By Sara Mosqueda

Every entry into the security profession is unique. For David Weiner, founder and CEO of global management consulting firm Secure Measures LLC, that entry point was as a military policeman for the U.S. Air Force in 1993.

Weiner worked as a patrol officer field training officer, K-9 handler, a training coordinator, and as a member of a special response team. After leaving the military, he then began serving the local community by entering law enforcement and ultimately rising to the role of regional chief of police of the U.S. Department of Veteran Affairs Police in Long Beach, California.  

During his tenure in law enforcement, Weiner worked with other agencies to address veteran-related issues and implemented a mental health outreach program for veterans—Veteran Mental Evaluation Unit—that was adopted by the U.S. Department of Veteran Affairs.

Many individuals at that point might decide to retire. Instead, Weiner left public service and decided to enter the private sector by starting his own company.

Ahead of Military and Law Enforcement Appreciation Day at GSX 2022, The GSX Daily interviewed Weiner about his experiences, insights, and recommendations on skills he gained during his service, the power of a professional network in transitioning to the private sector, and other tools that veterans carry into careers in private and corporate security.

You can read the rest of this article from Security Management here.

For more Security Management content about career transition and army recruitment, check out the articles below:

Making the Most of Mentorship

How the U.S. Army Is Changing Its Recruitment Strategy for Gen Z

By Sara Mosqueda

Even when an organization or government knows well in advance that it may have to fly or drive employees or citizens to a safer location, a large-scale evacuation can present pitfalls.

During the GSX 2022 education session “Large-Scale Evacuations: Tactics, Techniques & Protocols,” experts from International SOS discussed trends based on recent evacuations that organizations may want to plan for in advance.

The Basics

Evacuation procedures can be broken down into five stages:

1. Preparation
   
2. Warning
   
3. Stand-by
   
4. Evacuation of non-essential personnel
   
5. Full evacuation

Jeremy Prout, CPP, security director of security solutions for International SOS, noted that administering the actual evacuation could often be the trickiest part. For organizations with facilities or personnel in foreign nations, having a policy and detailed plan, complete with redundancies and back-ups, is essential.

This also applies to organizations with a smaller footprint or staff in a region, added Julian Moro, senior vice president and regional security director for International SOS.

You can read the rest of this article from Security Management here.

For more Security Management content about mass evacuations as well as the situations in Turkey and Ukraine, check out the articles and podcast below:

Focus on Mass Evacuations

Are You Ready for What’s Next? Evacuations, Resilience, and Pitching New Ideas

Security Contractors and Aid Organizations Ramp-Up Ukrainian Evacuations

Turkey: Election Moved Up as Earthquake Recovery, Response Efforts Continue

One Year Later: Ukrainian Security Practitioners Reflect on Invasion Anniversary

By Sara Mosqueda

As in previous years, ASIS takes time during GSX to recognize the invaluable efforts of ASIS members across the globe with awards that mark and spotlight their hard work, dedication, and achievements that contribute to the professional security industry.

ASIS recognized the following members with individual awards for their achievements during the past year at an awards ceremony on Tuesday, 13 September, at GSX 2022.

🏆 President’s Award of Merit 🏆

Brigadier General Ahamed Mohammed Abdi, CPP, PCI, PSP, and Danny Y. Chan

Issued and presented to the recipients by the ASIS president, this award honors an individual member for distinguished service, achievement, or contributions. This includes significant contributions to the knowledge of the profession, literature of the profession, outstanding service to ASIS, and/or service to other organizations affiliated with the security profession.

🏆 Don Walker CSO Center Security Executive Award 🏆

Michael Brzozowski, CPP, PSP

This award is bestowed to a senior-level executive who has demonstrated a commitment to the security management certification, education, and the standards and guidelines for the executive management level of the security discipline within a specific enterprise.

🏆 E.J. Criscuoli, Jr., CPP, Volunteer Leadership Award 🏆

Stephen P. Somers, CPP

The Volunteer Leadership Award celebrates an ASIS member who exhibited selfless devotion at the volunteer level, emphasizing significant contributions at the chapter and regional levels throughout an extended period of time.

