Don’t you love it when a plan comes together?

When facing myriad evolving risks, security managers are forced to make tough choices on the fly. However, by having a strategic or master plan in place ahead of a crisis, professionals can manage risk and reduce the potentially overwhelming effects of incident response while improving buy-in and support.

In this short interview, Bernard Scaglione, founder and principal at The Secure Hospital, shared some of the key points of strategic security management planning with Security Management.
Want to learn more about this topic? Check out Scaglione’s GSX+ session, Strategic Planning: Managing the Chaos, Not Reacting to It, available on-demand 21–25 September at GSX+.

Security Management: What is the value of a strategic or master plan in a security management program?

Bernard Scaglione: A strategic plan helps security management define direction and focus organizational resources. Strategic planning is the process of documenting and establishing the direction of the organization by assessing its current state comparing it to the future state. It provides strategic direction and goals so that the security department can function with more efficiency and effectiveness. It allows for C-suite buy-in so that the security department can continue to grow and develop.

What are three common mistakes or pitfalls when developing a strategic plan?

Many people think that creating a strategic plan is an easy process, taking very little time or effort to create. In reality, the opposite is true. Creating a strategic plan takes dedicated resources and personnel to complete. It is a team approach, requiring the input of administration and key stakeholders. The good news is: it will pay off in dividends once implemented.

Many also feel that once the plan is complete, the work is done. The plan then ends up on a shelf—only referenced when purchasing equipment or requesting more staff. In reality, the plan is an active and changing document that needs to be reviewed annually or when a significant event occurs within the organization.

Developing a strategic plan is data-centric, requiring the gathering and analysis of large amounts of data to help in the proper development of strategic goals. This part of the strategic plan process is not always completed because of its complexity. It is important as part of the creative process to gather at least one full year of data and analyze it to determine trends and patterns. Done correctly, a minimum of two years of data should be gathered so that the developed patterns or trends are statistically significant and point the security department in the right direction.

How can a strategic plan help reinforce organizational resiliency?

Strategic planning helps to identify all potential threats and risks within the organization and provides a path to minimize those risks. It also allows the security department to change or shift gears when an adverse event occurs. Enabling the security department to quickly and efficiently adjust to changes within the organization. The plan lays out an operational structure designed to minimize threats and provides a plan to respond to those risks.

What else should GSX+ attendees look forward to learning in your session?

Strategic plans are not commonly used in the security field but are a useful tool in providing direction and growth. ASIS members should strongly consider viewing this session to learn more about strategic planning to see if it is something that would assist them in creating a more effective security operation.

By Eddie Sorrells, CPP, PCI, PSP

At this point it seems beyond banal, and painfully obvious, to state that 2020 has been a time of unprecedented change in our society. Remote work, virtual school, and that often fleeting hope that tomorrow, or possibly next week, …ok maybe next month…. things will get back to normal. Like most, I viewed the situation we are currently in much differently in March than I do now. Back then when someone would raise the prospect of still “doing this” in the fall, let alone winter, I scoffed. “Of course, things will be back to normal by then” I declared when faced by the prospect of cancelling an industry event, customer meeting, or family vacation. I was motivated only by a desire to get back to business as usual. But here we are still dealing with change and grappling with ways to still do the things that are important. But when it comes to our industry, instead of bemoaning all the routines of life that have been upended, let’s take a moment and spotlight the things that haven’t changed for the security professional.

The Need for Continuing Education

The beginning of 2020 ushered in a renewed call for security professionals to expand their knowledge base in many different areas. Security technology is advancing at a rapid rate, while threats are evolving just as quickly. And this was pre pandemic! Security professionals in early 2020 were in need of cutting-edge information related to best practices, recognized security standards, and ways to mitigate threats that change almost daily. Has this changed considering what we have gone through the past few months? Only in one very important way—now the need is greater! While the delivery method is different, and the dynamic of learning in itself has shifted in many ways, now is the time to run towards continuing education and best practices. Regardless of where you find yourself in your career, whether you are a CSO or in an entry level position, there is no greater strategic value for anyone working in security than continuing education. If we have learned nothing as security professionals in uncertain times it is to arm ourselves with information about what we are going through now, and what the future holds.

