ASIS International

10 Ways GSX Takes You to the Next Level of Your Career

There are only 10 days until GSX 2019— where thousands of security professionals will convene to learn, network, and be surrounded by top products and services. Whether you’re a student, transitioning out of the military, or simply looking towards the next step in your career, GSX offers many resources to give you a jump-start on your future. Here are the top 10 ways GSX can take you to the next level:

1. Career HQ

The Career HQ is where you’ll find FREE resume reviews, the Headshot Studio, career coaching, professional development sessions, and networking opportunities with employers and peers. Sign up for resume review and career coaching with our expert coaches.

Career HQ Education Sessions

Tuesday, 10 September

10:45 am – 12:00 pm| Career Stages: Move from Management to CSO/CEO
2:30 – 3:30 pm | Keep It Professional: Navigating Social Media Beyond LinkedIn
4:30 – 5:30 pm | Resume Writing: Secrets to Get More Interviews

Wednesday, 11 September

10 – 11 am | Scavenger hunt
10:30 – 11:30 am | Career Stages: Move from Entry Level Professional to Management
12:45 – 1:45 pm | ASIS Certifications and Your Career
3:30 – 4:30 pm | Successful Transitions From the Public to Private Sector

2. Mentoring Day

Close out the week with Mentoring Day on Thursday, 12 September. If you’re looking for guidance from a mentor in the security field, join us for relaxed mentor networking events featuring seasoned mentors who will share their lessons learned and best tips. You might even leave with your own mentee/mentor match!

10:30 – 11:30 am | Mentoring Success Stories: Tools You Can Use
11:30 am – 12:30 pm | Mingle with mentors

3. MLEAD

Military and Law Enforcement Appreciation Day honors the individuals who make our communities and world a safer place. GSX provides opportunities to aid in the successful transition to the private sector and connects you with a global security network. As a thank you for your service, all law enforcement, military, and first responders get FREE one-day admission to GSX on Wednesday, 11 September. Register today, using the promo code “THANKS” when registering to receive the free pass.

4. Networking

GSX convenes security professionals from all vertical markets throughout the world. Connections are made all throughout GSX—in sessions, receptions, lunches, and the exhibit hall—you never know who you’ll meet next! And there’s no better place to network with the global security community than these must-attend events.

5. Pre-Conference Programs

Join your colleagues prior to GSX in Chicago this September for a certification review program, an accelerated review that provides a high-level overview of the security concepts and practices assessed on the ASIS certification exams. The classroom experience encourages networking with your peers and board-certified instructors. Sign up for this course via the GSX registration form.

6. Certifications

Already have your certification? GSX is the best place to earn CPE credits to help you maintain this important credential. CPPs, PCIs, PSPs, and APPs can all earn CPEs for their participation.

All-Access Pass: 23 CPEs (15 for sessions + 8 for visiting the exhibit hall)
One-Day Pass:
- Monday: 5 CPEs for sessions (no exhibit hall today)
- Tuesday: 7 CPEs (4 for sessions + 3 for visiting the exhibit hall)
- Wednesday: 7 CPEs (4 for sessions + 3 for visiting the exhibit hall)
- Thursday: 4 CPEs (2 for sessions + 2 for visiting the exhibit hall)
Expo-Only: Up to 8 CPEs
Pre-Conference: Up to 12 CPEs
Exhibitors: 9 CPEs + 1 CPE per session attended

Note: exhibitors must submit a copy of their badge as proof of completion

Credits will be automatically posted in your record (allow up to four weeks for credits to be viewed online).

7. Exhibit Floor

Step onto the exhibit floor to experience the interactive learning lab first-hand. Connect face-to-face and network with professionals from all verticals across the private and public sector, allied organizations and partners, and the industry’s leading service and solution providers. Be sure to collect business cards and follow up within a week of returning to your office.

8. Sessions

Propel your career by building a wealth of knowledge. You’ll find 300+ sessions delivering valuable, actionable takeaways to help shape your organization’s strategy today and in the future. Learn more about the more than 20 professional development courses offered at GSX.

9. Lounges

Take a break from the exhibitor booths to relax and connect with peers in the lounges. The CSO Lounge, Diamond Club Lounge, and International Lounge provides their respective members with private conference rooms and other amenities to facilitate networking and meetings.

10. Free GSX Pass with Student Membership

ASIS student members have the unparalleled opportunity to take advantage of free registration to GSX. A $20 membership grants access to a wide range of career resources, networking opportunities, educational content, and potential employers.

No matter what stage you are in your career, GSX offers the tools and resources needed to take it to the next level. Leave Chicago with a suitcase full of business cards, fresh headshot, and new connections on LinkedIn!

15 Days to Prepare for GSX

With only 15 days left until this year’s Global Security Exchange (GSX) at Chicago’s McCormick Place, it’s time to start preparing for your trip! Whether this is your first time attending GSX or your 65th, figuring out which sessions to attend or which exhibitors to visit can be overwhelming. However, to ease that bout of anxiety and understand how to best plan your time in Chicago, you’ve come to the right place!