🏆 Ralph Day Memorial Security Officer Heroism Award 🏆

Aaron Wallace Salter, Jr. (Posthumous)

This award recognizes an officer who exhibited outstanding service or acts in the security profession. The honor is meant for those who perform a heroic act involving circumstances where a private security officer risks his or her life to save another. It is bestowed by the ASIS Security Services Community.

Aaron Wallace Salter, Jr., was a security officer killed while protecting shoppers and staff from a gunman at a Tops Friendly Markets grocery store in Buffalo, New York, on 14 May 2022. Prior to his security officer role, Salter served as a Buffalo police officer for three decades.

You can read the rest of this article and the full list of award winners from Security Management here.

You can read the full Security Management article on Aaron Salter, Jr., and more about how security professionals have dealt with similar attacks in the below articles:

Beyond the Call of Duty: Aaron Salter, Jr., Recognized with Security Heroism Award

In the Wake of More Mass Shootings, Americans’ Dissatisfaction with Gun Laws Reaches New High

By Megan Gates

Hackers backed by the Chinese military breached consumer credit reporting agency Equifax in 2017, carrying out what was then known as the largest theft of personally identifiable information (PII) ever committed by state-sponsored actors.

The hackers were able to obtain addresses, birth dates, Social Security numbers, and other data on approximately 145 million Americans, as well as individuals from Canada and the United Kingdom. A subsequent investigation by the Federal Trade Commission (FTC) revealed that Equifax [had] failed to secure the PII stored on its network, which made it easier for the hackers to gain access to their systems.

One of the reasons the hackers were able to get so much data off Equifax’s network was because of a “failure in security controls,” said Jake Williams, director of cyber threat intelligence at SCYTHE, in his keynote address at GSX 2022.

“They had security controls in place. They broke down on process…and that killed their technology,” Williams explained, adding that Equifax’s systems were not configured properly due to a process failure that did not renew its certificates.

And that process failure, followed by the data breach, led to Equifax settling with the FTC for $575 million—potentially up to $700 million—along with compensating consumers who bought credit or identity monitoring services from Equifax or other third parties because of the incident. The FBI also issued indictments, charging four Chinese military-backed hackers in connection with the attack.

While the Equifax breach was a unique incident with high-stakes players, the lack of security control validation is an all-too-common issue. Williams walked attendees through why security controls matter, the importance of validating security control efficacy, and guidance on how to initiate this process within your own organization.

You can read the rest of this article from Security Management here.

For more Security Management content about security controls, check out these articles:

Why Mergers and Acquisitions Don’t Need to be a Security Professional’s Nightmare (asisonline.org)

Your Cyber Response Plan Needs These 6 Components (asisonline.org)

ICS 2022 in Review: The Rise of PIPEDREAM and Ransomware Attacks (asisonline.org)

Jon Harris, CPP, PSP, senior product manager at HiveWatch, Lee Oughton, CEO and co-founder at Fortress Risk Management, and Mary Gamble, attorney at Gamble Legal, PLLC, discuss securing the virtual world and the metaverse. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Mateo Salvatto, Head of Innovation at ORT schools and CEO of Asteroid Technologies, discusses how new tech, communication, DE&I, and security all intersect. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

By Susan Friedberg

As security practitioners continue to harden the security posture of clients and customers against physical and cyber threats, a new dimension of our world is now emerging and growing – the virtual domain, or the Metaverse.  

Perhaps we have accessed the Metaverse through VR technology and are beginning to engage in gaming, trading, and commerce actively. Many of us are just starting to hear of this emerging technology and concept, hearing stories on the news about cryptocurrency or the newest VR headset. Our heads may be actively buried in the sand – avoiding any discussion that would prevent us or distract us from focusing on our work, as we believe something like an “avatar” or “blockchain” and the Metaverse will never really manifest or impact our customers, and the communities we serve.  

