Q&A with Matt Horace, Chief Security Officer – Mayo Clinic
Matthew Horace (Matt) serves as the chief security officer of Mayo Clinic. In this role, he is responsible for the safety and security of Mayo’s employees, contractors and facilities in the United States and abroad. A former SES federal law enforcement executive, he has held three CSO/VP security leadership roles and has a passion for diversity, equity, and inclusion, moving individuals and organizations from where they are to where they are going while building inclusive teams.
Horace also wrote the critically acclaimed “The Black and The Blue, A Cop Reveals the Crimes, Racism, and Injustice in
America’s Law Enforcement” and created The Horace Foundation Endowed Scholarship for Criminal Justice Studies at Delaware State University, in honor of three DSU students who were killed on a Newark, N.J., playground.
We talked with Horace about the threats facing his organization and healthcare generally, how they have changed, how he’s led his teams in combating them, and how he’s worked to build a security culture at Mayo Clinic’s multiple locations.
Keith Oringer: What do you see as the greatest security threats facing Mayo Clinic?
Matt Horace: Healthcare is designated as critical infrastructure by the Department of Homeland Security. Violence in the healthcare work environment continues to trend upward and is likely to continue to dominate our security threat landscape for the foreseeable future. Bureau of Labor Statistics data from 2018 indicates that serious workplace violence incidents were five times more likely to occur in healthcare than other industries. Recent incidents involving knives and guns resulting in mass casualties and death within the healthcare environment reflect this evolving violence in healthcare facilities.
Those targeted threats to healthcare providers are very real. And, we spend a lot of time both mitigating those risks and threats, and responding. Many times the only way patients or even family members know how to respond to less than ideal news is in threatening ways. We also deal with employee-on-employee and domestic spillover scenarios. As practitioners, we have to take every threat seriously, because many times early warning signs escalate and manifest themselves in very tragic ways.
More recently, COVID has promulgated more rules and restrictions, and people have become more stressed more of the time. This has created challenges for our frontline security staff and care providers. People are just acting out in different ways, and violence has been a part of it.
KO: What are the major steps you have initiated to face security threats at Mayo Clinic?
MH: I once had a manager who, in response to a crisis, conveyed to me what he hoped for. I told him that “hope” wasn’t a strategy. A strategy involves vision, preparation, investment and execution. This is the approach that my amazing team takes.
Mayo Clinic continues to invest in security measures to better ensure psychological and physical safety for the work and care environment while balancing and promoting a positive patient experience. The establishment of an intelligence program has been integral. Healthcare providers cannot provide the best level of care if they don’t feel safe.
The more visible security measures have included maintaining appropriate uniformed security personnel staffing levels, implementing weapons detection services, implementing intelligent patient-visitor management services, expanding personal duress alarm capabilities to personnel, implementing on-site less-lethal response capabilities such as tasers, and exploring the risk-benefit of providing on-site firearm response capability. The establishment of an intelligence program has been integral.
Less visible security measures have included modernizing, standardizing and integrating core security technologies such as access control, video management and radio; implementing convergence of multiple Security Operations Centers to a single Global Security Operations Center supporting both domestic and international operations; providing security intelligence service; providing threat assessment and management services; and training security personnel in Suspicion Indicators Recognition and Assessment (SIRA) techniques.
We want to make sure that we provide both physical and psychological safety. I know that we can put all the technology, tools and processes in place, but if our staff, patients and our visitors don’t feel safe, then perhaps we failed somewhere along the way. We value surveys and feedback at Mayo and solicit specific information about individual safety and security, and we evaluate that information fairly frequently.
KO: How do you feel about guns? How do you determine whether to arm someone?
