Preseminar Programs Leverage Learning
On Saturday and Sunday, the Anaheim Convention Center was the site of preseminar programs on a wide spectrum of security topics.
School security professionals were offered an array of techniques and approaches for cultivating an effective security program in Sunday's preseminar program "Developing a School Security and Safety Plan for the Next Five Years," sponsored by the ASIS International School Security Council. Experts discussed topics including risk assessments, active shooter programs, emergency planning, access control, and how technology can be leveraged to create safer school environments.
Two presenters discussed how school professionals and communities can work together to "connect the dots," looking for indicators that might prevent a future tragedy. Rick Shaw, CEO and chief data officer of Awareity, used the investigative report from Sandy Hook as an example of tell-tale signs that may have pointed to shooter Adam Lanza's intentions to carry out a massacre. "Think of this as a puzzle. If we were to hand a puzzle piece to each one of you as you walked in the room, if you just looked at the one piece you may not be able to figure out the bigger picture," he explained. "But if you're all on the same threat assessment team, there's a pretty good chance you could figure out what it is."
For everyday incidents, school administrators can also connect the dots visually by building a map of the school to indicate when and where incidents occur, said Jason Destein, owner and CEO of Securable Consulting, LLC. These events can be noted by different colored sticky dots.
In order for security programs to effectively protect critical infrastructure, those plans must be made keeping governance, compliance, evaluation, and continual improvement in mind. In addition, professionals can use existing standards and programs as models for their own security plans.
"Governance is the first component and the first critical step in building a security program," said Doug Powell, CPP, PSP, manager of privacy and safety for BC Hydro, who led the program. He pointed out that two program models that can serve as guidelines for security practitioners are the Canadian Standards Association (CSA) Z246.1 and the Transportation Security Administration (TSA) Pipeline Security Guidelines. Those examples provide insight into how security program management can be aligned, and aspects of the models can be applied to any industry.
Establishing metrics to keep track of how the program is going and what changes need to be made is also critical. "We need to understand how to build metrics," said Powell, who is vice president of the ASIS Utilities Security Council, the sponsor of the program. "If we build a program and know what we're trying to accomplish by building a program a certain way, then we should be able to look at those metrics to be able to tell if we've done it, or haven't done it."
Securing Healthcare Facilities
During "Securing Healthcare Facilities: Bringing Physical, Cyber, and IT Security Together to Form a Comprehensive Program," participants discussed some of the unique and complex challenges of health security, from potential hacking vulnerabilities to access control challenges. The program was sponsored by the ASIS Healthcare and the ASIS IT Security councils.
Speaker Coleman Wolf, CPP, security practice leader with ESD Global, discussed how a variety of intersecting factors make the practice of hospital security more complex, as modern facilities contain a complex population and more sophisticated medical devices that can be hacked.
In addition, company mergers are becoming more common in the healthcare sector, and combining two separate security programs into one merged program can be challenging. However, a merger can sometimes be leveraged as an opportunity. If a facility is using an aging identification card system, a merger with another company can be used as a reason to update the program, since the ID cards will have to be changed anyway. "It's a good time to move to the new technology," Wolf said.
Another challenge involves anti-elopement programs, or measures to keep some patients from wandering off premises, such as those with brain injuries or under heavy medication. While access control bracelets can be used that would send signals if a patient walks out the door, they can often be removed or cut off.
Emergent Security Technologies
Participants discussed the latest technological tools available for security programs in "New Frontiers: Legal and Operational Principles for Evaluating and Managing Emergent Security Technologies," sponsored by the ASIS Security Applied Sciences, Physical Security, and Information Technology Security councils.
Speaker Donald Zoufal, CPP, a safety and security consultant and attorney with SDI, cautioned practitioners to explore the operational and legal implications of using such tools. "We have to make sure the technologies we utilize fit into a framework that we're comfortable with."
