On Monday afternoon and Tuesday, the learning continued with a plethora of sessions.
They might have the same name, but the three experts who spoke on a panel during Monday afternoon's "Insider Threats: Effectively Identifying and Mitigating the Risks from Within" each had unique approaches to developing a corporate insider threat program.
Michael Gelles, director of Deloitte Consulting; Michael Dorsey, CSO of Brocade Communications, Inc.; and Mike Stehn, director of private sector solutions at Astrella Corporation, shared their expertise on proactively detecting anomalous behavior in the workforce.
Lester Rosen, president of Employment Screening Resources, led the joint ASIS/(ISC)² session, which was sponsored by the ASIS Defense and Intelligence Council. Dorsey defined an insider as an individual with access to a company's facilities who could compromise the organization's workplace or assets, either through complacency or with malicious intent.
Gelles noted that insiders are not just malicious individuals or those who cause workplace violence. The context of an insider threat has changed over time, he said, but their behavior and motivations haven't.
To develop a strategic plan to address the insider threat, Stehn recommended building an insider threat working group or other committee that has key buy-in from leadership. That group should develop policies, training to educate employees on those policies, and an investigative process if a person of interest is reported.
"If a company spots an insider threat, its first reaction is to fire that person, but that doesn't go back to the root cause of why they're doing it," Stehn noted. "If you look at it from an espionage standpoint, someone is controlling that person so that they will bring that information to the outside. I need to find that root cause by doing some sort of internal investigation."
Gelles endorsed building a holistic insider threat program that addresses what a person does, not who the person is, and what that means.
"When we think about looking for an insider proactively, we're looking not just from a counterintelligence perspective but from the business process," Gelles said. "You need to focus on your workplace's policy, communication, and culture; the employee's lifecycle, from backgrounds to vetting to how they are managed in the company; and information security controls to see what a person is doing on the company's systems."
Data analytics can be a game changer when it comes to noticing anomalous behavior from an employee, the panelists agreed. Dorsey suggested allowing technology to do some of the early triage.
"What we need to begin to do with large problems is allow big data analytics and the IT technology to do much of the work for us," Dorsey said. "Allow the technology to drill down into the data and into the behaviors, the possible risk indicators, so your team can look at the most egregious behaviors, and then do additional inquiries and investigations. You take your few resources that you have and vector them onto the problems of greatest risk rather than trying to tackle everything."
Beyond the technology, it's important to teach the workforce to recognize signs of anomalous behavior and to report it appropriately, the experts agreed. Historically, high-profile insiders had displayed a number of classic suspicious behaviors that others did not report but recognized after the incident, Dorsey noted.
Ultimately, though, an insider threat program should monitor the overall culture and health of the workforce; any anomalous behaviors should be addressed, whether they might lead to an incident or something else.
"Anomalous behavior within your workforce, while it may indicate a malicious insider or a complacent insider (someone who's going to exploit assets or commit workplace violence), it will also identify someone who could be potentially suicidal," Gelles noted. "We're looking to proactively identify anomalous behavior and determine what's driving that, as that behavior is different from an individual's baseline and from what their peer group is doing. And that's the most important aspect."
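The panelists describe letting analytics compare an employee's activity against both their own baseline and their peer group's, then handing analysts only the most egregious deviations. The following added example (not code from any panelist or vendor; data and thresholds are constructed) scores daily file-download counts that way, using a median/MAD deviation so a few past spikes do not inflate the baseline, and flags a user only when they depart from both baselines:

```python
"""Flag activity that departs from both an employee's own baseline and their peer group's.

Constructed sample data (not from the session): daily counts of files downloaded
from a document repository, per user, over a ten-day history window.
"""
from statistics import median

# Constructed history: user -> (peer group, [daily counts, oldest first])
HISTORY = {
    "alice": ("finance", [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]),
    "bob":   ("finance", [10, 9, 12, 11, 10, 13, 9, 11, 12, 10]),
    "carol": ("finance", [14, 13, 15, 12, 14, 16, 13, 15, 14, 13]),
    "dave":  ("engineering", [40, 38, 45, 42, 39, 44, 41, 43, 40, 42]),
}

def robust_z(value, sample):
    """Deviation of value from sample in units of scaled MAD (robust to outliers).
    1.4826 scales the MAD so it is comparable to a standard deviation."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample) or 1.0  # flat history: avoid divide-by-zero
    return (value - med) / (1.4826 * mad)

def score_today(user, today_count, history=HISTORY, threshold=3.0):
    """Return (self_z, peer_z, flagged). Flag only when the count is anomalous relative
    to BOTH the individual's own history and their peers' history, so a busy role
    (engineering here) is not flagged merely for being busy."""
    group, own = history[user]
    peers = [c for u, (g, hist) in history.items() if g == group and u != user for c in hist]
    self_z = robust_z(today_count, own)
    peer_z = robust_z(today_count, peers) if peers else self_z  # no peers: fall back to own baseline
    flagged = abs(self_z) > threshold and abs(peer_z) > threshold
    return self_z, peer_z, flagged

def triage(today):
    """Return only flagged users, most extreme deviation first, for analyst follow-up."""
    results = [(u, c, *score_today(u, c)) for u, c in today.items()]
    return sorted((r for r in results if r[4]), key=lambda r: -abs(r[2]))

if __name__ == "__main__":
    today = {"alice": 14, "bob": 180, "carol": 15, "dave": 44}  # constructed observations
    for user, count, sz, pz, _ in triage(today):
        print(f"{user}: {count} downloads today, self z={sz:.1f}, peer z={pz:.1f}")
```

The flagged list is a starting point for the "additional inquiries" the panel describes, not a verdict; a single day's spike may have a benign explanation such as a project deadline.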
Securing Disney entails much more than protecting Mickey Mouse from harm or attack. In Monday afternoon's "Become a Proactive Security Organization" session, Robert Grant, vice president for global security for the Walt Disney Company, detailed the many different types of businesses his company needs to protect.
Disney still likes to call itself "the world's largest entertainment company," Grant said, and its holdings include much more than just the Disney parks in Florida, California, Paris, Tokyo, Shanghai, and Hong Kong. It also includes cruise lines, an adventure backpacking tour group, theaters all over the country, movie studios, broadcast stations like ABC and ESPN, and Disney retail stores. All of these require different types of protection. "We have a wide variety of different risks," Grant said.
For example, with the current migration crisis in Europe, Disney cruise ships in the Mediterranean now have to contend with European regulations that sometimes require ships to pick up migrants in distress at sea. "What do we do? How do we do it? Are we prepared for it?" Grant asked.
In terms of a proactive security approach, Grant advocated for an emphasis on prevention, not response. As a former special agent for the FBI, Grant gave the example of the FBI after 9-11 changing its focus to preventing attacks, not solving crimes after they happened.
In addition, since the company knows that "it's tough to sell security" in a business environment, Disney tries to follow a security-made-fun practice, Grant said.
For example, it sends out a monthly tip e-mail and videos, designed with the help of a creative team, which offer security advice in a humorous vein. However, joking about active shooters is off limits, he added.
Mike Howard, chief security officer for the Microsoft Corporation, reflected on the recent evolution of the private sector security profession from "corporate cops" to strategic business enablers in a Tuesday morning session, "Building a Strategic Security Organization."
Howard has close to 40 years of experience in the security field. Before his 13 years at Microsoft, he spent 22 years at the CIA, and two years before that as a police officer in Oakland, California. At the session, Howard sketched out some insights he learned along his career journey.
When Howard joined Microsoft in 2002, the company had roughly 40,000 employees. Its security apparatus was still in the "GGG" era (guns, guards, and gates), Howard said. It had a central Life Security Control Center where analysts would watch DVD recordings for events and security breaches. At that time, many private sector business leaders "still looked at security as the corporate cop."
But the company was rapidly growing. In two years, the company's workforce doubled in size. Now, Microsoft products are used in more than 190 countries, in 46 languages, and the company has 221,000 employees worldwide.
In this era of cloud computing, Microsoft is focused on enterprise-wide virtual security. "We're really leveraging the cloud, and we're headed in that direction," he said. To ensure that security is aligned with all business objectives of the company, Howard said his department over the years had focused on developing strategic partnerships with many other departments, including IT, human resources, finance, and legal.
"It took a lot of doing. When I first got there, my team knocked on a lot of doors. We wore out a lot of shoe leather," he said.
The company also focused on building a security team that has leadership skills, strategic capabilities, tactical abilities, and subject matter expertise. Not all staffers have all four of those skill sets, but as a whole, each skill component is well represented, he said.
And in the wider corporate worlds, Howard said that more and more companies are looking for security leaders and staffers to have business experience and training. "They want people to run security like a business," he said. Given this trend, in 15 to 20 years it will probably be seen as normal for companies to hire security staffers who have business backgrounds, but need to be trained in security matters.
Business-savvy security leaders will also be cognizant of concepts such as their company's "security identity," or the brand of the security organization. Microsoft's security operation has tried to cultivate a brand which communicates the idea that the department knows where the company is going and is aligned with its business objectives, yet it is also willing to admit mistakes and learn from experience.
Such development is not always an easy process, Howard acknowledged. With changing technologies, work environments, and global threats, some organizations fall behind the curve, and then struggle to do an honest assessment of where they need improvement. "Sometimes it's painful to go through the process of looking at the organization realistically," he said.
But good things await those leaders who can push through that difficult assessment process, and who are serious about committing the time and resources needed for improvement. "Usually the people who say 'you can do more with less' are not the ones that actually have to do the job," he said.
The ASIS Information Technology Security Council sponsored this session.
At a Tuesday afternoon session entitled "Unravel the 'How' of Executive Protection," Robert Oatman, CPP, of R. L. Oatman & Associates offered best practices in delivering successful executive protection. Oatman, who is chair of the ASIS Executive Protection Council, was accompanied by a video of a simulated executive protection exercise, which featured a Mexican official traveling to Baltimore on business.
One of the most difficult challenges of executive protection is to translate what is supposed to be done into actual real-world assignments. He quoted President Dwight Eisenhower, a former general, on preparing for battle: "Plans are useless, but planning is indispensable." Executive protection is similar, Oatman said. Conditions may be widely unpredictable, so nothing may go according to plan. But preparation and practice is crucial, so almost any turn of events can be responded to.
In the assignment planning phase, the protection firm should strive for clarity on all key points: exactly what the principal's itinerary will be, who will be the point of contact, what accommodations and transportation will be needed, and who needs to be contacted in case of emergency. Locations and routes should be scouted out in advance.
In addition, the political environment of the location that the principal will be in must be researched and understood. As a live example, the video featured clips of the Baltimore riots in April, when a politically tense city with a rising crime rate suddenly exploded into violence. "In the real world of executive protection, sometimes you're not dealt the best hand," Oatman said.
A key component of the planning process is the interview with the principal. Oatman advised that the principal be asked general questions first, which will allow him or her to express their concerns about the upcoming travel. Avoiding yes and no questions, and allowing the principal to elaborate and digress, will let the principal offer a wealth of relevant information that might otherwise never be obtained.
Each security component of the assignment should also be broken down and analyzed, Oatman said. For example, threats to transportation security include potential motor vehicle accidents, road rage incidents, and planned vehicle attacks. Less deadly, but more likely, threats include getting lost, being late to appointments, and reckless driving. "Keeping your speed within reason is paramount," Oatman said. Routes should always be well researched; the executive protection firm should identify common traffic choke points and potential safe havens if the environment becomes unstable.
Interactions with a variety of contacts, including transportation providers, hotel security personnel, and venue management representatives, may also be required. Relationships can be important here; if an executive protection firm works well with a certain hotel's staff, the familiarity and knowledge of the facility can give the firm a home field advantage. "Hotel security is a force multiplier," Oatman said.
Finally, Oatman advised executive protection firms to "go practice this stuff," conduct simulation exercises, and also to learn from any mistakes made. "Good decisions come from experience, and experience comes from bad decisions," he said.
The Tuesday afternoon session, "Behavior Detection and Assessment at the Mall of America," was a timely offering, given that just this February Al-Shabaab released a video threatening attacks against the West and mentioned the giant retail center near Minneapolis, Minnesota, as a possible target.
Ashly Hesler, special operations manager at Mall of America, said the media asked her what the security team had been doing to prepare for the possible threat from Al-Shabaab, and that they were more than prepared to answer the question. "It's not, 'What are we doing in response to it?'" she told those at the session, which was standing-room-only. "The question is, 'What have we been doing?'"
The Mall of America, which attracts 42 million visitors a year, has established a threat detection program based on Behavior Detection and Assessment (BDA), a security method developed over the course of 30 years by the Israel Security Agency. Michael Rozin of Rozin Security Consulting, LLC, advises the Mall of America on the program, and was also a speaker in the session.
The driving force behind the security program is a Risk Assessment and Mitigation (RAM) team that is trained to be on the lookout for odd or potentially threatening behavior at the 5.3 million square-foot mall. When RAM officers notice individuals who may pose a threat, they approach them and conduct a simple interview, deciding whether or not the individuals have intentions to cause harm or theft. Annually, 1,400 such verbal assessments are conducted, of which 8 to 9 percent end up being individuals with criminal intent, and 1 percent are cases with a nexus to terrorism.
Keeping hackers out through traditional cybersecurity measures like firewalls and antivirus is becoming less and less important than paying attention to who you freely give access to your data and what they do with it. That was the topic of the Tuesday afternoon session, "The Evolving Cybersecurity Perimeter."
Charles Foley of Watchful Software advised attendees on just how profitable an enterprise's data is to hackers. "According to a study done by the RAND Corporation, cybercrime is a bigger margin opportunity than illegal drugs in 2014, 2015, and predicted in 2016," he said. And the cost to companies is growing, as the average data breach now costs $3.5 million.
He said the most expensive problems faced by corporations are caused not by hackers trying to breach firewalls, but by someone who was either physically or logically close to an organization's data doing something unsafe with it, most of the time inadvertently. A recent survey by Market Connections and SolarWinds showed that more than half of federal IT leaders identified careless and untrained insiders as the greatest source of cyberthreats against their industry.
To curb this, Foley recommended not only more effective training, but the possibility of adding software that makes sure users are compliant with the data as they handle it. There are, for example, software capabilities that can recognize when an e-mail contains classified material. Even if the user doesn't realize the info is sensitive, the software will pick up on a phrase that triggers a rule, which in turn triggers classification and protection. "If you do this right and you line up your policies, procedures, and technologies, your electronics can do the job," said Foley.
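Foley's description, that a phrase in an e-mail triggers a rule, the rule assigns a classification, and the classification drives protection even when the sender did not realize the content was sensitive, is the core of a rule-based data-classification control. The following added example (not Watchful Software's product or any vendor's code; rules, domains and messages are constructed) shows that chain end to end, including the case where a user's own label is lower than what the content warrants:

```python
"""Rule-based classification and protection of outbound e-mail (constructed example)."""
import re

# Constructed rules: (pattern, label). Any match raises the message to at least that label.
RULES = [
    (re.compile(r"\b(top secret|secret|classified)\b", re.I), "RESTRICTED"),
    (re.compile(r"\b(merger|acquisition|board deck|pre-release earnings)\b", re.I), "CONFIDENTIAL"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "CONFIDENTIAL"),  # US SSN shape, e.g. 123-45-6789
    (re.compile(r"\binternal use only\b", re.I), "INTERNAL"),
]
LEVEL = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
TRUSTED_DOMAINS = {"example.com"}  # constructed: the organization's own mail domain

def classify(subject, body, user_label="PUBLIC"):
    """Return (label, matched phrases). The highest level wins: a sender's own label can
    raise the classification but never lower what the content itself triggers."""
    text = f"{subject}\n{body}"
    label, hits = user_label, []
    for pattern, rule_label in RULES:
        match = pattern.search(text)
        if match:
            hits.append(match.group(0))
            if LEVEL[rule_label] > LEVEL[label]:
                label = rule_label
    return label, hits

def decide(label, recipients):
    """Map the label and the recipient set to a protective action. Mail that stays inside
    the trusted domains is allowed (the label is still applied); anything leaving is
    blocked, encrypted, or flagged with a warning according to its level."""
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS]
    if not external:
        return "allow"
    return {"RESTRICTED": "block", "CONFIDENTIAL": "encrypt", "INTERNAL": "warn"}.get(label, "allow")

def handle(message):
    """Evaluate one outbound message dict; return (label, action, matched phrases)."""
    label, hits = classify(message["subject"], message["body"], message.get("user_label", "PUBLIC"))
    return label, decide(label, message["to"]), hits

SAMPLES = [  # constructed messages; the second sender believes the content is harmless
    {"subject": "Lunch Friday?", "body": "Tacos at noon?", "to": ["pat@example.com"]},
    {"subject": "Quick question", "body": "Sending the board deck for the acquisition to your "
     "gmail so you can read it tonight.", "to": ["me@gmail.example"]},
    {"subject": "Travel form", "body": "My SSN is 123-45-6789 for the reimbursement.", "to": ["hr@example.com"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", handle(msg))
```

Real products pair phrase rules with document fingerprints and user labels; the precedence rule here (content can only raise the level) is what makes the control catch the user who "doesn't realize the info is sensitive."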