Book Review: Breakthroughs in Decision Science and Risk Analysis | Strategic Security | 2016-05-01T04:00:00Z | https://sm.asisonline.org/Pages/Book-Review--Breakthroughs-in-Decision-Science-and-Risk-Analysis.aspx
Keeping Chaos Under Control | Strategic Security | 2004-03-01T05:00:00Z | https://sm.asisonline.org/Pages/Keeping-Chaos-Under-Control.aspx
Beyond the Active Shooter | Physical Security | 2015-01-01T05:00:00Z | https://sm.asisonline.org/Pages/Beyond-the-Active-Shooter.aspx
The Business of Travel Safety | Physical Security | 2014-06-01T04:00:00Z | https://sm.asisonline.org/Pages/business-travel-safety-0013433.aspx
Protection on Display | Physical Security | 2016-05-01T04:00:00Z | https://sm.asisonline.org/Pages/Protection-on-Display.aspx

Security Management


Book Review: Breakthroughs in Decision Science and Risk Analysis
https://sm.asisonline.org/Pages/Book-Review--Breakthroughs-in-Decision-Science-and-Risk-Analysis.aspx
Strategic Security
<p>Wiley; Wiley.com; 328 pages; $130.</p><p>Decision and risk analysis is the discipline comprising the philosophy, theory, methodology, and professional practice necessary to address important decisions in a formal manner. It includes many procedures, methods, and tools for identifying, clearly representing, and formally assessing important aspects of a decision. </p><p>In <em>Breakthroughs in Decision Science and Risk Analysis</em>, Dr. Louis Anthony Cox and 14 contributors have written a valuable text that describes the current state and recent advances in decision and risk analysis. Besides addressing breakthroughs in the psychology and brain science of risky decisions, it also includes methods for deciding what actions to take when information is sparse and useful probabilities cannot be determined.</p><p>Written for the decision and risk analysis professional, it is in no way an introduction to the topic. The authors cover the various elements that make up the discipline, including psychology, economics, statistics, engineering, and more. </p><p>Numerous discussions explain how decision and risk analysis can be applied to make better policy and management decisions, using empirical evidence, as opposed to gut feelings. Those in the field will find this a valuable reference.</p><p>--</p><p><em><strong>Reviewer: Ben Rothke</strong>, CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a principal eGRC consultant with the Nettitude Group.</em></p>
Protection on Display
https://sm.asisonline.org/Pages/Protection-on-Display.aspx
Physical Security
<p>While driving from Toledo, Ohio, to New York City in November of 2006, the two drivers of an art transport truck stopped for the night in Pennsylvania at a Howard Johnson Hotel. They parked the truck in an unlit parking lot adjacent to the hotel, out of sight of the hotel’s rooms and the main office.</p><p>In the morning, when the drivers returned to the truck, they found the locks on the truck broken and the painting inside, Goya’s Children with Cart, valued at $1.1 million, gone. </p><p>The authorities were notified and an extensive publicity campaign was launched to locate the painting. The Guggenheim Museum, which had planned to display the painting in its upcoming exhibition Spanish Painting from El Greco to Picasso: Time, Truth, and History, released a joint statement with the painting’s home museum, The Art Museum of Toledo. </p><p>The two museums said the painting would be “virtually impossible to sell and therefore has no value on the open market,” in an effort to prevent a clandestine sale. They also announced that the painting’s insurers were offering a reward of $50,000 for any information leading to the recovery of the painting.</p><p>The strategy worked, and the FBI received a tip which led to the recovery of the painting less than two weeks later. It was in “good condition” and appeared to “be unharmed,” the FBI said in a press release announcing the Goya’s recovery.</p><p>That tip came from Steven Lee Olson, 49, who reported that he discovered the painting in his basement. Olson was a self-employed truck driver, and was later charged with stealing the painting himself. </p><p>Olson contacted the FBI, but not for the reward money. “I really wanted to get rid of it,” he told U.S. 
