The Employee Safety Podcast

Insights From Visa’s Senior Director of Global Intelligence

Duration:: 25m
Broadcast on:: 31 Jul 2024
Audio Format:: mp3

In a time of “permacrisis,” the complexity of navigating modern threats, from climate change to misinformation campaigns, highlights the necessity of building strong partnerships cross-functionally.

In this episode, Mary Hackman, Senior Director of Global Intelligence at Visa, shares best practices in global security and intelligence from her two decades of experience in both the public and private sectors.

Listen in to learn:

How to maintain a high level of engagement with executives while setting sustainable expectations
How to use “listening tours” to better understand company needs
How to offer real-time support to employees during a crisis

The Employee Safety Podcast is hosted by Peter Steinfeld, SVP of Safety Solutions at AlertMedia.

Get every episode delivered straight to your inbox by subscribing at https://www.alertmedia.com/podcast/.

[MUSIC] >> Hello, and welcome to the Employee Safety Podcast from Alert Media, where you'll hear advice from experienced safety leaders on how to protect your people and business. I'm Peter Steinfeld. Today, I'm speaking with Mary Hackman, Senior Director of Global Intelligence at Visa. Mary has over 20 years of experience in designing, leading, and managing both public and private sector intelligence and security programs. In this episode, she shares advice on how organizations can improve their security and intelligence functions. Let's listen in. [MUSIC] >> Hey, Mary. Thanks so much for being here. >> Thanks for having me. I'm happy to be here. >> Excellent. Well, let's jump into it. For starters, can you tell me just a little bit about your role in the team at Visa? >> Sure. I'm part of the overall global security team at Visa. So I have multiple roles, one of which is to run the 24/7 Global Security Operations Center, where we're responding in real time to any incidents related to our people and our facilities. I also run the Global Intelligence Team, which puts out a variety of daily tactical products as well as longer form. Strategic ones for our global security team and other relevant audiences at Visa. This also includes a protective intelligence role where we're supporting the executive protection team and the events management team with Visa's many sponsored high profile events and trips. And I also run the workforce protection team, which works with other elements at Visa on investigations related to any concerning behavior. So I also wanted to note, though, that I've been in this field for over 20 years, and so a lot of what I'm sharing today will relate to best practices or lessons learned from all my years doing this with other security professionals in the field and not just what I'm doing here at Visa. >> So with that in mind, with that background that you have, any time you join a new role at Visa or anywhere, what typically is your priority for the security and intelligence function when you join the organization? What do you want to start on first? >> I think one of the first things is to make sure that we understand what that mission is, what's our overall mission. I think for most of us in this field, we understand that our mission is to keep people safe. It's to keep people safe in their facilities and in the spaces that they work in. It's to keep them safe from geopolitical incidents or natural disasters, and it's to keep them safe from harm to others. So really just understanding what the overall mission is, but also making sure that we understand, okay, what is the culture of disorganization from the various different domains that I work in, whether it's protective intelligence. What's the tolerance of that organization for vulnerability assessments for executives? Some groups have a tolerance for that and some don't. We try to look at what gaps there might be. So we really do, when I first started at Visa, I really wanted to do a listening tour with especially our regional security team to understand what's important to them. For example, protests in Latin America happen every day. They don't really affect our staff very much, but a protest in another part of the world may have a really brutal crackdown that could affect employees on the way to work. So really trying to understand what that baseline is for the regional security team, what's normal to them, what's not, and what gaps can we fill for them? How can we be of most value to them? How often do they want to see reporting? We don't want it to be too much. That's really great. And did you find over time, not just at Visa, but anywhere you've been, that taking that approach has made people more amenable to your suggestions down the road? Absolutely. I mean, the point is we don't want to give them something that they don't care about, obviously. So it's been really important. And the other thing is, especially with our Intel team and some of the more strategic reporting we're doing, we'll get the security directors on the phone before we even finalize the draft. There's a whole side of tactical reporting that I could talk about too, that I've really got the GSOC team. They are just so sophisticated, and I'm happy to talk about how we've gotten them to that point. But from the strategic piece, and in terms of the buy-in and the credibility, the fact that we're getting our stakeholders on the phone, whether it's the security team or the events team or the EP team, we'll get them on the phone and say, this is what we think you should probably hear about, with regards to the Kenya elections. You've been talking to the team in Kenya. Do you, are they worried about the same things that we are sitting in Ashburn, Virginia? And we'll really get them to answer that as close to a local perspective as possible, so that what we're providing, we know that it's going to be received more credibly from the various audiences we're supporting. Well, you definitely have a global organization now, which presents a whole set of challenges that other organizations might not have. But what are some of the key challenges that your team has faced when it comes to monitoring and addressing organizational threats? I think one of the biggest things is the permacrisives. I think you've probably heard that