Mike Kolatski, MAS, CPP is the Director of Security for the Fred Hutchinson Cancer Research Center. Mike was in charge of event security for the World Series with the Oakland Athletics, Director of Security for the Seattle Convention Center and Security Manager for the city of Seattle. The interview took place at the Fred Hutchinson Headquarters in Seattle Washington.
Chris: I’m here with Mike Kolatski. He is the Director of Security for Fred Hutch Research Centers. Good afternoon, Mike.
Mike: Good afternoon, Chris.
Chris: First question I’m going to ask you today is how you got into the security industry.
Mike: I started in security in 1978 with the Milwaukee Brewers baseball club, I was a sophomore in college at that time; it was a great way to earn money. I just continued on. I earned my Bachelor’s Degree in Education, and in 1982 I went into law enforcement and became a police officer for the city of Milwaukee, Wisconsin. I was able to sustain that for six years until the winters . . . I just couldn’t take it anymore, and so my wife and I just pulled up roots and we moved out to California.
As I waited to get on one of the law enforcement agencies in Northern California, I ended up in charge of the event security for the World Series with the Oakland Athletics and the San Francisco Giants. I stayed with the entertainment part of security for a number of years. I opened up the San Jose Arena, the Rose Garden Arena in Portland, Oregon. I worked for a number of professional sports teams including the Sharks and the Portland Trailblazers, and eventually moved up to Seattle in 1998 and became the Director of Security for the Convention Center in Seattle, for the Washington State Convention Center. They did not tell me in 1999 that the World Trade Organization was coming to Seattle and that we were going to be ground zero.
I was able to become the Security Manager for the city of Seattle for about 5 years. Went into the private industry for about 18 months, wasn’t my cup of tea, and ended up at the Fred Hutchinson Cancer Research Center as Director of Security.
Chris: Mike, you did a lot of security for some very influential rock bands and folks in the entertainment industry. Can you elaborate a little bit on that time in your security profession?
Mike: I’ll tell you, Chris, it was a great time to be in security. From my earliest days back in the 70s where I worked for some of the major groups as they came out. I’ve had the pleasure of being able to be involved in some of the largest concerts on the West Coast, not only in the Northwest, but all up and down the West Coast. It was great time.
I kick myself a bit that I didn’t write everything down that I saw and what happened. I guess it would have been a great book according to a lot of people, but it was just a lot of fun. It’s a whole different animal when you’re doing security entertainment than it is for doing the private industry, or the public industry. It really gave me a good idea how to deal with the public and things I would be dealing with, so I can use those skills, as I’ve gone forward in my career, to really move from an industry to profession.
Chris: Mike, the event security is, I would assume, mostly personal security, executive protection and that sort of thing. Do you find that there’s a lot of risk mitigation that goes into the before an event rather than after?
Mike: I think anybody that’s worth their beans knows that risk mitigation, the idea of being proactive rather than reactive, is what you want to look at right now. The idea of having an advance team, of having plans in place before the incident or incidents would occur, certainly help that. The industry has changed a ton, especially in event industry. Back in the day, in the 60s and the 70s, the idea was event security was there to thump you if you didn’t do what you were supposed to do, which was what we told you to do.
Nowadays we’ve gone completely away from that. It’s now the idea of being proactive, of working with people, getting the crowd to do what you want them to do, but having them think it’s what they want to do. And certainly liability is something that always, always has to be considered, because no matter what you do, no matter where you are, you run that risk of being sued for something. So it’s best to have all your ducks in a row before it occurs.
Chris: I would assume that that came into play during WTO.
Mike: Absolutely. I think that the plan that was made with the State Department, with the Feds, and with our local law enforcement, was a good one. Things just took a left turn when we had some of the anarchists join the protests, and things kind of went downhill from there. But I will say that the Convention Center was the safest spot in the United States during the WTO.
Chris: Moving forward a little bit. You’re now the Director of Security for Fred Hutch and what a difference, from working with people in the entertainment industry and now working with a biotech, large biotech that’s on the cutting edge of research in the cancer field.
Mike: It’s interesting here. I think that the Hutch in general has some of the most brilliant people you could ever want, and I think our mission is so strong. I think the idea that you have . . . I’m part of something that’s trying to do something for the world. There’s no better feeling than that right now. That I can provide or help provide a safe and secure environment for our researchers, our visitors, and for our patients to make sure that they don’t have to worry about that part of their visit. It’s a great feeling.
Chris: Mike, when you go in front of the C suite here at the Fred Hutch and you’re talking risk, and you’re talking to them about what you want to do now and in the future with your program, what’s the most significant piece of that pie?
