https://sm.asisonline.org/Pages/Striving-for-Higher-Standards.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Striving for Higher Standards0

 

 

https://sm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Performance Conversations: Checking In & Coaching Up

 

 

https://sm.asisonline.org/Pages/Preserving-Precious-Property.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Preserving Precious Property

 

 

https://sm.asisonline.org/Pages/Newsroom Shooting Demonstrates Vulnerabilities Of Run Hide Fight Response.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Newsroom Shooting Highlights Challenges of Securing Open Offices

 

 

https://sm.asisonline.org/Pages/VIDEO-Charleston-International-Airport-Modernizes-Security-with-Pivot3.aspxGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Video: Charleston International Airport Modernizes Security with Pivot3

 

 

https://sm.asisonline.org/Pages/Warning-of-Workplace-Violence.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Warning of Workplace Violence2012-03-01T05:00:00Z
https://sm.asisonline.org/Pages/April-2018-ASIS-News.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465April 2018 ASIS News2018-04-01T04:00:00Z
https://sm.asisonline.org/Pages/21st-century-security-and-cpted-designing-critical-infrastructure-protection-and-crime-prev-0.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a434446521st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention, Second Edition.2014-05-01T04:00:00Z
https://sm.asisonline.org/Pages/Taking-Off.aspxGP0|#69b4a912-eafa-43d2-b6a4-8aed47f69245;L0|#069b4a912-eafa-43d2-b6a4-8aed47f69245|Security Technology;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Taking Off2018-06-01T04:00:00Z
https://sm.asisonline.org/Pages/Curing-What-Ails-Training.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Curing What Ails Training2010-11-01T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now

 

 