Here are our tips on how to set yourself up to have a successful week in the Windy City:

Have so many questions, you don’t know where to start?
The best place to get an overview of the conference, and familiarize yourself with what this years’ exchange will entail, is the GSX My Show Planner. Here, you can create your account, learn about the education sessions and exhibits being offered, learn about pre-conference opportunities, and even find out what to do if there are sessions you can’t make it to.

Download the GSX App
With the GSX app, you can save information on the exhibitors you want to visit, use the maps feature to get around, and even check on show and education information and times. Make it easier for yourself while meeting new friends or catching up with old ones. To download the app, search the App Store or Google Play for GSX 2019.

Pack your business cards!
Remember, GSX will be hosting specific events for networking purposes to help you boost your career or get answers from fellow colleagues and peers. Having a business card will make it easier to share your information or know how to keep in touch with someone new while in Chicago! Learn more about the networking events and receptions taking place.

Speaking of packing…
There are a few essentials to remember to pack, especially if this is your first time at GSX. You may gravitate to wear what you normally would in the office but be wary of how much you will be walking! It’s best to wear comfortable shoes, which will make it much easier to get around. And don’t forget to bring a sweater! It might be warm outside, but it can get chilly inside the convention center.

Tell your friends!
With 15 days to go, there’s still plenty of time to get your friends and coworkers to join you! GSX will bring the best of security together – subject patter experts, next-level solutions, and practical applications – all under one roof. So register today, and find out why GSX is home for all security practitioners and their partners.

Top 20 Sessions to Check Out at GSX

The security industry is changing– and it’s changing fast. New technologies are taking over and it is imperative for security professionals to keep up. Global Security Exchange (GSX) not only delivers a space to explore emerging, groundbreaking innovations, solutions, and products across the security industry, we also provide an immersive and interactive learning experience.
GSX will feature sessions that spotlight game changing technologies and discuss how security professionals can prepare for the future with exciting learning opportunities that put you at the forefront of the industry’s transformation, including:

20. The Courage to Lead – A Strategic Enabler (additional fee required)
Sunday, 8 September 2019 • 8:00 am – 5:00 pm • N230 B

19. Introduction to Enterprise Security Risk Management (additional fee required)
Sunday, 8 September 2019 • 8:00 am – 5:00 pm • N229

18. The Battle Over Security at Commercial Properties
Monday, 9 September 2019 • 10:30 – 11:45 am • S503 A

17. First Look at the Official ASIS Guideline on ESRM
Monday, 9 September 2019 • 10:30 – 11:45 am • S401 D

16. The Ever-Changing Drone Landscape: What You Need to Know
Monday, 9 September 2019 • 10:30 – 11:45 am • S100

15. What to Expect in the Future Security Awareness Standard
Monday, 9 September 2019 • 1:15 – 2:30 pm • S504 A

14. Accelerating Digital Transformation: Insights and Applications
Monday, 9 September 2019 • 1:15 – 2:30 pm • S100

13. Are the Lines Blurred? Transforming the Human Factor – Parts 1-3
Monday, 9 September 2019 • 11:00 am – 12:20 pm • X Learning – X1 – Booth 3601

12. Is Intelligence a Human Function? Synthetic Intelligence at Scale – Parts 1-3
Tuesday, 10 September 2019 • 12:30 – 12:50 pm • X Learning – X1 – Booth 3601

11. Implementing Digital Transformation: A Case Study
Tuesday, 10 September 2019 • 1:30 – 2:30 pm • X Learning – X2 – Booth 3601

10. The Current and Changing Cannabis Landscape: An Industry Overview
Tuesday, 10 September 2019 • 2:00 – 3:00 pm • S100

9. The Opioid Crises in the Financial and Healthcare Industries
Tuesday, 10 September 2019 • 2:00 – 3:00 pm • S503 B

8. Can the Human Factor be Multiplied? Innovation and Force Multiplication – Parts 1-3
Tuesday, 10 September 2019 • 2:30 – 2:50 pm • X Learning – X1 – Booth 3601

7. ASIS/SHRM Workplace Violence Prevention and Intervention Standard: Active Assailant Protocols
Tuesday, 10 September 2019 • 3:30 – 4:30 pm • S401 D

6. Is Risk a Condition of Trust? Societal Disruption and the Erosion of Trust – Parts 1-3
Wednesday, 11 September 2019 • 11:00 am – 12:20 pm • X Learning – X1 – Booth 3601

5. Change Driver: Artificial Intelligence (AI) – Parts 1-4
Wednesday, 11 September 2019 • 11:30 am – 12:30 pm • X Learning – X2 – Booth 3601

4. Can Privacy be Disrupted? BioDigital Convergence and the Evolved Identity – Parts 1-3
Wednesday, 11 September 2019 • 12:30 – 1:50 pm • X Learning – X1 – Booth 3601