MH: Our uniformed, proprietary staff are not armed. We do have armed police officers in a number of our settings. The arming question has been a sensitive issue in healthcare. In fact, in a number of incidents throughout the United States over the past several years, patients have taken the firearms of armed first responders and used those firearms against the responder and other staff. At Mayo, we are committed to the idea that the needs of the patient come first. It’s a cultural nuance to working here. We also know that many times, the tactical law enforcement response to a mental health crisis ends up in tragedy. Patients who are experiencing a mental health crisis need and deserve an appropriate approach. So, we’ve made a business decision to prioritize training on de-escalation and tasers as an intermediate use of force option where appropriate.
KO: When implementing or upgrading physical security technology, can you describe how you coordinate the use of external security system integrators with your in-house technology team?
MH: As a matrixed enterprise, we have a strategic partnership with a national security integrator, which was selected based on very specific needs and business requirements identified by our technology and global security operations manager. The integrator has been worked into the operational flow, providing tech support; and into consulting services and customizing product based on the unique enterprise need, which is consultative- only in some sites, while serving as embedded technicians at other sites. As an iterative process, global security partners along with a national integrator, support more accurate budget forecasts while guiding our evolution from a “break/fix” model to a “lifecycle” model.
We’re all good at some things, but none of us are good at everything. How do we get our systems integrated, condensed and talking to each other? Our technology needs to be ubiquitous to the needs of the future. We’ve found that using integrators helps us get this critical work done, and I’ve been really happy with the process.
KO: What advice do you have for CSOs in working with their organizations to add new security tools and technology?
MH: Keep your strategy data driven, intelligence-led and multilayered, and establish formal and informal coalitions to help socialize this security strategy. The meetings before the meetings are so important. Security is a business enabler, and evaluation of our core service lines is never a begin-and-end. It is an iterative and measured process that should be mindful of the business needs of organizations, and priorities of stakeholders.
As redundant as it often seems, we must continually demonstrate and talk about security’s ROI – but not just in annual board meetings and through annual written business plans. Much of the security ROI is borne out of what doesn’t happen, and this metric is challenging to quantify in any report or in front of any board or committee. Storytelling in real time with anecdotal, easy-to-understand “wins” and “saves” can be a valuable tool. Internal stakeholders can be our greatest advocates and funding sources.
Many times, we’re speaking to people that don’t speak or understand security language. Our jobs are to speak in ways that we can influence the people in our environments, to make sure that we get the resources, and the funding, and everything else that we need. It’s easy to convey statistics about how many people we speak to, or how many weapons we take. Those are easy metrics. The challenging thing for us is being able to quantify the things that don’t happen.
If you have a stretch of five years, and you never have an active shooter incident, and your workplace violence numbers go down, is that because of what you’re doing? That’s a very challenging thing to quantify. But we have to continue to talk, and write, and influence, and coalesce people around our ideas.
KO: Given that Mayo Clinic has over 70,000 employees and dozens of locations, how are you training staff and promoting an organization-wide security culture?
MH: Performance management in addition to training and professional development are critical factors for our staff. The competencies that were drivers for success in 2000 are obsolete in many ways now and into the future. These are challenging change management principles, particularly for many senior tenured employees who have not traditionally focused on training and professional development. But our operations must align with the current and future business requirements.
Security practitioners can’t be the only ones talking about security, and pithy language like, “If you see something, say something” can’t be the only answer. Ensuring that employees know specific things they can do to contribute to a secure environment and mitigate risk provides our organization with 70,000 additional eyes on our environment. It’s so critical to utilize public affairs to ensure that employees know important changes and updates – but also to do so at a pace and cadence that is not exhausting. In large, complex organizations, you need to strongly influence, through committee work and representation at the right tables with customers and stakeholders.
Threat management is our other priority. Mayo Clinic is taking a tiered and integrated approach. We are building a culture where employees are empowered to report suspicious behavior. Through strategic investments in the Suspicious Indicators Recognition and Awareness (SIRA) program, we are empowering critical frontline employees to recognize suspicious behaviors and escalate those observations.
Depending on the suspicious behavior type, these observations are triaged and an array of mitigation efforts is deployed.