https://sm.asisonline.org/Pages/Striving-for-Higher-Standards.aspxStriving for Higher StandardsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The cannabis industry is full of contradictions. Although more than half of the United States has legalized—and therefore legitimized—some form of cannabis commerce and usage, it remains illegal under federal law. The drug's stringent controlled substance label prevents it from being researched, and banks take a risk if they accept money from cannabis companies.</p><p>The industry's strict state-by-state regulations mix policy, political influence, and borrowed best practices to create detailed rules that vary vastly by location and can be difficult to interpret and implement, and a lack of overarching guidance can leave organizations vulnerable. </p><p>And where the security industry falls into all of this—with its reliance on metrics, experience, and best practices—is still being explored. The challenge of protecting a product that just years ago was considered criminal cannot be ignored. And, as each U.S. state implements different regulations that are enforced by different entities, it's difficult to compare notes with other security practitioners trying to navigate the nascent industry.​</p><h4>A Growing Industry</h4><p>Tim Sutton, CPP, was working as a senior systems engineer for a security integrator in 2013 when his company received a call from someone who was going to apply for a cultivation center permit. Medical cannabis legalization in Illinois was going into effect at the start of 2014, and the caller needed someone to write a security plan—one that would set the standard for cultivation center security in Illinois.</p><p>The task fell to Sutton, who used his experience with creating security plans for other industries to outline a proposal to win the contract. He integrated foundational security principles, including asset identification, threat assessment, hazard vulnerability analysis, and physical security measures, into the proposal. The plan also took other factors into consideration, such as geographical, architectural, and operational elements, as well as electronic security systems and policies and procedures. </p><p>His firm won the job, and that's when the real work began, Sutton says.</p><p>"There really aren't too many resources available for security plans in general, let alone within the medical cannabis industry," Sutton explains. "As much as security principles remain constant, the application of these security principles must remain variable to be effective."</p><p>Site security plans had to follow the newly outlined laws, which differ from state to state and range from vague to incredibly detailed—and, at times, confusing, Sutton says.</p><p>"Many of the requirements under the law really made me wonder how in the world they were included, but the security plan had to meet all of the requirements," he says. "The security plans are generally considered for between 20 to 30 percent of the total score for the application depending upon the particular state, and many times the score of the security plan is used as a tie-breaker in the awarding of a permit."</p><p>Sutton was able to tour established cultivation centers and dispensaries in another state to better understand how they worked, what security measures were in place, and how those compared to what Illinois would require. "This also allowed me to see many things that I wanted to be sure to avoid or improve upon when writing plans for other organizations," he adds.</p><p>The application Sutton created was approved, and the cannabis company was able to open two cultivation centers. "That was huge," Sutton says. "Illinois is very highly regulated."</p><p>Sutton went on to work with another cannabis company, won three dispensary permits for them, and suddenly found himself an expert in the industry's security. "That's the way it was," he says. "You win one permit in Illinois and that means something. I didn't realize how important that was."</p><p>Since then, Sutton has helped cannabis organizations all over the country apply for dispensary and cultivation center permits and now works as the director of security for Grassroots Cannabis, where he's responsible for security at sites in several states, including Illinois, Pennsylvania, and Maryland. Many cannabis organizations are consolidating, since it takes a lot of money—and expertise—to successfully open and run a dispensary or cultivation center. </p><p>"Nobody knows what they are doing," Sutton notes. "I've never grown marijuana and not many people have ever even seen it. These organizations are consolidating and trying to branch out to other states."​</p><h4>Varied Governance</h4><p>The path a state takes to legalize medical or recreational cannabis—and who is involved in that process—is one of the biggest indicators of what the law looks like and how it's regulated, says Bob Morgan, special counsel for Much Shelist and former statewide project coordinator for Illinois' medical cannabis pilot program. Morgan was involved in crafting the legislation and framework for the program and managed its implementation once the law was enacted in January 2014. </p><p>"Every state that develops a medical cannabis program creates it in its own image, which reflects the political, cultural, and administrative structure of its respected law," Morgan tells Security Management. "Illinois was no different. It had multiple agencies that were responsible for implementing the program—the Illinois State Police and the Departments of Agriculture, Public Health, and Financial and Professional Regulation (IDFPR). Those agencies collectively were responsible for establishing security measures and regulations for the industry, from start to finish."</p><p>Ultimately, each state will model the cannabis industry after another existing industry—often based on what agencies are responsible for its implementation, Morgan notes.</p><p>"Colorado's medical cannabis program was overseen by its Department of Revenue," Morgan says. "So, the culture and process and structure of the Department of Revenue has laid the groundwork for the subsequent medical, and now recreational, marijuana industry. In Illinois, our agencies here all put a significant imprint of their agency culture on the program we have now. In a state like Florida, the Department of Health is overseeing implementation of the medical marijuana program. That determines whether a state will treat the cannabis industry like a pharmacy, or a bank, or a casino."</p><p>Sutton has experienced firsthand the challenges of the differing approaches to the industry. Despite being proficient at writing security plans for the cannabis industry in Illinois—a notoriously highly regulated state—he says navigating security specifics in many states can be daunting for an unexperienced practitioner. "I always read the rules and the law, and every part of the law," he says.</p><p>For example, Sutton was tasked with developing a security plan for a cannabis organization in Hawaii. Its permitting rules are broken down into sections, including one for security, which dictates that, among other things, an organization must retain 30 days of video in its archives.</p><p> "An inexperienced person would design a system that retains 30 days of footage and feel like they're doing what they should do," Sutton says. "But, if you read the rest of the rules and the section on records retention, there's a retention requirement of a year for you to keep inventory reports, employment files, and electronic video archives. If you didn't read that whole rule, you'd never know that and would design the system for 30 days and it would be 12 times too small. It's terrible. That's how I attack it—I read the whole rule, not just the security section."</p><h4>Regulations vs. Best Practices</h4><p>To overcome the challenge of crafting Illinois' medical cannabis regulations in 2014 without national guidance, Morgan created a listserv of state cannabis program directors from around the country to share best practices. He also pulled ideas from the rules in place for pharmacies and casinos in the states.