There are six questions that are always asked in post-incident reports. If we can answer these questions in post-incident reports, why can’t we answer them while an at-risk individual is progressing up his or her pathway to violence?

At 2 PM ET on Wednesday 29 September, Jason Destein and Rick Shaw will present on the Six Fundamental Questions That Identify At-Risk Individuals on Their Pathway to Violence. They will discuss the pathway to violence and examine the stages where the warning signs exist and what methods are available to discover a pathway to prevention.

Destein and Shaw join ASIS TV host Chuck Harold to discuss this topic. Register for an All-Access pass to attend this session digitally or in-person.

While monitoring for root causes of insider risk and addressing precipitating events in the insider-threat kill chain are established best practices, political extremism represents a unique challenge. On one hand, employee extremism can threaten the organization’s workforce, brand, and reputation and may result in significant financial loss. On the other hand, organizations must consider legal issues, free speech rights, privacy interests, employee morale, and workplace culture.

While not easy, determination of a “comfort zone” between these competing factors, tripwires, and response plan must be done in advance. Using case studies as illustrations, presenters of the Political Extremism and Insider Threat Early Warning session at GSX 2021 will outline a formula for dealing with political extremism and insider risk decision-making, with pointers on tailoring these strategies for specific organizational types. 

Presenter Elsine Van Os, CEO, Signpost Six, joins ASIS TV host Chuck Harold to discuss this delicate topic. Register for an All-Access pass to attend this session digitally or in-person when it takes place at 2 pm ET on Monday 27 September.

By Amit Samani

Across the world, drone regulations are being passed, aimed at supporting the productive use of drones in our society and leading to the inevitable increase in the number of drones in our skies. Airspace security is becoming a wide-scale, cooperative effort, with capabilities like Remote ID being launched globally to monitor cooperative drone activity. By applying smart airspace security intelligence and insights, security teams can identify the compliant drones while exposing unauthorized or hostile drones.

Preparing for & Mitigating Against Drone Threats

How should security teams react when an unauthorized drone enters protected airspace? Key to the success of a smart airspace security program is developing proactive response protocols in the event of a drone incursion. 

Before developing airspace security standard operating procedures (SOPs), security teams must first uncover patterns in their drone activity and answer the following questions:

• How many drones are in my airspace?
• What time of day, and on which days, are drones appearing?
• What kinds of drones are being flown?
• What are the most common areas for drone activity? 

Using these questions as a guide, security teams can use airspace security intelligence and insights to advance their response protocols before, during, and after a drone incursion.

Before the incursion:

• Practice with your security team: Airspace security programs should begin under ideal, “blue sky” conditions
• Engage local law enforcement: Work with local law enforcement to determine the information they require to approach and apprehend an unauthorized drone pilot

During the incursion:

• Respond to automated alerts: Alarms are triggered as soon as a drone is detected
• Deploy security team to follow drone, and approach or apprehend pilot: By using flightpath information and localization of the drone, security teams can efficiently collect the evidence needed to locate a pilot
• Protect assets with passive countermeasures: This can include lowering blinds, monitoring WiFi networks, leading people away from exposed areas, or halting operations
• Alert local law enforcement: Local law enforcement can deploy additional resources to apprehend drone pilots

After the incursion:

• Build a threat profile: Summaries of drone activity, provide information such as most frequent times and days drones appear and drone hotspots
• Update security procedures: It may be that drones are appearing during shift changes, shipping/receiving, or concurrent with significant events at the site, such as game days or executive meetings
• Post “No-Fly-Zone” signage: Aerial trespassers will think twice with awareness of the risks they take when flying in your airspace

Prevent Losses with Results-Driven, Smart Airspace Security Programs

The consequences of drone incursions can be costly, from operational downtime to physical property damage and even data breach. Installing and launching a smart security program will deliver complete airspace situational awareness. A philosophy of develop, test, and enhance is essential for security teams and must be considered adjacent to the technology investment. 

Amit Samani is the Vice President of UK and Americas for Dedrone. Join Amit at GSX Learning Session, “Achieving Complete Airspace Security Amid Loosening Drone Usage Regulations and Emerging Threats” on 29 September at 11:30-12:30 PM ET, located the Offensive Strategies: Preparing for an Attack Theater. Meet the Dedrone team at Booth #2114.

Thank goodness companies have IT security specialists to protect those vital business systems that are the target of so many sophisticated hacker attacks. Sure, physical security professionals have to protect some systems, such as business controls or other less sensitive systems.

The thing is, those business control and security systems are increasingly tied to each other and other business systems. And the business control and security systems can be the easiest for hackers to attack and exploit. Uh oh.

