By Susan Friedberg

As security practitioners continue to harden the security posture of clients and customers against physical and cyber threats, a new dimension of our world is now emerging and growing – the virtual domain, or the Metaverse.  

Perhaps we have accessed the Metaverse through VR technology and are beginning to engage in gaming, trading, and commerce actively. Many of us are just starting to hear of this emerging technology and concept, hearing stories on the news about cryptocurrency or the newest VR headset. Our heads may be actively buried in the sand – avoiding any discussion that would prevent us or distract us from focusing on our work, as we believe something like an “avatar” or “blockchain” and the Metaverse will never really manifest or impact our customers, and the communities we serve.  

Presenters Mary Gamble (Gamble Legal, PLLC), Lee Oughton (CEO, Co-Founder, Fortress Risk Management), and Jon Harris (Senior Product Manager, HiveWatch) shared in their presentation, “The Metaverse, NFTs and the Future of Security in a Virtual World,” that the world of the Metaverse is real and growing exponentially.  

The Metaverse is not only available for entertainment and gaming but also fast becoming a resource for enterprises to engage in commerce, trading, and banking. We must start to consider the inevitability of how virtual engagement will be a part of our day-to-day lives, both personally and professionally, in the immediate future.  

As with any other fast-growing and underregulated technology, security practitioners have the opportunity to extend our expertise in physical and cybersecurity to understand and start to map out the vulnerabilities in virtual worlds and build security programs that protect users.   

Start with the Basics: Understanding the Lingo of the Metaverse  

First, Gamble, Oughton, and Harris shared that security practitioners should have a basic grasp of the technologies referenced when discussing issues in the Metaverse and some of their applications before we can identify security issues.  

• Web3: The next generation of the world wide web that is based on a decentralized structure incorporates blockchain and token-based economics 
• Avatar: a picture or animated character selected by an online user, which represents the online user 
• Metaverse: a connected network of 3D virtual worlds; an immersive virtual space made possible through the use of virtual and augmented reality technology for users to shop, game, interact, train, and experience 
• Blockchain: A digital ledger technology that records transactions and distributes these records, or blocks, across a network 

• Digital Assets: Any type of asset that is created, traded, and stored in digital form that has or will create value and usage rights  
• Digital Currency: Currency, money, or financial asset that is managed, stored, or exchanged digitally 
• (Crypto) Token: Units of value that are developed on top of existing blockchain networks, that hold value, and represent a physical or digital asset 
• Non-fungible token (NFT): A crypto asset that represents real-world objects, such as art, property, goods, or identities 

The Metaverse interacts with core objectives and functions of the security industry such as asset protection, access control, data protection, privacy, executive protection, and ESRM. For example, the use of an NFT, or a non-fungible token, is as ubiquitous as an identity or credential in the physical world but in the virtual world.   

With this understanding, security practitioners can begin to assess opportunities and threats with these technologies and what adaptations are required to remain relevant and practical. 

The Metaverse is Here and Showing Up to Work and Play 

10-15 years ago, we started thinking about how automation, machine learning, and computer vision technologies would be integrated into security systems – simply a vision. Now today, these things are commonplace. McKinsey & Co research indicates that the Metaverse industry will reach nearly $5 trillion by 2030.  

While the Metaverse came to prominence through gaming and social media applications, today, enterprises are using the Metaverse to help view floorplans, tour facilities, or hold remote meetings and conduct crisis and emergency management drills without having to be onsite. Additionally, defense organizations using virtual technology for simulations now benefit further through accessing the Metaverse by bringing new dimensions and overlays to their training exercises.  

Oughton points out to the audience a fundamental reality – we have risk management in the physical and cyber domains, but we are behind on virtual. When a friend, family member, or colleague accesses the Metaverse, we cannot necessarily enter the same world or monitor their activity. Oughton, a Metaverse user, initially took an interest in Metaverse security in the context of executive protection. He cannot fully protect his clients when they enter this virtual domain, so instead of standing idly by, he decided to dive in and see for himself.  