</p><p>"We weren't really recreating the wheel, we were taking the best ideas and security measures we could find and incorporating that into the industry as we shaped it," Morgan explains. "Part of this is driven by the problem of the federal government's prohibition, which requires each state to do this in a haphazard way."</p><p>Some states—including Illinois—may have "gone overboard" with regulating the nascent industry due to a lack of national best practices, Morgan notes. For instance, Illinois is the only state that requires patients to be fingerprinted to get a medical cannabis card. </p><p>"That was a political consideration—it had nothing to do with policy or security, it was politics, unfortunately," Morgan says. "Almost every state has some variation of that."</p><p>Sutton agrees, noting that he has had to comply with head-scratching security requirements in both Illinois and other states. Illinois' Department of Agriculture oversees regulation at cultivation centers, while distribution centers answer to the IDFPR. The two departments wrote the regulations for their respective facilities, meaning that an organization trying to open both cultivation and distribution centers may need to abide by two separate sets of rules. And sometimes those rules don't align with overarching best practices in the security industry, Sutton says.</p><p>"For cultivation centers I record on motion, at five frames per second, even though the rules require three frames per second on an alarm—that's it," Sutton says. The video surveillance rules for dispensaries were initially vague, and Sutton says most security directors defaulted to using security industry best practices and designed their systems to record on motion. However, IDFPR later clarified that dispensaries would require constant recording, not motion-based.</p><p> "Now you jump up about three or four times the storage and processing power, just to satisfy that," Sutton says. "And then they went and arbitrarily pulled this number out of their back pocket that we would need to record at seven frames per second—I have no idea where that came from."</p><p>Sutton has run into similar challenges in several states. </p><p>"There are a lot of things written that don't make sense with why they were done—it depends on who contributed to writing the law," Sutton says. "They all think they are very secure and are writing the best plans, but there are some really big variants out there. Some do not have many requirements at all and leave them written pretty vaguely and open for interpretation, which has its own pitfalls, and a lot of others are so extremely specific, and I don't know where they get this stuff. They've got a lot of old technology and use terminology that's really outdated."</p><p>Morgan says this type of experience is not unusual. "With cannabis, it's still such a new industry and so heavily influenced by politics that we result in these kinds of sometimes unnecessary regulations," he notes. "The political pressures and ideology drives ridiculous regulation and laws that are based on fear as opposed to pragmatic security measures."</p><p>Regulation enforcement is a regular part of the cannabis industry, even after an organization is approved for a license. In Illinois, the state police enforce the state's regulations, while one of the two designated departments makes sure each facility is adhering to its permit specifications. Sutton says that while the inspections help prevent people from skirting regulations, they can also focus on the wrong problems. </p><p>"The Illinois Department of Agriculture comes every week and audits us against our security plan that we submitted," Sutton says. "All they care about is what we said we'd do in our application. If I said in my plan that all my cameras are going to be three megapixels and that I will have 200 days of archives, they'll come inspect those things every week. The Illinois State Police come in and audit to the actual law. They're going to make sure you have a video system that meets whatever the law says. They don't care how you're using it or that you're being effective and proactive."</p><h4>Above and Beyond</h4><p>These challenges were apparent to a group of people who last year started the National Association of Cannabis Businesses (NACB), the first and only self-regulatory organization in the cannabis industry. NACB President Andrew Kline, a former federal prosecutor and White House advisor, says that the organization establishes industry best practices that help cannabis businesses transcend varying state regulations and hold themselves to a higher standard.</p><p>"Professional organizations like banks and insurance companies had no idea who to do business with," Kline says. "The idea was to start a self-regulatory organization where we would vet our members and then develop national standards and use those standards as rules for our member companies. We want to demonstrate that these companies meant business, that they were trying to go above and beyond what they were required to do at the state level in terms of compliance requirements, and signal to professional entities that these businesses can be trusted, because it's a new industry and there are some actors who aren't as trustworthy."</p><p>NACB is also setting its sights to a future where the cannabis industry would be federally recognized, and a set of national guidelines would be needed. Kline says that when the organization started, it positioned itself to create best practices in line with the Obama Administration's priorities, but with the rescission of the Cole memo—which culled enforcement of the federal marijuana prohibition—and the Trump Administration, there is less clarity of national priorities.</p><p>In fact—despite the vague or overregulation issues Sutton and Morgan experienced—Attorney General Jeff Sessions suggests that many of the individual states' regulations that are on the books today are not sufficient to protect the public interest, Kline notes.</p><p>"The national standards that we're looking to build are in alignment with federal priorities for public health and safety, and as we develop them with our members, in many cases we will be more rigorous than state law to show just how serious these members' businesses are in demonstrating they are good actors," Kline says. "We're baking into our standards what we believe the federal government should care about, but there isn't as much clarity today as there was a few months ago."</p><p>The current environment of regulatory uncertainty—both at the state and federal levels—can be a hindrance to cannabis organizations, and the NACB's approach is especially useful for organizations that operate in several states with disparate regulations.</p><p>For instance, Nevada's regulations do not permit fruit imagery on cannabis product packaging, while Colorado—which has more liberal regulations than Nevada—does allow fruit imagery, Klein explains. In such a case, NACB would create a standard that would be more akin to Nevada's rules than Colorado's.</p><p>Well-researched best practices are especially important when it comes to security, since dispensaries have products and financial assets that are lucrative to criminals (see Security Management's May 2018 News and Trends department for more on how banks and cannabis businesses interact).</p><p>"Security becomes even more complicated when you're dealing with people who are taking in large amounts of cash and don't necessarily have a good place to put it," Kline says. "It's costly, particularly for companies who are operating in more than one state."</p><p>Sutton agrees that overarching guidance is needed in the cannabis industry, especially when it comes to the nuanced role of security. Those who want to start a cannabis-based organization may not know what to look for in a security director, Sutton notes, and operational security personnel may be reluctant to work for an industry that remains taboo. The cannabis industry needs experienced operational security practitioners to continue paving the way, and Sutton says he would like to see more security directors become board-certified through ASIS or similar organizations.  </p><p>"I refuse to be siloed and just be the guy who is worried about video and access control," Sutton says. "I worry about it and I love it; however, there are so many other things you have to make sure you're following that do involve security. It touches everything. Security has to be at the table in deciding how you're going to operate, it's more than just your physical systems."</p><p>Morgan says he has seen a shift in the role security and law enforcement are playing in the cannabis industry. Initially, he says the Illinois State Police and local law enforcement were opposed to medical cannabis programs, but today his successor who runs the program at the state level is a former sheriff who changed his way of thinking. "He has seen the way the program works and can articulate how it's safe," Morgan notes.</p><p>"Everyone who knew me beforehand was shocked to hear that I was writing security plans for the medical cannabis industry," Sutton says. "I was the no-fun guy who was very much anti-drug and, for the most part, toed the line when it came to abiding the law. I rationalized it as making sure these companies were tight when it came to security and felt that as it was not illegal, I had no problem with it.... The turning point for me was the passion of the people in the industry and the fact that I wasn't dealing with hippies growing pot in their basement or garage. I was working with people who genuinely believed in their cause and truly considered cannabis as medicinal."  </p><p>Morgan continues to help governments and businesses create medical cannabis programs and says he hopes Illinois—which renewed its medical cannabis program through 2020—will revisit some of its more stringent regulations.</p><p>"It would absolutely be fair to say that Illinois has more than enough data points to show that our regulations can be scaled back in some areas where they were overly politicized," Morgan says. "Regulations such as fingerprinting patients and the extent of security measures each facility has to have in terms of the number of cameras and other requirements. This was an experiment to see how it was working and what wasn't working well, and to improve it. And that's what's happening throughout the country."  </p>
https://sm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspxPerformance Conversations: Checking In & Coaching UpGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The dreaded annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.   </p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security mangers may conduct effective and engaging performance conversations.​</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process. </p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt. </p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past." </p><p>Meanwhile, smaller organizations have taken their cue from these corporations. "People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. </p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains. </p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.  </p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect." </p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation. </p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-then-deserved ranking. </p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains. </p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees. These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  </p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. "The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. ​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. </p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. </p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.  </p>
https://sm.asisonline.org/Pages/The-Future-CSO.aspxQ&A: The Future CSOGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​CSO roles are becoming more prevalent in corporations while evolving to address security challenges. Scott Klososky, founding partner of Future Point of View, shares how.</p><p><strong><em> Q. </em></strong><em>What do you think the CSO role will look like in five years?</em></p><p><strong>A. </strong>The CSO role will have complete responsibility for integrated security across physical, electronic, and cyber. CSOs will report directly to the board in many cases and will have a long list of specific dangers they are charged with preventing. They will be responsible for things like stopping employee theft of data, preventing employees  from giving up passwords or compromising systems, and drone defense. They will be heavily involved in the organization's risk management system and will have a say in the insurance that is purchased to offset risk in specific threat areas. Another responsibility will be providing personal protection and intelligence in regard to travel for senior executives, board members, and their families. That will include social media scrubbing for the company, as well as for senior executives and board members.</p><p><strong><em>Q</em></strong><em>. What will the reporting structure to CSOs look like in the future?</em></p><p><strong>A.</strong> CSOs will have a VP of cyber, VP of physical, and VP of electronic security reporting to them. They will have specific people who are dedicated to the three different areas of security: the company, access control and surveillance systems, and cybersecurity. They will also be more closely aligned with HR because the human firewall is becoming such a problem. There is no way to protect an organization properly if the CSO does not have control over all aspects of security defense. Today, it is broken up across organizations and is too far removed from HR to be completely effective. The threats we are defending against will require this level of integration and collaboration.</p><p><strong><em>Q.</em></strong><em> Will the dynamic between security and the rest of the organization shift?</em></p><p><strong>A. </strong>To do security well, the CSO will have to develop strong collaboration with HR, IT, and operations. Then the CSO will have to participate in areas like risk and insurance. I see a future where a strong CSO is well-known and well-liked by all leadership. The CSO will be involved in lots of departmental meetings across the organization to determine new threat vectors and to build the relationships necessary to put up a solid defense. Today, CSOs can hide behind the scenes, and that needs to stop. They need to be out front with relationships across the organization, so they are looked at as a necessary element in the strategy of the organization.</p><p><strong><em>Q. </em></strong><em>What about smaller businesses and organizations? How will they keep pace with emerging security threats?</em></p><p><strong>A. </strong>There is only one real answer and that is to use contractors and vendors. Small and medium-sized organizations cannot pay for a full-time CSO in many cases, yet they need a smaller version of an integrated security model. They can rent the talent for a price they can afford by using local and regional security firms who are used to dealing with smaller clients. I suspect that security firms will build processes and systems to better handle these customers, so they are not left out in the cold.   </p>