3. What’s New in the ASIS PSC.2 Standard?
Wednesday, 11 September 2019 • 2:00 – 2:15 pm • ASIS Hub – Booth 2027

2. Using High Beam Leadership to Navigate Disruption and Change
Wednesday, 11 September 2019 • 3:45 – 4:45 pm • S503 BC

1. Finding Chinks in the Armor: Getting More Value from Your Penetration Testing
Thursday, 12 September 2019 • 10:30 – 11:15 am • X Learning – X1 – Booth 3601

The security landscape is evolving– make sure you are too. Join us for these important programs to understand where you fit in terms of the future of the industry.
To create a personalized schedule and ensure you don’t miss any of these exciting sessions, download the GSX 2019 app in the App Store or Google Play Store.

Hear Ye, Hear Ye! Help Us Spread the Word

Published 26 July

Global Security Exchange (GSX) is designed to prepare security professionals to tackle the challenges of tomorrow. We are extending our Advanced registration deadline to 2 August—affording your peers an extra week to save $100 on their All Access Pass—so there’s never been a better time to help us spread the word to your friends and colleagues.

Please take advantage of the following resources to let your friends know: GSX is where security pros go to grow!

Our Justification Toolkit is chock full of tips that highlight the value of GSX. Hopeful attendees can use our helpful justification letter to help convince their supervisor to approve their attendance.
Download the below social media graphics to help get the word out. Don’t forget to use the official GSX hashtag, #GSX19!

Stumped about what to say? Try this sample post:
I’m getting excited to head to Chicago for #GSX19! Unsure whether you should join? Check out why you (and your boss) will both agree you’ve gotta be there: https://www.gsx.org/event-info/justify-your-attendance/

GSX Social Media Header

Download for Facebook, LinkedIn, Twitter, Instagram

GSX Social Media Animated GIF

Download for Facebook, LinkedIn, Twitter, Instagram

Going from Evolution to Revolution

There is evolution – and then there is revolution.

Evolution is gradual change over time to adapt to a new environment, while revolution is a sharp and rapid change which is more complete and fundamental.
In 2019, Global Security Exchange (GSX) brings you a revolution.

This year, we have so many new things to show you, it’s almost easier to list what’s not new. You’ll still find a vast array of educational sessions – over 300 this year – to expand your knowledge and build your credentials within the industry. Once again you will have the opportunity to network with thousands of your peers. Our exhibit floor will again be filled with technology and solution providers showcasing the most advanced hardware and software available addressing today’s most challenging security issues—areas of keen focus for today’s security management, law enforcement, and homeland security professionals.

But it’s what’s new that makes this year revolutionary for GSX.

The exhibit hall will be transformed into a learning laboratory environment, showcasing new and emerging products and technologies such as machine learning, robotics, forensic analysis, and artificial intelligence.

There will be well over 100 new exhibitors at GSX 2019. Many are from new solution categories such as the audio/video and unmammed vechicle markets, as well as systems integration and managed service suppliers (IT integrators), who recognize the expanded role traditional security systems are playing across the enterprise.

GSX 2019 will propel the advancement and presentation of technology even further with a new dedicated area on the exhibit floor aptly named the Disruption District. Here, the latest technology innovations will be displayed, demonstrated, and discussed in a variety of micro-venues, including:

X Learning Stages, which will feature experiential sessions with topics and content designed to actively shape the future of security professionals.
The D3 (Drones, Droids, and Defense), which has been greatly expanded to provide demonstrations of the latest drone technologies for the air, land and underwater. Equally important, D3 will also feature solutions designed to counter infiltration from drone attacks.
The Startup Sector is dedicated to highlighting new companies at the forefront of new and emerging technologies impacting the security industry.
The Pitch Competition brings together an elite group of entrepreneurs, investors, and industry leaders to experience how some of the world’s most exciting early-stage startups pitch their innovations and concepts. Each company is given time to pitch, followed by Q&A and feedback from world class investors and top CSOs.
Innovative Product Award (IPA) winners will also have a dedicated area to showcase the industry’s newest, most innovative products, services, and technology solutions.

This year, we are extending learning opportunities beyond the traditional classroom setting. Our live-streaming Global Access LIVE! program will deliver GSX education sessions beyond the walls of the conference center to hundreds of security professionals around the world. These sessions – over 300 in number, led by ASIS and Infragard subject matter experts – will provide an immersive and interactive learning experience for security professionals at all experience levels—including an exclusive CSO track focusing on strategic security, business, and leadership topics.

The program is organized into 17 subject matter tracks, four general sessions, six certification reviews and pre-conference courses, and (new this year) gamechanger sessions. More than 220 ASIS subject matter experts across a wide spectrum of security subjects will deliver this massive education program.

Our new era of revolution is also reflected in the conference name itself, Global Security Exchange. While our new name was introduced last year, this year GSX fully delivers on its promise, demonstrating ASIS International’s commitment to uniting the full spectrum of security—cyber and operational security professionals from all verticals across the public and private sectors, allied organizations and partners, and the leading service and solution providers—for the most comprehensive security event in the world.