Metaverse users, without these controls or security measures, are vulnerable to the same risks as in the cyber world – harassment, stalking, and hacking. However, in the cyber world, there are monitoring and security systems to help users navigate their digital experience, minimize risk, and prevent compromising their or their employer’s safety.  

The chasm of adoption is not far. Oughton shares that if we as a security industry don’t enter the Metaverse, see where there are threats, and come up with the solutions, threats will come from the outside that does not bring security principles into it, and we will struggle to adapt. 

Anonymity is the Foundation of the Metaverse, Leading to Legal Ambiguity  

When it comes to privacy and data collection, the more you put out, the more that’s being collected. There are no actual structures to ensure your data security and safety in the Metaverse. Users must be mindful of whom they are engaging with on the other side. 

Gamble emphasizes that while there are many laws and regulations worldwide and at the federal and state level related to online commerce, communication, and privacy, there is no clear “internet law” or “digital law.” Instead, we have different laws targeting different components of our digital worlds. Virtual worlds are a new frontier for legislation and regulatory oversight, leaving gaps in legal protections when we personally, our families or our companies engage in virtual worlds.  

Among the most crucial legal gray areas when users engage in the Metaverse include intellectual property rights and regulating virtual assets. Big questions yet to be answered – what happens if you win money through gambling or a lottery or get scammed? How do we authenticate identities, validate information, and track where it goes?  

Jurisdiction is just as much of a gray area – if a person logs on to a virtual world in one state or country, do the laws of their physical residence have domain over the activities they conduct?  

These questions may not have clear answers yet. Still, as more users engage with the Metaverse, there will be more demand for company-level policies and procedures that account for the lack of regulation and oversight of our engagement in virtual domains. Control what you can control.  

Ultimately, Oughton and Gamble emphasize that whether you are engaging in the Metaverse for professional or personal reasons, user conduct in a virtual world should mirror the ethics and standards applied for any physical or digital transactions you engage in. 

Grab a Headset, and Dive In 

Virtual technology and the Metaverse is evolving quickly, with recent public announcements and advancements in this technology. For example, in 2014, Facebook acquired Oculus VR for $2 billion, and in 2021 they launched a significant branding change from Facebook to Meta and announced their investment spending of over $10 billion into Metaverse development.  

There is a tremendous technological opportunity ahead with the Metaverse. Oughton and Gamble share that we do not know today enough about the power of the Metaverse and how commerce and society will change as it grows. The development and use of the Metaverse are developing faster than policies and procedures can be put in place.  

As risk practitioners, we must stay ahead of the threat by first inserting ourselves into the virtual domain, understanding the infrastructure, creating smart policies, and deploying protective measures for users.  

Start small. Start with a first step – learn the language, keep an open mind, and enter this new domain. Oughton shares that he started his understanding of the Metaverse by watching online videos and tutorials on how to access and engage, and it gave him new channels to connect with people who specialize in the Metaverse. Gamble adds practical advice for security practitioners to begin their Metaverse journey – to start with something fun and to explore an area that excites you in your personal life. We do not have to take on understanding this vast technology on day one, but maybe we can start with cooking classes or virtual hikes in remote destinations.  

While ultimately, the Metaverse is designed for fun, community, and engagement and to create a more connected world, any new technology will soon show gaps in its security posture, and bad actors will be able to filter in. The sooner security practitioners engage and understand the power of the Metaverse, the sooner we can apply new standards and practices to protect our companies, families, and assets from emerging threats while also harnessing the power of the Metaverse to enhance our day-to-day lives. 

For more information, contact:

Mary Gamble, Attorney at Gamble Legal PLLC (LinkedIn) 

Lee Oughton, CSMP, COO and Co-Founder at Fortress Risk Management (LinkedIn) 

Jon Harris, CPP, PSP, Senior Product Manager at HiveWatch

Susan Friedberg is the Director of Communications at Pronto.ai and Pollen Mobile and an ASIS Member. Reach her on LinkedIn

Deb Anderson, PSP, security administrator at MWI Direct, and Robert Achenbach, CSO and director corporate security and safety at First National Bank of Omaha, discuss preventing and minimizing workplace violence in a post-pandemic world. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Steve Somers, CPP, regional vice president at Garda World, discusses the advantages of being a security professional in both the public and private sectors. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