On Sunday morning, Zoufal led the program through a discussion of body-worn cameras. Given their increasing adoption by law enforcement agencies, $20 million in federal funding was awarded to the U.S. Department of Justice for body cameras in 2015, with an additional $15 million possibly available for 2016. However, the funds are not to be used for camera footage storage costs, which are often the largest cost for organizations that use body cameras. "That's going to be a challenge," Zoufal said.
In the last few years, various state legislatures have passed statutes and regulations regarding the use of body cameras, but these rules vary significantly from state to state. In New Jersey, for example, use of body cameras is mandatory for "certain police officers," but not for all law enforcement. In North Carolina, lawmakers made the state's body camera requirement contingent on adequate funding, so if the funding is not there, the requirement would not hold, Zoufal said.
For law enforcement agencies that plan to adopt body camera use, there will be other issues to contend with. For example, media organizations, activists, and others may file Freedom of Information Act requests to obtain footage after certain incidents. Legal requirements on honoring those requests will likely vary, and are not always clear.
In terms of physical usage, some camera users have found that wearing the camera dead center on the chest works best for capturing footage that most closely represents the wearer's point of view. There's also the question of what resolution the film should be. Some studies have shown that the average human eye sees at the level of 8 megapixels of resolution. Some argue that film resolution should be no higher than that, as more enhanced footage would show things that the average eye is not picking up or discerning. "Enhanced imagery is not something that, as a lawyer, I would find desirable," Zoufal said.
Banking and Financial Services Security
Attendees learned about more than just financial security trends during Sunday's Banking and Financial Services Security preseminar program, cosponsored by the ASIS Banking and Financial Services Council and the American Bankers Association. Michael J. Bacon, CPP, discussed using the Internet and social media to gather intelligence on individuals, groups, and businesses. Investigations and incident response have drastically changed with the advent of social media, and Bacon outlined how open-source intelligence (information collected from publicly available sources) is both scary and useful.
"Profiling used to be just collecting basic information on a person, but now it's a story about this person, and understanding that will really help you in your investigation," Bacon noted.
He illustrated the power of online evidence gathering by showing examples of the information he was easily able to collect on different businesses and even program attendees. Bacon also walked attendees through the advanced search functions of platforms such as Google, Facebook, and Twitter that can be used to reveal hard-to-find information, as well as tools such as reverse image searching and geofencing. "Before you use this to conduct your investigations, use yourself as a subject matter to see what's out there," Bacon said. "Practice on your family, practice on your company. And keep in mind what you're trying to figure out. Are you dealing with a threat case? Are you trying to profile somebody?"
Investigators who use open-source intelligence should be mindful of legal and ethical issues, and should follow best practices such as documenting their investigations and making sure the information gathered is validated through other sources before acting on it. Bacon stressed that not everything found on the Internet is accurate.
Willem Teuben, CSO of MCB Bank in the Dutch Antilles, discussed the types of threats executives can face, the pros and cons of relying on police and secret service for help, and the importance of proactive risk assessments. Teuben also outlined patterns of kidnapping, including the fact that 40 percent of executives are kidnapped while leaving their residence.
A discussion on violent crime trends was held by Steve May, a special agent with the Los Angeles FBI, and Gary Gerlach, a vice president and senior agent with Wells Fargo Bank Corporate Security. Chris Terzich and Jarret Brachman, both vice presidents with Wells Fargo, also outlined how to anticipate crises before they happen. The program wrapped up with a subject matter expert panel discussion on financial security trends.
Reducing Security Vulnerability
Attendees gathered Sunday morning to learn how to calculate risk during "Reducing Security Vulnerability: Mitigation Strategies." Phillip Banks, CPP, discussed different types of security programs and the businesses that use them. Program attendees delved into specific tactics of establishing a security risk assessment program, which Banks illustrated through formulas and calculations. Banks explained how vulnerability, probability, and impact all play into how risk is affected, and discussed the risk of high-impact, low-probability events. He also touched on how to effectively communicate a company's risk profile to executives who may not understand how such an assessment works.
