Kelly Murray, the associate director at CISA, discusses the best ways to secure chemical facilities, which can be popular targets for dangerous actors. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Susan Friedberg

Over the past two years, workers around the globe have reconstructed their workplaces, as driven by health guidelines to prevent the spread of COVID-19. Many employees are not back at the office and instead continue to work from home remotely or work hybridly, reporting to an office on a part-time basis. Regardless of where the employee works, the security policies and procedures that were in place when 100% of the workforce was in the office no longer apply to the current workforce.  

The GSX session, “Adapting Workplace Violence Strategies to Accommodate a Modern Flexible Workforce,” explored how workplace safety needs have changed and discussed how security leaders are now able to integrate learnings from the past two years to build new programs that protect employee and company safety. Even if employees are not in the physical office, employers are still responsible for providing a safe workplace.  

Presenters Deb Andersen, PSP (Security Administrator, Physical and Cyber Security at MWI Direct) and Robert Achenbach (CSO and Director, Corporate Security and Safety at First National Bank of Omaha) shared how the core principles of developing a security program have adapted and evolved to support a new, diverse, workforce. 

Leverage the Environment and Understand the Impact 

Access management is considered the first line of defense for protecting onsite workers and employees. Security providers must first consider: who are we responsible for and where do they operate? 

Classifying occupants and identifying the risks that come with where they report is a good place to start. Determine where employees sit – are they on or offsite, and depending on their seat, what sort of security privileges or access to physical assets or cyber information do they have? Does access to information and tools need to be different if they are in the office or working remotely?  

Look at how traffic has changed in and out of the office. Employees that are reporting to an office are decreasing in number, but they may not be the only ones accessing an office building. Security leaders must continue to prioritize all categories of occupant access and their associated inherent risks. Many offices share a building with other tenants, who may have varying degrees of access to the building. Additionally, vendors, technicians, and other support staff will still need intermittent access. Guests that come onsite, whether preplanned or not, need to be monitored, and if the office has public access, office security must also continue to consider unplanned arrivals.  

Understanding the Workplace Environment, Pre- and Post-Pandemic  

When employees were completely in the office, security teams had direct, physical access and the ability to monitor activity and engage in safety-related activities. Pre-pandemic, employers could directly communicate in the office via speaker systems, run onsite drills and emergency planning, and understand the flow of employee traffic via access controls.  

Today, those practices need to be adapted for the remote workforce; we may not always know where employees are seated, whether in their home office or elsewhere, but employers can continue to monitor the information they are accessing while remote. Security teams are also now considering societal stress levels that have become commonplace for remote employees, from social isolation, reduced resources, supply chain delays, and changed communication access to their teams, management, and leadership. Larger companies may have had the resources to provide a comfortable at-home workplace, but most employers needed to adapt existing resources to fit the needs of their teams.  

Ultimately, the most important prevention measure for mitigating workplace stress is to build trust within the workplace, provide open communication channels with key leaders, and have open and transparent policies. For example, new communication technologies available today can deploy mass notifications or provide secure communication channels via an employee’s phone. No worker needs to feel isolated in their own home – smart policies can continue to engage them and ensure they feel seen and heard.  

Changing the Training Environment for Onsite and At-Home 

As there is no longer a singular workplace, there is no longer a one-size-fits-all approach to safety training. Employers need to have a full view of who is on-site to protect them against workplace safety risks and to provide them with training and resources to respond safely or evacuate.  

For occupancy-related emergencies, onsite employees need to continue emergency response training, from locating first aid or fire extinguishers, knowing evacuation routes, and assigning and identifying team members who have a specialized role in emergency management, such as de-escalation or mental health emergency training.  

Offices with a force protection team may need to update their training based on how many people are in the office on a given day. New technologies, such as unmanned check-in or access points, or AI-driven identification cameras, can help establish occupancy and access and streamline response efforts. Force protection teams can continue to conduct site surveys and identify new operational vulnerabilities and any consequent gaps in employee training, policies, or security equipment. 