David Dodge, CPP, PCI, Founder and CEO at David Dodge and Associates, and Tim Sutton, CPP, PSP, Senior Security Consultant at Guidepost Solutions, LLC, discuss ASIS’ recently released Pre-Employment Background Screening and Vetting (PBSV) guideline. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Randy Spivey, the CEO and founder of the Center for Personal Protection & Safety, Inc., discusses the importance of training not just security professionals, but all employees in security protocol. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Kelly Murray, the associate director at CISA, discusses the best ways to secure chemical facilities, which can be popular targets for dangerous actors. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Susan Friedberg

Over the past two years, workers around the globe have reconstructed their workplaces, as driven by health guidelines to prevent the spread of COVID-19. Many employees are not back at the office and instead continue to work from home remotely or work hybridly, reporting to an office on a part-time basis. Regardless of where the employee works, the security policies and procedures that were in place when 100% of the workforce was in the office no longer apply to the current workforce.  

The GSX session, “Adapting Workplace Violence Strategies to Accommodate a Modern Flexible Workforce,” explored how workplace safety needs have changed and discussed how security leaders are now able to integrate learnings from the past two years to build new programs that protect employee and company safety. Even if employees are not in the physical office, employers are still responsible for providing a safe workplace.  

Presenters Deb Andersen, PSP (Security Administrator, Physical and Cyber Security at MWI Direct) and Robert Achenbach (CSO and Director, Corporate Security and Safety at First National Bank of Omaha) shared how the core principles of developing a security program have adapted and evolved to support a new, diverse, workforce. 

Leverage the Environment and Understand the Impact 

Access management is considered the first line of defense for protecting onsite workers and employees. Security providers must first consider: who are we responsible for and where do they operate? 

Classifying occupants and identifying the risks that come with where they report is a good place to start. Determine where employees sit – are they on or offsite, and depending on their seat, what sort of security privileges or access to physical assets or cyber information do they have? Does access to information and tools need to be different if they are in the office or working remotely?  

Look at how traffic has changed in and out of the office. Employees that are reporting to an office are decreasing in number, but they may not be the only ones accessing an office building. Security leaders must continue to prioritize all categories of occupant access and their associated inherent risks. Many offices share a building with other tenants, who may have varying degrees of access to the building. Additionally, vendors, technicians, and other support staff will still need intermittent access. Guests that come onsite, whether preplanned or not, need to be monitored, and if the office has public access, office security must also continue to consider unplanned arrivals.  

Understanding the Workplace Environment, Pre- and Post-Pandemic  

When employees were completely in the office, security teams had direct, physical access and the ability to monitor activity and engage in safety-related activities. Pre-pandemic, employers could directly communicate in the office via speaker systems, run onsite drills and emergency planning, and understand the flow of employee traffic via access controls.  

Today, those practices need to be adapted for the remote workforce; we may not always know where employees are seated, whether in their home office or elsewhere, but employers can continue to monitor the information they are accessing while remote. Security teams are also now considering societal stress levels that have become commonplace for remote employees, from social isolation, reduced resources, supply chain delays, and changed communication access to their teams, management, and leadership. Larger companies may have had the resources to provide a comfortable at-home workplace, but most employers needed to adapt existing resources to fit the needs of their teams.  

Ultimately, the most important prevention measure for mitigating workplace stress is to build trust within the workplace, provide open communication channels with key leaders, and have open and transparent policies. For example, new communication technologies available today can deploy mass notifications or provide secure communication channels via an employee’s phone. No worker needs to feel isolated in their own home – smart policies can continue to engage them and ensure they feel seen and heard.  

Changing the Training Environment for Onsite and At-Home 

As there is no longer a singular workplace, there is no longer a one-size-fits-all approach to safety training. Employers need to have a full view of who is on-site to protect them against workplace safety risks and to provide them with training and resources to respond safely or evacuate.  