The learning sessions at GSX 2021 will feature theaters carrying themes where like sessions are grouped. Kicking off the Offensive Strategies theater at 10 a.m. EDT on Monday, 27 September, Coleman Wolf, CPP, will lead a session on “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems.” In the session, Wolf will give participants knowledge and strategies to try to prevent the “uh oh” from ever happening.

This session and all other Offensive Strategies Learning Theater sessions will be available in-person at GSX and livestreamed to all digital attendees. Register now for an All-Access Pass so you don’t miss it!

Wolf is a 25-year security management and security engineer veteran, currently serving as senior security consultant at ESD Global, Inc. The GSX Blog caught up with Wolf to gain insight on the issue of the vulnerabilities of business control systems.

What are the vulnerabilities of these systems and why should people care?

Building control systems were not traditionally built with security of the system in mind. They were self-contained systems, nearly impervious to external access—it would take physical breach to compromise them. That’s all changed. More and more, these systems are connected to each other and to other systems, becoming part of the larger IT infrastructure. A lot of people will build a connection between a building control or operational control system and, for example, a remote access IT system, but they would build this connection without first really thinking through the security ramifications of that.

One of the reasons is because the building controls were not seen as highly valuable targets. Maybe someone gets in and gains access to turn the lights off. Annoying sure, but it’s not worth expending a ton of resources to stop a practical joker when the resources could be used to fortify actually mission critical systems. One of the things we’re going to spend some time on in the session is how wrong this perception is. Not only can they be an access point to do additional damage, a hacked building control system can cause serious harm to a company.

If these systems are becoming more vulnerable, why not just revert to more self-contained, unconnected systems? What are the advantages to the interconnected trends you describe?

The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with there being a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations and you want to monitor them from a central location.

In addition to the functional reasons, companies realized that they can use information from these systems to improve. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using intelligence from a variety of systems, and make strategic decisions. An example that relies heavily on building control data might be operating at peak energy efficiency—the savings to a company with a large footprint could be significant.

What do you say to a physical security professional who sees it as IT’s job to secure building control and security systems from cyber attacks?

Everyone in the session will leave with a good understanding of the differences between operational technology and systems and information technology and systems. Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested in facilities, not IT. The operations folks didn’t want to be burdened by IT controls. Similarly, IT folks recognized that these systems were different animals, and they didn’t want the responsibility of securing systems that sat outside the traditional IT framework and thus did not have various IT protections and protocols built into it. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.

I’m the physical security professional and one of the operational technology systems under my purview is hit successfully with an attack. What do I need to be thinking about?

There are two fronts. You’re going to be pressured first and foremost to resume operations ASAP. That’s somewhat at odds with the other front, which is forensics to identify what the cause is and, in the case of something like ransomware, you’ve got complex political calculations to make: Do you pay the ransom and hope that your operations will return to normal? Do you pay the ransom and hope that other malware other bad actors won’t try to hold you for ransom again? A lot of companies are finding it might be more prudent to go ahead and pay that ransom because the compromised system is crippling operations.

So those are the two primary things you will have to deal with. In the best situation you’ve got a business resumption, emergency response plan for cyber incidents. Some companies will incorporate this into a comprehensive business continuity plan.

In a lot of ways, you’re talking about a different approach or mindset. How do you get people responsible for building controls and people responsible for IT security to speak the same language?

In traditional IT and cybersecurity approaches, you look at what they call the CIA triad, which stands for confidentiality, integrity, and availability. Those are the elements that need to be addressed. When you look at these building controls and operational controls systems, you have to add something to that mix. You have to add safety. If these systems are compromised, it’s not just the business aspects you have to worry about, you have to add the health, safety, and well-being of anyone—staff, customers, the public—who might be in an environment that is affected by one of the compromised systems. Going back to the attitude that hacking a building control is akin to perpetrating a practical joke—turning the lights off. The breaches can be very serious in any number of ways.

And finally, I’m hoping to do a bit of a demonstration. A demonstration that will show just how easy it is to identify, locate, and access some of these systems—and discuss what people need to about the vulnerabilities.

By Luann Edwards

Security professionals: You might not realize this, but you have a superpower. It helps you predict the future, enhance physical security, and generate return on investment. It’s your data, and with it you can demonstrate and deliver measurable value for your organization.

At GSX+ on Wednesday 23 September, Louis Boulgarides of Ollivier Corporation and Jonathan Moore of AMAG Technology presented The real story of how analytics affect physical security. This session looked at security systems data, the capabilities of new analytics technology, and how insights from these can deliver organizational ROI. (If you missed the session, you can watch it on demand here until December 31^st.)

“Data analytics take sources from multiple systems in the organization and analyzes behavior and other trends to yield important information.”

