Ken Cummins CPP, PSP

Ken CumminsKen Cummins CPP, PSP is The Chief Security Officer for Sound Transit in Seattle and a prior video security consultant with The Boeing Company.

Chris:             Today, I am with the Chief Security Officer for Sound Transit in Seattle, Washington. Ken, how did you first get into the business of security? 

Ken:                Chris, good morning.  It has been quite a ride actually.  Honestly, if you had told me at age 21 or even age 25 that I’d be in the security industry at all; I would have probably called you a liar.  It was a twist of fate. I was getting out of the Marine Corps, and I had a job lined up right out, just did not pan out. Having just separating from the service, running around trying to figure out what I am going to do until my next opportunity came in.  I had to fill that gap in employment. 

At the same time, 9-11 had hit, and the Boeing Company was ramping up their uniform security service.  My dad had worked for Boeing and he said, “I’m not going to promise you a job.  I’m not going to influence anybody, but what I will do is if you send me up a resume, I’ll get it in front of the right people.”

So I did.  I sent him a resume.  The right people got a hold of it.  I went up, interviewed, got the job, and I came back up here to Seattle from California where I started as a uniformed security officer.  I felt it was an interesting job, but as a former Marine, just out of the Corps, 26 years old, it was not what I wanted to do for the rest of my life.  I started going to school.  I did find out . . . I did enjoy security, the concept, but doing my eight at the gate and then going home just did not appeal to me too much. 

I was standing around my post one day, in a very professional manner, observing everything that took place in sight and hearing, when an investigator from the Boeing company came up to me and said, “You have electronic surveillance experience, don’t you?”  I said, “Radios.”  He said, “We’ve got this new position opening up, and I think you should apply.  It’s in our technical security division, and we need somebody to develop the Enterprise CCTV Program.  Would you be interested?”

I thought about it for about three seconds, and said, “Yes.  I would be interested.”  I applied, interviewed and accepted the offer to become the Enterprise CCTV Focal.  That position’s function was to establish a single CCTV program, complete with standards. We standardized everything from equipment, to installation, to maintenance, to service, to service providers.  It was a extensive program.  It was fun, lots of travel, many opportunities to learn. 

Boeing had not done anything in the security side in terms of enterprise wide for CCTV.  Up to that point, site managers from the different sites throughout the world could or could not do CCTV, and they could do it with a myriad of however they felt it.  You had some really good systems, and you had some that weren’t worth the money they spent on them. 

This was 2003, 2004 time frame, networked DVRs were the cutting edge of technology, and so trying to put infrastructure on an already crowded network was a challenge. It was my first shot at major procurement; I did a $3,000,000 procurement (snap)   like that. To me, particularly at that point in time, $3,000,000  is a lot of money.   In my career, I have done multiple procurements worth millions of dollars; all of which began with this first one. I was terrified that I was going to screw it up and lose $3 million dollars.

I talk about a twist of fate. Boeing’s Chief Security Officer at the time was a man by the name of Greg Gwash.

I was walking by Mr. Gwash’s office one day, checking on a camera that needed some adjustment, and he called me into his office and said, “Ken.”  We were on a first name basis; he called me Ken.  I called him Sir.  He said, “I’ve been hearing great things about your program.  This enterprise standard is exactly what we needed.  Everybody that has been part of this program, even the ones that were a little resistant to come on, they’re really enjoying this.”  He said, “You keep this up, and when you’re manager retires, you’ll be a shoe in for his position.”

I looked at him said, “Thank you very much, Sir.”  About faced and left the office, and said, “Crap.”  (laughing)  My manager at the time was in his mid to early forties, and I wasn’t going to stick around 20 years just to be a first line supervisor. I started looking around.  Boeing is a great company..  I have many good acquaintances there.  Dave Komendat, who is the Chief Security Officer over there, he is running a truly model program.

Chris:             I know Dave, good guy.