Presenters Mary Gamble (Gamble Legal, PLLC), Lee Oughton (CEO, Co-Founder, Fortress Risk Management), and Jon Harris (Senior Product Manager, HiveWatch) shared in their presentation, “The Metaverse, NFTs and the Future of Security in a Virtual World,” that the world of the Metaverse is real and growing exponentially.  

The Metaverse is not only available for entertainment and gaming but also fast becoming a resource for enterprises to engage in commerce, trading, and banking. We must start to consider the inevitability of how virtual engagement will be a part of our day-to-day lives, both personally and professionally, in the immediate future.  

As with any other fast-growing and underregulated technology, security practitioners have the opportunity to extend our expertise in physical and cybersecurity to understand and start to map out the vulnerabilities in virtual worlds and build security programs that protect users.   

Start with the Basics: Understanding the Lingo of the Metaverse  

First, Gamble, Oughton, and Harris shared that security practitioners should have a basic grasp of the technologies referenced when discussing issues in the Metaverse and some of their applications before we can identify security issues.  

• Web3: The next generation of the world wide web that is based on a decentralized structure incorporates blockchain and token-based economics 
• Avatar: a picture or animated character selected by an online user, which represents the online user 
• Metaverse: a connected network of 3D virtual worlds; an immersive virtual space made possible through the use of virtual and augmented reality technology for users to shop, game, interact, train, and experience 
• Blockchain: A digital ledger technology that records transactions and distributes these records, or blocks, across a network 

• Digital Assets: Any type of asset that is created, traded, and stored in digital form that has or will create value and usage rights  
• Digital Currency: Currency, money, or financial asset that is managed, stored, or exchanged digitally 
• (Crypto) Token: Units of value that are developed on top of existing blockchain networks, that hold value, and represent a physical or digital asset 
• Non-fungible token (NFT): A crypto asset that represents real-world objects, such as art, property, goods, or identities 

The Metaverse interacts with core objectives and functions of the security industry such as asset protection, access control, data protection, privacy, executive protection, and ESRM. For example, the use of an NFT, or a non-fungible token, is as ubiquitous as an identity or credential in the physical world but in the virtual world.   

With this understanding, security practitioners can begin to assess opportunities and threats with these technologies and what adaptations are required to remain relevant and practical. 

The Metaverse is Here and Showing Up to Work and Play 

10-15 years ago, we started thinking about how automation, machine learning, and computer vision technologies would be integrated into security systems – simply a vision. Now today, these things are commonplace. McKinsey & Co research indicates that the Metaverse industry will reach nearly $5 trillion by 2030.  

While the Metaverse came to prominence through gaming and social media applications, today, enterprises are using the Metaverse to help view floorplans, tour facilities, or hold remote meetings and conduct crisis and emergency management drills without having to be onsite. Additionally, defense organizations using virtual technology for simulations now benefit further through accessing the Metaverse by bringing new dimensions and overlays to their training exercises.  

Oughton points out to the audience a fundamental reality – we have risk management in the physical and cyber domains, but we are behind on virtual. When a friend, family member, or colleague accesses the Metaverse, we cannot necessarily enter the same world or monitor their activity. Oughton, a Metaverse user, initially took an interest in Metaverse security in the context of executive protection. He cannot fully protect his clients when they enter this virtual domain, so instead of standing idly by, he decided to dive in and see for himself.  

Metaverse users, without these controls or security measures, are vulnerable to the same risks as in the cyber world – harassment, stalking, and hacking. However, in the cyber world, there are monitoring and security systems to help users navigate their digital experience, minimize risk, and prevent compromising their or their employer’s safety.  

The chasm of adoption is not far. Oughton shares that if we as a security industry don’t enter the Metaverse, see where there are threats, and come up with the solutions, threats will come from the outside that does not bring security principles into it, and we will struggle to adapt. 

Anonymity is the Foundation of the Metaverse, Leading to Legal Ambiguity  

When it comes to privacy and data collection, the more you put out, the more that’s being collected. There are no actual structures to ensure your data security and safety in the Metaverse. Users must be mindful of whom they are engaging with on the other side. 