If you look at some of the some of the risk drivers, like piggybacking with IDs and the things we tell people not to do, these aren’t things that security officers are ever going to see, but they are things that employees and staff are going to see and participate. Security is everybody’s responsibility – it’s not just the responsibility of global security or the CSO. In each active shooter or mass casualty event, there have been specific red flags that led up to these events. In many cases, someone did report; but in many cases, they did not. We all must be intentional about each other’s safety. Security is a serious profession, with a lot of responsibility. I take the responsibility of protecting the people in my organization, our patients and visitors, very seriously. We feel we have a proprietary organization where staff can be trained and oriented to what Mayo demands and expects from all of their employees. This enables Mayo Clinic to remain the number one healthcare organization in the nation.
KO: How are you recruiting people?
MH: The nation is in the midst of a human resources crisis. Recruiting strategies are exacerbated by competitive wages and multitudes of options for applicants. We have targeted recruitment campaigns directed at community colleges and universities, and specifically toward veterans. We use the traditional digital platforms like Indeed and LinkedIn. Because we’re a large organization, the recruitment challenges are variable depending upon the location. Nonetheless, we’re very much aware of the nuances of recruiting and talent pools in all of our environments. We are also very mindful of ensuring that we recruit and hire with an intentionality of diversity, equity and inclusion principles.
KO: What are your top three qualifications for in-house security staff?
MH: We are looking for people who want to understand Mayo Clinic culture, and what it means for their work. Our most important guiding principle is: “The Needs Of The Patient Come First.” We consider the customer-service mindset to be non-negotiable for anyone in the security organization.
We’re also looking for people that are trainable and willing to adopt an agile forward-thinking mindset. We want people who can blend a very customer-service-oriented approach, with a well-trained and practiced understanding of how to respond to violent patients or suspects or suspicious people. This sounds like a challenging juxtaposition, but our frontline officers are very good at it.
KO: Are you looking for people who had former healthcare security experience?
MH: Healthcare is an extremely nuanced environment. It always helps to have worked in the environment. Experience would be nice, but being willing, trainable and committed overcomes lack of experience. There’s a very different business imperative for officers who work at hotels, warehouses and nightclubs than those who work in healthcare. I give credit to our officers, each and every day, when I see the film and video and read the reports about what our officers endure. Our people are trained to get a really good outcome, without having to respond in kind to violence, and they do a wonderful job of it. I am honored by their resilience, particularly in the current HR environment; their work is hard and meaningful work.
KO: What educational requirements do you have?
MH: One of the things we’ve struggled with, as an organization, is whether to have college-degree requirements for officers. Initially I pushed hard on requiring college degree work as a requirement, but I was inspired at the request of my staff, particularly one employee, to change my focus. Because there are employees who don’t have their degrees, who can be productive individual contributors, last year, we removed the requirement to give more people opportunity. There are many employees who, due to whatever set of circumstances, never completed their degrees. That shouldn’t impede them from obtaining an entry-level job and being provided an opportunity.
Nonetheless, we encourage a strong cadence of training and professional development. Some people are happy where they are, and we respect that, but you have to take your own career into your own hands. And that’s something I tried to sell throughout the enterprise. You can’t wait for us to give you something. What have you done to make yourself better and more marketable, to walk up through the ranks in my organization, or any other organization for that matter?
Our organization has dozens, if not hundreds, of internal training opportunities. So don’t sit idly by knowing you need to become a better speaker without signing up for toastmasters. We try to convince people, even at the officer level, if there are needs you have, invest in yourself, and don’t wait for organizations to do it for you. And hopefully, it’ll pay dividends and a good return on investment later, when you get that promotion you’ve been really wanting.
KO: With the labor shortage, are you having a difficult time recruiting right now? Because at least on the contract side, labor shortage has been the big issue. People are running into overtime issues. So, I’m just curious from in-house security recruitment, how are you dealing with this?