District Judge Dennis M. Cavanaugh in a court proceeding. After stealing the painting with his neighbor, “they realized it was more than they could handle,” Olson’s attorney, Joe Ferrante, said to the AP. </p><p>The two men pleaded guilty to conspiring to steal the painting. Olson, who had a criminal record, was sentenced to five years in prison for his crime and his neighbor, Roman Szurko, received one year and a day.</p><p>While the painting was successfully recovered and eventually returned to Toledo where it’s displayed today, the theft brought new awareness to the security concerns associated with museum special exhibitions.</p><h4>Planning</h4><p>Located in the middle of America in Bentonville, Arkansas, Crystal Bridges Museum of American Art is well aware of the challenges that come with transporting art to and from various museums. </p><p>The museum, which opened in 2011, has a collection that spans five centuries of American art ranging from the Colonial era to the current day. Its masterpieces include Asher B. Durand’s Kindred Spirits, Norman Rockwell’s Rosie the Riveter, and Andy Warhol’s Dolly Parton—to name a few. </p><p>In addition to its vast collection, the museum also hosts a wide variety of special exhibitions each year. Planning for these exhibitions starts years in advance, says Niki Ciccotelli Stewart, Crystal Bridges’ chief engagement officer. </p><p>“Right now we have an idea for our large exhibition space of what we’re doing through 2018,” she explains. 
“We’re green-lighted through 2017 with some yellow lights in late 2017, 2018, and 2019.”</p><p>Crystal Bridges receives a variety of proposals for special exhibitions, which are originally looked over by the curatorial and exhibitions teams to determine what value the exhibition would have for visitors, whether the content is appropriate, and whether the exhibition fits the larger arc of the stories the museum wants to tell with its programs.</p><p>“We’re telling stories about the founding of America,” Stewart says. And since Crystal Bridges is a relatively young museum, it has to consider what its visitors will want to see—such as American Chronicles: The Art of Norman Rockwell, which drew thousands of visitors to see 50 original paintings and 323 Saturday Evening Post covers by the artist.</p><p>Once the curators and exhibitions team have decided that an exhibition is a good option for the museum, they start discussing the viability of the exhibition itself—the size of the art, the kind of climate it will need, and the security conditions needed to display it.</p><p>This is when Director of Security Geoff Goodrich is brought into the discussion to review the initial draft of what requirements Crystal Bridges will have to meet in order to host the exhibition. Goodrich analyzes the contract not just to see what the security requirements are, but what the impacts will be on the museum’s facility, how the exhibition will be shipped, and the security requirements necessary, such as the number of physical security officers and cameras in the gallery.</p><p>One of the most important parts of the process is determining how many security officers need to be present in the exhibition gallery based on the layout of the gallery and how the artwork will be presented. For instance, certain exhibitions make visitors want to touch the artwork. 
These exhibitions might merit more security officers.</p><p>“We have a folk art exhibition coming up later this year, and it’s a very touchy-feely exhibition,” Goodrich says. “It’s folk art from years past and now, so for some people it’s like going to a giant craft show. And when they go to a craft show, they get to touch everything. But this is antique stuff…and whether it’s something handmade or a quilt hanging on a wall, people want to have that sense of touching.”</p><p>This means he’ll have more staff patrolling in the gallery than he would for another exhibition coming to Crystal Bridges that features photography and video. </p><p>Additionally, Goodrich will consider what level of explanation an exhibition might require. Security staff are often the most visible museum staff, so visitors may look to them to explain portions of an exhibition.</p><p>“Knowing that early on allows me to plan my staffing, if I need to hire some additional staff members or shift people around—it gives us a plan to be able to get in on a budget process a year early,” he explains.</p><p>After Goodrich has an idea of how many security officers will need to be on staff for the exhibition, the exhibits designer and curatorial department begin planning how to display the artwork itself.</p><p>They come up with an initial plan and then sit down with Goodrich to look at the proposed layout of the exhibition to identify any issues, such as safety from the fire marshal’s standpoint. “As we all know, 90 percent of the time there’s always something,” Goodrich says. </p><p>To help mitigate this problem, Crystal Bridges has made a collaborative effort to work with the local fire department to bring in the fire marshal for regular walk-throughs throughout the planning process.</p><p>“Not just to make sure it’s up to code, but also to decide this is a smart thing to do,” Goodrich says. “Even though it does meet code, is it smart? 