Managing Cybersecurity Risks: Tarah Wheeler at GSX 2019

Tarah Wheeler

Reports of cybersecurity leaks – and major scandals – have dominated headlines for years. Cybersecurity attacks are doubling every year. Phishing scams are at an all-time high. These days, it isn’t only an IT manager that is answering for security breaches, it is also CEOs and business owners.

Join us for the GSX General Session on Thursday, 12 September, from 8:30 – 10:30 am, as Tarah Wheeler shares her insights on how the evolving cyber threat is impacting organizations across the globe.

An enterprise security industry veteran, strategist, international conflict scientist, and cybersecurity expert, Wheeler will present Protecting Assets in the Age of Cybersecurity Leaks and Scandals: How to Plan When Risk is a Moving Target. This fascinating session will engage attendees with questions such as: Do you have a comprehensive plan in place to protect your most important assets? If something goes wrong, how will you react, put out fires, and recover lost trust? Have you considered the consequences of information falling into the wrong hands in 10, 20, 30, or 40 years?

Throughout her career, Wheeler has held leading roles with some of the world’s top red teams and data privacy teams. An Offensive Security researcher, she is currently the Cybersecurity Policy Fellow at New America, driving a new international cybersecurity project. She is an inaugural contributing cybersecurity expert for the Washington Post and a foreign policy contributor on cyber warfare. Wheeler is also author of the best-selling book Women in Tech: Take Your Career to The Next Level with Practical Advice and Inspiring Stories, dedicated to teaching women how to succeed in tech careers.

Don’t miss this highly anticipated talk at GSX 2019, where Wheeler will bring depth, warmth, and humor to an otherwise complex subject. From cryptocurrency to how the Internet of Things might provide a gateway to hackers, and from absorbing how a robust cybersecurity plan operates to covering security at live events, Wheeler will provide a razor-sharp breakdown of what you need to know – and do – to protect yourself, your partners, and your clients.

Wheeler will be introduced by Brigadier General Stefanie Horvath, current leader of enterprise service delivery for the state of Minnesota. After her presentation, General Horvath and Wheeler will lead a lively Q&A session drawn from their very different vantage points related to cybersecurity.

Zen and the Art of Motorcycle Security Connections

Douglas Florence, CPP

Douglas Florence, CPP, has made countless industry contacts over his 36 years as a member of ASIS International, but some of the most lasting—and unlikely—networking experiences have taken place at ASIS’s annual security event, Global Security Exchange (GSX).

Florence says while the education events at the annual event are unparalleled, the connections he makes during GSX can be just as impactful—and those great connections are made not only in education sessions and networking events, but on the trade show floor as well.

Florence reflects fondly on the many ASIS events over the years, but one that sticks out the most took place during last year’s GSX in Las Vegas. The U.S.
Department of Commerce (DoC) had reached out to ASIS about creating vertical-specific connections—in this case, with the gaming and hospitality market, due to the event’s prime location, Florence notes. At the last minute, the department announced that a contingent of about 50 security leaders from Brazil was to attend GSX as a part of the program, and Florence was involved in showing the delegates what Las Vegas had to offer.

“We were able to facilitate a tour for a group of security leaders and DoC representatives from Brazil, and we took them to The Flamingo Hotel and Casino where they could see the unique surveillance operations,” Florence says.

But when it came to the highly-anticipated preconference motorcycle ride hosted by the ASIS Las Vegas chapter, the visitors from Brazil were unable to attend. So, the week after GSX, Florence took about a dozen delegates out for a motorcycle trip along the same route.

“It was great, and a valuable networking opportunity because we got to spend some quality time with this group of international security executives,” Florence recalls. “We still talked about security, but we were in an environment doing something that we enjoy. Riding motorcycles with this group out of Brazil, seeing the joy that riding through the deserts of southern Nevada brought to them, and then learning a little more about Brazil and some of the issues they were facing as security executives—it was unforgettable.”

How Exchanges Can Pivot Your Strategies

Jonathon Harris, CPP, PSP

When Jonathon Harris, CPP, PSP, now a senior security consultant at Guidepost Solutions, arrived in Dallas in the fall of 2017 to attend what is now the newly rebranded GSX, he was eager to see what the event had to offer. Harris has been a member of ASIS since 2009 and attended his first seminar the previous year in Orlando. Little did he know, though, that his approach to risk management—and entire career trajectory—would drastically change within a matter of days.

Harris and his former colleague attended a multi-hour business continuity tabletop exercise on enterprise security risk management (ESRM), a security management philosophy that had recently become an organizational priority for ASIS. Harris says he was vaguely familiar with the concept of ESRM, but the presenters at GSX kicked off the session with a detailed explanation of the approach and laid the foundation for the rest of the exercise.