MH: Certainly, it’s a competitive environment. The issue we deal with is retaining employees, especially newer employees that are in some of the entry-level roles at entry-level salaries. In many locations, people can leave a job making $20 an hour and go make 22 or 23, or 24. But at Mayo Clinic, we have amazing benefits, we have opportunities for growth, we have a huge organization. So, where you start doesn’t necessarily have to be where you end. We have generations of employees at Mayo Clinic, we have literally entire families that work here. The mission of this organization is unlike any that I’ve ever been a part of, with people who are committed to a common goal.
It’s just an amazing thing to see, and it’s even more of an amazing thing to be a part of. When we see planes with foreign heads of states that come here for medical care, or ordinary people that come here from all over the world, I’m reminded and my people are reminded every day that they’re in a unique position. I try to convey to my staff that some of what happens within the walls of Mayo Clinic doesn’t happen anywhere else in the world. So, I try to energize people in terms of that uniqueness, and how working here really matters.
KO: How are you handling coordination and collaboration between Mayo Clinic and law enforcement agencies?
MH: Mayo Global Security successfully partners with local, state and federal law enforcement organizations, domestically and internationally, and we actively participate in an array of law enforcement, intelligence and security organizations. In Minnesota, Mayo partners with the Rochester Police Department in an innovative healthcare-law enforcement partnership. Modeled after police school resource officer programs Mayo/RPD Hospital Resource Officer program provides “embedded” police officers into the healthcare environment and has proven a huge success. The officers receive healthcare- appropriate training and Mayo-centered orientation.
Given my law enforcement background, I understood the value in my personally reaching out to local chiefs of police, sheriffs and federal partners, arranging meetings and establishing relationships. Collaboration on the front end leads to success during chaos. Healthcare is so nuanced, and things like patient privacy and HIPAA are so important for our rules of engagement. Our police partners who work in our environment have responded extremely well to these nuances. Also, I think it was important for the people who work for us to understand that we have those relationships, and I have those relationships with the head of the FBI, the Department of Homeland Security (DHS), the State Department, the Secret Service, the U.S. Marshal’s, ATF, and the DEA.
When we’re dealing with threat management, threat assessments and the inter-relationships between community and healthcare environments, it helps to have cemented relationships so we can come together collaboratively and creatively to solve challenges. The partnership that we have with the Rochester Police Department under Chief Jim Franklin’s leadership, the Jacksonville Sheriff, and our other partner organizations is amazing. I couldn’t ask for more. We’ve created symbiotic relationships, between their understanding what our needs are in health care, and our understanding and respect for the law enforcement partners and services that we need.
Lastly, our engagement both the FBI DSAC Public/Private Partnership initiative and the DHS Private Sector Engagement and OSAC has been critical.
KO: With all the lessons learned over the course of your career, what’s the best advice for security professionals?
MH: Leading up and leading across are equally important as leading down. We spend a good amount of time influencing people and culture. Be intentional; build and develop diverse inclusive teams; and make DE&I (Diversity, Equity and Inclusion) a business imperative aligned with your organization’s business goals. From an HR perspective, anything less is not preparing your organization for the future. Understand the differences between leading through influence and leading through authority, and accept “no’s” as opportunities for growth, improvement and redefining your expertise. Every closed door ignites an opportunity to think differently.
For frontline workers, stay committed to investing in you. It is your job to manage your career. Don’t wait for company-sponsored training to improve your competencies. It always amazing me how many people take on the position, “When the company pays, I will go.”
For executives, it’s hire and train the very best people, gain buy-in from them, establish trust, and empower them to execute. Regardless of your business climate, resist the urge to micromanage good people.
Learn and study different people’s personality types and learning styles. Myers Briggs, Tru Colors and other such methods are amazing resources. Team-building is not just about the right people, but the right temperament. So often, we get so super-focused on execution that we lose focus on people. I like to keep in mind the maxim, “Leadership Is About People, Management Is About Things.”