Ken:                He is a good man.  Really got some good things going over there; Boeing is an exciting place, and if anybody can get on with them, it would be a good, good opportunity for them.  At that time, I was looking to advance my career.  I noticed a position here at Sound Transit was open.  It was a new position, sort of.  They were cutting responsibilities and slicing them different ways, so they created this position.

                        I applied, and at the time, it was just a security specialist position; it fell under the auspices of the safety group. When I came in, I did not know anything about public transit, just like I had no knowledge of CCTV systems before taking the Focal position at Boeing.  In fact, I was not even aware at the time Seattle had trains.  I’d seen them go by, but it hadn’t even dawned on me that’s what they were.  I launched into it, and within nine months, I got promoted to manager.  Then a few short months after that we did some restructuring, I became the Chief Security Officer.  Like I said . .

Chris:             Good ride?

Ken:                It has been a good ride, and it continues. I have been here now, at Sound Transit for almost eight years. While I am still figuring out what I want to do when I grow up, security just seems to fit.  I suffered from the common misconception that I think many people that are not aware of what the security function in an organization does, I mean, when I thought about security I thought the guys at the mall that couldn’t handle it as police officers.  I’d like to slap myself for ever thinking that way.  The depth and opportunities are almost unlimited, depending on where it is you want to go, and what it is you want to do.

Chris:             Risk management is probably a large part of what you do here at Sound Transit.  Can you elaborate a little bit on the subject?

Ken:                Yes.  Risk management.  Risk management is what security is all about really.  Security is looking at and for all the different scenarios that may have a potential adverse impact . . . from the minute things, all the way up to the large major, regional events.  I think that, going back to the opportunity, I think that is really what has kept me in the security industry is the risk, and mitigating those risks.  What is coming next, and how can I get ahead of that?  How can I prepare my organization and my folks to understand what the risk is, mitigate that risk, and get ahead and add value our organization by that risk mitigation.

Chris:             How many employees, trains, locations do you currently work with?

Ken:                We are responsible for roughly 1,000 square miles in the Regional Transit District, the RTD.  We have approximately 45 unique facilities that we are directly responsible. There are several dozen additional facilities that our partner agencies, King County Metro, Pierce Transit, and Community Transit up in Snohomish County are responsible for in the joint venture. 

We run three modes of service.  We have the commuter rail that goes up from Tacoma into Seattle and down from Everett into Seattle and the reverse in the afternoon.  We have two light rail lines, one in Tacoma, and then the central link line which goes from currently, the airport to downtown, and in 2016 that will go down to the Federal Way, 200 street and all the way to University of Washington.  Then we have a significant capital construction program that is underway, and we are going to add about 50 miles of light rail to the region by 2023.  It’s a pretty big area that we cover. 

The agency has about 700 direct employees; we probably another 700 consultants and contractors, and that does not include our partner agencies, such as King County Metro, Snohomish County with Community Transit, and Pierce Transit that run our buses, and in Metro, run our light rail.  The operations folks that actually do that come from those partner agencies, and that is probably another 1,000 more people if I were to hazard a guess.  A lot of people. 

We move about 26,000,000 people last year.  We’re experiencing about 10% increase in ridership over last year, so that number should grow, and when we get to the University of Washington, our light rail, which is currently doing about 9,000,000 a year, a little more probably this year, probably closer to 10,000,000, is expected to almost triple.  We have got . . .

Chris:             All the students moving from home to school and back.

Ken:                Students and the University of Washington Medical Center is a large employer who likes the benefit of the transit system.

Chris:             Ken, I’m going to circle back to Boeing for just a moment.  Mergers, acquisitions, and companies that Boeing has bought, how did your security program deal with the audit and retooling of those companies?

Ken:                It was interesting.  Once the Enterprise program had taken hold, we got involved with divestitures and acquisitions, and, with acquisitions, it was not necessarily just acquisitioning new companies.  It was acquiring new facilities, whether they be bought or leased, or acquiring additional space in existing facilities that were not a secured area, but now are type of environments.  My program works alongside other’s programs that were deeply involved in the divestitures and acquisitions, and it gave me a good appreciation for looking at that whole process in terms of risk. 