“My colleague and I were in the midst of kicking off a refresh within our global security organization of our business continuity and emergency response planning,” Harris explains. “We were redoing procedures and taking a new approach, so it was timely to attend this session.”

The exercise involved breaking into small groups and conducting a tabletop exercise on a security incident, including roleplaying in different security and nonsecurity positions to better understand the importance of proactively interacting with stakeholders throughout the organization, Harris notes.

The most powerful part of the session took place when each of the dozen small groups debriefed on how they approached the same scenario, he says.

“Everyone got all this feedback, and hearing how people would approach it or what they would have done differently to prepare for this incident—that synthesizing of 40 security professionals in a single room at a single time talking about this one scenario and approach, it all really started to click,” Harris says.

The impact of the session continued to grow during dinner that evening, when Harris and his colleague rehashed the lessons of the day and started discussing how they could implement an ESRM approach in their own organization.

“That’s the journey we went through in those 12 hours—going through the exercise, hearing this information, distilling it down, and learning how to translate our objectives into business language, which then generated the spark for how we decided to pivot our approach to security to adding value to the organization,” Harris says.

By the end of dinner that night, Harris and his colleague called their organization’s senior analyst, who was about to deploy the business continuity and emergency response plan they had built before attending GSX, and told him to put it on hold.

“We apologized profusely for all the work he’d done, because we were going to scrap it and start over, kind of,” Harris laughs. “A lot of the stuff we had previously come up with would be reused, but we reframed and rebranded it to involve other stakeholders within the organization.”

The ESRM session made a lasting impact on Harris and his organization, but GSX still had more to offer. Harris also participated in a CPP preparation course that he says was the catalyst for his success in earning the certification. And later that week in Dallas, he attended a customer appreciation event and met the president of a security organization he admired—which led to him being hired by the organization months later. Even more recently, connections Harris made at GSX with fellow members of the ASIS Young Professionals council brought him to his current organization.

“My career trajectory and journey have been highly solidified and developed through not just ASIS as an entity, but through GSX,” Harris says. “It’s hard to quantify the amount of value I’ve received out of the three I’ve attended, and it’s well worth the ticket price for what you can get out of a single event. It’s impacted my career, professional capability, and me personally, so I’m greatly appreciative for what I’ve received.”

Making Smart Investments in Careers and Technology

Shayne Bates, CPP

Today, Shayne Bates, CPP is a seasoned security consultant, involved ASIS International volunteer leader, and perpetual traveler throughout the United States, but 25 years ago he was just beginning to find success in the information security field in New Zealand. He joined ASIS in the mid 1990s and was involved with the ASIS New Zealand chapter.

During the chapter study sessions for his certification preparation, Bates began to understand the role information security played in the larger security industry.

As Bates learned more about the broader security industry and his role in it, he realized it was time to invest in himself and his goal of becoming a career security practitioner. Despite the substantial commitment involved in attending ASIS’s flagship event—which included leaving his growing business for two weeks and flying across the globe to Orlando—Bates and a half dozen other New Zealanders took the leap, and he hasn’t looked back since.

Bates describes carefully planning his approach to the ASIS Seminar and Exhibits—now known as GSX—including attending as many educational sessions as possible. Between sessions, Bates would walk through the exhibit hall, learning about the latest security technology offerings.

“It’s hard work to try to get around there and see everything that’s relevant in three days—there’s so much value to be discovered just by walking up and down the aisles and collecting information and taking notes,” Bates explains. “I was able to see new product innovations and talk to product manufacturers firsthand. I’d make that contact, swap business cards, and have a more detailed conversation with them when I got back home to New Zealand.”

After attending that first event in Orlando, Bates understood the importance of investing in himself and his career and has attended every seminar and GSX event since.

Facial Recognition: Balancing Privacy and Security

A combination of Internet of Things (IoT) technology, holistic urban development models, and more widespread and reliable connectivity have evolved the concept of smart cities from a futuristic ideal to a series of real-life initiatives that have already been adopted by municipalities across the world. Smart cities, which rely on IoT sensors to collect and analyze data, provide a world of opportunity to create more intuitive, efficient, and sustainable solutions to urban living. Security plays a large role in smart cities, and the industry is approaching the initiative as a way to revolutionize what safety looks like in urban environments.

Donald Zoufal, CPP, founder and CEO of Crowz Nest Consulting and ASIS International Security Applied Sciences Council chair, says the city of Dubai was an early adopter of the smart city approach and has lead the way in integrating innovative security technology such as robotic police officers, roadway safety lighting, and advanced surveillance.

“Dubai is in the lead, internationally, of understanding the capabilities of technology for cities,” Zoufal says. “In the United States, Chicago has done some interesting things to utilize technology to make the city safer.”

He points to Chicago’s strategic decision support centers, where law enforcement and data analysts work side-by-side to reduce gun violence using technology such as a citywide network of cameras, acoustic sensoring to detect gunshots, and computer-aided officer dispatches to close the response time for violent crime.

