Google’s Brian Katz advocates diverse staff, bottom-to-top security buy-in

TechSec keynote speaker says every employee can be turned into ‘a member of the security team not with fear but with a feeling of community’
Wednesday, February 4, 2015

DELRAY BEACH, Fla.— Security professionals are working today in an exciting time, a time of a “new paradigm” where security is evolving faster than ever as an integral part of the company culture and not merely a separate program, according to a top manager for Google.

That new paradigm means building teams with diverse, complementary backgrounds to make security the best it can be.

It also includes deciding if security wants to be “feared, revered or irrelevant” and taking steps to address that desired goal, keynote speaker Brian Katz, Google’s global investigations and intelligence manager, said at the TechSec Solutions conference, held here Feb. 3-4.

The resumes of Katz’s current staff of more than 50 are wide ranging. He oversees a former nanny for a rock star, for instance, and a prosecutor.

“What makes them truly unique is these other things they’ve done. The skills they developed in these non-security jobs, and the other ways they continue to broaden their horizons, make them the people I want on my team,” Katz said.

That stems from Katz’s government background, as does his overall philosophy about security.

He joined Google in 2011 after working for a government contractor that helped set up the federal air marshal program after 9/11. He then moved on to the U.S. Department of State’s Diplomatic Security Service’s field office in New York, to the U.S. Consulate in Jerusalem and to the Office of Counterintelligence at the service’s HQ in Rosslyn, Va. At Diplomatic Security, he worked with ex-police officers, lawyers, former special forces operators, a biomedical engineer and a variety of other professionals, all of whom had the same goal: top-notch security.

“The [counterintelligence] cases pushed me to think out of the box about threat and mitigation. A colleague of mine once told me that when I heard hooves I thought zebras, when most people thought horses. This was meant to say that I often focused on the outlier scenario rather than the most obvious explanation,” Katz said.

Now, instead of counterintelligence interviews and protecting dignitaries such as former Secretaries of State Colin Powell and Condoleezza Rice and foreign and U.S. ambassadors abroad, he deals with, for example, the less glamorous but vital issue of access control at Google’s complex in Mountain View, Calif.

Access control is one of the single largest challenges in any security environment, said Katz, who is one of this year’s Security Systems News “20 under 40” end user award winners.

“Making sure only those authorized are in your spaces and making sure that if someone does get through the cracks it is noticed and dealt with quickly should be easy, right? Most companies do this with turnstiles, restricting the number of entrances to a building and overwhelming sensitive areas with security guards to attempt to prevent unauthorized access,” he said.

While those measures may solve the so-called “tailgating” problem, they also “can breed a culture of distrust. It certainly doesn’t promote the open campus and freedom of movement, which helps to define Google,” Katz said. “What’s back there, anyway, and why does my teammate have access if I don’t? Why did my coworker just close a door firmly in my face?”

That’s where the security culture comes into play; it can be “feared, revered or irrelevant.”

“Many security organizations believe that fear should be the single motivator to encourage cooperation or compliance by employees,” Katz said. “If there is fear for breaking the rule, or consequences for action which can lead to dismissal, employees will largely fall in line, right?

“In a race to become the ‘feared’ group many security organizations end up in the irrelevant category. You’ll know what that feels like when you find yourself justifying even minor decisions to non-decision makers within your organization. You’ll see this with travel advisories ignored, [with] disrespect for your guard force and a general feeling that if you can’t get a ‘rule’ imposed, your role is simply process,” he said.

Building relationships across the organization, from the C-suite on down, creates trust and also builds awareness of how operational security benefits the entire company, he said.

“It makes you approachable. It makes you relevant. It makes you a part of the team rather than an enforcer sent out to find fault and fire. Our credibility within our organizations is the most powerful tool we have. Are we seen as a group who uses any crisis or vulnerability to ask for resources we don’t need, or are we seen as a group who asks for what they need with the organization’s interests in mind?” he said.

“What if instead we turned every employee into a member of the security team not with fear but with a feeling of community?”

At Google, wearing an employee badge is not part of company policy but part of community norms, he said. Even the company’s founders wear their badges every day. Employees at every level feel empowered to challenge someone behind them at an entryway who may not have a badge.

Katz showed an amusing and informative in-house video of an employee dressed in an alligator costume. The “tailgator,” with no badge showing, tries to get through a number of Google entry points on the heels of the person ahead of him. Many of those in front stopped the tailgator, asking to see its badge; some did not.

At a companywide meeting later, the tailgator was revealed. It was Google CFO Patrick Pichette.

The reveal not only underscored the company’s top-down commitment to security, it prompted employees from all ranks to offer useful suggestions on how to enforce rightful entry, Katz said.

And that’s all part of modern-day security culture, Katz said.

At Google, “what we’ve tried to do is build a team of security professionals who define themselves by more than just security—[we’re] a group of people who can be empathetic, just and able to focus on the real reason they were hired and not their job titles or job descriptions. This diversity of thought and experience leads us away from the old security enforcer stereotype,” he said, “and makes my team flexible, creative, approachable and trusted.”

And that’s the way not to become irrelevant, but integral, he said.