Risk Management - Enabling the pursuit of excellence with Joe Olivarez Artwork

Caffeinated Risk

The monthly podcast for security professionals, by security professionals.Two self proclaimed grumpy security professionals talk security risk, how they’ve managed it in the past and forward looking discussions with guests working in information security and risk management.

All Episodes

Caffeinated Risk

Risk Management - Enabling the pursuit of excellence with Joe Olivarez

May 07, 2026 • McCreight & Leece • Season 6 • Episode 3

0:00 | 32:20

Visiting the Jacobs Engineering website you'll undoubtedly encounter the phrase "challenging today", an acknowledgement that the world is much more complex than ever before. While "it ain't like it used to be" can be said of any risk manager's portfolio, Joe Olivarez became the first global security leader in Jacobs history more than a dozen years ago. How much has changed in the last 3 years, let alone 13.
Currently the Vice President, Operational Center of Excellence for Jacobs, Joe shares a candid discussion on how risk management has changed both wholistically as a profession and more specifically with large infrastructure projects. In addition to executive leadership for a world renowned organization, Mr. Olivarez is the most recent past president of ASIS , joining the show's own ASIS past president discussing ESRM roots.

Joe Olivarez 0:00

We know behind the uh the cyber or or you know folks that are wanting to attack, you know, engineering systems or SCADA systems or other OT systems or whatever they might be, there's a person with intent behind all of that, right? And so they could be doing things operationally or they could be doing through through the systems. It's still the same people with the same intent of disrupting your business, stealing your money, causing you harm around reputation. And it's really important to have that conversation in a broad sense, but also organizations, big or small, have to spend time and really determining the risk tolerances and the resources that they need to manage this challenge globally, macrally, and in an interconnected state. Hope that helps out, Doug.

Doug Leece 0:49

No, absolutely. I think you summarized it great. You can't separate them when you get to the top of the boardroom table. Yeah. It all looks like money and disruption to them, right? It does. It does.

Announcer 1:06

This is Caffeinated Risk, the podcast for security professionals by security professionals. Here are your two self-proclaimed grumpy security guys, Tim McCree and Doug Lease.

Tim McCreight 1:24

Our next podcast guest is Joe Oliveras, the Executive Vice President, Health, Safety, Security, Environment, and Enterprise Quality at Jacobs. He's also the 2025 past president of ASAS International. Joe became the first global security leader at Jacobs in 2014. And due to his leadership and focus on risk and resilience, his role expanded to include leading the global quality team, the operational center of excellence, and eventually to his current role in 2024. Prior to Jacobs, he held increasingly responsible roles at Baker Hughes, from manager of investigations to director of security global operations to VP Enterprise Security and Crisis Management. Joe's business approach to security led to the maturity of his team's adoption of enterprise security risk management, along with business planning, strategy, and resilience. Joe has been recognized as the IFSEC top global influencers for security and fire in 2018 and identified by Security Magazine as one of the most influential people in security for 2021. He also received the Don Walker CSO Center Executive Award in 2021. And now let's check out our latest podcast with Joe Oliveras. Joe, it's great to have you on the show. Thanks so much for being part of Caffeinated Risk. We appreciate you coming on board. Thanks for that.

Joe Olivarez 2:53

Thank you, Tim. Pleasure to be here. And I need uh some more caffeine.

Tim McCreight 2:58

I was gonna say, you know, this is we we always stock up before we start the session, so you betcha. We got a lot of questions I want to get into today. But first, uh one, I I want to thank you for the time and your service as past president for ASS. Sat in that chair myself, and I appreciate how much time and effort it is. So I just I want to thank you for the time that you spent as president for SS. You did an awesome job. I thought you know 2025 was just just an amazing year for you, and um, I want to thank you for all your service with ASS.

Joe Olivarez 3:25

No, thank you, Tim. It's uh it's a pleasure. Hard following people like you and you know, Godfrey and Malcolm and and uh you know JP and you know, a lot of great folks uh there historically. Um so it's an honor to be part of that group, now a past president group, but but thank you very much. And and none of it can be done without you know the volunteers and all the constituents that we serve. It's a great, great association, great organization.