For occupancy-related emergencies, onsite employees need to continue emergency response training, from locating first aid or fire extinguishers, knowing evacuation routes, and assigning and identifying team members who have a specialized role in emergency management, such as de-escalation or mental health emergency training.  

Offices with a force protection team may need to update their training based on how many people are in the office on a given day. New technologies, such as unmanned check-in or access points, or AI-driven identification cameras, can help establish occupancy and access and streamline response efforts. Force protection teams can continue to conduct site surveys and identify new operational vulnerabilities and any consequent gaps in employee training, policies, or security equipment. 

Communication is key for offsite workers, and employers can adopt new strategies to engage all employees. Hybrid workers who are not available onsite for training may need access to virtual simulations and office blueprints. Remote employees may benefit from internal newsletters with regular updates on security tips – from reminders about password management, clean desk policies, and any new information or policies they need to consider as they remain fully remote. In an emergency, remote workers can be relied upon for business continuity and should also understand how to support the company in the event of an emergency or event that would otherwise prevent their access and communication with leadership, management, and fellow employees. 

All departments of a company, from security, legal, HR, and leadership, must come together for a complete approach to reaching all employees, regardless of their location. Each team has its own line into company risks and vulnerabilities and has a department-level approach to incident response and post-event recovery. All parties and approaches need to be considered if the company is to take a converged approach to safety and policy enforcement. 

Holistic Security Brings Onsite, Offsite, and Hybrid Security Models Together 

Security leaders and employers create healthy, safe working environments when they continually test all aspects of their security program, share information, and adjust, adapt, plan, and execute. In return, security leaders and teams build better relationships, meet the expectations of the leadership, and get to keep a finger on the pulse of their organization’s vulnerabilities and needs. 

Our current and future workplace is supported through leadership and security partnership and transparency, with the objective to continually improve the organization’s security and posture while complying with workplace safety regulations and promoting a healthy and safe place to work. Remote work remains a new model, and regulators are now beginning to assess what standards need to be in place to protect offsite or remote workers, as employers remain responsible for their safety and well-being.  

New security elements being explored include ensuring employees have the tools to be successful and supported, from access to secure Wi-Fi networks, appropriate equipment, cybersecurity, and access control. But beyond the tools that an employee needs to complete their job, employers are now considering how their duty of care is evolving, and how to check in with employees to ensure their home workspaces are safe from domestic violence or unrest, that their workplace tools are secured against theft or damage, and if employees need access to new employee assistance programs or mental health resources to support their transition into a fully remote work environment.  

Today’s workplace is diverse and will continue to evolve, and security providers understand there will never be a silver bullet resource that addresses all elements of security, from protecting critical assets, information, and people. Workers around the globe have been able to enjoy the benefits of a remote or hybrid work model, and employers want to continue to provide this resource, but not at the expense of the company or their employees’ safety. By continually assessing the security landscape and taking advantage of innovative technologies, security providers and companies can support workers where they perform best and support continual operational health and growth. 

For more information, contact:  

Deb Andersen, PSP, Security Administrator, Physical and Cyber Security at MWI Direct (LinkedIn) 

Robert Achenbach, CSO and Director, Corporate Security and Safety at First National Bank of Omaha (LinkedIn) 

Susan Friedberg is the Director of Communications at Pronto.ai and Pollen Mobile and an ASIS Member. Reach her on LinkedIn.

Antoinette King, PSP, the founder of Credo Cyber Consulting LLC, discusses how security professionals can learn through failure. Watch her interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Mike Gips, CPP

At GSX 2022, I moderated a panel called Learning From Failure. Featuring renowned security practitioners Jeff Slotnick (Setracon), Antoinette King (Credo Cyber Consulting), and Ricky Davis (RICE Security and Consulting), the presenters shared some of the most painful failures in their career, but also explained how those letdowns became professional turning points or led them to wisdom and success they wouldn’t have obtained otherwise. We then offered guidance on how to turn failure to success.

Other industries welcome, even embrace, failure. Not security. Amazon founder Jeff Bezos famously blessed innovation through failure when he said, “If you are going to take bold bets, they’re going to be experiments. And if they’re experiments, you don’t know ahead of time if they’re going to work. Experiments are by their very nature prone to failure.”