The Need for Networking and Mentorship

OK, let’s state the obvious from the outset: it is hard to match the value and benefit of in-person networking. But because of the times we are living in, this of course presents many challenges. So, do we place this aside until things get back to normal? I do not believe we can afford that kind of delay. Just as with continuing education, the need to freely exchange ideas, challenges, and potential solutions has never been more critical. Associations and networking events have taught me one critical lesson, even as I approach 30 years in the industry: I need mentoring at every stage of my career. The day that I decide I have nothing left to learn from an educational session, a talk with colleague, or friendly advice from someone who has walked where I am heading, is the day I shall realize it is time to do something else . The need for networking and mentorship never goes away, it just grows stronger.

So, have things changed in 2020? Of course, they have. But as we enter the final phase of this unique year in our history let us concentrate on what has not changed! Our industry is poised for bigger, better, and greater things than ever before. But we must continue to invest in ourselves, our peers, and our profession If we truly hope to reap the benefits for years to come. I look forward to taking another such step on my journey at GSX+.

Eddie Sorrells, CPP, PCI, PSP is chief operating officer and general counsel at DSI Security Services. Sorrells has two sessions at GSX+ this year: The Role of Off-Duty Police in Disaster Planning and Recovery and COVID-19-Related Emerging Lawsuits and Liability Issues.

By Claire Meyer, managing editor, Security Management

Insider threats have long been an issue of concern for security professionals. Whether they are acting unwittingly or maliciously, employees, contractors, and other insiders can put intellectual property, data, assets, and other people at risk. Now, with workforces worldwide shifting to remote work due to the coronavirus pandemic, security leaders are shifting gears to focus on how to monitor for threats when employees are out of sight.

For an update on this topic, Security Management magazine checked in with Val LeTellier, chair of the Insider Threat Committee at the ASIS Defense and Intelligence Council and author of How to Create an Insider Threat Early Warning System for a Remote Workforce from Security Management’s May 2020 issue. LeTellier will be presenting on this topic on Thursday, 24 September at GSX+, along with operational psychologist Dr. Malique Carr and corporate security senior strategist Scott Stewart.
Read more about the upcoming session here, and learn more about GSX+ here.

Security Management: How do remote workers create unique risk to the organization?

Val LeTellier: Put simply, remote workers create unique insider risk because an organization has far less control over the workplace environment and far less observation of employee behavior.

Control is important because insider risk countermeasures can be reinforced far more easily when workers are on-site. Within their own office, an organization can ensure that specific information technology infrastructures are used, that data and material is handled and stored in a certain way, and that the physical environment enables other security practices and policies. Outside their own office, the organization loses standardization and control and must take on the challenge of instituting, monitoring, and enforcing security measures within each employee’s different environment.

Beyond the physical reinforcement of security measures, the traditional workplace includes more nuanced value—in the form of social and group cohesion. This is important because in all workforces, the building of authentic relationships between workers creates a satisfying bond between employee, manager, and the organization. While beneficial to job satisfaction, morale, and productivity, this bond also strengthens organizational resiliency to insider attacks because cohesive groups have higher levels of trust and emotional unity and tend to look out for each other. Conversely, a lack of organizational cohesion can create or exacerbate negative issues, increase stress, and prevent timely responses to suspicious or disruptive behavior.

The second way in which remote workers create a unique risk is by the degraded level of organizational observation. This is important because independent behavioral assessment has traditionally been a leading way in which malicious behavior identified. Specifically, fellow employees and managers have played a large role in identifying threats.

With remote workers, this early warning resource is limited to email, conference calls, and occasional meetings, which can fail to provide enough exposure to for others to identify early indicators of problems. This is best illustrated in by the path an employee takes along the “insider kill chain.” With on-site employees, this process occurs is largely under a leader’s oversight, and those close to a potential attacker may recognize and report behavioral changes. With off-site employees, all bets are off.