My portion was pretty simple.  It was looking at the buildings that we were either going to divest; we would take them and look at what type of system we had put it, how much of that we were going to recover, how much we going to abandon, or how much we were going to turn over to a company, if this divestiture was going to become a separate company or subsidiary.  And looking at how could we portion off that section, because all of our systems were networked at the time.

In the acquisition it was just looking at the new space, looking at what was existing.  Looking at what it would take to bring that up to our standard, and bringing up, or just putting in new equipment, just doing the new system.  That portion was pretty simple.  It was watching others look at the other types of risk that was involved.  It was really kind of my first exposure into risk mitigation, things that had not occurred to me at the time. 

If you are divesting a company, and people are going to be leaving, there is an opportunity for a lot of intellectual and physical property to walk out the door, and how to account for that?  How do you plan to mitigate that?  Then, if you are going to just divest, is that unintentional transfer of intellectual property or physical property, well we did not mean to give that to you.  In looking at acquisitions, the same thing, if we are acquiring people, or acquiring property, what kind of screening has been done for them?

Things that would never have occurred to me prior to that really came into clear focus.  It was a very interesting learning opportunity.

Chris:             All those gears have to come together.  All those separate pieces, whether it be security, real estate and facilities, or outside contractors that are working on that program, all have to come into sync to mitigate that risk.

Ken:                Yes.  Very much so. 

Chris:             Ken, how has ASIS played a role in your professional development?

Ken:                ASIS.  I could not ask for a better organization for any level of career; it is an amazing organization.  I am glad I’m a part of it.  When I started at Boeing, when I started with the technical security group and the Enterprise CCTV system, it was suggested to me that I take an ASIS course.  I looked into it..  Now, I have only been in my security career less than two years. I’d never heard of ASIS before, and I did some research. The more I read, the more I thought: , “Wow, this is an interesting sounding organization on paper.”,

I signed up to join the local chapter so I could get a discount on the course.  Through chapter meetings, and being involved early on, I found out there was an excellent networking opportunity for me to talk to folks that I normally would not have contact with, but were still members of the same industry.  I thought that was an okay benefit.  I was young, 27, 28 at the time, the idea of networking and the worth of networking had not solidified with me yet. I ASIS was like a car and networking was the leather seats, that is nice to have, but I am more interested in what this car can do.  I really found out what that car can do when I attended my very first, ASIS convention.  The first one I attended to was in 2004 . . .

Chris:             Dallas?

Ken:                I think it was Dallas.  Yes.  I do believe it was Dallas. Chris:   That was an eye-opener though walking in that convention. I took the full course, took all the educational courses.  My only complaint about those courses was there were so many going on at the same time that I couldn’t . . .

 Chris:             (laugh) Get to them all.

 Ken:                I couldn’t.  Several times I thought “I really need these both”.  I continued to go.  It has been now, this will be my tenth year as an ASIS member, and this will be my eighth seminar that I have been to.  I only missed one last year because of budgetary reasons, and I missed one the year I was deployed to Iraq.  ASIS is a great organization and I have to say the educational benefits that they provided me were the reason I stayed. 

Chris:             Ken, for a newly minted security professional or a student who may be looking at security as a profession, what advice would you give them?

Ken:                The advice I would give them would be, on the practical side of the security profession is, learn everything you can learn about risk and risk mitigation.  Learn it not in terms of security speak, but in business speak.  Be able to present your case in ways that you can show a cost benefit and a return on your investment, because are the terms that individuals that we report to, in whatever industry we are, understand. 

Very few security professionals, as a proportion, actually work in a security industry, or contract security, or some type of security firm.  Most of us work for a security unit within side an organization whose primary function has nothing to do with security.  Whether it be public or private side, they’re looking at risk through a business lens and we need to look at it too.  So anything you can learn about risk, that is what everybody should do. 

From a career perspective, if they want to go and advance their career, whether its security or a law enforcement, or basket weaving, I have a tag on the bottom of my email, that’s my signature block, that says . . . it’s from Hannibal.  It says, “You need to find a way or make one.”  This is coming from a guy who brought elephants up through Spain, up over the Alps to attack the Romans, who’d never seen an elephant ever before.  It is finding that way to get your mission accomplished. 