https://sm.asisonline.org/Pages/Preserving-Precious-Property.aspxPreserving Precious PropertyGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In late 2011, Ricardo Sanz Marcos received a disturbing phone call. As a consultant with the cultural properties firm PROARPA Security Asset Protection and Cultural Heritage, he was used to receiving security inquiries about cultural properties, but he dreaded this type of news the most. An ancient Roman villa known as the Villa of Santa Cruz, in the province of Burgos, Spain, had been robbed.</p><p>Thieves had carelessly removed tiles from a centuries-old mosaic, called "The Return of Bacchus of India," situated in the middle of the house. The 5th century floor mosaic, which depicted a Roman god, was one of the largest and best preserved in Europe and was rare for its size of 66 square meters. </p><p>"The mosaic was destroyed when they stole it," Sanz Marcos recalls. "It was a pity because it was a beautiful mosaic." </p><p>Normally, art thieves who rob archaeological sites are careful to preserve the works they steal, but Sanz Marcos notes that the economic crisis in Spain has left many thieves desperate to make off with precious artifacts. </p><p>Thankfully, the artwork was restored to match the original as closely as possible. "Now there is a replica of the mosaic at the site," he notes. "The art technicians are very talented." </p><p>After the incident, which occurred in December 2011, Sanz Marcos was called to evaluate security measures at the Roman villa and assess how they could be improved. He says that visit was when he "fell in love" with an ancient archaeological site in Spain, known as the site of Colonia Clunia Sulpicia, not far from the villa. </p><p>Just a few years later, Sanz Marcos and a fellow cultural properties expert would complete a comprehensive site and survey risk assessment for the ancient archaeological site, one of only a few such assessments ever conducted.  ​</p><h4>Cultural Properties</h4><p>For ASIS Cultural Properties Council member James Clark, CPP, bringing value to the international membership around cultural properties security was a challenge he wanted to solve. "We were trying to increase our own knowledge base and our own body of knowledge, because we really needed that," he says of the council. "Things are going on in Europe that haven't been going on in the United States—there's the whole business of terrorism at sites in Syria, and a few years ago in Iran." </p><p>Threats. Clark, managing partner of Clark Security Group, LLC, an independent security consultancy in Cleveland, Ohio, notes that terrorism has had a destructive effect on cultural properties worldwide. Many headlines have been dedicated to Syria, where the Islamic State has purposefully destroyed countless ruins and artifacts.</p><p>But warfare is not the only threat to these historic sites. People who simply pick up relics, not understanding or knowing their value, can be a major threat to site preservation, he says. Lack of preventative measures, such as onsite security and technology systems, puts cultural properties at risk as well. </p><p>"My experience in South America and Central America—in Mexico in particular—is that there are varying degrees of security," he says. "There are some really fabulous sites in Mexico where there is no security. There are sites all over Central America—even Machu Picchu in Peru—that have periodic security. It's a challenge in all these places." </p><p>So, when Clark met fellow council member Ricardo Sanz Marcos, they immediately connected over their joint desire to bring more recognition and security to international cultural properties. </p><p>"We hit it off pretty quickly, and we started talking about how we could bring benefit to what he's been practicing in Europe, and particularly in Spain," Clark says. </p><p><strong>CRISP Grant.</strong> Sanz Marcos was passionate about creating a standard of protection for smaller cultural properties around the world that didn't draw the same level of attention as larger sites like the Mayan Ruins, or other locations designated as World Heritage Sites by the United Nations Educational, Scientific, and Cultural Organization (UNESCO). </p><p>"South of the Mexican border, down to South America, the south of Africa, the southwest of Asia—they are developing countries and they don't have the same level of industry or economy as developed nations, but they have cultural properties in the middle of the jungle or the middle of the desert," Sanz Marcos says. "That was the cornerstone of the Clunia report, to make a standard of protection for cultural properties in developing countries."</p><p>He and Clark worked with then council chair Robert Carotenuto, CPP, PCI, PSP, associate vice president of security at the New York Botanical Garden, to write a CRISP (Connecting Research in Security to Practice) grant proposal to the ASIS International Foundation. Carotenuto says that he hoped the grant would give the council a way to produce a document of critical significance for the field and international members. </p><p>Carotenuto credits former ASIS Foundation Board member Dr. Arthur Kingsbury, CPP, who had extensive experience in archaeological security, and Gary Miville, another former Cultural Properties Council chair, with helping them put together the grant. </p><p>After submitting the proposal, they were awarded the CRISP grant, and chose to do several site surveys and a security risk assessment at the place near and dear to Sanz Marcos's heart—Clunia. </p><p>"The grant was helpful because it gave us the ability to pick a topic, a subject, and a location that were nonthreatening," Clark says, referring to the lack of terroristic threat in Spain. "But there were some challenges because it was in a remote location, it's a huge property, and nobody was really taking care of it to a great degree." They began their research in November 2016, and published their findings in a CRISP report in January 2018. </p><p>Clark and Sanz Marcos conducted a four-day site survey, assessed the threats and risks to the property, and provided recommendations for increasing security at Clunia. They paid visits to nearby historic sites as well, and conducted meetings with stakeholders, including employees working on-site, cultural ministries, mayors of surrounding towns, and a security advisor in charge of the site's contract with Securitas. </p><p>Based on their findings, the authors provided detailed recommendations to the stakeholders, which they hoped would increase tourism, community involvement, and overall prosperity at Clunia. </p><h4>Challenges</h4><p>Clunia is situated on a plateau in the Province of Burgos in the Castilla y León region of North Central Spain, approximately 150 miles north of Madrid. The location is all but remote, nestled next to the town of Peñalba de Castro, which has a population of fewer than 85 people. Excavation of the site began in 1915, and archeologists found over the following decades that the colony was once a significant Roman city of the Iberian Peninsula, known as Hispania. </p><p>Clunia, which dates to the first century BC, is believed by scholars to be "the most representative of all the archaeological ruins that have been found from the Roman period in the Northern Iberian Peninsula," according to the site survey. The site includes a forum with a basilica, a temple, Roman baths, an aqueduct, and one of the largest theaters on the peninsula. Pottery, mosaics, sculptures, Roman coins, glass, and pieces of jewelry have been discovered at the site, as well as Christian symbols that indicate one of the first Christian communities in Hispania may have lived in Clunia. </p><p>The inhabitants were skilled, Clark says, as evidenced by the colony's remains. "They had farms, they had grain, they grew grapes, they made wine, they had hot and cold running water, and they were phenomenal engineers," he notes. "They could do whatever they wanted because they had those skills."</p><p>Still, only about 15,000 visitors a year come to see Clunia. Limited financial resources were found to be a major factor contributing to the site's poor security, with most funds coming from public administration budgets.</p><p><strong>Threats.</strong> Clunia's remote location, Clark explains, contributes to the property's security challenges. "The police response is an hour away," Clark notes, based on information he received from the Spanish Ministry of Culture. He adds that the threat of fire, as well as fire response, is another obstacle. The area is mostly dry grassland, making it prone to brushfires, and departments have limited resources to fight blazes in large remote areas. </p><p>"Those are the primary issues: fire, theft, and then just damage to the site," Clark notes. "When the grasslands are destroyed, the rains just wash away the soil which takes away the protection of the yet-to-be uncovered ruins." </p><p>While terrorism was not found to be a significant risk to Clunia, one of the biggest challenges was theft of material over time from the site. Security around the 6-kilometer (3.5 mile) perimeter and within the site was severely limited, leaving precious artifacts exposed to potential theft and the fragile ruins unguarded. </p><p>"The town right next to the site has homes and buildings adorned with all kinds of artifacts from Clunia, and anybody can go to the site and pick something up," Clark says. "Fortune seekers who bring their metal detectors in are able to find Roman coins and other objects that were obviously not excavated." </p><p>With limited security patrols, intruders were often able to dig large numbers of holes in search of artifacts. "On a single day in 2015, site personnel discovered more than 165 holes dug into the ground by unknown intruders who had sufficient time to render such destruction without discovery," they write in the report. "It is unknown what, if anything, was removed during these incidents."