term before. But for the last four or five years, since the pandemic began, even a little bit before that we've just faced one crisis after another, after another, and it really can burn out the team. We are a lean team and we're responding very intensely and thoroughly to every event we cover. So I would say we're a little bit victims of our success in that and that we jumped in so thoroughly with COVID, with Ukraine, with Israel, and we've set this expectation from the company that they don't make a decision until they've consulted with our team. And that's what we want. We obviously want to have a seat at that table. That's been great, but it's hard to maintain in the long term. So I've learned more about trying to be smarter in terms of the expectations we set for how much coverage we're going to provide, how often, how long we'll be able to maintain it. I think we've also had to overcome some challenges in terms of the multifaceted nature of threats. And so we've really had to learn how to build relationships with other teams in the company covering threats from different angles. So whether you're talking about a war or climate change or a misinformation campaign, there's also growing risks that the industry has been reporting on related to insider threats stemming from the isolation that people went through during the pandemic. So there's all these things that organizationally we're facing that other teams of visa are also looking at. Enterprise risk is looking at them, cyber threats, fraud, employee relations. They're all having to deal with these in different ways. And so building partnerships with them in covering these kinds of threats, that's been really, really useful. So we can ensure that we're set up to handle these risks. So we know their concerns they know ours and we're covering them as holistically as possible. And they've tripled your budget and staff to deal with all this, right? Yeah, I mean, I think everybody in this industry wishes they had more resources. They'd be able to do more if they had more. Yes. Do you think that we're actually experiencing more threats out there? Or is it just there's more of a flashlight on it now? And there's more of a attention to duty of care. And people just care more about it than it was in the past. Or is it a combination of the two? I think it's a combination. I've been in this field a really, really long time. And it wasn't until COVID, then Ukraine, then all the social justice protests in January 6th, then Israel and a few other things where the expectation was that every detail of those events was going to be covered, you know, it's not like there hadn't been any other crises before, but I think they were just so impactful to organizations and to their response in terms of how to protect their employees, that it really has shined this spotlight on our team. And I've talked with a lot of other organizations about this and they've all said that it really, especially COVID, put their intel teams on the map. When, you know, we all became epidemiologists all of a sudden because we're good at research and we're good at figuring out how to communicate information very effectively. And there weren't a lot of other people in the organization that were, this is an entirely new threat. So there weren't a lot of other people who could do it and it shined a spotlight on us, which fantastic, we started being invited to everything. But then we are now expected to do that all of the time and there was a lot going on. And I would say back to Judy of Care, I was talking about this with some colleagues a couple of weeks ago, that I think there is a higher expectation in the industry now on many, many organizations that those companies are going to take care of their employees through a variety of different types of security crisis. So it's a challenge to make sure that we're doing this globally consistently, that we determine as a group, we work with legal, we work with our security team, we come up with a very clear definition of what our duty of care is, we understand how that gets applied and make sure that it can be applied the same way across the world. And we make sure that we have the tools so that we actually can do what we say we're going to do if we're going to make sure that we account for every employee during a certain types of crises. And we also have to make sure that's communicated up the ladder to the executives, because if they don't have buy-in, that this is what our duty of care is and this is what our process is, then it doesn't matter. Whatever your plan is, we'll be seated to what the executive wants to do in that situation and you don't want to reinvent the wheel every time. Yeah, but those very clear, distinct definitions really help prevent burnout too, because people just know, "Hey, this is what we promise to do and we will do it." And it's when you have what you just mentioned, those scenarios where it's just different every time. You don't know what the expectations are. That's what stresses people out. Well, can you share any stories about how you and your team impacted employee safety? Sure. And I do want to say something I wanted to mention earlier, which I just think is so important when we're talking about covering any type of incident, whether it's a facilities incident or a war, whatever it is, one of the things that I just, I have found to be such a best practice and it's worked really well in this position is to have a very holistic team. So we have three different domains for the GSOC, which is very tactical and the Intel team and the workforce protection team, but all three of those teams work together in any crisis. So we all know what the other teams are watching. And so the GSOC will know that the Intel team is watching a particular situation and then they'll have the same indicators we're looking at and then we can communicate back and forth. So that's been a great model. And I would say the example that probably shows that best in terms of how we have put that to good use was Ukraine for sure. We had various indicators in place months before the war actually started that were looking at a variety of factors. And based on what we were seeing as an Intel team, we really believed that this war was likely to occur. So probably four to five months before it actually