To that end, you should always start at yes and work your way back.  If somebody comes to you for advice or support, you should always start at yes and work your way backwards.  Sometimes you are going to get to no, but more often stay with yes. You’re going to find a way to provide that support, to provide that advice, and to be that valuable asset.  

Chris:             Would you say it’s about doing more with less, because bringing that prospect to the C Suite, a lot of times you’re not getting that money that you actually need to, or you believe you need to run your security department?

Ken:                Yes.  Doing more with less.  Just one day I’d like to do less with more.  (laughing)  I think that we should always be doing more with less, but it’s not necessarily doing more with less; it’s being efficient and effective with the resources that you do have.  That is the hallmark of good management –being as effective and efficient as possible with those resources currently entrusted to you. Then when you can highlight, with the use of a good metric program, areas further reduce risk and/or mitigate loss by increasing available resources, you put yourself in a better position to successfully make your business case. It goes back to learning the security industry and the security profession, as and in the language of business.

Chris:             Risk is a cornerstone.

Ken:                Absolutely.

Chris:             If you can explain that to the C Suite, you’re golden.  One of the areas that Chief Security Officers tend to butt heads with is the Information Technology folks in their organization.  Have you felt any of that?  Have you been able to mitigate that through your own inner relationships with your IT Department?

Ken:                Yes.  We have mitigated . . . we don’t butt heads.  We work well.  In my organization, Information Security is the purview of the IT Department.  We collaborate and cooperate in terms of the physical security of the servers, server rooms, access, and control to that information, but the virtual access to our organization; those keys are held by IT. 

I know there had been some talk about convergence over the past few years.  As the two spaces, virtual space and physical space, become more entwined I still feel that it’s best to have those functions separate.  Particularly when you’re in an organization that doesn’t have a very robust department in either, but that collaboration between the IT and the Security Groups on the physical side, can be just as effective as convergence.  It is important, hrough that collaboration, to cross pollinate. Get IT talking in terms of what it takes to protect their servers, physically, and it is important for us on the physical side to understand that, as our physical systems become more networked and more integrated, that the risks that are there for that need help from the IT to help mitigate that.  It is creating a level awareness amongst both groups. 

Both department do speak on types of risks each face when we talk about changing procedures and policies, whether it be access control for the physical space or access control to the network side, the virtual side.  We also talk about what we are going to do in terms of an intrusion.  What responsibility does the IT folks, and what side do we have?  Depending on what type of intrusion it is, where and when does law enforcement get brought into the mix?  We have these discussions, fortunately, we have not had to test them in a real world scenario yet, but we plan.  We exercise; we share information.  We think about how the risks are evolving to ensure that we are adequately prepared.

Chris:             Ken, on a broader spectrum, in the security industry as a whole, where do you see security profession, as a whole, going?

Ken:                The profession as a whole is going to mirror the path that technology is moving.  As technology becomes lighter, faster, smaller, more connected, so will our systems, but so will people.  When you have people that are connected faster with more devises, the risks will evolve faster and require mitigations to adapt faster..

Chris:             Social media.

Ken:                Social media is an example and whatever the next social media event is The risks there become more virtual..  You have information sought out as much or more than a physical asset. A document for example, before smart phones and wireless day, you had to physically take the document, use those little pocket cameras that you could take snapshots, .photocopy the document , or download the document to a disk of some kind. Each one of these options have built in delays of getting the information to someone who can exploit the information. Now you take a picture on your phone and instantly Snap Chat at somebody else for ten seconds or who can capture a screenshot. All the while, there remains no record of the photo on your phone.

Every new development in social media is a new opportunity for people to expose, even inadvertently, themselves in new ways. The risk of social media is the availability of information about a particular individual. As these new developments occur, mitigation strategies and awareness must adapt to how this risk evolves with the new form of media. Bruce Schneier has been quoted: “Amateurs hack systems, professional hack people”.