</p><p>While there was a lock on the gate that guarded the site entrance, several keys had been given out to members of the community, and to shepherds who needed to pass through with their flocks to graze.</p><p><strong>Resources.</strong> Clark and Sanz Marcos found in their assessment that security personnel and technologies at Clunia were severely limited. During public hours, a staff member who sold tickets at the gate and a guide who explained the history of the site were the only people consistently on the property. Additionally, a contract guard worked between 11:00 p.m. and 6:15 a.m., but the guard had no patrol vehicle to make tours. </p><p>The visitor center and artifact building, plus specific high-value artifacts inside, had alarm systems, but no one was monitoring video in real time. And with slow law enforcement response times, even if an alarm was triggered, the bad actors would have time to get away. ​</p><h4>Recommendations</h4><p>Based on their assessment, Clark and Sanz Marcos made several recommendations to increase both security and community involvement at Clunia. Their final recommendation was a holistic security approach with three components. The approach aimed to get the community on board with a sense of ownership of Clunia, provide policies and practices that complement the security technology and officers in place, and provide those officers with tools and technology that allow them to deter or stop bad actors from accessing the site. </p><p><strong>Intrusion detection.</strong> The authors recommended several security technologies, providing a detailed summary of costs for each specific purchase, such as re-keying the perimeter gates, adding thermal cameras, and purchasing an all-weather, all-terrain vehicle for the security guard. </p><p>Re-keying the gate would solve the issue of several missing keys that had been given out over the years. But the authors recommended that shepherds could continue grazing on the property, because it turned out the sheep helped prevent fire outbreaks by eating the dry brush. </p><p>Strategically placed cameras would notify security staff when someone penetrates the fence or trespasses on the site. "One of the technologies that we recommended were thermal imaging cameras mounted on poles, which can detect movement or motions up to a mile," Clark says. "We recommended four or five of those on the site."</p><p>Establishing a full-time security presence during all hours Clunia is closed to the public was suggested, which would include two officers: one to staff a control center within the visitor center, and another to perform patrols.</p><p>Clark adds that a new visitors center currently under construction could house a new video monitoring location and would serve as a further deterrent to people trying to desecrate the site. "This would allow people to park their vehicles, go through a pedestrian gate, go through the visitors center, pass a small museum there, then go up on the site," he says. "They wouldn't be able to bring metal detectors and shovels—and things of that nature—where they could desecrate the site." </p><p><strong>Community awareness.</strong> Because the Spanish Cultural Ministry has limited financial resources, Clark and Sanz Marcos determined that increasing community buy-in around Clunia could generate more revenue for protecting it. By educating surrounding communities about the history and significance of the site, the authors indicated the value that Clunia could bring to restaurants, hotels, and other nearby merchants. </p><p>"This process should begin by first working with community leaders such as mayors, legislative representatives, and business people, followed by focused community meetings, informational brochures, and regular communications from the cultural ministry," they write in the report. </p><p>They suggested a training program to educate schools, neighborhood associations, and other institutions about Clunia, and recommended a marketing strategy in conjunction with nearby properties to draw tourism. </p><p>Sanz Marcos iterates the importance of community buy-in for the success of any historic site. "If you transform the cultural property into a sustainable industry that creates jobs, health, wealth, and a better life for the population around it, you can preserve the property," Sanz Marcos notes. "We have to leave our cultural properties for our children in better condition than we received them."</p><p>While Clunia was Clark's first archaeological site survey, he has performed risk assessments at museums, libraries, and other cultural properties throughout his career. He says he found that the basic principles of effective physical security applied to Clunia. "The biggest surprise to me was how relatively simple the solutions are," he says. "You really need to do vulnerability assessments on all these sites. There's a lot of common ground here. but there are also a lot of idiosyncrasies about each individual site."</p><p>Carotenuto echoes the importance of paying attention to the uniqueness of each cultural property and says it's a best practice for any risk assessment. "As security professionals, we don't just go in and tell someone, 'Well, this is what you need,'" he says. "It has to be tailored to that environment, it has to fit with the culture of that place, and that to me is the most interesting thing about the Clunia report—they realized they needed to embrace the culture of that site." </p>
https://sm.asisonline.org/Pages/Bridging-Worlds.aspxBridging WorldsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Effective security professionals are great innovators by nature. Continually forced to do more with less, security managers create new ideas in an ever-changing industry.</p><p>However, in the security field, the ways in which value is created are changing all the time. So are the strategies required to protect that value. For security managers, the challenge is to be the type of leader who understands how the value creation process is changing, and to then lead the security department so that it best leverages its value for success. </p><p>This type of leadership works best through collaboration. Kevin Kruse, the founder and CEO of LEADx.org, de­scribes leadership as "a process of social influence which maximizes the efforts of oth­ers towards the achievement of a goal." Undoubtedly, the process of social influence is key for security leaders, who typically do not have the authority to tell every­one in the organization what to do and have them comply.</p><p>Moreover, the environment that today's security manager is trying to lead in is filled with rapid change. These changes include massive shifts in technology in both software and hardware, as well as vast changes in the compliance landscape. For security leaders who are not experts in cybersecurity, such as physical security managers, these developments can be daunting to understand and get a handle on. But avoiding them and staying completely within one's silo or area of expertise can make collaboration difficult, and it will lessen the likelihood of effective social influence. </p><p>On the other hand, physical security managers who make the effort to gain an understanding of the effects of these technology and compliance changes, and how their effects can be harnessed to bolster the security of the overall enterprise, can then build bridges between different sections of the security world. These bridges break down silos, and they increase the social influence of the security manager and the chances of successful collaboration. </p><p>With that in mind, this article will discuss a few current technology and compliance developments, and the impact they might have on enterprise security.  ​</p><h4>DevOps</h4><p>DevOps, a software engineering culture and practice aimed at unifying software development (Dev) and software operation (Ops), is changing the way that digital experiences are being created in software.</p><p>One of the main characteristics of the DevOps movement is a push to automate and monitor all steps of software construction, including integration, testing, and deployment. As a result, some of the aims of Dev­Ops are shorter development cycles, in­creased deployment frequency, and releases that are closely aligned with business objectives. </p><p>DevOps specialists John Willis and Damon Edwards have used four terms to define the movement—culture, automation, measurement, and sharing. Under this approach, which is radically different from the traditional one, software is delivered continuously. Teams that had previously worked in silos come together to achieve common goals. As soon as someone comes up with an idea for a new digital experience, a cross-functional team can quickly turn it into reality.</p><p>The DevOps movement is catching on. Currently, 27 percent of surveyed organizations are using a DevOps methodology, according to the latest version of the annual report, The State of DevOps, published by software services company Puppet in 2017. Clearly, the use of DevOps is on the rise, and it is something that security managers should be up to speed on. </p><p>Compare the execution of some security functions in a DevOps versus a pre-DevOps world. In the pre-DevOps world, organizations built technologies in private data centers, and security professionals focused on protecting the perimeter of those centers. Similarly, the traditional brand of waterfall software development (where progress flows in only one direction—down—like a waterfall) takes time, enough time for lengthy cybersecurity reviews and approvals to take place. During this painstaking process, there is a strong focus on preventing breaches from occurring.</p><p>In the DevOps world, use of cloud infrastructure and automation transforms technology infrastructure so that it is now managed as software via application programming interfaces (APIs). The focus is on application and API security, instead of the traditional focus on host and network security. In this world, almost every software company is both a vendor to other software companies and a customer. </p><p>The connected ecosystem of the DevOps world pushes enterprise security away from its previous commonly assumed role as a cost center and pushes it toward the clear position of business driver. It is explicitly requested during the sales process—usually in the form of a vendor security questionnaire. A DevOps world assumes that security incidents are happening all the time and acts accordingly.</p><p>But security managers should know that buying a DevOps product can be different from buying a more traditional enterprise IT product that is installed in a private data center. </p><p>The purchase of the traditional product often meant building a long-term, old-school relationship that required significant investment by both parties. This eventually built trust, if both parties acted in good faith. </p><p>In contrast, Cloud, Security as a Service (SaaS), and other DevOps solutions have been described as "easy come, easy go," and they are often acquired in a low-friction transaction environment, over a shorter time frame. The quality, security, and regulatory compliance of these solutions must be expressed to the security manager in a more explicit way.</p><p>To illustrate, consider the following example. A DevOps vendor has begun to close a deal with its first big enterprise client. Now that the enterprise client has decided that it is interested in purchasing the DevOps vendor's product, it's time for the enterprise client's security team to get involved (just as the legal and purchasing departments will get involved regarding the contract and payment components of the transaction). </p><p>The enterprise security team sends the DevOps vendor a security questionnaire, which typically contains many questions. In some cases, receiving these types of security questionnaires can be intimidating to a DevOps vendor. In other cases, it can inspire the vendor to help drive and continue to mature the security program. </p><p>But no matter what the DevOps vendor's initial reaction is, the role of security has been transformed. It's an obvious and crucial part of completing the sale, from the point of view of both the vendor and the enterprise organization. Thus, the perception of security here is as an explicit business driver, which was not necessarily the case in the traditional IT product world. </p><p>Of course, physical security managers do not need to become technical experts on software development. However, understanding how DevOps changes the transaction process and the perception of security could become valuable knowledge for security managers of all types, including physical security managers. </p><p>Moving forward, the potential commercial advantages of the DevOps approach will likely make the software development trend an attractive one for many more organizations. Physical security managers who can meet this trend with a basic understanding of its potential impact will be well-positioned to collaborate with technology managers, for the benefit of the enterprise's overall security. ​ </p><h4>IoT Security</h4><p>In a recent survey by Business Insider Intelligence, executives were asked various questions about the Internet of Things (IoT). Security was found to be one of the most consistent concerns, chosen by 39 percent of survey respondents, well ahead of other concerns like questionable ROI, lack of a use case, and price. The security concern, in a nutshell, is that increased adoption of IoT technology may expose organizations to new, more prevalent hacks.</p><p>In the past few years, security ex­perts have executed, for demonstration purposes, alarming hacks on connected vehicles (2015), sniper rifles (2015), and cardiac devices (2017). Technically, many of the security vulnerabilities exploited in these hacks are similar to those of more conventional technologies such as servers, but the methods for detecting and addressing vulnerabilities in a connected web of smaller and less capable devices can be much more complex. </p><p>"Paradoxically, the very principle that makes the IoT so powerful—the ability to share data with everyone and everything—creates a huge cybersecurity threat," write Christopher J. Rezendes and W. David Stephenson in a recent Harvard Business Review article, "Cyber Security in the Internet of Things." As with any software product, the best approach for reducing the risk of software-connected vehicles and other types of systems is to assess and monitor security during the product development lifecycle. </p><p>Security managers should evaluate IoT systems with misuse and abuse cases in mind, considering how IoT features might be unintentionally misused or intentionally abused. In this way, the approach to reviewing an IoT system is not much different from the approach that has been commonly used for years to assess software security.</p><p>The methodology is called threat modeling, and this can be done either by an internal security team or outsourced to a third party that specializes in this type of analysis. The first step in creating a threat model is to identify the assets, security controls, threat agents, and threats within the system. The next step is to estimate the likelihood and impact of each threat within the system. Then, an associated mitigation plan for each potential flaw is developed.  </p><p>It is also critical for security managers to ensure that security fundamentals remain in place when working with the IoT environment. One of the founding principles of IoT security is that access should always be shut down where it's not necessary.