Tim McCreight 3:50

You betcha. We're gonna need like a coffee mug or a ring or something. I don't know what it is, but we've got to we gotta we've gotta come up with something, right, for a past president. So um one thing I did want to ask though, just to kick things off, is I'm really fascinated about the career path you've taken and where you came from and how you ended up today in Jacobs. So can you can you take a little bit and walk us through how you got from where you first started and where you are today? And I think that's it's a really cool story for the for the audience here at Caffeinated Risk.

Joe Olivarez 4:18

Yeah, thank you, Tim. Uh look, it's a conversation I've been having uh a lot uh lately with with people, which is uh uh you know really nice um to talk about. I you know, early, uh I kind of knew I wanted to get into security, law enforcement, investigative kind of work very early in my career. Um I'm the oldest of three um you know siblings, uh two sisters. I had no brothers, um, but I had uh a couple of cousins that were in in law enforcement, and um I was very close to them. I looked up to them, and that gave me my kind of initial uh you know, piqued my curiosity uh very, very early on. Um so um stayed in that channel. I knew that's what I wanted to do. I went to a liberal arts uh college uh here in East Texas um and uh pursued my criminal justice degree. But one that was a little slightly different um in that most criminal justice programs, way back then when I went to university, a long, long time ago. Yeah, uh it was uh you could take two paths in criminal justice. It was corrections or law enforcement. But at this one, Stephen at Stephen F. Austin University, they had uh something called um uh legal research or legal uh legal emphasis. And so I had aspirations to potentially go to law school later on. Um so I took that. And about two and a half years into the program, uh they expanded the program to actually uh introduce this whole world of private security uh that we now know private and corporate security, uh, which again began to pique my curiosity and be fascinated by it. Um I um at least uh had a good time in college, but I also was pretty mindful of making sure that uh I I took part in the appropriate studies, and so I got the honor of being recruited by or interviewed by an organization called General Dynamics in Fort Worth. It's an Air Force defense contractor. Um they came down to talk to a couple of top students at the university. I happen to be one of them, which was great. Uh, got the interview and got the job and got into this world of corporate security very early on in the government defense side. Um, really began right from the beginning, right from the basic, right? You know, how you deal with access control, how you deal with physical security systems, how do you respond to incidents, how do you monitor alarms, how do you you know do it all, which what which I thought was great, right? Because I didn't come in into some vertical, it was really a wide aperture of how to do that. Uh moved up to an analytical position, security analyst, also began running operations for several facilities. Um, and then I was recruited by NASA at the Johnson Space Center here in Houston, which is where I'm from. So that opportunity to come back to Houston, be closer to the family, um, and now instead of being on the government defense side, actually being the client on the government side. So came here. Um one of the things at General Dynamics that really I learned a lot was the investigative side, working with the historical uh office of special investigations folks. They recruited heavily out of the Air Force as an Air Force defense contractor. So um that investigative uh capability was an area I wanted. I continued to grow. I ended up being the lead criminal investigator at the NASA Johnson Space Center um, you know, over my seven-year career, uh, focused a lot on, you know, espionage, sabotage, uh, working counterintelligence, you know, work, uh risk analysis, um, even executive protection there. What people maybe don't understand is that if you come to Houston, everyone wants to come to the NASA Johnson Space Center, including dignitaries and presidents, right? Right. So our work with the Secret Service, with the Diplomatic Security Service that had protective uh responsibilities for um international leaders, um, I got very involved with. So did that over a period of time, you know, guys, and and as I was going through there, um, I wanted to go back to school. And so the decision was do I go do the law school or do I get into business? And I was seeing security, you know, change. So within the government side, there's a lot of regulatory things, right, that are happening. Um, but in the broader corporate, you know, side, there are regulatory things, there are other legal liability things, there are softer things that you've got to think about in the context of security and how that may affect you know your business. So I actually went back to get my MBA. And as I did that, and and I wanted to bring the business acumen to security. Um, learned early on that in order to kind of you know sell things, you have to be able to influence, you have to be able to understand your constituents and understand what kind of pulls their you know, pulls their strings, what's important to them. Um, and oftentimes it's the business side or it's the financial part of the business side and those kinds of things. So doing that, and then after that, I went to um, I left the government and I went to a consultative, uh global consultative and investigative firm. So I wanted to take the the skill set on the security SME and the business side and and go go practice this, right? And the advisory side. Um I was recruited initially to be one of their lead investigators and and actually from a career perspective, I actually pushed back on that and I said, look, I want to do something different, right? I've yes, I've got the investigative side, but I've got all this other security side. So let me work on the investigative and the security consultation side, number one. And then number two, I want to learn how you run the business. So I want to get involved in the marketing, the business development, the client engagement, the, you know, how do we how do we, you know, uh, you know, talk to banks about the, you know, the financial access that we need and those kinds of things. So did that, and what I learned, Tim, was that, you know, as we were servicing our clients, they're all different. I wanted all our clients to be my number one client and want them to feel like they're my only client. But you know how hard that is to do, right? You know, for for all of them. But they all were different. They were oil and gas, they were uh technology, they were the entertainment industry, they were transportation, they were finance. So what I learned was even security within that context is different in in a lot of these places. So there's some things that are that are core, and that there are some things that are different by industry or even by culture of organizations. Um did that, being in Houston, oil and gas is a big thing. I went to Baker Hughes, oil and gas, uh large organization. Um, and that probably changed my career. So taking all the investigative stuff, helping build anti-corruption programs for them, uh, doing investigative work. I met um my mentor Russ Kinsilla, who asked me, what do you want to do? And I said, I want to be a chief security officer. I was leading our anti-corruption, our investigative program there at Baker Hughes. And he says, Well, then I need to take you out of that. And I said, Oh, I'm I'm I'm precious, you know, about this. He said, Yeah, but you have all these other skills, right? So come be my director of operations, help build this program that was built vertically, build it globally, horizontally, integrated, um, and lead crisis management, physical security, investigative, just kind of help lead it all. So did that. Um, and then really the last thing I'll get to it is uh where I am now at Jacobs. I was hired to then so ended up um you know kind of uh supporting Russ in that role. And I was ready for the next chief security to be a chief security officer. That role with Jacobs came up. Um, you know, I took it to be the global security, you know, director. Um, and now I'm the EVP of security, health safety, environment, and quality. Um, there's a whole journey behind that. Maybe we could talk about that as we go, but that's how I got to where I'm at, you know, today and still loving it, Tim. That's awesome.