Communication is key for offsite workers, and employers can adopt new strategies to engage all employees. Hybrid workers who are not available onsite for training may need access to virtual simulations and office blueprints. Remote employees may benefit from internal newsletters with regular updates on security tips – from reminders about password management, clean desk policies, and any new information or policies they need to consider as they remain fully remote. In an emergency, remote workers can be relied upon for business continuity and should also understand how to support the company in the event of an emergency or event that would otherwise prevent their access and communication with leadership, management, and fellow employees. 

All departments of a company, from security, legal, HR, and leadership, must come together for a complete approach to reaching all employees, regardless of their location. Each team has its own line into company risks and vulnerabilities and has a department-level approach to incident response and post-event recovery. All parties and approaches need to be considered if the company is to take a converged approach to safety and policy enforcement. 

Holistic Security Brings Onsite, Offsite, and Hybrid Security Models Together 

Security leaders and employers create healthy, safe working environments when they continually test all aspects of their security program, share information, and adjust, adapt, plan, and execute. In return, security leaders and teams build better relationships, meet the expectations of the leadership, and get to keep a finger on the pulse of their organization’s vulnerabilities and needs. 

Our current and future workplace is supported through leadership and security partnership and transparency, with the objective to continually improve the organization’s security and posture while complying with workplace safety regulations and promoting a healthy and safe place to work. Remote work remains a new model, and regulators are now beginning to assess what standards need to be in place to protect offsite or remote workers, as employers remain responsible for their safety and well-being.  

New security elements being explored include ensuring employees have the tools to be successful and supported, from access to secure Wi-Fi networks, appropriate equipment, cybersecurity, and access control. But beyond the tools that an employee needs to complete their job, employers are now considering how their duty of care is evolving, and how to check in with employees to ensure their home workspaces are safe from domestic violence or unrest, that their workplace tools are secured against theft or damage, and if employees need access to new employee assistance programs or mental health resources to support their transition into a fully remote work environment.  

Today’s workplace is diverse and will continue to evolve, and security providers understand there will never be a silver bullet resource that addresses all elements of security, from protecting critical assets, information, and people. Workers around the globe have been able to enjoy the benefits of a remote or hybrid work model, and employers want to continue to provide this resource, but not at the expense of the company or their employees’ safety. By continually assessing the security landscape and taking advantage of innovative technologies, security providers and companies can support workers where they perform best and support continual operational health and growth. 

For more information, contact:  

Deb Andersen, PSP, Security Administrator, Physical and Cyber Security at MWI Direct (LinkedIn) 

Robert Achenbach, CSO and Director, Corporate Security and Safety at First National Bank of Omaha (LinkedIn) 

Susan Friedberg is the Director of Communications at Pronto.ai and Pollen Mobile and an ASIS Member. Reach her on LinkedIn.

Antoinette King, PSP, the founder of Credo Cyber Consulting LLC, discusses how security professionals can learn through failure. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Mike Gips, CPP

At GSX 2022, I moderated a panel called Learning From Failure. Featuring renowned security practitioners Jeff Slotnick (Setracon), Antoinette King (Credo Cyber Consulting), and Ricky Davis (RICE Security and Consulting), the presenters shared some of the most painful failures in their career, but also explained how those letdowns became professional turning points or led them to wisdom and success they wouldn’t have obtained otherwise. We then offered guidance on how to turn failure to success.

Other industries welcome, even embrace, failure. Not security. Amazon founder Jeff Bezos famously blessed innovation through failure when he said, “If you are going to take bold bets, they’re going to be experiments. And if they’re experiments, you don’t know ahead of time if they’re going to work. Experiments are by their very nature prone to failure.”

Take Amazon’s delivery drones. It’s been at almost 10 years since Amazon promised them, but recent crashes in testing have delayed the rollout. Fortunately, the crashes have not caused any injuries.

News like that makes us security practitioners practically tremble at the word failure. We’ve been trained that no news is good news. When we think of failure, we often go to worst case scenarios: an active assailant that got past our officers; a background check that didn’t flag a fraud artist in our midst; a hack that cost the company invaluable proprietary information and incalculable reputational loss. Or a delivery drone injuring a child.