If you can get people synergized and coalesced around your goal, anything’s possible. So for me, team-building is very important. It can be a formal team-building session, or it can be a very simple afternoon at the ballpark or hike up a mountain – anything that engages people and helps people understand that they’re a part of something bigger than their unit or their group.
I am the CSO, but I’m not enamored with my position, I’m enamored with the idea that I get an awesome opportunity to impact people and to impact business. My greatest joy is looking back on all the people that I’ve been able to lift up, and looking ahead to those who I am working on now.
KO: What changes do you believe may most affect security practitioners going forward?
MH: Security is no longer gates, guards and guns. What has gotten us here is never going to take us there. Performance management and key performance indicators will continue to drive our strategies. FTE (full time equivalents) increments will continue to be a sensitive topic to business leaders. Can we do more with less, will remain a part of the lexicon of our discussions. Can technology be leveraged against increase in budget and FTEs?
From an HR perspective, recruitment, hiring and retention of staff particularly for entry roles is going to remain challenging given the impact of the competitive market environment. How to maximize security technology integration into consistent operational workflows; the Internet of things (IoT) and the many implications it will have on security technology; staying abreast of changes and anticipated new technology paths – which means ensuring enough time is available for research or “sharpen the saw” type activities – and the impact that technology will have on the “boots on the ground type calculations,” along with the ability to speak to that change and accurately plan for it, will remain priorities.
Security is a trillion-dollar business that involves so much more than putting bodies in place. It’s intelligence. It’s technology. It’s automation. It’s artificial intelligence. It’s budgets. It’s HR. It’s a business, just like any other business. We need to be preparing for and recruiting people that have an agile and change management mindset. If we don’t want high turnover rates, we have to continually invest in the training of people. You want to create positive environments so people want to stay, and you build that sort of muscle memory internally.
KO: Do you believe there is a place for autonomous response and robotics in security industry today?
MH: Mayo Global Security continues our drive towards innovation in a measured and disciplined way. There is a place for robotics, but it will be situation-specific. For example, the robot dog that I saw demonstrated at ISC West would be great for an area that doesn’t require 24/7 staffing but could respond to an intrusion, and maintain visual and communication through a GSOC while an officer responds. There could also be an opportunity to utilize this type of response and technology in a parking garage or parking lot.
It also doesn’t need to be a vehicle robot. It could be autonomous response through things like observation towers that utilize AI to identify potential threats, triggering a response. In the very near future, period drone certification might very well be as common a certification in our field as CPP or PSP. Accordingly, I already have a number of my team members who are drone pilots. We are ready for the future!
There’s a place for most every type of advanced technology that exists on the market today. The question is, where and how, and to what extent. Business leaders are looking for ways to cut costs and make processes more efficient. The question is, are there places where we can substitute for FTEs and better leverage technology; where we can go to a business leader, and say, “Hey, we saved 10 FTEs by leveraging technology in these core areas.” That makes any business owner or CEO very happy.
KO: Do you have best practices among your various locations in Minnesota and Jacksonville and Phoenix? Is everything uniform, or do you do it a little different depending on location?
MH: While there are some best practices as it applies to people, process and technology, each one of our locations is very individually nuanced. The FBI uniform crime reporting statistics vary from Rochester, Minnesota, to Phoenix or Jacksonville. The topography of all of our operations is different within the U.S. and clearly in foreign settings, as are the geopolitical risks. As much as we execute on risk-based principles and standardization, local nuance and considerations are very important.
KO: Because you’re a research hospital, you’re not only protecting people and assets, you’re protecting very essential information, cutting-edge research.
MH: In Global Security, we are a part of the risk function, incorporating compliance, privacy, operational risk management and audit. It’s safe to say that we want the people on our staff being very mindful of their roles in the larger picture. Working at Mayo Clinic, we’re collectively responsible for so much, and we’re literally on the cutting edge, protecting some of the most critical infrastructure in the world, and our people buy into that. We maintain our critical connective tissue to our internal stakeholders in the information security business and others to maintain this cadence.