“The city seems to be showing some significant benefits from the implementation of this approach—statically, where these support centers have been deployed, there’s been a drop in violent crime,” Zoufal notes. “Chicago is a concrete U.S.-based example of the kind of multisensory world that we find ourselves in, in terms of the technology available to provide security and other services.”

A key component of the initiative to build safer, more connected cities is the seamless integration of advanced technology and connectivity into citizens’ everyday lives. But one aspect of smart cities has recently come under closer public scrutiny: facial recognition technology. Biometric matching technology is not new to the security industry—it’s been used for years in access control and other identification applications—but Zoufal says what’s novel today is the ability to use facial recognition in real time to gather information and relate it to individuals.

“People are realizing the amount of data that is being collected about them because of IoT—all the sensors out there in environment,” Zoufal explains. “The concept behind smart cities is tapping into all that information and data so we can deliver services more effectively, look for problems, and assess environments more accurately. All those are great things, but they create this digital footprint, this data that can be related to individuals.”

There has already been pushback against facial recognition technology: the city of San Francisco recently banned all forms of government-operated facial recognition programs, and nearby cities are planning to follow suit. A bill has been introduced in California that would make it the first state to ban the use of facial recognition technology from being used in police body cameras. And the lack of the technology’s regulation has raised concerns both among privacy activists and legislators—a recent congressional hearing on the use of facial recognition software by law enforcement forged a rare alliance between Democrats and Republicans, who agreed that legislation may be necessary to rein in use of the technology.

Zoufal acknowledges that there are problematic ways in which facial recognition technology is being used but says it’s all about the context—biometrics are frequently used in more traditional security applications without encroaching on privacy, as is frequently seen in the exhibit hall at Global Security Exchange (GSX)—an annual event for security practitioners.

“There are some clear use cases where everyone can agree that facial recognition is extraordinarily useful technology,” Zoufal says. “You can use it as access control in a security context—rather than using fingerprints, we’re using a facial match to grant or deny access. I don’t think that’s particularly controversial for most people.”

Zoufal points out that airports are continuously developing biometric identification programs to expedite the passenger journey—a model that follows the smart city initiative principles of seamless integration and security.

“The vision for airports is that once you get a ticket for a flight, your face will become your token for travel,” Zoufal explains. “If I registered for the program, my face is matched to the picture in my passport, so the bag drop can recognize my face and give my bag to me, or I can go to the security checkpoint and be recognized without having to show my passport. And at the gate they’ll let me on the aircraft using facial recognition. Those systems are already being piloted in U.S. airports and powered by facial recognition.”

Privacy and transparency issues emerge, though, when facial recognition is used for general surveillance and identifying people of interest, Zoufal notes—and that’s an issue that goes beyond the use of the technology by law enforcement, as discussed during the congressional hearing and outlawed in San Francisco.

“The truth of the matter is, facial recognition is already being used extensively in the commercial sector—they use the technology to identify customers and their shopping habits, so they might send you an e-coupon for the products you’ve been seen buying in store,” Zoufal explains. “Some people will be creeped out when they get the coupons, and some will think it’s the greatest thing to get customized promotions.”

The same technology is being used by retailers to identify shoplifters, an application that might be of interest to security professionals but also raises civil rights concerns, Zoufal notes.

“That kind of real-time surveillance on individuals is difficult for some to accept, and I think there are some concerns that are more legitimate,” he says. “Operationally, if you’re going to utilize facial recognition technology in this way, you’re looking for bad people. But if you’re running tens of thousands of photographs through that system on daily basis, what’s the error rate in terms of identifying people? Even at an error rate of .5 percent, you’re still talking about a large number of false IDs. And do you have the ability to respond to all those alerts? That creates operational issues.”

Pairing such data with identities can also cross the boundary into personally identifiable information (PII), which creates its own security and privacy challenges.

“When the data is collected and connected to other PII, that data field becomes extremely concerning if it is involved in a breach or used inappropriately,” Zoufal notes. “At the end of the day a lot of this is about data and making sure you have good policies and procedures around governance for the use of that data collection, maintenance, and disposal.”

Zoufal plans to discuss the balance between technology and privacy at GSX this September during his session, Secure and Safe Cities: Emerging Technologies and the Law. These concepts are being exposed by smart cities in a new light but are ideas that security professionals should always take seriously, he notes.

“As we’re looking at these new and different technologies and collecting and analyzing this information, I think security professionals truly want to participate in the conversation—this information becomes extremely valuable, not just for commercial purposes but for security services as well,” Zoufal says. “The real issue is making sure that you’re attuned to the fact that we’re becoming a more data-driven world, and security has to become a more data-driven profession, but with the ability to access and use data comes the responsibility to make sure we’re doing it in an appropriate fashion.”

To hear Zoufal and other experts speak on these topics and to meet with reputable companies who supply facial recognition and surveillance technology, register for GSX at www.gsx.org.

We Hacked a Commercial Office Building. Here’s What We Learned.