Is this the wise way to do this?”</p><p>Sometimes this results in great advice from the fire marshal on small changes that can be made to ensure that the exhibition is displaying the art in a secure manner that also creates a safe environment for visitors.</p><p>For instance, the fire marshal may walk through the exhibition space with Goodrich and other facilities staff and recommend adding another exit to the layout. The additional exit may not be necessary for the space to be code compliant, but would provide easier access out of the exhibition space in the event of an emergency.</p><p>During this process, Goodrich also looks at the layout of the exhibition gallery to determine “pinch-point areas,” where a group of people might gather in front of one painting and create a bottleneck for people to go around. </p><p>If this is the case, and it will interrupt the traffic flow of the gallery, Goodrich can work with the exhibition team to change the layout to reduce congestion—keeping the art safe while also improving visitors’ experience.</p><p>After determining the design of the exhibition—from the wall placement to the entrance and exit—Crystal Bridges then looks at how to place security cameras throughout the gallery and how lighting will impact those cameras. The museum just upgraded the cameras in its special exhibition space so they are all digital and have infrared capabilities. </p><p>“Which means they can see in the dark so we can do lower light levels and still have excellent video quality,” Goodrich says.  </p><p>At this point, the planning phase is complete and Crystal Bridges just has to wait for the exhibition itself to arrive—one of the most difficult aspects of the process.</p><p>“It’s hard to get everything here, easily, because of where we’re located,” Goodrich explains, as the museum sits in the bottom of an Ozark ravine in a relatively rural area. 
“So most things come to us over land.”</p><h4>Transporting</h4><p>In the Goya theft case, the truck drivers transporting the painting parked their truck and left it unattended, overnight, in the parking lot. For many security professionals, that scenario is unimaginable if not panic-inducing. </p><p>Fortunately, not all art handlers operate that way. Instead, many require that art shipments be monitored from pick-up to drop-off without overnight stops in between. One company that provides this service in the United States and Canada is FedEx Custom Critical, a freight carrier under the FedEx umbrella.</p><p>As part of Custom Critical, FedEx has a White Glove Services Department that “handles anything that is special care,” says Carl Kiser, operations manager for the department. </p><p>The department has an internal staff that handles customer service and makes the arrangements for pick-up and delivery of artwork for clients.</p><p>The drivers, however, are contracted out and must pass a background check before being hired for the department. Drivers pick up shipments, transport them to their destination, and drop them off. They do not, however, pack or unpack artwork.</p><p>As part of this contract service, clients can request certain requirements through White Glove Services, including temperature controlled trucks and single shipment on a single truck.</p><p>That “in and of itself is a security measure because there are no unnecessary stops along the route,” Kiser says. “The freight goes from the point of origin straight through to delivery, if that’s what the art customer wants.”</p><p>Drivers—who often operate in teams for art shipments—are also required to monitor the freight at all times so the truck is never left unattended. 
“That’s critical in making sure that nothing happens to that shipment,” Kiser says.</p><p>As an added layer of security, when a driver is contracted to pick up a shipment, the department sends the museum or client a Positive Driver Identification (PDI). The PDI contains photos of the drivers that are approved to pick up the shipment, ensuring that the driver who shows up to pick up the shipment is not an imposter.</p><p>The teams of drivers work together, trading off driving duties while one sleeps in the cab of the truck on what are typically long drives across the United States or into Canada. The department will also work with clients who want to send a courier or an escort vehicle with the shipment—a common practice in the art world.</p><p>If drivers need to stop, or there’s a delay in when a museum can unload a shipment, they have the option to use one of FedEx’s freight locations to secure the truck overnight in a gated, locked facility. </p><p>To ensure that trucks are traveling on the approved route and on schedule, the White Glove Services Department monitors the progress of trucks once a shipment is picked up by using a GPS tracking system. </p><p>“We have the system set up to send back a service failure notification if the truck is running more than 15 minutes behind the allotted schedule,” Kiser says. “And then our agents would investigate to find out what’s going on, and then notify the customers so they’re aware of the status of that load throughout the entire shipment.”</p><p>If there are no service failures en route, the department would notify the customer when the shipment arrived at its destination, had been signed for, and delivered. 
</p><p>However, if there is a problem, the department has Qualcomm wireless communication devices in each of its trucks, which use a satellite connection to send messages back and forth to the truck from the department’s headquarters.</p><p>“So if there is a scenario that occurs, we have tracking on that truck and we also have the ability for the contractor or driver to reach out to us to let us know that something’s taken place,” Kiser says. “Or they call us directly. We are a 24/7 facility that can respond to a situation at any time of the day or night.”</p><p>These situations can include anything from a traffic jam to a storm that could be slowing or stopping the truck altogether. If it’s an emergency situation, such as a truck getting into an accident, the department has escalation procedures in place to alert Kiser and FedEx’s security group to respond. It can also alert the authorities if a law enforcement response is necessary.</p><p>For especially sensitive shipments, the department also offers a device, called SenseAware, that can be placed inside the shipment itself to provide tracking information directly to the client.</p><h4>Exhibiting</h4><p>Once Crystal Bridges knows the arrival date for an exhibition, its exterior security team will assist with the delivery—via truck—entering its receiving area, which is designed to allow a 52-foot truck with a cab to enter and then be sealed off with a gate.</p><p>“That way we have a secure area for them to offload the art,” Goodrich says. “Once the truck is here, then we have a process in place where our receiving clerk will shut down the whole dock area.”</p><p>The clerk will send out an e-mail and a radio alert that the receiving dock area is closed, except to essential personnel who are involved in offloading the truck. 