Mike: You have to put it in terms that they understand. I can speak security jargon forever and ever, and I’ll know what I’m talking about. And, Chris, you’ll know what I’m talking about, however your audience may not. I think what you talked about, the idea of risk mitigation, putting it in terms of risk. What’s a risk? Are we adverse to risk? Will we accept some risk?
Put it in terms they know, and you’ve got to be short and sweet, right to the point. You’ve got about two minutes to keep their attention, so get to the point. How’s it going to help them achieve our end goal of curing cancer? If you can put it in those terms, and you can tell them that you’re reducing liability, that gets their attention, rather than the whole doom and gloom, the sky is falling scenarios, which we, unfortunately used a lot during 9-11.
Chris: Mike, can you tell us a little about your program here at the Fred Hutch, and maybe some of the statistics, people, places, things that security’s doing here?
Mike: You bet. We have a program here at the Hutch where I do have some direct reports that work directly for Fred Hutchinson. We also use contract security here. We are a 24/7 operation. We have electronic access control; we have CCTV onsite here. What we’re doing at the Hutch here is trying to get everybody involved with the idea that they are part of the team. We are no longer just a necessary evil, for lack of a better term.
I think traditionally that’s always what security’s been viewed. If anything . . . the idea that it’s not going to happen here, but we got to keep them around just for liability’s sake. Things like that. That’s going away, and that’s where I think our profession has to take the forefront to make people understand that it’s a whole new world. It’s no longer we’ve got a lot of keys and we can rattle doors. We can help in so many areas here at the Fred Hutchinson.
We have some very unique assets that need some protecting. We have a contingent right now; we have two laboratories in Africa, which presents a whole different animal as far as security and safety and what we need to be aware of. It’s getting everybody involved and letting them know that they are an important part of it, and what they see and what they hear can often be a proactive approach that will allow us to increase our safety and security yet not impede on the research that’s going on here.
Chris: Mike, where do you see security going in the future?
Mike: I think 21st Century security is in its infancy right now. We’re going from an industry to a profession, something that people can make a career of right now. I think that, to a degree, we’re struggling with that. We’re no longer able to be siloed. Physical security is here, and Information Security’s over here; everything is working together. We’ve heard the term convergence so much, and I try not to use that anymore, because that’s been happening for years and years, whether people accept it or not, it’s here. As professionals, we need to embrace that.
We need to now expand our horizons and let other departments know how we can assist with them. You look at Human Resources; what can we do for Human Resources? Background checks. The importance of that. How those occur. The idea of, in a termination, what are some tricks that you may want to do? Where do you sit in case there’s something that might go haywire? How do you get that whole team contacted? We have the ability right now, Chris, I think, to really impact all points of an organization right now. If we’re willing to take that time and be able to explain to people how we can assist them. It’s our job to make sure that people know that we are an asset to all areas right now. We’re no longer just security; we’re no longer just a necessary evil but an integral part of the entire business.
Chris: One of the things that comes up when I interview security professionals in the industry is, is that butting heads, or as you said, that overused word convergence, of Information Security and physical security. How involved are you in that, and how’s that relationship look here at Fred Hutch?
Mike: I’ve been very lucky, Chris, in the idea that when I came on board here at Fred Hutchinson, almost three years ago, the Information Security team was also going through a transformation here. We were newbies here, and so we were really able to mold and have a connection right away to begin with, to be able to interact and not forget one or the other, to be able to work together.
And, as we go forward on other projects, to realize how much physical security depends on the information security and just the whole IT world, embrace that, work with them. Keep them informed, because that will have a cascading affect. They’ll start then keeping you informed of information that they need to know and we need to know. It just works together, because one can’t work together in the 21st Century without the other.
Chris: When I came in, I notice on the whiteboard you have your program sketched out. How is that working out, and what’s your methodology for programming your security department?
Mike: It’s really having a plan and introducing a plan, and I think, as we talked about before, the idea of selling it to the C level. One of the big things that we look at right now is emergency operations, something that people will talk about a lot, and oftentimes you have a great big binder that’s got all these beautiful plans. And there’s so much on that binder, because nobody reads the darn thing.
My job is to make this as simple as possible. You will delineate departments. What you’re supposed to do in an emergency. How you need to respond, and make it usable for people. Once they get that, the idea that, here’s what your responsibility is, here’s what you need to take care of so that the incident commander can make the very correct decisions; it just makes it flow.
And the ability to let people know you have to practice. Don’t write a booklet, and don’t write a huge binder about what you should do and then never look at it. You’ve got to have some drilling; because the more you practice the better you’re going to be in case of an emergency.