Countless high-profile, high-stakes incidents over the past few years have made it clear: anyone can be hacked, and there is no limit to the scope or reach of cyberattacks. New reports seem to emerge every week of international retailers, government organizations, political groups, and even entire cities suffering a major data breach or aggressive ransomware attack, resulting in leaked data and costly response. It’s a security professional’s nightmare, and organizations large and small have been taking steps to lock down networks filled with sensitive personal or proprietary information that might tempt a cybercriminal.

But not all cyberattacks are equal, and if you look more closely at the headlines you might notice an entirely different threat: the digital disruption of physical systems. As more physical security systems, including access control, lighting, building operations, and other industrial control systems are linked to and controlled by Internet-connected networks, the more risk there is that these systems might be caught up in—or even targeted by—cyberattacks.

As someone who has worked in both physical security and cybersecurity, I have long been concerned about this gray area where, often, nobody owns the responsibility to protect it. Even in the early days of convergence, there was always the question of whether engineers, facilities managers, or the security department owned the physical spaces where networks exist, and that has evolved today into building control and automation, including elevators, sprinklers, chillers, and more.

All of these components connect to the same data network, but who is responsible for protecting industrial control systems, and what security gaps does that gray area create?

This is a question me and others in the security industry have been asking for more than a decade. And as more physical security components are getting caught up in digital breaches, concrete answers are more important than ever. After much research, I realized that others were talking about the susceptibility of integrated physical systems, but nobody was publicly discussing just how vulnerable these systems are.

So, about a year ago, a group of security professionals made up of physical security experts, building automation and controls security leads, and cybersecurity experts began strategizing a way to gather this information, and in March 2019 we carried out a cyberattack on a Class A commercial office tower. Through my organization CISO Insights, we funded a simulation of a full-on attack of physical and cyber systems against a commercial real estate organization’s 16-story commercial building. This type of attack presentation has rarely been seen before because of the implications—organizations are hesitant to open themselves up to exposing vulnerabilities and the corporate liability that comes with that knowledge.

But thanks to our strategic partnership with the organization and the building’s owners, we were able to provide an actionable assessment to the organization while documenting significant results about the state of today’s physical security systems and their ability to detect, respond to, and withstand attacks. The results of this testing shook the multibillion-dollar organization to its core and provoked a complete realignment of how they design and maintain their buildings. It also provided us with valuable data that we used to build a set of basic rules and principles for buying, installing, and configuring connected physical systems.

The types of systems attacked in the plan included access control, camera and alarm systems, building automation and control systems, and local IT infrastructure and wireless connections.

The attack plan used publicly accessible information to identify external attack options available from the Internet, as well as a physical site visit to confirm onsite technology in use. Much of what we will expose in the full report are the commonly available tools and methods that intruders use today, and just how easy they are to acquire.

When carried out, the planned attack quickly escalated, bringing a number of unintended systems into scope. This is the reality of the way today’s networks are built and buildings are connected: it’s all integrated. For years we have known it was cheaper and more efficient to integrate technology, but as today’s legacy building systems and company data networks are combined with Internet of Things connectivity, this approach gets much more interesting—and risky.

The full results of the attack and their implications will be shared in our session this September at Global Security Exchange (GSX) in Chicago. They will confirm some of your worst fears about real world security protections, identify common weaknesses in similar building control, building automation, IoT, and physical security systems.

Much of what we learned, though, are the same big-picture lessons applied throughout the security industry—do you know how secure your environment is? When you add a new piece of technology, have you assessed the risks and engaged security professionals before deploying it? How do you know it will stay secure, and who is responsible?

Access control, CCTV, alarms, and similar systems are all connected with different software programmed by different manufacturers. Very little of what we found suggested a holistic approach to understanding the problem. Often these components are maintained by third parties, integrators, or internal resources from IT, leaving common gaps that you should look for to protect these systems.

Besides the standard security issues like passwords taped to HVAC systems and power systems vulnerable to physical attacks, the building control systems use connect points that leave them vulnerable. Much of what we learned during the exercise revealed a new way in which building systems need to be managed and maintained to protect them for the next 20 years.

We found several physical vulnerabilities, but it was the cyber vulnerabilities—and the converged threats that live between the physical and cyber worlds—that were not properly mitigated, which proved to be very valuable in discovering where the building was easiest to attack.

At one point or another, all of these systems operate on the company network, and the details of how IT manages the data network makes a difference in how secure the systems are. At GSX, we will discuss the fundamental mistakes made when connecting data networks to building systems and physical security applications. Further, we will discuss common techniques for protecting physical buildings against these types of attacks.

—————————————————————————————-
Dave Tyson is CEO at CISO Insights and a former ASIS International president and board member. His presentation at GSX, Cyber Attack on a Commercial Building, will discuss the full findings of the building cyberattack exercise conducted earlier this year. To hear Tyson and other experts speak on these topics and to meet with reputable companies who supply security technology, register for GSX at www.gsx.org.