The industry, though, continues to evolve itself, and align itself with the risk and risk mitigation, the risks will change and develop, but risk remains the same.  You are going to need a strong cadre of leaders that understand the science of risk, the business of risk, and can keep abreast of how that risk is manifesting itself today.  Those individuals are going to be highly sought after.  I think there is a lot of opportunity now.   

Security is an aging industry, and it is an industry that certainly ages us.  So as folks are getting closer to retiring, there is a large gap developing that will need to be filled rather rapidly. I think that there is some knowledge transfer that has to occur.  You have the seasoned veterans that understand risk, understand the impact that risk has to an organization, and you have a younger generation that may not yet fully understands the impact of risk, but who are very technical savvy, and stay abreast of the latest trends. 

The two generations  together can come up with how that risk can manifest itself in today and tomorrow’s technology.  This knowledge transfer has to occur, because it is going to be those younger generations that next generation of leader, that may not right now have that clear understanding of what risk is.  They get it; they can conceptualize it, but I don’t think it’s intuitive to them the way it is to some of us more seasoned. 

Chris:             As you have gone through your career, have you seen any interesting security devices, concepts, that you would put up on the board and say, there is a great, whatever it is?

Ken:                Yes.  Technology is ever evolving, ever changing, and I am not too keen on any one particular technology.  I like things that work.  I think, on the technology side, if I were to advise future developers of technology, just keep it simple.  Just because it can do everything, doesn’t mean it has to.  In addition, use large cartoon buttons and very intuitive displays, because you need to drive that technology down to the lowest common denominator of user and to be used in periods of duress.  The least complex you can make it, the better it is.

Having said that, I think the most interesting concept of late is actually the concept of these global security operation centers.  While not so new in concept of having a data center, or an operations center, or some central point where all kinds of information are collection, whether it is security, or for operations, or whatever it is you are doing, it is this concept of having these networked operating centers that can fail over to themselves, can back each other up.  Or, as it’s coming around, can be run virtually. 

You’ve got these traditional large operation centers with these banks of monitors, and all this data coming in, and all the stuff, and to take that and be able to run that remotely from wherever it is that an individual needs it; that’s pretty powerful. It’s a powerful tool to have in an environment that, like technology, is becoming smaller, faster, more nimble.  The world is not as big as a place as it used to be even five years ago, and five years from now it’s going to be even smaller place as these connections continue to grow.

So I think this concept of having a global operations center that . . . for multiple sites, but also that is run virtual.  I think that’s the thing that I would . .

Chris:             Ken, an area that comes up frequently when I’m talking to Security Officers and Security Managers is the area of contract security.  Can you elaborate on what you’re doing here?

Ken:                Our security program has three legs.  We have our internal agency security, the corporate security.  We do all the policies; we also do design reviews for capital construction projects and those things.  Then we have our contracted security and our contracted law enforcement.  With our contracted law enforcement we’re essential a contract city for the county sheriff, providing us with a  dedicated transit police department.  The bulk of our security presence, both for our employees and our customers, is our contracted security. 

We have a robust contract security.  We have about 108 FTEs.  We have divided them into three different units.  We have our Security Operations Center; we have our Transit Security Unit, and we have our Fair Enforcement Unit.  All three of them work well together.  They all come from the same company, and they are doing an outstanding job.

I think, though, with contracted security it is important to understand, from the contracting agents perspective, is you will get what you pay for.  You also get what you put into it.  If you have a very loose scope of work, with loose requirements, and you are really intending on the contract security provider to provide your security for you, than your risk is getting exactly what you asked for.  We here at Sound Transit have put together a very large scope of work.  Our scope of work, we just finished a request for proposal and contracting process earlier this year. 