Doug Leece 12:22

Yeah, I I'm glad you mentioned Jacobs because I was gonna ask the question and I wasn't sure if it was legit. I mean, we we know that on this show our views represent ourselves, not necessarily our company, but you know, people tend to put those two together. With an engineering company like Jacobs, and of course Houston, it's a lot of oil and gas and things like that. There's a lot of cyber physical elements to it. And are you finding with the digital control of a lot of this cyber physical and the thing that you actually have to be in front of a piece of equipment, or you could be manipulating it electronically, is really making the whole investigation and protection extremely difficult to even design for?

Joe Olivarez 13:15

Well, I think you know, for me, we've got we've got you know great engineers here. I think any engineering company globally, any company today, I think we'll just take a step back from a from a cyber and from a physical security perspective, you can't have one conversation without the other anymore. Um, and at least, you know, here and where I've been, and certainly on the consultative side, you know, we really think it's really important for, you know, the cyber organizations, the global security and resilience organizations or corporate security departments to really work hand in hand with one another, right? To to proactively look holistically at what security risk looks like or what risk looks like to the to the organization. I I have this conversation a lot with with leaders about you shouldn't compartmentalize these things. You know, you have some SMEs that have deep domain experience and on both sides, you know, of this. But as you you know kind of walk up the ladder and and you think about what an executive leadership team or a board you know needs, they want that wide aperture of of understanding. And also that consistency and clarity. And so if you're if you're either the CSO that has both uh remet for uh both cyber and operational, or you're not, you know, it's compartmentalized and it's separated. The important thing is that your board in ELT doesn't always need to know all those details, they need to understand your security risk and what that looks like. Right. And these levers really pull uh left and right of of one another. We know behind the uh the cyber or or you know, folks that are wanting to attack, you know, engineering systems or SCADA systems or other OT systems or whatever they might be, there's a person with intent behind all of that, right? Yeah, and so they could be doing things operationally or they could be doing through through the systems. It's still the same people with the same intent of disrupting your business, stealing your money, yeah, causing you harm around reputation. And it's really important to have that conversation in a broad sense, but also organizations, big or small, have to spend time in really determining the risk tolerances and the resources that they need to manage this challenge globally, macrally, and in an interconnected state. Hope that helps out, Doug.