Chris: What have you found is the most interesting part of working for a biotech versus high-tech versus transportation versus your time as the Director of Security for the City of Seattle?
Mike: I think what happens here is we touch on so many things here at the Hutch. It’s really the interaction with people, the interaction with such a diverse group of individuals acting collectively towards a common goal. The idea of really working with people to make them understand how vital security is, how we are really an asset towards them, and how we can work with them. And we ask the same thing, that they work with us. So many different things happen here; there’s so many assets to protect, and the sky’s the limit. Some of the research that’s being done here is just incredible. And just being on the cutting edge of that, and being part of that whole team, knowing that you’re really doing something for the greater good of the world. I don’t think there’s a much better feeling than that.
Chris: I would not assume there would be. My next question is point towards maybe a new student, somebody that’s just new in the profession, or somebody that’s thinking about the profession of security. What would you say to them if they called you up and asked you today?
Mike: I would tell that person to learn a lot about business. I can teach security; I can’t teach common sense. Because we are part of business now and that’s something that’s been forgotten and I would tell people that they should view it as a profession.
Education is so important. It’s never-ending. Don’t think that you know it all, because as soon as you think that something’s going to come up that’s just going to stump you. Continue your education. Learn from your peers. Don’t be afraid to ask questions. Don’t be afraid to say, “I don’t know.” But if you’re going to say that phrase, make sure you follow up with, “But I’ll find out.” Really use common sense in this world here. I think that’s what we’re looking for right now, and I think that, again, we want to be a profession.
We want people to realize that this is not a job that is going to be here until “you can get a real job.” So many years, I think, as you know, the idea that, I can’t get a real job, so I’m going to be security for a while until I figure out what I want to do. Security right now is a viable profession in the 21st Century, but now it’s gone from just security to the idea that you have to know business. You have to be able to interrelate the two and make people understand how those work so that you can become an asset to the organization as a whole. You have to be able to understand the mission of your organization, be able to embrace that, and to show how security can add to that.
Chris: So Mike, how has ASIS played into your professional career?
Mike: Two things. Number one is the education, the formal education part. Being able to set goals for myself. The idea of getting my CPP; I’d set a goal for that and at the same time I was working on my Master’s Degree. I had set a goal that I wanted everything before I was 50 years old, and I was able to achieve that. I’m very proud of that.
I think the idea that the networking part has been amazing to me. There are so many smart people out there, so many people that have ideas that they’ve gone through already. Why should I have to reinvent the wheel if I can talk to somebody that’s already gone through that pain and agony of inventing that wheel? I’ll just piggyback along on that.
It’s just numerous opportunities of learning, of really taking somebody’s idea, maybe tweaking it for your specific organization, and having some fun with it now. Again, we’re in our infancy; we can build this profession the way we want to right now if you’re that leader that want to take that step, and say we’re going to do something we haven’t done before, and we’re going to see how it works. If it doesn’t work, that’s great. We can go back to where we were and try again, but we can’t be stagnant anymore. We can’t do what our forefathers used to do. You want to be a leader? Do what Steve Jobs says, “People don’t know what they want. It’s our job to show them what they want.”
Chris: Mike, I know education’s one of your topics that you like to hit on during conversation. How, in your organization, does that education play into your program?
Mike: All of my direct reports right now are members of ASIS. I think it’s important for them to learn that. For me personally, the idea of being able to teach what I know to my folks and letting them practice that, and to be able to give them projects and leadership, and giving them some authority. Not allowing them to fail, but allowing them to make mistakes. I think sometimes that’s really hard for people to do. They don’t ever want to make a mistake, and I got to tell you what, we all do it. I don’t care how long you’ve been in this business.
Chris: It’s how we move forward.
Mike: Absolutely. And it’s the ability to learn from that. So my job is to teach my folks what I think is important, and then see how they can apply it. You’re right, formal education to me is really important. My Master’s is in Organizational Security. There aren’t a lot of folks around that have that kind of thing. But it doesn’t matter what you know if you can’t apply it. My job is to get them to apply it.
I love to challenge my folks. I tell them, I have ideas, but sell me yours. If you’ve got a different idea and sell me, I’m more than willing to listen and try something different. Because I want to learn too, and I learn from everybody as we go forward. Don’t be afraid to have an opinion, but if you’re going to have an opinion, have some basis for it, and have some options. The C suite loves options. They want to have there’s no one way to have to do this, because they may shoot it down. No, you can’t do it. Well, let’s consider this then.