"We have to make sure that everyone sitting around the executive table can understand the difference between probability and possibility," Banks said.
Attendees discussed the pros and cons of qualitative versus quantitative risk analysis, including how to evaluate a company's risk profile using each technique and working with corporate executives to determine how risk impacts security.
The program also covered addressing known and foreseeable threats as well as identifying and reducing vulnerability. Program leaders also conducted group exercises during which attendees worked together as a security team to assess the vulnerabilities and identify solutions for fictional scenarios.
Facility Security Design
Attendees received a primer on the facility security design process on Sunday when the ASIS Security Architecture and Engineering Council took them through a crash-course in the preseminar program titled "ASIS Facility Security Design Workshop." The program was developed from a three-day program the council will put on throughout 2016 that focuses on the lifecycle of a facility security design project from top to bottom.
The council took this approach so attendees "can actually pick up and learn where the most important factors are in that time frame" of the project, explained Mark Schreiber, CPP, council chair, in his opening remarks.
Rene Rieder, Jr., CPP, PSP, explained that one of the most important aspects of a security design project is finding out why the organization is initiating this project now and what the security professional's role is. "Projects are typically triggered for different reasons depending on the department," added Rieder, who is an associate principal at Ove Arup & Partners. Finding out this reason and understanding the "pain point" that is making the organization want to spend money to relieve it is crucial to the success of the project, he explained.
Security professionals then need to figure out where they sit on the project team, whether that's as part of the design team or at the project management level. Knowing this will help shape their involvement in the project, Rieder explained, as professionals who are at the project management level do "more soul searching" while those on the design team will take a "more integrated" and team-oriented approach to the project.
Once security professionals understand the reasoning behind why the project is happening now and their role in it, they can embark on the process of implementing an efficient and effective security project. This process involves analyzing the risks that brought the project to the table, determining the needs that the project will address, designing the means to meet those needs, integrating the pieces of the project, implementing the project itself, and finally operating the project.
One part of the analysis phase of the process that is critical to a successful outcome is identifying the project stakeholders, from the obvious ones who bring up their concerns directly to those who may not be as quick to voice their opinions and problems. "Make sure everyone who needs a voice gets a voice in the project," Lane said.
Another crucial aspect of the analysis phase is assessing the risk the project is designed to mitigate. To do this properly, everyone involved in the project needs to have a common definition of what risk is and how that risk needs to be assessed, said Jim Black, CPP, PSP, senior security program manager for Microsoft.
Instead, organizations should use a definition and assessment that fits their unique needs. They should also reference historical data about threats to their organizations themselves, which will be "more helpful than reading a guide of what generalists are coming up with in the sphere of potential threats," Black added.
Successful Security Consulting
You've decided to leave corporate or government security and strike out on your own as a security consultant. How do you develop and showcase your expertise to create a successful new career for yourself?
These are the questions that the International Association of Professional Security Consultants sought to answer on Sunday in a joint preseminar program with ASIS titled "Successful Security Consulting." The program brought in leading technical and management security consultants to show attendees how to develop, market, and deliver security consultant services.
Key to gaining this understanding is knowing what a successful consultant does, said Frank Pisciotta, president of Business Protection Specialists, Inc. Successful consultants are those that can establish a "trust relationship" as a business, help clients solve security problems and issues, integrate systems and programs, and identify and justify security's value to the organization, among other characteristics, he explained.
Another criterion for success is knowing how to market yourself as a consultant, said Harold Gillens, president and CEO of Quintech Solutions, Inc. He explained that this means taking time to understand the uniqueness of your background and your practice as a consultant, as you cannot be a subject matter expert on all things security.
Being an independent consultant with a small firm, however, doesn't mean that you have to eliminate large opportunities, Gillens said. Instead, consultants can use teaming to grow their business by presenting themselves as someone who can handle a larger project by bringing in other subject matter experts that they personally know and may already have business agreements with.