Doug Leece 15:50

No, absolutely. I think you summarized it great. You can't separate them when you get to the the top of the boardroom table. Yeah. It all looks like money and disruption to them, right? It does. Now, Tim and I were talking about this just beforehand, and a lot of people probably aren't aware, but ACES, of course, has been almost like the flag bearer for ESRM. Because in the original history, I think it was Isaac, ACES, and one other group whose name escapes me started this. But ACES just kept going and everybody else kind of fell off. And it's rather ironic that now we're talking about things like resilience and understanding your business as security principles. And it's like Yeah, we've been saying that for 25 years. Why do you think it's finally catching up that people get it?

Joe Olivarez 16:50

You know, that's a that's a that's a great question. Um I think there are there are probably a couple of things, and there are probably many more that I won't mention here or or or just don't have the you know the time, but a couple of things. One, when you think about the visibility of threats today, uh they're much more visible to all. Right? So so all of a sudden your your customer plate has become bigger. So before it might have just been that uh executive leadership team member, but now that HR person hears that same news story, or that employee actually hears that news story, and they begin asking, what are you doing about this, right? Um, and how is the company handling it and and those types of things. So I think we where we are today in in media, uh and all kinds of media, right? Whether it's digital media, uh direct news media, all the the back channels and all the podcasts and all the other things that we have out there, right? People are the ability to kind of see um things good and bad, uh, are more visible to everyone. There's an expectation that's created. I think today going into business is hard. It is a hard thing to do. And when you look at all of the um the different nodes that affect your business, there's just so much information that you've got to be able to, you know, consume and process and build capability to do sat do that because the one CEO can't do it and the one ELT can't do it, it's got to go through through that. Right. And I think people are beginning to understand that, right? Business is hard, and there's a there's a collective approach that we we have to take. I think also a place like the US and others, there's a regulatory environment in um regulated businesses, right? You know, if you're a publicly traded company, there are certain requirements and things that you have to to do, report on your your cyber deficiencies or threats, or you know, whatever it might be, more regulation being driven. I think about California, workplace violence now. It's not enough to say you're doing something. You have to have a plan, you have to train people. That plan has to be available to your employees for them to see and all of these things, right? Yeah. So our ability now to then also educate our business that that's a need, and them seeing that, that that's making things a little easier. But part of that regulatory piece is it's required. And many board members, when they go through their corporate director training, they're hearing about the cyber threats, they're hearing about the executive protection things, and these are things that they are being trained to ask for. Um, so you as a security practitioner, um, you need to know that. Yeah. And you need to know the tools available to you, like ESRM. And really, how does ESRM even connect into global corporations enterprise risk management programs, right? So taking because a lot of ESRM, that's what it was. Yeah, it was taking that security lens but connecting it to HR and to business and whatever. Agreed. Now you have more organizations that have a real enterprise risk management leader or C-suite person or person responsible. So I think even organizations have gotten better around this, have institutionalized things around this, and I think we've evolved, right? And I think the last thing, these things are the right things to do. Ultimately, our job is to make sure that our people are safe and secure, and that our businesses have, you know, great environments to be able to execute on them. And if you want to be in this profession, it's the right thing to do, right? So you may get some pushback, but it really is you kind of going back to the relationship, and and I'll use another word, influencing. It's your job as a leader and as a as a security organization to spend some time influencing, right? And I don't mean that in just to get what you want. No, influencing, educating, building relationships, bringing building that trusted environment that people can come to you in times of stability and in times of instability. You know, it's one thing we I shared today with with folks. When you can deliver what you're delivering in times of stability, that's good. That's expectation from the client. But when you can deliver in times of instability, that's a differentiator. Yeah. Both to your people that are working for you and the clients and constituents in which you serve and the communities that you're involved with. So hopefully that helps bring some color to that.

