What path led you to a career in physical security?
As a teenager, I was interested in federal law enforcement and wanted to be a criminal psychologist. However, I realized that path would require years of study and a massive financial commitment from my parents as I wracked up a mountain of student debt! Instead, I found myself in an undergraduate program with a heavy focus on history, political science, and critical thinking – all of which created an academic track for students seeking to join the US Government Intelligence community.
And then came 9/11…
When the attacks occurred in the US, I was in my third year of university. This significantly accelerated my professional journey. I spent five years as a government intelligence analyst working on counterterrorism issues. Upon moving to the United Kingdom, I obtained my first role in the private sector. This opened my eyes to the need for proactive security management in business; before, I wouldn't have thought that a company that makes soft drinks or cosmetics needed to worry about terrorism or political unrest. Yet, businesses must manage and mitigate various threats and risks on behalf of their clients, employees, and investors. Good security management is good business.
…This is also true in your current role at SAP.
When joining SAP in 2021, I was presented a fantastic opportunity to develop new capabilities and utilize the insights I’ve gained over almost 20 years in my profession. As the Global Head for Physical Security Intelligence, my job is to develop threat intelligence sources and capabilities that help SAP identify, prevent, detect, respond, and recover from physical security risks with the potential to impact business and operations. These risks might arise in the context of terrorism or criminal threats, but also from issues like climate-linked severe weather. My job is not only to understand various threat trends globally, but to deliver this insight in a way that enhances decision-making and reduces risk to SAP.
You have quite a varied background. What is an unforgettable experience you have had?
I am incredibly fortunate to have had the opportunity to travel and see the world. When visiting Sri Lanka years ago, a colleague and I travelled from the capital of Colombo to the spiritual center of Kandy, driving alongside rural villages and the rainforest. This first-hand experience of a country that I had been responsible for understanding from afar was invaluable. And that rich cultural context made me a better analyst. During the journey, we also stopped at an elephant orphanage. To this day, I tell my husband that if we leave our current professions, I want to open an animal shelter. Looking to my career, my international experience (travel, but also interactions with global colleagues) has shaped and expanded my thinking about the world, including the way I consider threats.
What does a typical day in the job look like if “typical” even exist?
I operate remotely most of the time, which helps me work better alongside my global team and stakeholders across multiple time zones. I start my day with Asia and end it with the Americas. The security issues that my team monitors are just as diverse. On any given day, I can be pivoting between monitoring political violence related to an election in one SAP market, and then turning to support assessments of the impacts of war in another.
Within the security profession, teams must be representative of the companies, employees, and the clients they serve.
Running a global team, you then understand firsthand the importance of diversity and inclusion…
Within the security profession, teams must be representative of the companies, employees, and the clients they serve. If I'm in a team that is not diverse and not representative, it narrows my field of vision as I consider what these stakeholders care about and the challenges they face. Plenty of evidence points to the impact of diversity on real-world security and safety.
One infamous example is the use of crash-test dummies to test US vehicle safety standards, which were built to the proportions of an average adult male. As a result of this decision, it is now clear that women, over men, are at risk of more severe injury and/or death in similar accidents. Safety standards simply weren’t being designed with women in mind. If you translate this into the way that we think about threats to employees, whether in the office or traveling, diversity means that we think outside of boxes that might make us less secure.
As a woman working in physical security, has this been challenging at times?
Having worked in the government, and alongside the military, I'm used to working in teams that don’t look much like me. I wouldn't necessarily say that I faced obstacles, but I certainly am very aware of the role gender plays in the opportunities and challenges I've met. Sometimes, it’s the culmination of these anecdotal experiences at different periods in my career that have made me realize my gender has played a role in my career.
Is there a particular example you can think of?
In many companies, hiring managers may be required by policy to seek a diverse shortlist of candidates. However, if there isn’t an increase in the hiring of women or other diverse groups, this can actually be demotivating – particularly for those individuals applying for roles. There can be good intention in such mandates, but if they do not succeed in elevating diverse candidates, organizations can feel less inclusive.
Your advice for other women thinking about their career development, whether in physical security or other fields?
You're good enough. There are plenty of studies out there that say women sometimes hold themselves back from opportunities because they don't quite have all of the skills required. We must put aside some of those insecurities and take that leap of faith. You might start by asking for support and advice on your career development.
In a few sentences, could you summarize the differences between physical security and cybersecurity?
These are two complementary and critical fields. Cybersecurity’s primary focus is to prevent attackers from exploiting a company’s information technology systems, whether to carry out destructive and disruptive assaults, or to steal information and data. Physical security focuses on securing physical assets such as employees, facilities, and other resources. Both focus on protecting our business operations (i.e., all of the things that we do to serve our customers).
How do the two fields overlap? And why is it important for collaboration?
Attackers can apply tactics that exploit both physical and cyber security controls. This danger is not static or siloed. Threat actors have a range of capabilities to achieve their objectives such as extorting a victim or stealing information or assets. If they fail the first time, they don’t just give up; they shift their focus to someone more vulnerable, or they change tactics to increase the likelihood of success against their original target.
If we look at security in silos, we miss the point that attackers are dynamic, and we need to adapt as they do. In partnering with my colleagues in cyber, I can consider how harm may manifest in both worlds and to support the teams who work to prevent an attacker from succeeding. Without this collaboration, we risk pushing the problem elsewhere rather than resolving it.
If we look at security in silos, we miss the point that attackers are dynamic, and we need to adapt as they do.
What does the future of physical security look like?
(laughs) I often joke that my crystal ball is broken, but the future of physical security and security, more broadly, is about shifting to being proactive versus reactive. Security professionals must work to be trusted advisors within their organization. This happens alongside good business practice and not to its detriment. Perhaps finally, reflecting on the pandemic and the move to flexible working, I see this as a field that will need to continue to adapt to new challenges.
What would be your top tips to keep personal information safe?
Be mindful whenever sharing personal information. We are socialized into routine behavior that makes us more vulnerable to social engineering, identity theft, or other threats. In our personal and professional lives, the ongoing shift to digital channels creates new opportunities attackers will exploit. And we may share information inappropriately or without thinking about the security implications because we seek to be helpful or make our lives easier. For example, you save your credit card details on that e-commerce website because it’s convenient, even though it’s known that attackers actively target these sites to steal financial data. A desire for convenience can co-exist alongside a security mindset.