Our panel emphasized that we don’t have to think about success and failure as all or none. Obviously, we don’t want to fail when the stakes are high—a TSA officer failing to detect explosives that take down a plane is obviously unacceptable—but as long as we limit the potential consequences, failure can be our friend. In fact, it could lift us up to greater levels than we would have reached otherwise. After all, Amazon’s drone crashes have been occurring during testing. That’s the time to fail, so their drones can soar higher, metaphorically, at least.

In our session, Jeff shared a profound learning experience from his days stationed in the U.S. Army in Europe. He was tasked with writing a nuclear spill response plan for an Army civilian military engineer, which he labored on over an IBM Selectric typewriter. Two days after he turned it in, the civilian called Jeff into his office and handed him the document—which was “bleeding green from his felt-tip marker,” Jeff recalls. “I threw the report on his desk and said, ‘If you think you can do it better, then you do it,’ and I turned to leave. He called me back in a tone I was not used to hearing from a civilian and read me the Riot Act.”

By swallowing his pride, Jeff transformed his career and life. “The skills he taught me in writing, management, and leadership have lasted a lifetime,” Jeff says, starting with three Army promotions. He uses those skills today to write standards, prepare reports, mentor executives, and lead teams. Best of all, decades later he remains friends with his one-time nemesis.

Antoinette’s failure came from the opposite problem: not having enough confidence. She told the audience about her entry into the security field as an installation technician. “Unbeknownst to me, it was highly unusual for a woman to be a technician pulling cable, installing devices, and building head ends,” she says. As the only woman on a typical job, she would blend in or try to become invisible. “For the next several years I did everything in my power not to be seen. This resulted in many missed opportunities.” She eventually realized that her differences made her valuable, and today she spends time mentoring women in technology and ensuring that they don’t minimize themselves like she did.

Probably the most inspirational parts of the session occurred when we invited audience members to share their stories of failure—whether they led to redemption or not. One attendee related how he had recently been turned down for a prestigious credential, but the feedback he received in the process showed him that he needed to evolve from an operational to strategic mindset. 

Ricky, Antoinette, and Jeff then discussed how to grow from setbacks, such as by acknowledging failure, accepting responsibility, pausing and reflecting, seeking advice and criticism, extracting lessons, keeping perspective, making incremental changes, staying positive, and taking care of yourself. They then turned toward a more clinical approach to overcoming failure, exploring topics such as process inadequacy, task challenge, process complexity, and hypothesis testing. 

Today’s security professionals are risk managers. Though we manage risk and usually don’t try to eliminate it, risk gives us anxiety. But we also know there is no reward without risk. So how do we adjust our risk tolerance to accept failure?

Akshay Bhargava, Chief Product Officer at Malwarebytes, developed a philosophy called Failing Toward Zero, and it can work for security professionals of all types. He writes that “Failing toward zero is a state in which each security incident leads to a successive reduction in future incidences of the same type.” In corporate security, this may mean reducing the number of tailgating incidents, security policy violations, or incidences of theft successively over time. It involves identifying the source or cause of the failure and remediating it, iteratively improving security and yielding better results. But be careful not to focus on the results alone. Sometimes good processes yield bad results and bad processes yield good results. It’s improving the process that’s key. In short, test, tweak, and test again.

Michael Gips, JD, CPP, CSyP, CAE, is the Principal of Global Insights in Professional Security, a consultancy focusing on security thought leadership, content, strategy, research, insights, and influence within the profession. Reach him on LinkedIn.

Rya Manners, a Director of Solutions at Securitas Security Services, and Erwin Van de Weerd, an Area Physical Security Manager BeNeLux at SAP, talk about the future of the security industry and the role of upcoming professionals. The two also announce a big change – the ASIS Young Professionals Community will now be called NextGen. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Susan Friedberg

The security of the American electoral infrastructure is of critical national interest. Free, fair, and safe elections are a vital priority of the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA), which supports the state and local election communities and the American public to ensure they have the necessary tools to manage risk and build resilience in the nation’s election infrastructure.