Doug Leece 21:33

I think highlighting bringing that capability in a time of instability, you know, they call it resilience now, but you buy this product because you know no matter what it's going to be there. I don't think there's a business out there that doesn't have at least one competitor. So yeah, differentiators are important too. Absolutely. No kidding.

Tim McCreight 21:55

And and I really appreciate that. This whole idea of linking it, and this was you know, going Back, sadly, I've watched ESRM mature from way back almost 20 years ago or a little piece of paper? Yeah, on a piece of paper. Yeah, yeah. This is why you don't get security professionals in a bar late at night. That's just a bad idea all around. Um, one of the things that we caught early on, and you know, Doug and I lived this in one of the organizations we worked in, was you mentioned linking the ESRM program up into the corporate ERM program. And we had that, we structured that in one of the places that we worked at. And it was fascinating to watch how the work that we were doing fed up into the larger program. And when you go to look at what the ERM program is doing, and they're able to show the difference in the cost of the American the Canadian dollar by the penny and how that impacts the organization we were working at. Because we we traded in a commodity that was both on the Canadian and you know, had sold at a Canadian price, but also listed worldwide on American cost per barrel. That was probably a giveaway. Um it showed exactly every time there was a change in the currency between the American and the Canadian dollar, what the risk was to our company. And how we were able to show with our security program is that every time we identified a risk and reduced the risk, we were able to ensure that you were successful that day. Man, that lesson stuck with me forever, and it still does today. It's one of those, you know, it's one of the areas that I keep going back to and I'm when I'm talking to some of our clients and even mentoring some new leaders, is that you need to find friends, you need to be able to, you know, to your point, Joe, you need to be able to influence the decisions based on a business set of data, not a technical set of data. Like no executive wants to see a firewall report of how many, you know, incidences you blocked. They couldn't give a shit. That's not their job, right? But when you can tell them that today or this past week or this past month, even though we opened up an office in Spain or in China or somewhere else in Southeast Asia, we were able to ensure that our intellectual property maintained and stayed within the organization and we were able to deliver a product and we were able to meet our delivery requirements across that region. That to talk to it in that language, yeah. That's such a huge differentiator. And for people to find the right path to speak to executives on risk, I wanted to ask, how did you change your approach to talking to executives about risk? Like from when you were early in your career to where you are today, because right now you have, if memory serves, you have a really big team and you've got a lot of folks that now report up into you. And you've got more than just security, but your presentations, your discussions, your the way that you present risk or how you're addressing risk at that level. How did your message change or how did you approach it differently from when you first started your career to where you are today?