Signage is posted in the museum’s elevators so staff are aware of the closure, and only approved personnel using access cards will be allowed into the receiving area.</p><p>Based on the contract with the lending institution, additional security measures might also be required once the exhibition reaches Crystal Bridges, such as having security officers present in the gallery while the artwork is being installed. </p><p>However, with the improvement of access control capabilities at museums, many lending institutions are not requiring this, Goodrich says. </p><p>“Only those people who are directly related to the exhibit can enter, and they only enter through one designated door to get into the gallery space to work,” he explains. “So that limits the need to have a physical body there.”</p><p>Goodrich also places temporary cameras in the gallery while exhibitions are being installed in case a worker is injured while installation is taking place. “If somebody gets hurt, we still have video of the activity in the space for our records,” he says.</p><p>While installation is taking place, Stewart works with Goodrich to educate security staff about the exhibition so they can answer questions and engage with visitors. Stewart will meet with security staff on a Wednesday when Goodrich has created a standard time for different departments to come in and brief the security team on what they’re doing. 
</p><p>For her brief, Stewart provides security staff with a program of what exhibitions are coming up and printouts of information about the exhibition, such as what pieces of art will be included and who the artists are.</p><p>After the exhibition opens, Stewart goes back for another Wednesday briefing to discuss what security staff are seeing in the gallery—how people are moving through the gallery, what kinds of questions staff are being asked, and what behaviors they’re seeing.</p><p>For instance, when the Rockwell exhibition was at Crystal Bridges, 120,000 people came through the museum to see it. Managing the crowds became a major challenge, and security staff had to work closely with the exhibitions team to manage the flow of people to prevent overcrowding in the gallery.</p><p>Another challenge came with Crystal Bridges’ State of the Art: Discovering American Art Now exhibition, which featured 102 different artists from across the country and took over the entire footprint of the museum. </p><p>“We had art on the pond, art in the stairwells, art in the hallways, so it was very engaging and textured,” Stewart says. “Everyone wanted to touch the art, but that wasn’t allowed, so it created an operational challenge for staff.”</p><p>Crystal Bridges met this challenge by deploying more security staff to the galleries, so they could engage with visitors, answer questions, and enforce the no-touching rule. </p><p>“We really had to be ready for lots and lots of questions from visitors, and our security team was energized rather than annoyed by that,” Stewart adds.</p><p>With 35 special exhibitions under its belt and more slated for the rest of 2016, Crystal Bridges is now sending its own special exhibition to other institutions. 
State of the Art made its first stop at the Minneapolis Institute of Art in February and will stay there until the end of this month, when it will travel to Telfair Museums in Savannah, Georgia.</p><p>And the trucks transporting it won’t be making any unattended overnight stops along the way.  </p>
Managing Age Diversity
https://sm.asisonline.org/Pages/Managing-Age-Diversity.aspx
Strategic Security
<p>Dealing with a disciplinary issue was not the way I wanted to start my Monday at the museum where I work. But there we all were, sitting in my office, about to discuss a problem that occurred over the weekend. The security supervisor was upset. The security officer was upset. And neither person thought they did anything wrong.</p><p>But after both staffers gave me their versions of what happened, I could clearly see the reality of the situation. The problem wasn’t that the supervisor was being overbearing, nor that the officer was being obstinate. Their problem, at its heart, was simply an enormous communication disconnect.</p><p>The supervisor was in her early 30s, and the officer was almost 60. Partly because of this generation gap, they did not send and receive information the same way, nor did they have the same social values and manners. Misunderstandings came quickly. </p><p>Now came the job of bridging the communication generation gap—teaching each of these security professionals how the other sends and receives information, so that both could be better understood and the disconnect could be repaired. </p><p>In this specific situation, the supervisor, from the Millennial generation, had a tendency to be more relaxed in her work environment and in her style of communication. In contrast, the officer, from the Baby Boomer generation, preferred a more formal and traditional work setting and communication style.</p><p>In this instance, the conflict occurred when the officer brought up an issue to the supervisor. 