The scope of work alone was 68 pages very detailed on what the service level expectations, the metrics, and the reporting requirements. The scope was exceptionally detailed in terms of training – when, how, and how much  training is to occur.  We also specified that all training would be instructor led even the computer based modules are to have instructors present and to enhance the CBT modules. In addition, we got creative in terms of how training costs are covered. We are not going to pay for the initial training of an individual as it occurs, but that once an individual completed their training and was certified to be able to work on Sound Transit, account by Sound Transit, that you were allowed a reimbursement to cover all your costs in a negotiated lump sum. The caveat is we are only going to cover 25% turnover a year. Couple this with liquidated damages for unfilled vacancies and you have a contractor’s attention directed where it needs to be: on recruiting and retention practices.

Before we grant that reimbursement, we have made a solid effort to ensure not only that training has occurred, but the knowledge and skills have transferred. Sound Transit looks at the training transcripts, Field Training notes, test and evaluations before certifying a new Security Officer to work on the account. Without this check-off, the contractor cannot collect the reimbursement and cannot utilize the individual for billable assignments.  It is incumbent on the contract security provider to very cognizant of their recruiting practices. If the contractor understands they are going to get reimbursed for 25% turnover to begin with and if they understand reimbursement is contingent upon going to be reimbursed upon successful completion of the training program including certification by the client, they really need to find that person that is really going to work well in this type of environment.

Transit security is a little different in we fulfill more of a public safety role than most all other industries utilizing a contracted security provider would.  Our contracted security officers are most times first responders to incidents.  Our folks are expected to act to preserve the peace and preserve the physical being of our customer. The expectation is that the officers will act in emergencies, help in evacuations, and render aid when necessary.  They are regarded among the local law enforcement as very professional, and I think that has to do with a lot of the emphasis we put in our recruiting practices and our training standard. 

In the state of Washington, it takes eight hours to get a Washington State Unarmed Security License.  Most contract security providers provide for your typical contract 40 hours of training.  Our security officers get 320 hours of training before they are able to work on their site alone.  This is extensive training program.  We have many  annual certifiable items for training each year, and there is a standard that every security officer will have the opportunity to get 16 hours of additional training; this is training outside the prescribed training course for the security officers that work on our contract.  This additional training enhances their skills and gives them something to market themselves should they want to move up. 

The only way to do effectively accomplish the mission is not having the typical contractor-client  relationship; it is developing a partnership.  With partnerships, it is mutually beneficial for both parties.  The risk is you have to be very cognizant of where that co-employment line is, because co-employment is a big issue, and you can’t cross over it.  However, collaborating with management of the contracted security provider can provide you just that.  I would say that I have a very cost effective program for what I am getting, and I would be hard pressed to bring that type of service in house.  I do not think I could get a better product, certainly not cheaper, by bringing the service internal..

Chris:             Sounds like quality, not quantity.

Ken:                Exactly.  As I said, 68 page scope of work, detailing exactly what we’re wanting to do, what our expectations are, how things are documented.  We have weekly operational meetings in which we have prescribed the metrics program for our provider to provide us.  And we measure their performance.  Because it is a partnership, it is not judgment as in “you have failed to meet X, Y, and Z”.  It is, “I’ve noticed that you have not met X, Y, and Z for the past three weeks, what is going on?”  Is this an internal issue?  Have situations changed out in the field?  Is there an identified training we need to rectify?  We look at all of that before looking at the provider as being ineffective.  What is it that is causing a certain thing to occur? 

We’ve been very pleased with our provider.  They have been on board now since 2005.  They just got their third contract with us, and it is going to be five years.  We expect great things out of our partnership with them.  They are very effective at handling personnel issues.  That is one of the benefits of contracting is I do not have to deal with the HR headache, because with 108 people, not all of them are going to fit.  Not all of them this is going to be the right environment for them, and we need to help those individuals find a place where they are going to be successful; it is just not going to be here. 

Chris:           Right.  Sure.

Ken:                I am trying to be political. (Laugh)

Chris:             Each area, metropolitan area, has a transit authority or a transit group.  Do you find there’s best practices in the security side of an organization like this?  And do you share with other folks in that genre?