started, we were already working through scenarios. So we had the GSOC monitoring the day-to-day tactical news and informing the team on anything that was really sort of breaking news. Using a variety of tools, we also had the Intel team working with the regional security directors on some scenarios development. If we see these things happening, here are some things we need to consider. So we were developing plans for alternate lodging, for example, to be available to our many, many employees that we had in Kyiv. And then when the war started, our team worked very closely with the regional security team and deployed. So I was out in the region with many of our other security directors working daily for weeks to communicate with our staff there. You know, we were gathering information from them. Where are you? What are your needs? How can we help you? What is your desire? Are you trying to stay, leave, et cetera? And then from my perspective, as the Intel side of things, I was then gathering information on exactly what was happening militarily. What were the locations? What roads were blocked? Who else do we need to work with at Visa to help people? Is it travel and mobility? Is it employee relations? What are their other questions? And then we were doing things like tracking them as they moved and checking which border crossings, if they were trying to leave, which border crossings had at least traffic, those extremely real time. And then, you know, we're working with our security directors as well who were then physically being there with them to help get them across borders safely. So it was just one of these examples where you can just see how the culture of just being such a caring organization for employees and putting employees first and making sure that we did whatever we could to get them the help that they were asking for. It was just really crucial. And, you know, every single person who wanted to leave was able to with our support. Yeah, that's great. I can imagine they were probably pretty grateful. Yes. It was good. I got to meet several of them on the other side and you could see the relief on their faces, but definitely it was definitely really nice to be able to see them safe. Well, one thing you mentioned, as you were telling that story, is communication was important. And it seems to me that communication is the fundamental underpinning of responding to any incident or event. So just talk a little bit more about that. Like, how do you communicate the threats that you identify to leadership, to employees as it's unfolding? How does that work? From employee perspective, the proactive communication really comes from tools that are available to them all the time. Our internal website has country risk profiles. They all have access to an app that they can use that will give them location information. Should they choose it, they can contact us if they need it. But for our other audiences, primarily our GSAQ and Intel team are coordinating with the regional security directors who are spread out around the world. We're giving them daily reporting that's pretty tactical. We're also giving them strategic reporting, some scenarios development that I mentioned. We're primarily communicating that to them, and then working with them to push that out as needed to effective stakeholders or they use it to give briefings to their leadership in the region, etc. So I would say that's the majority of it. We certainly do have exceptions where there are other parts of visa that are getting our reporting. When there's a big, big event that's happening, it certainly happened with Ukraine, our reporting at that point is going all the way up to the CEO. So we have to tailor the reporting a little bit differently. Obviously, if the CEO is getting the security team, may need to know day by day what's happening, practically, with the fighting and where it's moving. The CEO level audience does not need to know that. They need to know whether our staff is safe in the office on that given day and the bigger trend lines. So we do some sort of more spaced out reporting that goes to higher levels to help explain the trajectory of the conflict and the real impact of visa, just what is impacting us and our people. And then I think I mentioned we have other partnerships with enterprise risk and cyber and employee relations, and we do various levels of reporting with them when we have issues that overlap. So we have to tailor to them. And also, as we get ready for the Olympics or other big events, we have reporting that we give to our events management team, hospitality, for example. So that also looks a little bit different because we will, again, the security team may need to know about every criminal incident throughout all of Paris during the Olympics. The events team, they don't need to know that. They just need to know if the train that they're supposed to ride to the event today has a strike on it and they won't be able to get on. What's going to affect my day today as I move throughout the city? So it's a little bit higher level for them. But I think overall the point is we have to put ourselves in the shoes of the different audience members for our reporting. And we don't want to overwhelm anyone with too much information. We want to make sure it's useful. So I think that just goes back to what I said in the beginning that doing this listening tour and getting to know the different audiences as well as you can and really just sitting in their spaces for a little bit can can really help you understand how they're going to consume information and so how best to give it to them. Yeah, that tailoring is so important just because security nerds like us like to read 40-page reports doesn't mean other people like to read them. Exactly. It took me a while to learn that lesson but I think I have now. That's fantastic. Well are there any upcoming events on the horizon that you're planning and preparing for? Yes, well I mean definitely the Olympics. I will be on the ground for the duration of the event so we are really working hard to get our plans and procedures all finalized at this point. We will have the Security Operations Center on the ground where we'll be monitoring events in real time, tracking, pushing out information. So at this point we're working to just make sure