If someone had told Scott Pettigrew 20 years ago when he was first starting out that he would go on to build complete security organizations for three different large companies, he might have just taken a nap. Instead at this point in his career, Pettigrew finds himself the architect of security programs for no less than Tandy Corp., American Airlines and his current employer, HMS-an achievement of which he rightly proud.
Pettigrew's security career began in 1994, when he was asked to run security at Tandy Corp., a family-owned leather goods company. "Security wasn't such a developed area back then," says Pettigrew, now vice president and CSO for HMS, a cost-containment firm that serves the healthcare industry. "There wasn't the focus on security then that there is now. It was much harder to get things done, get budget." A lot of the focus then was on basic user administration. Let's just say the world has grown much more complex.
After a stint providing security advice for management consultancy Ernst and Young, Pettigrew was lured to head security for American Airlines in 2000, where there was a lot of tumult even before 9/11. "That was right when they were splitting from SABRE and just starting to hire IT staff," he says.
As for security, the airline was lacking. Pettigrew had carte blanche developing the program. "They had so many problems on the IT security side the auditors said it was going to have to be a footnote on our next financial statement. So there was a lot of work to do at that point," he recalls.
And then hijackers struck two American Airlines flights, along with a United flight, throwing the airline, the industry and the economy into turmoil. "We were implementing a security architecture [when] 9/11 hit and everything went crazy for the next year," says Pettigrew. "I worked more in that year and a half than I ever had before." He worked with the FBI during that time, and he's still sitting on stockpiles of information that he can't talk about thanks to a nondisclosure agreement.
After that, there was a much greater emphasis on security, both at American and throughout the industry. "Internal controls became crucial, and understanding patterns and data mining pretty much started then," he says. Pettigrew remained for a year and a half after 9/11, but then he needed a break. "I just had to get away from that for a while."
He opened his own security consulting firm, but "it wasn't as easy as I thought it would be." In 2004, he was asked to create the security function from the ground up for Baylor Health Care System, which gave him an understanding of healthcare. Four years later, with Baylor's security program in good shape, Pettigrew was asked yet again to build a security organization, this time for HMS.
His reaction? "Oh my God, here I go again," he says with a small chuckle. "But I realized those opportunities don't really come along all the time." At HMS, "I had one person for more than a year; now we will have 21 people at the end of this year" protecting 2,500 employees, he says, adding that finding good people with the right mix of technical and business skills is the most difficult part of his job.
Besides building up his staff, Pettigrew has excelled at working with a corporate culture that was less than welcoming to change in general and security in particular. "This started as a very small company. Over the last five years, it has grown exponentially," he says.
When he joined in 2008, the culture was like the Wild West, with virtually no controls. Many employees had been at the company forever and were not inclined to change. Pettigrew's right-hand man (and first security hire) George Macrelli, director of security assurance, says his boss succeeded in establishing early on why it was critical for the company to change its ways.
At the same time, Pettigrew managed to move the culture without being dictatorial. CIO Cynthia Nustad says, "There are many security officers who have more of a cop-like or military sense of security. That persona might work great for certain types of businesses but may not work well in our industry. We are much more focused on finding the right balance of protection, reducing our risk and adding business value." Pettigrew takes a calmer approach, which is right for HMS, she says.
Pettigrew says he is four years into a seven-to-10-year journey to complete his vision for security at HMS.
"Right now, I am very happy with where I am. It's very rewarding," he says.
Read more about security leadership in CSOonline's Security Leadership section.