Moore set the stage by outlining the sources of data that exist within the security function:  access control, video surveillance, alarm management, and incident management systems are just a few. Analytics have grown increasingly sophisticated in this space. They give today’s security professional the ability to analyze the past, predict the future, and help you identify ways to solve problems you might not have realized even existed.

“Security tech is helping educate the larger business on how to analyze and become more proactive for better decision making,” shared Kristin Lennardson, protective intelligence programs with the Association of International Risk Intelligence Professionals.

As I attended this session, two important themes became clear: Security systems data can paint a complete picture that benefits the entire organization. And, it is critical that you build relationships with leaders across departments to understand their needs and challenges to identify where your own data can help.

Consider this hypothetical scenario: You’re in a Zoom meeting with your counterparts from across the organization, and you note that more employees are entering your building each week per data from your building access system. Your facilities management team takes this information to identify where they need to increase cleaning protocols in high-traffic areas due to COVID-19. Your IT colleagues can factor this in as they ensure that their cyber security efforts and connectivity levels align with the number of remote workers versus those in-house. And if an employee is accessing the building at times that are outside of his normal routine, it might give human resources an indication that he’s considering leaving the company. One data insight, multiple applications.

Not surprisingly, the information that your colleagues can share with you can inform your own program. With strong relationships and communication across departments, you can understand your colleagues’ unique challenges and motivations and create real value through aggregated data. This shift changes the view of the security function from one of overhead to that of a strategic partner. The speakers outlined the likely needs of key players in an organization to help you visualize how this collaboration might look.

One of the greatest opportunities for security technology and data is presented through this “new normal” of COVID-19, as Boulgarides explained. Security professionals are now creating “security, safety and health programs – the scope has broadened a great deal.”

Social distancing, monitoring the number of people in a location, contact tracing, and assessing mask-wearing compliance tend to be manual tasks, but those with the technology in place will be able to automate some of those activities. Think about a turnstyle or an access control system that can also count how many people enter or exit.

“Security is still viewed as a grudge purchase, especially in the economic times like we find ourselves in now.” Edward Baes, head of security consulting at BUROHAPPOLD, shared with ASIS recently.

When security systems provide data that saves an organization money and automates processes in addition to its security objectives, the value is right there in the analytics.

Luann Edwards is a social media marketing consultant and blogger. She is the founder of Socially Professional, a social media marketing consultancy, based in Providence, Rhode Island, USA.

by Randall Rosenbaum, Executive Director, Rhode Island State Council on the Arts

I’m the director of the Rhode Island State Council on the Arts, and as such, the director of public art for the State of Rhode Island. In September, I “attended” a Global Security Exchange Plus (GSX+) virtual presentation by Art Hushen, the President of the National Institute of Crime Prevention in Tampa, FL. Art was going to talk about “Corporate and Public Art as a CPTED Strategy”.

Since my degree is in music education I had to first discover what CPTED stood for, what it meant, and how public art applied to Crime Prevention Through Environmental Design.

Art did a masterful job connecting the dots for me as an arts professional and advocate for public art in our community. We advocate for public art as a way to enhance and enliven a community, and so does Art. What Art adds to the conversation are all the arguments that we should be using in convincing people to support the inclusion of art – in all its forms – into and around their buildings and communities. As budgets grow tighter, the resistance to art increases. The added benefits of art, as explained by Mr. Hushen, may help those who don’t entirely “get” art, and may not be enthusiastic about spending money from their budget to commission work.

I understand the concept of “Territorial Reinforcement” (although never by that name), and how art can and should be a reflection of the community in which it resides. I never in a million years would have thought about “Natural Surveillance” as a benefit of public art, and the way that art, strategically placed, can help focus people’s attention so that it focuses attention – even of passersby – and helps promote a safe environment.

I was particularly taken with Art’s examples of work that helps extend the footprint and designate entrances to buildings (“Celebrated Entryways” and “Focal Points”) while at the same time promoting a safe and secure environment. And his examples of the placement of human-like sculptural pieces and murals that mimic an apartment house façade with people looking out the windows, all designed to discourage “bad behavior” from unruly folks, was particularly enlightening. It made me long for statistics that measure the decline in police activity around areas where such artwork is located.

I came away from Art’s presentation with a new vocabulary to use in my work, one borrowed from a field that is highly respected and different from the fields in which I operate. I can’t wait to employ this language in my next meeting with a potential public art client.

Much has been made of generational differences and their effects on the workplace. Few generations have not found fault with those who came before or followed after, but the acceleration of technology and services has forced many organizations to contend quickly with the need to recruit and retain a digital native workforce. Security is no exception.

Here, Security Management connected with Angela J. Osborne, PCI, PSP, regional director for Guidepost Solutions and an advisor to the ASIS Young Professionals Community, to discuss multigenerational management and how recruiting a diverse workforce can benefit security departments and organizations—as well as some pitfalls to avoid.