Gamble emphasizes that while there are many laws and regulations worldwide and at the federal and state level related to online commerce, communication, and privacy, there is no clear “internet law” or “digital law.” Instead, we have different laws targeting different components of our digital worlds. Virtual worlds are a new frontier for legislation and regulatory oversight, leaving gaps in legal protections when we personally, our families or our companies engage in virtual worlds.  

Among the most crucial legal gray areas when users engage in the Metaverse include intellectual property rights and regulating virtual assets. Big questions yet to be answered – what happens if you win money through gambling or a lottery or get scammed? How do we authenticate identities, validate information, and track where it goes?  

Jurisdiction is just as much of a gray area – if a person logs on to a virtual world in one state or country, do the laws of their physical residence have domain over the activities they conduct?  

These questions may not have clear answers yet. Still, as more users engage with the Metaverse, there will be more demand for company-level policies and procedures that account for the lack of regulation and oversight of our engagement in virtual domains. Control what you can control.  

Ultimately, Oughton and Gamble emphasize that whether you are engaging in the Metaverse for professional or personal reasons, user conduct in a virtual world should mirror the ethics and standards applied for any physical or digital transactions you engage in. 

Grab a Headset, and Dive In 

Virtual technology and the Metaverse is evolving quickly, with recent public announcements and advancements in this technology. For example, in 2014, Facebook acquired Oculus VR for $2 billion, and in 2021 they launched a significant branding change from Facebook to Meta and announced their investment spending of over $10 billion into Metaverse development.  

There is a tremendous technological opportunity ahead with the Metaverse. Oughton and Gamble share that we do not know today enough about the power of the Metaverse and how commerce and society will change as it grows. The development and use of the Metaverse are developing faster than policies and procedures can be put in place.  

As risk practitioners, we must stay ahead of the threat by first inserting ourselves into the virtual domain, understanding the infrastructure, creating smart policies, and deploying protective measures for users.  

Start small. Start with a first step – learn the language, keep an open mind, and enter this new domain. Oughton shares that he started his understanding of the Metaverse by watching online videos and tutorials on how to access and engage, and it gave him new channels to connect with people who specialize in the Metaverse. Gamble adds practical advice for security practitioners to begin their Metaverse journey – to start with something fun and to explore an area that excites you in your personal life. We do not have to take on understanding this vast technology on day one, but maybe we can start with cooking classes or virtual hikes in remote destinations.  

While ultimately, the Metaverse is designed for fun, community, and engagement and to create a more connected world, any new technology will soon show gaps in its security posture, and bad actors will be able to filter in. The sooner security practitioners engage and understand the power of the Metaverse, the sooner we can apply new standards and practices to protect our companies, families, and assets from emerging threats while also harnessing the power of the Metaverse to enhance our day-to-day lives. 

For more information, contact:

Mary Gamble, Attorney at Gamble Legal PLLC (LinkedIn) 

Lee Oughton, CSMP, COO and Co-Founder at Fortress Risk Management (LinkedIn) 

Jon Harris, CPP, PSP, Senior Product Manager at HiveWatch

Susan Friedberg is the Director of Communications at Pronto.ai and Pollen Mobile and an ASIS Member. Reach her on LinkedIn

Deb Anderson, PSP, security administrator at MWI Direct, and Robert Achenbach, CSO and director corporate security and safety at First National Bank of Omaha, discuss preventing and minimizing workplace violence in a post-pandemic world. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Steve Somers, CPP, regional vice president at Garda World, discusses the advantages of being a security professional in both the public and private sectors. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

David Dodge, CPP, PCI, Founder and CEO at David Dodge and Associates, and Tim Sutton, CPP, PSP, Senior Security Consultant at Guidepost Solutions, LLC, discuss ASIS’ recently released Pre-Employment Background Screening and Vetting (PBSV) guideline. Watch their interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.

Randy Spivey, the CEO and founder of the Center for Personal Protection & Safety, Inc., discusses the importance of training not just security professionals, but all employees in security protocol. Watch his interview on SM Live with Security Management Editor-in-Chief Teresa Anderson below.