The officer thought it was an issue critical to the operation of the museum, but the supervisor believed that the officer was going overboard, and she didn’t think the issue needed to be addressed immediately.</p><p>Resolving this communication issue took several steps. First, it required a breakdown of the situation and the dynamic at work, so that any misunderstandings could be cleared up. I began by explaining that neither was being intentionally rude to the other, but that they simply had different communication methods.</p><p>Then, I became more specific. For each, I detailed the ways in which the other communicates. More importantly, I also described what each might find upsetting in the other’s manner and style of communication. For example, being overly formal in reporting the incident could imply criticism of the younger person’s job performance. And informally dismissing the incident seemed disrespectful to the older officer. I urged them both to stop and think about what the other was saying before reacting—to respond to the words, not the tone.</p><h4>Workplace Generations</h4><p>The above episode was a living-and-breathing testament to a development that demographers and human resource specialists grapple with: The American workplace is becoming more generationally diverse. </p><p>Work-life expectancy, or the number of years people spend working, is increasing, experts say, and the number of U.S. workers still employed after age 70 is on the rise. By 2020, the American workplace will host members of five different generations. This age diversity has many ramifications for organizational culture. For managers, a wide-ranging workforce can be a tremendous resource, but it also poses challenges. </p><p>One particular challenge comes in the area of communication. It’s become a truism that effective communication in the workplace leads to increased productivity, greater efficiencies, and fewer misunderstandings. 
But different generations have their own style and preferred methods of communication, so a key initial step toward better communication across generational lines is to learn about behavioral trends among the different generations and understand their general makeup.</p><p>According to Dr. Jill Novak, a management expert and Texas A&M professor, there are six living generations at this time: the Veteran’s Generation; Mature/Silents; Baby Boomers; Generation X; Generation Y, also known as the Millennials; and Generation Z, also known as the Boomlets. </p><p>Novak cautions that, as we examine the characteristics of each generation, it is important to remember that everyone is a distinct individual, and not everyone behaves according to a generational framework. But although the qualities and attributes sketched out below do not apply to all, they are common enough to guide the understanding of generational behaviors.</p><p><strong>Veteran’s Generation.</strong> Born between 1901 and 1926, there are very few members of this generation remaining in the workforce. However, they have made such a lasting mark that their influence and values still remain in some organizations. Many were the children of World War I and the fighters of World War II. </p><p>They saved the world, then helped build a new nation. They are assertive, energetic doers, and excellent team players. They have a strong sense of loyalty, and near absolute standards of right and wrong. They appreciate a more formal communication style and can find e-mails and texting to be cumbersome and cold.</p><p><strong>Mature/Silents. </strong>Born between 1927 and 1945, most of this generation has left or is currently leaving the workforce. They were groomed by their parents to conform to authority during the prosperous postwar period. Women of this generation usually stayed home to raise children; if they did work, it was in specific professions acceptable for females such as teaching and nursing. 
Many men got a job and kept it for life. They are often disciplined, self-sacrificing, and cautious. </p><p>As a general rule, Mature/Silents do not like change. They find face-to-face discussions more appealing but can grasp some of the concepts of electronic communication.</p><p><strong>Baby Boomers.</strong> One of the largest generations in American history, with 77 million people, the Baby Boomers were born between 1946 and 1964. Theirs is the first TV generation and also the first to believe in using credit to buy goods. </p><p>Although some came of age in the hippie era of the 1960s, their attitudes often evolved with age, so members of this generation tend to be more positive about authority, hierarchal structure, and tradition. Generally, Boomers are optimistic, driven, and team-oriented. </p><p>For the most part, they have a good understanding of communicating through computers and cell phones. The majority also have profiles on one or more social media sites.</p><p>As we’ve discussed, Veterans, Mature/Silents, and Baby Boomers often favor communicating in person. Although a one-on-one approach is preferred, they also don’t mind e-mails or texts as long as they are not too informal and do not have abbreviated language that they don’t understand. This is extremely frustrating and considered rude to them.</p><p><strong>Generation X.</strong> Often thought of as the generation that doesn’t see themselves as a generation, members of Generation X were born between 1965 and 1980. Gen Xers tend to be individualistic and average seven career changes in their lifetime. </p><p>Most of them were raised during the transition from the age of writing and paper to the age of digital media, and they often feel misunderstood by other generations. </p><p>They tend to commit to self rather than a specific company or career, but they do feel a strong desire to learn, explore, and make contributions. They are often skeptical and unimpressed with authority. 