The value of observation is even more relevant when the impetus for the accelerated remote work movement—the COVID-19 pandemic—is considered. Insiders are often driven forward by critical events, and the world is in the middle of a generational critical event. The related financial, emotional, health, and co-habitation anxiety brought on by the pandemic will naturally move some susceptible insider personalities to action either on their own or through outside manipulation. Without the daily in-person engagement of the traditional workplace, early indicators will be more difficult to spot.

Taken together, the expansive recent growth of remote work has created a new paradigm in which traditional insider risk countermeasures are degraded while the factors leading to insider action are simultaneously exacerbated.

Security Management: What else will security professionals learn about this topic in your GSX+ session?

Val LeTellier: By nature, insider risk programs for both on- and off-site workers are unique for each organization. They must be tailored to the organization’s risk profile, goals, strategy, resources, and culture.

Thus, the intention is not to provide participants a remote workplace insider threat checklist but to equip them with an understanding of the paradigm shift that is created by the remote work movement and highlight the window of opportunity they have to strengthen programs before temporary changes become permanent.

Using the remote workplace perspective, we then have an operational psychologist review the personality types known for different insider attacks, their common characteristics, and common precipitating events.

Based upon this, we together offer considerations for developing remote workplace strategy and tactics. Understanding that funding for insider threat programs is limited, these practical recommendations focus limited resources on the most relevant and impactful insider risk, with results that will not only improve insider resiliency but also overall morale and productivity.

TorchStone’s David Niccolini, executive vice president and co-founder, and Scott Stewart, vice president, describe insights security leaders can take away from their pandemic experiences.

1. The need for scenario-based planning

   Tabletop exercises or “blue sky” sessions before a crisis hits are extremely useful in helping company leadership develop an understanding of probable and possible crises. This type of scenario-based planning can help prevent what the 9/11 commission called “a failure of imagination.”

2. The importance of contingency plans to build resilience

   Based on your scenario-based planning, company leadership must develop contingency plans. While contingency planning cannot provide you with the exact solution for every possible crisis that might occur, the planning process will force leadership to think through and plan out issues such as communication, corporate priorities, and potential emergency actions. While no one could have precisely predicted how COVID-19 would unfold, in the wake of SARS and MERS, many companies did develop plans for a potential global pandemic, and when COVID-19 hit, they were much better prepared to face it than companies without plans.

3. The need for flexibility

   Since it is very unlikely that a crisis will play out exactly as your contingency plan anticipates, a great deal of flexibility is needed during a crisis and plans must be adjusted to account for unknowns. If you attempt to follow a plan too rigidly, you can develop tunnel vision and your response will become fragile and prone to shatter. Thus, plans should be viewed as guidelines that provide general direction and guard rails, not an exact recipe for success. However, the need for flexibility does not mean that planning can be abandoned altogether, attempting to build a plan reactively during a crisis will often lead to failures or perhaps disaster.

4. There are business opportunities during a crisis

   While many companies will suffer during a crisis event, there are always business opportunities available to those in a position to capitalize upon them. Companies who have items 1-3 above will be able to move more rapidly from “crisis mode” to “maintenance of a crisis,” which are two very different things. Once a company reaches maintenance point, they will be able to recognize and seize upon real opportunities that present themselves. This provides a distinct advantage over competitors who remain in crisis mode.

5. The need to prepare for the next crisis

   Moving into maintenance mode also allows you to begin to look for – and plan for – the next crisis – and as we’ve learned in the post 9/11 world, the next crisis is coming. For example, at the present time many people are laser focused on the challenges that the COVID-19 crisis is presenting; and with good reason, as these are unprecedented and challenging times. However, we believe that a myopic focus on COVID-19 is preventing some from preparing for the very real possibility of a crisis caused by significant civil unrest in the U.S. (and elsewhere) in the coming months.

