CSOs to obtain the CISSP (certified information systems security professional) to better understand the infosec world.

WFH will require both functions to re-examine their roles and to create new policy, especially from an asset protection standpoint. Data Loss Prevention (DLP) tools will be essential to ensure data remains protected wherever and however it is accessed. The digital transformation (5G, AI, IoT) will accelerate everything.

Unfortunately, that digital transformation also benefits cyber criminals who are now exploiting the digital vulnerabilities related to COVID-19 in a variety of ways. These new cyberattacks impact not only our data. Cyber risks can also seriously affect people’s health, as is happening lately with the spate of false, even dangerous COVID-19 information being offered as a lure in phishing and ransomware attacks.

Mobility, biometrics, and the cloud are already becoming the new targets of choice for cyber criminals. Any company with digital vulnerabilities is susceptible to a breach. Criminals are becoming more emboldened. Our ability to deter or counter these attacks is diminished by an overall lack of resources.

Clearly, businesses today face some very tough decisions. For example, they need to decide how and when to enlist government and third-party contractors for support. They may need to rewrite various procedures so that legal privilege restrictions aren’t in conflict with their ability to move quickly in a crisis. All businesses have to figure out how they might manage their operations in the absence of connectivity. The time to plan and make these kinds of decisions is now.