Because they were at the transition of technology, they are comfortable with either communicating in person or electronically and are less observant about social formalities.</p><p><strong>Millennials.</strong> Also known as Generation Y or the 9-11 generation, Millennials were born between 1981 and 2000. They are deemed to be a sharp departure from Generation X. Millennials generally respect authority, and tend to want to schedule everything. They envision the world as a place that operates 24/7; they want everything immediately. </p><p>Through commonalities, like participation trophies and graduation ceremonies for every grade, Millennials have been continuously told that they are special and they expect to be treated that way. They do not live to work and prefer a relaxed work environment with lots of accolades. They also feel enormous academic pressure, and they prefer to work in teams.  </p><p>As a general rule, they prefer to communicate electronically with people they do not know. Some Millennials even prefer electronic communication with people they do know. Texting in acronyms is an accepted language.</p><p><strong>Generation Z.</strong> Born after 2001, Generation Z is also known as the Boomlets. This is the generation that will be in the workforce next. They are often divided into two groups: tweens (those currently 8-15 years old) and children (elementary students and younger). </p><p>The number of births for this generation far outnumber the Baby Boom generation; they will easily be the largest American generation. There are roughly 29 million tweens in the United States, and although they are only 8 to 15, as a group they spend $51 billion annually. </p><p>Thus, Boomlets are savvy consumers; they know what they want and how to get it. Roughly 61 percent of Boomlets have televisions in their rooms, and about 4 million already have their own cell phones. They will never know a world without computers or cell phones. 
</p><p>Due to this electronic age, Boomlet children are leaving toys behind at an earlier age. By the time they are 4 or 5, they become less interested in toys and begin playing with cell phones and video games. Most of their communications with others are electronic, and some social commentators question whether they would have discussions in person at all if it weren’t for school.</p><p>As previously mentioned, Generations X, Y, and Z would rather communicate electronically. They are comfortable with texting and tweeting; many feel that communicating in person can take too long and can be uncomfortable or awkward. They have known the abbreviated texting and social media language for most, if not all, of their lives, and it is second nature to them.</p><h4>Bridging Gaps</h4><p>Novak’s generational thumbnail sketches can help managers understand the common characteristics and underlying values of the different generations. How do these differences play out in the workplace? Some veteran security managers discuss their experiences below and provide best practice guidance for their peers. </p><p>Chelsey Lundin, who reports to me as the assistant director of operations in charge of security for the Nevada Museum of Art in Reno, Nevada, works with a generationally diverse staff, so she deals with generations crossing communication boundaries on a regular basis.</p><p>“I try to make sure that I am constantly up on the differences in communication styles in an effort to keep issues from happening with our security officers,” she says. “A problem can quickly come up due to either what is seen as an error in communications etiquette, or because a person of one generation simply does not understand what is being said by a person of another generation.”</p><p>Lundin offers an example of a workplace episode involving a young security officer who was on duty and tasked with communicating with an older officer, who was off duty, to advise him of a scheduling change. 
</p><p>To accomplish this, the younger on-duty officer sent the other officer an e-mail, but the language of the message was informal, and it included acronyms commonly used in text messages. As a result, the off-duty officer complained to Lundin, asserting that the younger officer’s communication was disrespectful and confusing, which made him frustrated. </p><p>Because of her experience and her understanding of generational differences, Lundin realized that she needed to serve as a bridge between the two officers, to help them better understand each other and avoid communication breakdowns in the future. </p><p>Lundin did this through patient explanation. She did not simply say to the older officer that the younger officer meant no disrespect in his communication. Instead, she went further and explained the differences in communication preferences, and the underlying values and generational circumstances that each brought to the table.  </p><p>This helped each of them better understand how to interact in a way that the other would find acceptable and avoid areas of communication that can cause irritation and misunderstandings. In this case, this means that the younger officer will avoid using confusing abbreviations in messages, and the older officer will try to be more accepting of a certain degree of informality. </p><p>This type of involved conversation does more than help resolve conflict. Facilitating a deeper understanding of your coworkers makes for a more highly functioning workplace.  </p><p>Another example is offered by Robert Carotenuto, CPP, PCI, PSP, associate vice president for security at the New York Botanical Gardens. Carotenuto’s security team has a reputation for working well together, but at times generational conflicts can arise, he says.  </p><p>Carotenuto remembers an episode in which he was contacted by one of his older security officers. 