Joe Olivarez 24:43

Yeah, look, I think, you know, early on I was really focused on, you know, the threat, you know, down at the coal face level, right? You know, what was happening right there. You know, I didn't I didn't have the well, it wasn't that I had didn't have the I didn't focus on the ability, you know. Sometimes uh, you know, to look up and to look out, right? I was trying to solve that problem right there. And I thought also, hey, you can become more successful, you know, the more you get things right, and you go on to the next one, and you know, that's the way things were done. It was a it was a churn, right? Certainly as you go up an organization, things kind of go like this, right? So you know what you're what the span of control is, um, what your you know influencing, what the portfolio, you know, looks like first it was very technical. Then as I got into the business piece, it was beginning to understand the business language. So a lot of my time early on was really understanding their thoughts about risk from their you know uh lens, and me trying to translate that to one my security knowledge, but also my new knowledge of business and how that might affect them. Now it's gotten to a point where one, I understand their business now, and I understand the security piece. So when they're talking to me about what risk might be to them, they only see it from their lens, not just that pure one-on-one, you know, business. They don't see it from my lens, right? Right. So that ability to then broaden and shaping shape that out. So a lot of it has become teaching in a positive way, helping them broaden their aperture, right? So they see rix risk here, but they really need to be seeing it here, right? And that's what's what's changed. I think the other thing that has changed for me, um, certainly down you know, early on, it was very technical, long explanation. Now it's broader, it's certainly what's the impact and or potential impact to business, and it's crisper in its delivery. So, even from a crisis perspective, I'm not gonna go narrate what that whole scenario is, right? But there are gonna be four things I'm gonna tell them. How is this affecting your people? How is this affecting your environment in which you're operating? How is it affecting your your assets in any way? And how is it affecting your reputation? We call it a paraprocess, right? We'll we'll we'll go through that, and that might be slightly you know changed depending on, but that's gonna be consistent to them. The other thing is that they're in crisis or high events, they know that's how they're it's coming to them. Right. So we've educated them around what to expect in the content, and if they don't see that this risk that we're dealing with, you're not telling me how it's affecting my people, they're gonna ask that question. Oh, okay. Or you're not you're near you're not you're not informing me as to what are the reputational considerations. And not just from my lens, right? I'm talking to you know to other leaders on the ground that they're thinking about their reputation. So there's some structure, there's some crispness, you know, to it. And the other thing I would I would say, Tim, is uh every constituent is slightly different. Yeah. The CEO constituency versus the chief operating officer. They have different constituents. Yeah. I mean, ultimately, yes, we're all serving our our employees, our people, and our shareholders, but you know, a CEO is the board is their direct constituent, you know, as you as you know, uh Tim, and leading the board, right? And and they need to, you know, to know certain things. Whereas the chief operating officer, one of his constituents is the CEO, another one is the operations team, right? So that's the other thing around risk, is that not only how do I present the scenario, but what are the things that they might need to be thinking about for in addressing their constituents, right? So helping them around that. So in addition to the to the risk conversation, it's also guiding them into the things that how are they gonna answer this, right? And how do I help it help them, how do I enable them answering that clearer and faster? Yeah, that's how those conversations have changed.

Tim McCreight 29:17

I'm gonna sneak in one last question before we let you go, Joe. It's if if you're gonna if you were gonna give advice to somebody who wants to come into the profession of security, what would you give to somebody new coming in or who wants to look at a career in security? I would I would say say yes.

Joe Olivarez 29:36

And and and what I and and what I mean by that is not just say yes to security, but to your point earlier, Tim, say yes to investigations, say yes to cyber, say yes to physical security, you know, say yes, right? Early on in my career, you know, when people started asking me to, you know, support safety, I said no. But then when you step back and you look at the interdependencies of safety and security into emergency and crisis management and continuity, into incident response, into how you manage the health and well-being of people, right? If we think about our jobs and security and how stressful that is, but if I can take our positive mental health and well-being aspects and and and integrate them into our security processes, how much better would that be? Yeah. So my my answer is say yes, right? Say yes to the industry, say yes to the opportunities that are presented in front of you, you know, be curious and don't think about am I a practitioner, a supervisor, a manager, executive? Go take the journey. The journey will lead you to the right place. If you're true to yourself, understand your individual purpose, my individual purpose and my business purpose lines up. It's this simple. Help other people up. That's it. And that has served me well, certainly in this profession, right? Helping people up, it aligns with that. But I think that if we stay core to our your values, say yes, be curious, experience the journey, right? That's what I'd say too.

Tim McCreight 31:15

That's the perfect way to end it, Joe. Thank you so much for being on the podcast. We really appreciate it. Thank you again. Wonderful.

Joe Olivarez 31:21

Thank you, Jens, for inviting me. I really appreciate that. It was great time. Thank you. Thank you.

Tim McCreight 31:31

Thanks for listening to the latest podcast from Caffeinated Risk. Make sure you visit our website, caffeinatedrisk.com, to stay up to date on what we've been working on. Our website has bios of our podcast guests, posts about topics we're passionate about, and even a library reference material we find valuable in the work we do every day. And don't forget to subscribe to Caffeinated Risk on your favorite podcast service. This way you'll be notified when we release our next podcast. And you can listen to our previous guests just in case you missed it. Thanks so much for listening to Caffeinated Risk.