But have that idea, and teach them. And don’t be afraid to give them authority. When you take vacation, take vacation. Leave them running. The world goes on. I tell them that all the time. The world will go on whether you or I are here. But my job is to make sure that you’re prepared for that, and if you can get a job somewhere else that’s better, I hate to lose you, but I will not stand in your way, and I will be your biggest advocate if that’s your goal.
Chris: Organizationally, that seems like a smart way to run your program. Let’s see . . . Let’s get into risk for just a minute. Mike, risk is at the key to any business planning for a security program. As you developed a risk program here at Fred Hutch, what was the methodology you put in place?
Mike: I think it’s the idea, number one you have to understand what risk management is, and that everything we do in life is somehow risk management. First of all, you have to identify the risks, and it’s very specific to each organization, nobody’s the same. Then you have to identify . . . we’ve identified the risks, now what do we have in place right now to really mitigate those risks.
And then identify those vulnerabilities, and then have options to mitigate those vulnerabilities. And you have to be able to prioritize that and be able to tell people why you believe that’s happening. I think that’s a huge part of business right now.
You want to get the C suite’s attention; you put it in those terms. Don’t put in security jargon; I keep going over that, and it drives me crazy. Because we can all have the idea that fear, uncertainty and doubt, the FUD theory that was so often around. Right now they want to hear, what’s our risk? Is it going to happen? Are there a lot of risks on this? A little bit of risk?
And then being able, as a person, identify your organizations risk appetite. Are you risk tolerant or are you risk adverse? And then you base your options on the culture of your organization. You can’t change a culture of any organization. I used to think I could; I can’t. I admit it. But I can change a behavior of the culture within there. I think that’s what I’m trying to do right now, the idea of move that behavior in that culture so that it works for everybody right now.
First of all you’ve got to understand what risk management is. So take some time, learn what it is and understand it and be able to speak on it. Practice on some of your folks; get them to understand it. That’s when you have a plan, and always have a plan before you start presenting it to the C level.
Chris: You’re in downtown Seattle. How do you deal with people just walking onto your campus?
Mike: We are a quasi campus situation where, working with the SCCA, UW and with Children’s Hospital, it’s the idea that we have patients coming here all the time. We have visitors coming here, so you have to use a fair amount of common sense. We do have picture IDs for all of our employees, both contract and people that are either at the Seattle Cancer Care Alliance or here at Fred Hutchinson, so we have some ID. A lot of it has to do with being able to visually look at someone and make some judgments, whether that’s right or wrong.
Sometimes when you’re having an open campus environment, and you don’t want to impede on people, and you don’t want to impede on the idea of strategic building, of strategic thinking, there’s some risk that is inherent that you have to be willing to assume. Once you learn that culture in an organization, and here at Hutch that’s what we’ve learned, or with the City of Seattle, there are certain situations where there is just going to be risk that you have to undertake. You have to try to minimize.
Chris: Mike, you’ve outsourced some of your security group to an outside vendor. Can you tell me a little more about that?
Mike: This was done . . . this has been the way it’s been here at Hutch since before I got here, but I think it’s important when any organization decides to outsource all or part of its security resources the idea that it is a partnership and not a client-vendor relationship. By that I mean the idea that you’re willing to share information, that you’re willing to work with that person and that organization so that they feel that they’re part of the organization, not just a third party here. I think the results become much more positive when you’re able to work that way rather than saying, you’re just a vendor; don’t tell me this is the way it’s got to be done.
Everybody has great ideas, and you’ve got to have that personal relationship and be able to work with people, because it’s always a give and take. There’s nothing that is just so straight and narrow that things can’t be changed, so you have to work with it. And that also will give you that sense of honesty, and give you that sense of trust. And that’s so important in this business.
Chris: Let’s see. Head back to overseas in Africa. Mike, you have some locations overseas in Africa you had discussed a little bit earlier. Can you tell me a little bit more about that and how you’re adjusting your program to foreign countries?
Mike: It’s really interesting, because I think here in the States we like to think that what we do here is worldwide, and that’s truly not what’s going on. No matter where you are, no matter what part of world you’re in, you’ve got to understand their culture, their laws. What is normal for them? You have to be able to work that way. We at Hutch, we have two labs, one in South Africa right now, and one in Uganda.
You have to be able to know, what’s the political climate there? What’s going on? And you have to have plans of action, in worst case scenario, the whole idea of extradition. How are you going to get your people out of there if something hits the fan? And you have to be able to have an advance team. And you have to be able to know who should be contacted. What’s going on? And you have to stay on top of that, because the whole world is changing.