The officer complained that he had witnessed another officer, much younger than he, who had what he felt was an inappropriate interaction with a guest. </p><p>The older officer explained that, although the younger officer was informative and not discourteous with the guest, he believed that the interaction was too informal and reflected poorly on the facility. He explained that the young officer maintained a casual stance and had his hands in his pockets when talking to the guest.</p><p>Carotenuto says he dealt with the issue in several steps. He communicated his appreciation to the older officer regarding efforts made to ensure that staffers are not discourteous to guests. But Carotenuto also noted that maintaining a strictly formal atmosphere was not in the garden’s best interests, because administrators want guests to be able to relax and have a good time at the facility. Further, he explained that the younger officer’s informality did not amount to disrespect.</p><p>However, Carotenuto went further, with explanatory goals similar to Lundin’s. He spoke to the two officers together and helped them understand the differences in the ways that generations typically communicate. </p><p>He explained the values underlying these differing communication styles, which helped the officers understand that methods and manners different from their own were not necessarily inferior, or wrong. In the end, both officers were able to walk away from the issue with better understandings and a more positive view of future interactions with members of different generations.​</p><h4>Managing Expectations</h4><p>“The test of a first-rate intelligence,” writer F. Scott Fitzgerald once said, “is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function.”</p><p>Fitzgerald’s maxim applies to the concept of management across generations. 
Knowledge and familiarity of common generational behaviors can be a valuable tool for a security manager with a diverse workforce. </p><p>But this knowledge should not hinder a manager’s ability to learn about and understand each employee as a distinct individual. It is likely that the individual will share some traits with others in their generation, but that will vary from person to person, and it may not be true in all cases.  </p><p>Indeed, security managers should get to know every employee, whatever their generation, and truly try to understand their professional values. Then, the manager’s goal should be to try to connect with them through that value system, and to keep the employee connected to the organization through the same value system. </p><p>With that in mind, here are some best practices for bridging generational differences in the workplace.  </p><p><strong>Set clear ground rules. </strong>Sometimes, members of different generations will have different expectations about appropriate behavior in the workplace.  </p><p>Dana Brownlee, an organizational expert and trainer for the professional development firm Professionalism Matters, suggests that executive staff should set clear ground rules regarding the culture they want their business to maintain, and what is acceptable and what is not within that culture. This will help reduce misunderstandings and arguments over issues like the correct level of formality in different situations. </p><p><strong>Learn motivators.</strong> Managers should learn what motivates each individual employee. Generational knowledge can help here; Millennials may need frequent accolades to remain motivated. Again, stereotyping by generation should be avoided, but generational definitions can be helpful as guidelines.</p><p>Some may be motivated by enjoyment of the job itself. Some may respond to greater levels of responsibility. 
Once a manager understands what positively motivates an employee, that knowledge should be used, within reason.  </p><p>But a manager needs to tread carefully, being cautious not to give praise awkwardly that can come off as insincere or praise someone when it isn’t warranted, which can incite bad behavior from other staff members.  </p><p>Sometimes, however, an individual’s motivation is hard to discern, even with a strong effort by the manager to understand it. In these cases, a manager should simply ask the employee about it. Most employees will be grateful that the manager cares enough to ask, and so will be happy to share.</p><p><strong>Training.</strong> Managers and employees should take advantage of training opportunities, such as diversity training, that will help them better understand the different generations that they work with.  </p><p>Many supervisors also use team building exercises where staff members must interact with each other. This allows them to experience firsthand how each generation communicates effectively. Employees and managers will work more efficiently and get along better with each other if they understand where their coworkers are coming from, and how they can best communicate with them.</p><p>In the end, instituting these principles and understanding the attributes of workers of all ages will help managers deal with all the challenges of the workplace, putting them in the position to best leverage its prize resource—the most age-diverse and experience-rich workforce in history.</p><p>--</p><p><em><strong>James “Jes” Stewart, CPP</strong>, is the director of operations and human resources for the Nevada Museum of Art in Reno, Nevada. ​</em></p>
https://sm.asisonline.org/Pages/A-Head-Start-on-Insider-Threats.aspx
A Head Start on Insider Threats (National Security)
<p>Before government employees can access sensitive government information, they must pass an extensive background check and receive a security clearance under federal guidelines. But when private-sector employees need to access that same classified information, the security requirements are a bit hazier. That’s why the National Industrial Security Program (NISP) is working to develop a change to the NISP Operating Manual (NISPOM), which prescribes requirements, restrictions, and other safeguards to private-sector employers to prevent unauthorized disclosure of classified information.</p><p>Known as Conforming Change Two, these newest modifications to the NISPOM are seen as the industry interpretation of the National Insider Threat Policy, which was enacted in 2012 and requires government agencies handling classified information to develop an insider threat program. Daniel McGarvey, director of security programs at Global Skills X-change and the chair of the ASIS International Defense and Intelligence Council, has had a hand in developing the guidance for the private sector. He tells Security Management that although the implementation of Conforming Change Two has been delayed by at least six months, government contractors have already started enacting the program in their companies.</p><p>“We’ve been doing workshops for implementing the Conforming Change, just talking to companies about how to set up for it, and presentations we’ve given through ASIS International have been standing-room only,” McGarvey explains. 