Want to learn more about this issue? Hear more from Osborne, plus Jairo Borja and Michael Brzozowski, in their session How to Recruit and Retain Gen Z in Security Organizations on Monday, 21 September, at GSX+.

Security Management. How does having multigenerational talent—Generation Z in particular—bring value to an organization?

Angela Osborne. Having multigenerational talent in security departments is highly useful as we bring distinct perspectives based on our shared experiences as members of different generations. Our baby boomer colleagues often bring institutional memory, experience in working in the field, and an understanding in how to get things done within an organization.  These individuals often know where the landmines are placed and the past interactions with different departments and stakeholders.

Gen X is a bridge between baby boomers and millennials, and GenXers often have the ability to translate baby boomer expectations and explain the rationale behind the department’s structure, the method of working, and the means to navigate the entity.

For millennials, they bring a diversity of live experience, savviness with technology, and understanding of perceptions on how security guidance can be understood by millennials and Generation Z colleagues. Gen Z, in particular, is known for its openness, focus on practicality and fiscal responsibility, and digital nativism.

A strong team will focus on having representatives across these groups due to the fact that our organizations and client bases are made up of these different groups.  In security, much of our work is on training and awareness, gaining compliance on security protocols, and achieving buy-in to security culture. We need to present guidance and plans for our organizations by considering these distinct groups, keeping in mind that people are individuals, and we cannot assume things about people solely based on their generational range as well.

Security Management. What strategies have you seen succeed in attracting and retaining multigenerational talent?

Angela Osborne. Often in the security field, recruitment takes place based on people’s professional networks, as our work focuses on trust and integrity. The challenge with this is that we are limiting ourselves to our own pool of contacts. We will tend to attract people like ourselves with similar backgrounds and life experiences. Here are three best strategies that I have seen:

• Reach out to college and university career centers. Universities often have career posting pages to allow potential employers to promote new positions for recent graduates.
• Consider engaging interns. It is important to reach out to Gen Z early for internships as well. From personal experience, I joined the Archer Daniels Midland Corporate security team as an intern when I was in college.  It had a tremendous impact on my life.  Prior to this, I did not realize the diverse careers in private sector security.  We have to get the word out about the careers in our sector to attract key talent.  We want to identify people early in their careers.
• Engage the ASIS Communities and LinkedIn. I recommend reaching out to the ASIS Young Professionals Community leadership and posting about positions in Communities and on LinkedIn.
• Connect with high performers and ask for recommendations. It is a good idea to talk with high performers from the security department and from other departments to identify potential candidates.
• Place new joiners with supportive managers. The next recommendation is to match up the new joiner with a supportive manager. Studies show that people, particularly Gen Y and Gen Z, leave jobs because of bad managers. This is a critical element, and a check-in process must take place with both the manager and the new employee.

Security Management. How can a security leader successfully manage someone transitioning into or beginning their career in security?  

Angela Osborne. First and foremost, it is important to be clear about expectations. People transitioning into this field need to know what is expected of them, and I try to put these expectations in very clear terms for people.

The next step that goes hand-in-hand with clear expectations is to communicate continually, and don’t assume people will interpret your tasks and direction in the way that you would. We have to maintain open lines of communication, so if people have questions, we can address them early on in the process. The communication should take the form of phone calls or virtual meetings, email, and messaging to cover the bases.

As an example, when I first joined TAQA in the UAE, I reported to a manager based in The Netherlands. Our communication was all virtual for my first summer. This person was very engaged in ISO terminology and put everything in terms of ISO. He asked me to submit a deliverable plan. I submitted a list of goals in the SMART format in order to meet this requirement. We had a very circular conversation after this list, and I realized that we were not speaking the same language. He was looking for me to put my content in MS Project and to use ISO terminology. Once we clarified the terminology, we were able to work together in a more productive manner.

We also have to recognize that among generations we are likely to see things differently based on our life experiences. We should be able to express ourselves but to be mindful that not everyone will agree with us and some topics are not appropriate or productive for the workplace. I encourage teams to avoid discussing politics, religion, and controversial topics in the workplace. We should focus on our entity and department values and use these to guide our interactions. Our societies have a number of exceedingly divisive issues, but our teams must be able to function effectively without alienating people. This is why training and awareness on diversity and inclusion is needed.

We also cannot make assumptions that people joining an entity for the first time or joining a security department for the first time have the same understanding of ethical responsibilities—for instance reporting improprieties. We must stress the importance of acting in ethical manners and reporting concerns, and this should be communicated not just to full-time employees but also contractors and part-time employees. Security departments depend on their reputations, and the team members must hold each other to a higher standard to maintain stakeholder trust.