Ken:                Yes.  APTA is the American Public Transportation Association. The association has a security standards work group, in fact I’m part of the infrastructure section of that work group. The working group develops recommended practices and standards for transit agencies.  The unique challenge with standards for transit security is no two-transit agencies are exactly alike. Modes are different, types of service; the areas that are run through, all these weigh into it.  There is never a good apples-to- apples comparison, though I think you could probably say that about any industry., Despite the differences, we do share information. 

I think one of the best tools that we have, as an agency, besides APTA, is the Department of Homeland Security.  The Department of Homeland Security every three years conducts an inspection they call BASE, BASE stands for baseline assessment of security enhancements. They look at 17 different functional areas and this everything from customer awareness to physical security and IT security, and everything in between, risk management, threat vulnerability assessments; there is a whole myriad.

Chris:             Sounds helpful.

Ken:                It is.  It is a very extensive.  Each of those 17 subareas has between 12 and 50 items that they look at and they go through all of our plans, processes and procedures. They also look at the operations themselves along with our physical assets We are rated against a set standard which they have developed with the Federal Transit Administration, themselves, APTA, and best practices from other agencies and organizations and then brought together.  We get assessed every three years, and it’s good to see the improvements that we make here ourselves, but other transit agencies are too.  It gives us a good independent baseline to measure our performance and highlight areas of improvement.

Chris:             Ken, are you working on anything you’d like to share with us?

Ken:                Right now, we got many projects we are working on.  We are working on getting on with the three counties 800 MHz public safety radio network that is a big deal.  It’s part of phase 2 of our security operations center upgrade that we’ve been working on for several years .We will have resilient communications in the event of a regional emergency and we will have the ability to communicate directly with other first responders of the many jurisdictions we operate in.

I think the most exciting thing that I’ve been working on this year is actually working on developing our metrics program.  We have always had something we have called metrics, but our metrics have been mostly just counting.  “How many graffiti instances have we had?  What is our fare evasion?”  What we are developing is a total program that looks at everything from the ground up to determine if we are as effective, efficient and resilient as we can be, need to be.

We are starting with our business and security drivers.  First up are things that we are statutorily or through regulation are required to do it.  Then we look at those APTA standards that we talked about and applicable  ASIS standards.  We talk about best practices, not only from the security business, but also from business in general.  What are best practices for using Microsoft Office products, for example? We are looking at the expectations from our internal customers, the operation groups, and  our external customers.  We are looking at our threat vulnerability assessments over the last five years, and we looking at our own internal risk assessments to pull out those common themes that point to systemic risk. We’re putting all of these bodies of information together and calling them our business and security drivers. 

From there what we are going use those drivers to have a conversation with the Agency. By looking at the drivers from the Agency’s perspective; sorting out, the things that we’re required to do, we can’t get away from doing from  the things that we’ve been asked to do that are outside those required things.  Look at these are the things that we are doing just because it makes sense, or we are doing and it does not make sense.  We’re going to have a conversation and say, this is everything.  Do you want us to do everything?  This is the stuff that we’re required and can’t get away from doing this, but here’s all the stuff that we can have a discussion with.  Does it make sense for security to do this?  Does it make sense for another group to do it , or it make sense just for us to not do it at all as an agency? 

From that conversation we will naturally identify, those areas that other people are working on that make sense that security should be involved with or should have the lead in.  Let us have these real frank policy discussions.

Once we’ve done that, we’re going to mesh that into an agency security policy, if you will, rehash it.  We are then going to take that and drive development or refinement of our security plans, which will include all the processes, procedures, and tasks that we’re going to do, and how we’re going to do it. 

What we have is a acronym that we developed.  It’s DM3 AIC.  Its just something that we came up with just because we needed to call it something and we have not yet found a catchy title. It isnt just a metrics program itself; its the process were going through to develop that metric program. DM3AIC, the D stands for Determine.  We are going to answer, what is it we do and what is important? 

The M3 is Map, Measure and Metric.  Its going to be how are we doing?  Its now, in the future, and how we sustain.  We are looking at developing a draft charter. The charter sets the objectives and expectations that the agency has of us, and give us some KPIs and KSIs, Key Performance Indicators or Key Success Indicators.  Were going to then look at all that charter and all the process and procedures and develop a level of effort for each one of those and assign a cost driver to it.  Then what we want to do is create a baseline of empirical data for ourselves that we can say, this is what we are doing today.  This is how we are going to measure it today; this is what it is today.  Essentially base lining ourselves against ourselves so we can benchmark against other industries in the future.