Take Amazon’s delivery drones. It’s been at almost 10 years since Amazon promised them, but recent crashes in testing have delayed the rollout. Fortunately, the crashes have not caused any injuries.

News like that makes us security practitioners practically tremble at the word failure. We’ve been trained that no news is good news. When we think of failure, we often go to worst case scenarios: an active assailant that got past our officers; a background check that didn’t flag a fraud artist in our midst; a hack that cost the company invaluable proprietary information and incalculable reputational loss. Or a delivery drone injuring a child.

Our panel emphasized that we don’t have to think about success and failure as all or none. Obviously, we don’t want to fail when the stakes are high—a TSA officer failing to detect explosives that take down a plane is obviously unacceptable—but as long as we limit the potential consequences, failure can be our friend. In fact, it could lift us up to greater levels than we would have reached otherwise. After all, Amazon’s drone crashes have been occurring during testing. That’s the time to fail, so their drones can soar higher, metaphorically, at least.

In our session, Jeff shared a profound learning experience from his days stationed in the U.S. Army in Europe. He was tasked with writing a nuclear spill response plan for an Army civilian military engineer, which he labored on over an IBM Selectric typewriter. Two days after he turned it in, the civilian called Jeff into his office and handed him the document—which was “bleeding green from his felt-tip marker,” Jeff recalls. “I threw the report on his desk and said, ‘If you think you can do it better, then you do it,’ and I turned to leave. He called me back in a tone I was not used to hearing from a civilian and read me the Riot Act.”

By swallowing his pride, Jeff transformed his career and life. “The skills he taught me in writing, management, and leadership have lasted a lifetime,” Jeff says, starting with three Army promotions. He uses those skills today to write standards, prepare reports, mentor executives, and lead teams. Best of all, decades later he remains friends with his one-time nemesis.

Antoinette’s failure came from the opposite problem: not having enough confidence. She told the audience about her entry into the security field as an installation technician. “Unbeknownst to me, it was highly unusual for a woman to be a technician pulling cable, installing devices, and building head ends,” she says. As the only woman on a typical job, she would blend in or try to become invisible. “For the next several years I did everything in my power not to be seen. This resulted in many missed opportunities.” She eventually realized that her differences made her valuable, and today she spends time mentoring women in technology and ensuring that they don’t minimize themselves like she did.

Probably the most inspirational parts of the session occurred when we invited audience members to share their stories of failure—whether they led to redemption or not. One attendee related how he had recently been turned down for a prestigious credential, but the feedback he received in the process showed him that he needed to evolve from an operational to strategic mindset. 

Ricky, Antoinette, and Jeff then discussed how to grow from setbacks, such as by acknowledging failure, accepting responsibility, pausing and reflecting, seeking advice and criticism, extracting lessons, keeping perspective, making incremental changes, staying positive, and taking care of yourself. They then turned toward a more clinical approach to overcoming failure, exploring topics such as process inadequacy, task challenge, process complexity, and hypothesis testing. 

Today’s security professionals are risk managers. Though we manage risk and usually don’t try to eliminate it, risk gives us anxiety. But we also know there is no reward without risk. So how do we adjust our risk tolerance to accept failure?

Akshay Bhargava, Chief Product Officer at Malwarebytes, developed a philosophy called Failing Toward Zero, and it can work for security professionals of all types. He writes that “Failing toward zero is a state in which each security incident leads to a successive reduction in future incidences of the same type.” In corporate security, this may mean reducing the number of tailgating incidents, security policy violations, or incidences of theft successively over time. It involves identifying the source or cause of the failure and remediating it, iteratively improving security and yielding better results. But be careful not to focus on the results alone. Sometimes good processes yield bad results and bad processes yield good results. It’s improving the process that’s key. In short, test, tweak, and test again.

Michael Gips, JD, CPP, CSyP, CAE, is the Principal of Global Insights in Professional Security, a consultancy focusing on security thought leadership, content, strategy, research, insights, and influence within the profession. Reach him on LinkedIn.