We’ve just talked a lot about; do we have any people in Egypt right now? You have to be able to anticipate that. You have to look at that and think, what’s going on? Is it safe for our folks to travel there? If they have to travel there, what precautions can we take ahead of time to try to ensure their safety as best as we can? And if we can’t, to be very honest and say, we don’t think it’s a good idea to go there. We think it’s time to wait.
Oftentimes you don’t want to say that, oh it’s fine. Well, no that’s not right. Sometimes it’s just not fine, and sometimes you have to do your best to convince someone, no, this shouldn’t happen. And they may not listen to you. That’s part of the whole profession, but you have to do your best to be able to tell them why you think what you think and put it in terms that they understand. And if they make a decision that’s contrary to what you believe, you’ve done the very best you can to explain the entire situation to them, the risks that they’ll be inheriting, and what could be the consequences. And never ever stop.
Chris: And get everything in writing.
Mike: That’s right.
Chris: There you go. Mike, in a biotech and dealing with a lot of intellectual property, I would like to discuss social engineering a little bit in, not only what it is or how it’s affecting your organization, but how you’re mitigating that specific type of risk.
Mike: Here at the Hutch, what we’ve got here just a group of individuals that works here, from post grads to doctors that work out of UW and Children’s, and so you’ve got a lot of interaction with a lot of different people, lot of age groups from young folks, guys and gals just coming out of college to people that have been around for years and years and years. People have to understand that social engineering is probably one of the top ways of gaining information without people knowing that.
We all hear about social engineering and how they prey on the elderly and things like that; they can prey on anybody. That idea of getting into a conversation and all of a sudden it starts leading into, what kind of research are you doing? What have you touched on? Oh, really. That’s really interesting. I studied this; what do you got? That kind of information can be gleaned anywhere. Emails, one of the most common forms of social engineering.
The idea of trust nobody but thyself, and even be careful with that. There are lots of people out there, be it countries, be it individuals that would love to have information that you may have in an organization. So you have to be able to protect that, not only at your workplace, but also, and I think more importantly, in a social environment. Because if a person is good at what they’re doing, social engineering-wise, that’s the least the place you’d expect it but probably where more and more information is gleaned.
Chris: Let’s discuss education and awareness within the organization. Are you out there letting the folks know that there is social engineering and that they could be affected by it?
Mike: I think it’s great to be able to talk to departments face to face. What I’ve started here at Hutch is the idea of putting short videos together on certain subjects. The idea, let’s use technology. I think that one of my end goals is to work with HR, and this now becomes part of the required learning for any new employees and for any employees that are on site right now. The idea that there you can track electronically that they’ve watched this video or that they’ve accessed this video or that video, so that they can’t say that nobody ever told me this, or that I shouldn’t say this or that. Well you looked at it right there.
And use technology to our advantage, because we can’t be everywhere at all times, but we can have that information available to them via the Cloud and via our IT departments here. So that information is always readily available, and you have to be able to update that. You can’t say one and done. It doesn’t work here anymore because technology changes day in and day out.
Chris: Mike, we’ve discussed a little bit about IT and physical security and how those two pieces are implemented within almost every organization and how, at the essence of security we are trying to close a door and not let the bad guys in either case.
Mike: I think it’s really in essence the idea of what’s our end goal? And I think both on the information security side and physical security side, you’re absolutely right. It’s the idea that we don’t want them to get past point X, but we have to understand what point X is before we can say that’s where we don’t want them to go. Well, what if they get past point X? Well, now we don’t want them to get past point Y.
Be it physical or information security, it’s that whole layered security thing. You have things that are in place that if they would get past your first stopgap, they hit a second one. And if they get past that somehow, you’ve got a third one. You have to have a plan for a plan for a plan for a plan, because unfortunately plans sometimes fail. Or somebody’s got too much time to think about how they can overcome your security defenses.
You have to be able to understand what the end goals are. And you’re right, we all have the end goal, it’s to keep the bad guy away from getting to where they want to go. But we can’t do that if we don’t understand what they’re trying to do, what they’re trying to get to. We’re both working toward the same goal.
I think, as you and I have spoken about, the CSO of the future is going to be the decision maker for both. That person has to have multi-layered understanding of where everybody’s going and be able to understand that we’re all going to try to end up at the same goal, keeping the bad guy away, just different methodologies of how to do that.
_____________________________________________________________________
My Video Interview with Mike Kolatski, security director for the Fred Hutchinson Cancer Research Center, discussing his extensive background in security and the importance for modern day security executives to learn the business operations perspective of their organizations