At this year’s GSX+, Stewart will present on Insider Threats in a Borderless Work Environment. Stewart is also a contributor to Security Management magazine, including an online exclusive Q&A earlier this year on Security’s Role During a Pandemic Response.

Never before has the security profession been so tested. From COVID-19 to global threats, the challenges are adding up. The GSX+ education lineup, announced 15 July, is designed to give you a voice and the opportunity to stay current on the latest topics affecting the global security profession. Plus, each session will offer a real-time Q&A chat feature to further the conversation with your fellow attendees and session speakers.

What’s more, All-Access attendees can earn up to 25 CPEs toward their recertification and will be able to access on-demand recordings of GSX+ sessions through 31 December.

Take a sneak peek of eight sessions waiting for you at GSX+ this 21-25 September:

• How Today’s Drones Affect Privacy and Security

  The increased use of drones in the workplace and in law enforcement increases privacy concerns and the complexity of security environments. Understanding the basics of drone regulation is imperative when planning an appropriate response to the current threats posed by drones.

• Influencing the C-Suite for Security Program Success

  Often the biggest obstacle to launching a security program is getting final approval from the C-suite. Explore how to develop business case objectives for any security project, discuss the key items that should be included, and define how a cost-benefit analysis will help support the business case.

• Managing Stress During a Crisis

  Emotional intelligence is at the heart of crisis management, including managing an individual’s emotions and stresses. Combining technical expertise with these soft components is the key to sustainable resilience for both a corporation and its employees.

• Why the Security Industry Needs Women Leaders

  The security industry can build on the research and strategies used by others when making hiring decisions that make good business sense. A dedicated diversity and inclusion program in the workplace leads to a healthy and rich balance of voices and better outcomes.

• People Risk Management: A New Paradigm

  Companies around the globe have sophisticated risk management programs for financial, information, travel, and supply chain risks. However, a similar risk management program rarely exists for an organization’s most important asset: its people.

• The Business of Security Is the Strategy of the Business

  A quality risk assessment is a fundamental component of enterprise security risk management. Learn to analyze whether uncertainty is within acceptable boundaries of your organization’s capacity to manage it.

• Visitor Management in a Healthcare Environment

  Healthcare institutions are realizing that the opportunity to prevent violence starts with managing who enters the facility. Consider the case study of how one large academic healthcare institution accomplished this.

• Why a Cybersecurity Crisis Management Plan is Vital to an Organization’s Survival

  Understanding the difference between cyber crisis management and security-incident response is a critical component of an organization’s survival. Your senior executive team must be prepared and trained to respond quickly to crisis-level attacks. Are they ready?

By Susan Friedberg, ASIS Guest Drone Blogger
Communications Manager, Dedrone
[email protected]

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Infrastructure Security Division has established a strategic partnership approach to securing the nation’s critical infrastructure. Brian Harrell, the Assistant Director for Infrastructure Security, discussed at GSX 2019 CISA’s specific collaborative efforts with industry and community partners, and how their organization helps secure critical infrastructure and civilians.

Among the top national security threats posed today in the U.S., according to Harrell, is the rise of unwanted or hostile drones in the airspace. Drones, when in the wrong hands, are interrupting operations at military bases, airports and correctional facilities, and threatening the safety and security of public events, such as those at stadiums and festivals.

The issue of unwanted drones will only continue to escalate, and according to Harrell, “Unmanned aircraft systems do not represent an emerging threat, but rather, an imminent threat, given their retail availability here in the United States.” In the U.S. and abroad, drones have interrupted operations at airports, such as Newark and Gatwick, at correctional facilities and stadiums, and critical infrastructure such as pipelines managed by Saudi Aramco. The U.S. Federal Aviation Administration (FAA) announced at GSX that the agency has registered five times more drones (more than 1.5 million) in just four years, than all the commercial aircraft that have been registered up to now (300,000) in the history of the agency. As more drones enter the international airspace, regulations and policies must also follow suit to address the increasing safety and security risks they pose.

