As the U.S. cannabis industry expands, so do the opportunities—and risks—for security professionals. From an illegal status at the Federal level and operating largely in cash to a complex supply chain that demands seed-to-sale tracking software and accountability, vulnerabilities are everywhere.

The ASIS International Cannabis Security Standard is now available. It includes an annex that dives into the specifics of the individual components that make up a physical protection system (PPS) and offers the reasoning behind their design and use. Basic PPS requirements are listed, as well as options for consideration.

We sat down with Guidepost Solutions’ Tim Sutton, CPP, PSP, PCI, co-chair of the ASIS Cannabis Security Standard Technical Committee, to learn more about this new standard.

Q: How has the cannabis security landscape changed in the past decade?

A: The most notable change in the cannabis industry is the creation of a legal adult use/recreational cannabis industry alongside the established medicinal cannabis industry. This opened the door for anyone 18 years or older to purchase cannabis as opposed to being limited to only individuals suffering from certain medical conditions that qualified them as medical cannabis patients. 

Q: What are some of the most pressing security issues the cannabis industry faces? 

A: The most well-known security issue the U.S. cannabis industry faces remains the fact that cannabis is listed in the Controlled Substance Act’s (CSA) Schedule I as federally illegal to grow, manufacture, or possess. This translates to a lack of banking options available to the cannabis industry that are available to every other legal industry, making cannabis a cash-only business and inherently high-risk. 

Q: Can you please share a brief overview of the new ASIS International Cannabis Security Standard? Who was involved in developing this new standard? 

A: The Cannabis Security Standard creates a detailed recommendation for a security program within a cannabis organization based on long-established security principles and concepts used by every other type of organization across the globe. Regulations vary wildly across jurisdictions and generally require physical and technological security measures that fail to align with the Enterprise Security Risk Management approach to security risk. This standard addresses the security program in its entirety, providing mitigation strategies to protect cannabis organizations and their assets from a security practitioner’s vantage point. The technical committee that worked on this standard was made up of 25 security practitioners, half of whom are board certified by ASIS International as security professionals holding either the CPP, PSP, or PCI or some combination of the three. Some work within the cannabis industry as security managers and directors, others work with the cannabis industry as consultants or security service and products providers, and one is a compliance enforcement and training officer within one of Illinois’ cannabis regulating bodies.

Q: How does the standard approach the most pressing challenges this industry faces while ensuring business continuity in the wake of a security event? 

A: The standard establishes requirements for a security program including operations, management, and technology and includes an annex with further options for consideration to strengthen the organization’s security posture beyond simple compliance with their jurisdictional regulations. There is also guidance to establish, implement, and maintain procedures for incident prevention, preparedness, and response to ensure the integrity and operability of its cannabis security program during situations that may impact the organization. 

Q: The cannabis industry is a complex network connecting production, transportation, and point of sale. How does the standard apply to these (and other) elements of the industry? 

A: The cannabis standard applies to all areas of the cannabis industry including cultivation, processing, manufacturing, transporting, and retail distribution. By using Enterprise Security Risk Management principles, the standard gives a strategic approach to security management that ties an organization’s security practice to its mission and goals, using globally established and accepted risk management principles. 

Q: What makes cannabis security different from security in other industries?  

A: Cannabis security shouldn’t be any different from security in other high-risk industries such as jewelry or retail establishments. However, the cannabis industry tends to implement security for compliance with its regulations. Unfortunately, the regulations have been written by individuals who are not security professionals and are often impractical, outdated, or simply based upon practices and concepts that are misunderstood by the regulating bodies. 

Q: How can cannabis security professionals leverage this standard in conversations with the C-suite? 

A: This new standard will help justify expenditures or practices aligned with its requirements and options for consideration. The annex to this standard contains educational elements that will help explain the “why” and “how” to implement physical protection systems (PPS) for the purpose of building a strong security program meeting, and in many cases, exceeding the requirements of their local jurisdiction. 

Tim Sutton, CPP, PSP, PCI, works as a senior security consultant at Guidepost Solutions and volunteers with ASIS as the vice chairman of the Professional Standards Board (PSB) and co-chair of the technical committee for the Cannabis Security Standard’s development. Sutton has been an ASIS member for twenty years.