In the GSX presentation, “Combatting Insider Threats in Election Infrastructure,” Chris Piper,

(COO, Elections Group), Kim Wyman (Senior Election Security Lead at CISA), Amanda Grandjean (Director of Elections, Deputy Assistant Secretary of State at Ohio Secretary of State’s Office), and Matt Crane (ESI Subject Matter Expert Consultant at CISA) shared their collective experience implementing and advancing security tools and techniques for elections, to prevent any intentional or unintentional harm.

Understanding the Business of Elections

Departments of elections are continually assessing threats to their processes, conducting resilience training, and updating their standard operating procedures. The speakers discussed three primary security considerations: cybersecurity, physical security threats, and insider threats, including the spread of misinformation.

Grandjean said election security leaders are faced with the challenge of creating a comprehensive election infrastructure for a decentralized system. State and local elections may vary in the types of ballots, the voting timeframe, and the cadence of elections. Comprehensive election security cannot be focused on one single area, but rather must be a program with multiple layers.

Utilizing Federal Resources to Strengthen Elections

Regardless of the size of the election resources in a city or county, local election officials have the resources to investigate any threats to their election. Wyman shared information about the Help America Vote Act of 2002, which established the Election Assistance Commission (EAC). This organization is dedicated to assessing and improving voting systems and voter access and provides funding to help states meet mandatory minimum election administration and security standards.

CISA also works with local governments to quickly identify and mitigate any threats and provide year-round training for local election officials to identify common threats and harden their security posture. 

Deploying a Layered Approach to Election Security through Standard Operating Procedures

Piper emphasized that multiple security techniques and processes need to be in place to help cover various security considerations at each election, starting with robust standard operating procedures, hardened access control, strict chain of custody, and zero-trust security.

With standard operating procedures, election officials recognize quickly when a task or role deviates from protocol. Piper shares that election officials can learn from the security community to create these SOPs and execute them.

Every community that holds elections must also have a policy in place for access control. CISA helps election officials create SOPs that document the chain of custody of election equipment and ballots. A zero-trust security approach eliminates implicit trust and continuously validates every stage of the voting – from ballot printing to post-election audits. For example, this end-to-end technique is applied to how a voting tabulator is stored, tested, transported, and deployed, and to securing, transporting, and counting ballots. Election officials strictly document this process to show that the chain of custody has been met perfectly.

Addressing Constantly Evolving Election Security Challenges

Security directives are continually updated, incorporating advancing cybersecurity techniques and reflecting the desire from voters for transparency. For example, security approaches include stress testing software, increasing physical on-site security with the latest surveillance technology, enforcing additional logging, deploying seals to voting equipment, and securing devices with double-locking keys.

Poll workers also undergo special training, reflecting new security directives, and are mandatory reporters should they observe any wrongdoing. Insider threats are continually monitored so that polling workers and their efforts can also stand under scrutiny.

Building Public Trust Through Transparency

According to CISA, “securing election infrastructure from new and evolving threats is a vital national interest that requires a whole-of-society approach.”  American voters have many open avenues to connect and learn about election security practices. Grandjean shared an infographic from the Ohio Secretary of State that describes to voters the core tenets of the voting security process. CISA also has a public library of election security resources for the public.

Every speaker emphasized that boards of elections and election officials must also include public relations as a part of their role. Ultimately, whenever there is a public demand or question of election security, election officials will have the tools, checklists, and transparent processes to demonstrate their commitment and compliance with federal election standards.

Susan Friedberg is Marketing Communications Consultant based in San Francisco and an ASIS Member. Reach her on LinkedIn.

Sherrod DeGrippo, the Vice President of Threat Research and Detection at Proofpoint, Inc., discusses how security professionals can become better at protecting their organizations from outsider threats. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Jim Sawyer, CPP, discusses the importance of diversity, equity, and inclusion in the security world. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Lida Citroen, CEO of Lida360, discusses personal branding and how you can build trust in your security brand. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.