Chris:             Continual improvement.

Ken:                Yes, that comes next.  The A is the Analyze.  We’re going to, once we have some real empirical data.  We don’t want to have numbers that are just counted to count, and we don’t want to base our assumptions and improvements and our analysis on an old data.  Well, this one time we did this, and this one time we did this, and back a long time ago we couldn’t do this, and we used to do this.  We don’t want to get in that loop.  We want to just what it is that we can measure objectively, and that’s what we’re going to do. 

And then when we get all that data, we’re going to analyze it for identify the gaps, identify overlaps, and some root causes.  We’re going to look at poor performing processes.  We’re going to look at the level of effort.  Does the level of effort it takes to do X make sense?  What are the cost drivers? Then we’re going to back to that charter, that draft charter, and once we’ve made some good analysis we’re going to start tightening some of those KPIs and KSIs. 

That way we can get to the I, which Improve.  We are going to take all those areas, those gaps, those overlaps, those poor performing indicators, and identify those areas that we can improve and prioritize them to which areas will make the most impact in our process or in our overall cost control.  We’re going to focus in on those ones first, and then we will just roll out a process of constant improvement. 

It is through the loopback process, this C, the Control.  As we put a project or a plan in place we measure against ourselves to say, we’ve done X; we were expecting Y.  We got Z, and is Z good or bad, and so we have that.  I believe it is going to be an interesting project.  I think it is a different look from, definitely what the agency has done, in metrics and metrics development before.  I believe it is inline how people are looking at risk and risk mitigation nowadays, and having some key metrics.    We do not want to measure for the sake of measurement.  We want to really identify . . .

Chris:             Actionable measurement.

Ken:                Absolutely.  We want to focus in on those things that really make sense.  I think what’s really exciting about this process is that we actually are giving a tip of the hat, so to speak, or some recognition to the outliers, those black swans; those things that no matter what, it’s that unpredictable outcome.  Something completely unpredictable happens; we are acknowledging that in the program, and saying we can become as lean and efficient and everything that we can in our day to day operations, but we can’t ignore the fact that we don’t know what we don’t know.  Eventually that unknown is going to show up.

Chris:             Looking at this plan, it seems to me that once the real hard work is done up front, it should be pretty simple and streamlined.

Ken:                Yes.  It will.  The process has feedback loop into several other areas, so as we develop this, and we have a report out to the public and our board of directors, but we also use that information, that report out, then goes back into our expectations for our external and internal customers.  That could change our drivers, which could change our policy, which could change our metrics.  It can change, but once the hard work of developing and sending up is, it gives us something to work from.

Chris:             Solid foundation for your security program.  Great.

Ken:                Thank you.


Ken Cummins CPP, PSP  is the Chief Security Officer for Sound Transit. Ken has been involved with security issues surrounding Sound Transit, commuter rail, light rail and bus transit since 2005.

Ken’s work has significantly improved the professionalism and responsiveness of Sound Transit security operations. By demonstrating the value of security by aligning the department’s mission to organizational goals and board level risks, he has built positive working relationships within the agency and with partner agencies and jurisdictions.

Ken’s vision and direction created and coordinated a 24 x 7 Security Operation Center, transit security department, transit police department, and a fare enforcement program to provide the public as Safe, Secure and Comfortable transit environment. Ken has nearly 20 years of military and security management experience. He holds degrees in business administration and security management.

Ken is board certified as a Physical Security Professional and a Certified Protection Professional by the American Society of Industrial Security (ASIS); a member of the American Public Transit Association’s (APTA) Security Infrastructure Working Group; and the Washington State Transit Association’s (WSTA) Security Council. Mass Transit Magazine named Ken as one of the Top 40 under 40 in 2010.

Related Security Interviews