</p><p>In addition, because IoT devices are primarily consumer facing, it's also important for security leaders to ensure that consumers are aware of and actively implementing cybersecurity basics such as the use of strong passwords and software updates.</p><p>Like DevOps, IoT systems are very likely to become more widespread in the next few years. Familiarity with the threat modeling process and other means of evaluation and sustaining bedrock principles will be valuable tools for security leaders, including physical security specialists, to possess. In addition, managers who supervise enterprise security risk management (ESRM) programs will find that IoT threat models often complement the overall ESRM program. This is because both take the same approach of using risk management principles to identify potential threats and their likelihood, and then strategically allocating resources to fight the threats.  ​</p><h4>GDPR</h4><p>For the past decade and a half, security professionals have been navigating a changing regulatory environment. To date, many regulatory compliance frameworks have been applicable to only one specific industry. Payment Card Industry (PCI) standards apply to financial services, the Health Insurance Portability and Accountability Act (HIPAA) applies to the medical field, and the Sarbanes–Oxley Act (SOX) applies to public companies. </p><p>Additionally, each set of rules and regulations has different enforcement mechanisms. PCI, for example, applies differently to various tiers of an organization, and the actual fines that have been paid by noncompliant organizations have been fairly limited. </p><p>But all of that changes with the General Data Protection Regulation (GDPR). GDPR enforcement officially began in May 2018, and it applies to organizations located within the European Union (EU) and to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU citizens. Organizations that do not comply with GDPR requirements can be fined up to 4 percent of annual global revenue or up to €20 million (roughly $24 million), whichever is greater.</p><p>While the focus is on consumer privacy, GDPR has a lot to say about processes and procedures surrounding data breaches, vendor security, and data protection in general. At a high level, the regulation requires organizations to develop a data inventory and continuously track how data is processed, stored, and transferred. </p><p>Given this, many proactive security leaders will be developing plans for how to proceed when it comes to either providing vendor services or leveraging a vendor for data processing, storage, or transfer. Many will also develop plans for responding to an incident that takes into consideration what action is required by GDPR in the case of a breach. A physical security manager who has sufficient working knowledge of GDPR can be a valuable asset as a participant in this plan development, and the enterprise at large will benefit from the fact that the plan was a collaborative effort between different security specialists.</p><p>For more information, the full GDPR document is available publicly. There are also many guides, runbooks, and "do's and don'ts" online that professionals can review to learn how others are interpreting the information. ​</p><h4>Bridging Worlds in Person</h4><p>DevOps, IoT security, and GDPR comp­liance are all rapidly changing areas within the overall technology and regulatory landscape, and they all offer opportunities for security managers who are not cybersecurity specialists to build bridges into the worlds of technology and information compliance. </p><p>Physical security managers who had educated themselves on the basics of these topics can then learn more when meeting with technology specialists. Such meetings often proceed more smoothly if the physical security manager goes into the meeting with a productive eager-to-learn attitude.    </p><p>So, when meeting with technology and compliance experts, ask questions and save your demands. Spend twice as much time listening as talking. The more curious you are, the more likely you are to learn something that will benefit you as you put together an approach toward improving overall enterprise security.</p><p>Some important questions for a physical security manager to ask a technology manager or engineer might include: What's important to you? What are your top priorities this quarter? What worries do you have about getting your job done? This information can be used to align security goals with technology goals. It can also provide context, and a more accurate answer, for a security manager who is mulling over the question of why security tasks do not seem to receive the time or resource allocations that they should. </p><p>A similar approach will also benefit physical security managers who want to build bridges with the organization's business leaders. Before meeting with these leaders, security managers should spend time learning about the business side of the organization. Then, they can dive into specifics during the meeting, using the same types of open-ended questions used with technology leaders. </p><p>Astute security leaders know that they cannot approach business and technology teams and order them to work in a certain way. If security managers do not spend time and effort learning about how other specialists work, what their priorities are, and what risks matter to them, trust will be hard to build. When was the last time you listened to the advice of someone you didn't trust?    </p><p><em>Caroline Wong, vice president of security strategy at Cobalt.io, has held executive security and management positions at eBay, Symantec, Cigital, and Zynga.</em></p>
https://sm.asisonline.org/Pages/Book-Review---Credit-Card-Fraud.aspxBook Review: Credit Card FraudGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Rowman & Littlefield Publishers; rowman.com; 264 pages; $36.</p><p>Credit card fraud is a huge issue. It keeps everyone, from banks and merchants to customers and police departments, up at night. Attackers are savvy and think of ways to break new credit card protection mechanisms, often only a few hours after they are implemented.</p><p>While the problem will never go away, in <em>Preventing Credit Card Fraud: A Complete Guide for Everyone from Merchants to Consumers,</em> Jen Grondahl Lee and Gini Graham Scott have written a most valuable guide that can be used by everyone within the credit card lifecycle to better protect themselves. </p><p>The book is written for two different audiences and divided into corresponding sections: "Protecting Yourself as a Consumer or Client" and "Protecting Yourself as a Merchant or Service Provider." Each provides a lot of information and helpful tips readers can put into play to ensure they don't become victims of credit card fraud.</p><p>For customers, the authors describe "free trial" scams, where devious merchants offer a free trial, but with odious terms and conditions. Customers supply valuable credit card information, and by the time they know what has happened, they are often on the hook for hundreds of dollars of worthless products.</p><p>For merchants, there is guidance on knowing your customer to obviate credit card fraud. But the authors don't paint a pretty picture, in that when fraudsters are caught, they rarely face jail time. And even when they do, it's often for insignificantly short sentences. </p><p>The rate of credit card fraud is not slowing down. Small efforts can go a long way toward avoiding becoming a victim. For those looking to put in the effort, Preventing Credit Card Fraud is a helpful and valuable guide..</p><p><em>Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), PCI, QSA (Qualified Security Assessor), is a principal security consultant with Nettitude.</em></p>

 UPCOMING EVENTS AND EDUCATION

​2 - 5 July 2018
ASIS / IE Business School​​ (Madrid)

9 - 10 July 2018
Executive Protection​ (Chicago)​

11 July 2018
Critical Systems Protection (Webinar)

26 - 27 July 2018
ASIS International African Security Conference​ (Lagos)

​More Events>>​​​
​​​​