we've got our full exposure, our full presence mapped out exactly where everybody is, what their roles are going to be, what our SOPs are. We're doing a lot of scenarios, development to make sure we're prepared for different things. We're working with our various networks. I mean huge plug to having a good network because that's so important. It's been important in every position I've been in this field but security is a small world and especially when you're talking about the events, people who are on the ground for different events such as the Olympics, it's even smaller and so the information sharing between these groups especially with OSAC. OSAC does such a great job at coordinating all of us and sharing real-time information. It's such a help. So we're establishing these networks, making sure we have the right points of contact for the government and just doing our monitoring at this point as we lead into it. So that's a big one. Obviously we know half the world is going to elections this year, already has or is still going. So that's another area we're doing some scenarios work on, making sure that we understand what we think the impacts to visa might be in certain cities, depending on outcomes of elections. Are we prepared? Are there any gaps that we need to fill before those elections occur? And making sure again that if we think there might be a cyber aspect or missing disinformation connected to an election that could impact us as well as a physical security impact that we're kind of married up on our reporting and having regular meetings so we can talk through that. So with those stories it sounds like that your job is basically information flow optimization. Yes and I think I was mentioning this before but I think we've done this in as holistic a way as possible where we've got the GSOC that has very detailed SOPs for every different type of incident so they know okay this was an earthquake it measured this it was this distance from an office this is exactly what we need to do this is the information we need to push out right now. So we've got one group that really they free the intel team up to then do the more proactive you know let's think about what's going to be happening six months from now and make sure that we're talking to the right people to prepare for that. So we've got the tactical cover and we've got the strategic covered we've got the workforce protection team conducting investigations and sharing the results of those investigations which also does relate to sort of the broader environment that we're looking at across the world right now in a post pandemic world where we're seeing different kinds of threats come from people themselves. So we're in taking all this information we're processing it and we all have our different roles to play in how that gets processed and distributed and then we're just making sure it's a constantly involving process but we're making sure that it's getting communicated in a way that people are going to read it and pay attention to it and listen to us and that always evolves. I think it will continue to evolve as people consume information by 30 second videos. This is something I'm learning from my children. Exactly. That's right little TikTok alerts or something. Exactly. Getting people to pay attention is ultimately what it's all about and that's I guess the art of the job. So I'm glad you guys are thinking about that stuff in advance. As we start to wrap up here I always like to spend a little bit of time on lessons learned. Someone with your experience probably has a lot of lessons they've learned from. So what are some of the most common mistakes that companies make when it comes to managing global intelligence and security and how can they avoid those mistakes? You know not necessarily mistakes but certainly challenges that we've faced. Sometimes it relates to managing expectations. I think we've learned a lot in the space of managing expectations. In that age of perma crisis as I was talking about where you just I think for many people in the Intel and security space your instinct when something bad is happening is to jump in and do nothing else until you sort of feel like okay I've managed this I can walk away from it now and what we're realizing is that that time doesn't come typically sometimes for years so you really have to you have to think about and just take a few minutes or take a day even if that's what you need at some point to really think about okay how can I sustain coverage on this event what's the smartest way to do it how can I manage the expectations of the people who are getting the reporting you know they may really like it but is this the best way to be covering this right now so you know these events have been terribly destabilizing but what I have learned is you really do need to take a step back and try to think strategically before you just dive right in you know another we also already talked about but managing the expectations of employees in terms of what they can expect from a duty of care and how they will be taken care of as employees I know this varies by organization I think FISA is very very good messaging to its people that they are first and that they will you know we will always do everything we possibly can to keep them safe but if you really need to make sure you're involved in very careful conversations with your legal teams and other teams to make sure that's consistent clear well-defined and communicated all the way throughout the organization to make sure that everybody has the buy and increase so I think those are a couple of the bigger ones no those are great oh that's an excellent way to end it Mary thank you so much for being on the show such great insight and advice well thank you I appreciate you having me to learn more about Mary and her work with VISA click the links in the show notes for video highlights from today's episode just search for alert media on youtube don't forget to subscribe rate and review the show wherever you get your podcasts stay safe out there thank you for listening to the employee safety podcast from alert media the industry's most intuitive emergency communication and threat intelligence solution to learn more about how to protect your people and business during critical events visit alertmedia.com until next time