Q&A: How Companies Are Using Drones for Security

We sat down with Jason Cansler, owner of UASidekick, LLC, which provides software for UAV pilots to maintain compliance with FAA requirements, to discuss the challenges and opportunities security organizations face when using drone technology.

Q: The use of drones and other unmanned systems in the security industry has been a hot topic over the past few years. How are drones affecting an organization’s approach to security?

A: There’s so much drones can do to augment security. They are being used to look at perimeters and conduct constant surveillance over large areas. Drones can also be sent out as a response mechanism before personnel can respond and conduct an initial site assessment, so people know what they’re getting into before they get there. It’ll take a little bit for people to get used to what they can do with drones, and when regulations loosen up, it will open up a whole other world in the security industry.

Drones are getting smaller, and their battery and fuel sources are getting more efficient. You’re finding more drones with better camera systems and a smaller footprint. The key aspects that make people buy certain drones are flight time and payload capacity, but the best drone you have is the one you have with you.

Organizations also need to consider how to protect their assets from drones. This is another aspect to security that’s taking longer for people to understand the impact. And, policies need to be made so employees know what to do when they see a drone. Do they notify someone? Is there a ground sweep? Do they see if anything was dropped from the drone? Do you check rooftops for listening devices? Every company should have a drone policy, just like any other health or safety policy, whether you’re a school that would need to protect children, or a company with assets on their property, and especially jails and prison systems. Whether or not an organization has a drone program, they need drone policies.

Q: There are a lot of people in the security industry who are curious about the possibilities drones can provide as a physical security tool. Are you seeing an increase in the use of drones for security purposes?

A: Recently, there are more options that can support and provide drones as a security function. Companies need turnkey devices—they don’t want to go through the process of learning this on their own. If you can have a consultant or integrator that already has this experience under their belt, you’ll start seeing this implemented more, especially once integrators understand the systems and what it takes to actually incorporate them.

But overall, the growth is still slow—the industry is trying to determine where the technology is going and what they can do with it. There’s not a lot of litigation that supports how drones are used, even in law enforcement circles, which often looks at case law to know how it might be used for or against you in a case. And the lack of legal permission to fly drones beyond line of sight is causing some disruption for companies that want to patrol a thousand acres—they would have to someone in view of that drone at all times, which defeats the purpose.

Q: When do you think we will see more clarity on how drones can be used in security or law enforcement capacities? Is that the biggest barrier to the adoption of this technology?

A: We thought this year we’d be able to operate drones beyond the line of sight and over people, but the law is still not there. Regulations are being held up by the lack of remote identification—the requirement for a drone to signal that its flight has been authorized. Right now, law enforcement can’t tell whether the drone operators are good or bad guys.

The whole key is to find bad actors, not keep track of good ones. In a perfect world, if you see a drone but don’t have any ID pings, you’d know that is a bad actor. It will be very important in the future to have remote ID capabilities for traffic management and security. They want that capability in place before they allow people to fly drones beyond visual line of sight.

Q: During this time of uncertainty surrounding regulations, how are organizations using drones? What challenges do they face?

A: There are some organizations who have taken up the mantle and are using drones because they’re more concerned about the safety of their product, property, or people, and will take whatever hand-slapping they get as long as they’re able to protect their assets. You’ll find that taking place more overseas in Mexico, Venezuela, and Africa—people are using it because they need it, they have assets they have to protect. Most of the time it’s in coordination with local governments, but here in United States, we’re kind of stuck until we get this approval through the FAA or Congress.

Some organizations are taking a more careful approach and won’t really use drones until they find out how other companies fare, but the question of enforcement is unknown. Some fines have been given, but they aren’t broadcast, which kind of defeats the purpose. The FAA licenses pilots to be able to fly, but they aren’t an enforcement agency. They can revoke licenses, but actual enforcement is left up to the Department of Justice or FBI. For them to go after drone pilots, there has to be some other precipitating issue, like they crashed and hit something or used them nefariously. We’ll start to see more and more of this—the FAA is providing resources to get local law enforcement to help.

Q: What can security professionals do to stay up-to-date on advances in drone technology, regulations, and use cases?

A: In our presentation, Drone Evolution: Security Tools or Security Threats?, that we’ll be leading while at Global Security Exchange (GSX) this September in Chicago, we will discuss information from regulatory requirements and case studies on how drones can interfere with security measures for a small or large company, or even a government agency. The three of us giving the presentation—myself, Nathan Ruff, and Mark Schreiber, offer a good combination of perspectives with my pilot’s point of view, Mark’s engineering background, and Nathan, who’s an expert in the unmanned systems industry. We participate in different rulemaking committees, NASA groups, and a safety team for FAA. Some of the information that comes through these channels we’re privy to, and we can and will talk about what we’ve learned.

—————————

To hear Cansler and other experts speak on these topics, see live drone demonstrations in the GSX D3 (Drones, Droids, and Defense) learning theater, and to meet with reputable companies who supply drone technology, register for GSX at www.gsx.org