According to Harrell, as it relates to the rise of drone technology and airspace threats, the threat landscape is ever-changing. There have been significant technological advancements in drones, and they are solving problems and helping industries with important tasks like inspections, search and rescue, and videography. With these advancements, however, comes the opportunity for misuse. Although the airspace threat will always be evolving, Harrell provided GSX attendees with practical information and questions to ask their teams on how to build a security program that addresses and advances with the drone threat.

Building Resilience Against Drone Threats Through Counter-Drone Technology Data

Organizations can act today to start understanding their security gaps in their airspace. Harrell posed to the audience the question, “is your organization prepared to be overwhelmed?” As it relates to the airspace threat, without counter-drone technology, security leaders are working with incomplete information about their airspace activity. However, this gap of knowledge can change with the integration of counter-drone technology. With drone activity data, teams can then defend what assets matter most to them and protecting what Harrell qualifies as “pencils like pencils, and diamonds like diamonds.”

With consideration of the evolving threat landscape, the rise and advancement of drone technology is a clear demonstration that security threats no longer fall clearly into the “physical” or “cyber” security categories. Drones can cause damage both to physical and cyber infrastructure. Without counter-drone intelligence to help identify airspace activity, organizations are powerless against protecting against all drone threats. Counter-drone technology is an essential tool that addresses this hybrid threat landscape.

Four Steps to Advancing Security Programs

Harrell prompted GSX attendees to ask themselves, what can security providers do today to increase our understanding of security threats at our organization. He continued by outlining a four-step framework for building out a new security program or advancing an existing one.

• Connect: Connect with local law enforcement to determine what steps you should take should there be an unwanted drone in your area. This proactive approach will ensure that those who need to respond to emergencies are aware of the threats at your operations, and can begin the next step, which is to plan.
• Plan: If it can happen there, it can happen here. There are drone incidents reported in the news from all over the world. No organization is immune to drone threats. If a drone incursion can paralyze operations at Heathrow and Gatwick, it can also do the same to JFK and Newark.
• Train: Counter-drone technology provides data about the airspace activity at a particular area and exposes where there may be vulnerabilities in an organization’s operations. Data from counter-drone programs can include flight times and durations, the types of drones flown, and the flightpath or point of origin. With situational awareness, security teams can develop new safety and response protocols to respond to drone incursions, direct resources to “hot spots,” and execute training exercises. Organizations shouldn’t wait for a crisis to occur, but rather, use a crisis as an opportunity to showcase the strength of their security operations.
• Report: The picture is always clearer from the rear-view mirror. Post-event analysis determines where organizations can better streamline resources, achieve security goals, and grow in their understanding of how to prevent damage or disruption from a drone incursion.

“A drone is a computer in the sky,” Harrell reminds the audience. Drones are small and discrete enough to operate unnoticed, but powerful enough to drop payloads, hack into systems, or covertly spy on operations. By considering these four steps, organizations will be able to stay ahead of the drone threat and ensure the strongest defense should there be an incursion or unwanted drone activity.

Going Beyond the Current Standards to Manage Today’s Threats

Many organizations will focus their efforts on compliance with standard practices and regulations. Resilience is not built on compliance, but rather, by continuing to advance and go beyond standard practices and operations. As regulators and legislators continue to research and respond to drone incursions, individual organizations will need to decide whether or not they want to go beyond the current standards or wait for additional federal guidance. Harrell states that organizations can be proactive in defending their operations against the growing threat of uncooperative drones.

Harrell points to GSX attendees to challenge their teams with the question, “are we ready?” Can security teams confidently answer whether they have taken steps to build resilience into their existing security programs? And if not, what assets and technologies are available to make an impact today?

Counter-drone programs should begin under “blue sky” conditions, where security teams can connect, plan, train, and report under ideal conditions. Data collection with passive counter-drone technologies, such as radio frequency sensors, can begin immediately and without any interference with existing operations. The first step to understanding airspace activity and the threat to an organization is to build awareness and gain access to data sets and analysis. From there, organizations can which can help identify the most vulnerable or essential areas for protection.