“We’ve had two to three hundred attendees at each presentation.” </p><p>There’s little time to spare in enacting the program: once the change is officially pushed forward by the Defense Security Service under the U.S. Department of Defense (DoD), private sector companies with access to classified material will have 180 days to fully implement the program. The change will require contractors to gather, integrate, and report relevant information indicative of a potential or actual insider threat, and a senior official from each organization must personally accept responsibility for the security of classified information systems. Contractors must also report any indications of an insider threat by using counterintelligence, security, information assurance, and human resources records.</p><p>The updated NISPOM was supposed to be released last summer, but it was delayed due to revisions to include more cybersecurity-related elements, McGarvey says. The procedures will also now apply to the U.S. Department of Homeland Security, making all of the department’s agencies and contractors fall under the comprehensive security requirements. </p><p>McGarvey says that many contractors are overwhelmed by the impending change and believe it’s “an onerous process” because they don’t understand the value it provides. “Once we go through the explanation of what you can do with this program, people find it eminently reasonable,” he notes. “I’ve talked to several CSOs at large companies that have implemented the process, and they say it works extremely well.”</p><p>Art Davis, the director of corporate security at Booz Allen Hamilton, tells Security Management that before the new NISPOM requirements were realized, his organization did not have much of an insider threat program. “We had concerns that every major corporation had,” he explains. 
“We had policies that dealt with employee privacy, the protection of proprietary information, and acceptable use of IT systems.” </p><p>As Davis and his team learned more about the federal insider threat policy, they decided to implement a program at Booz Allen modeled after how federal agencies were implementing the new program. “We knew that it would be imposed upon industry, and as we looked at the provisions of what was being done to the various government departments and agencies, we kind of made the assumptions that it would look and smell and taste an awful lot like that in industry,” he explains. </p><p>Despite not knowing exactly what the Conforming Change Two will entail—since a final draft hasn’t been released—Davis said there was no hesitation in building such a stringent insider threat program.</p><p>“We’re concerned about staff wellness, we’re concerned about intellectual property theft, we’re concerned about any variety of things over and above the stuff the government had initially voiced a concern about, which was just people with clearances,” Davis explains.</p><p>The first step was to work more closely with other departments at the firm that would logically be involved in such a program, such as the legal office, employee relations, and human resources. The hardest part, Davis says, was developing a governance structure within Booz Allen and ensuring buy-in from shareholders. A steering committee ranging from the working level to the executive vice president level, as well as the firm’s ethics committee, all had a say in what the insider threat program would look like at Booz Allen. “As you might suspect, that did not happen overnight,” Davis notes.</p><p>The leadership also agreed that insider threat training and practices would apply to everyone who works at the firm, not just employees with clearances, as required by NISPOM. 
“I think initially making the decision to apply it to the whole corporation was an awfully good decision on the part of the leadership,” Davis says. “It doesn’t discriminate against any individual group in the firm. It puts everybody at the same level.”</p><p>The idea of applying this insider threat program to all employees, not just the ones in contact with classified information, has proven to be popular, McGarvey notes. The well-attended implementation workshops, which are hosted by the ASIS Defense and Intelligence Council, have attracted far more than the contractors required to adhere to the program, including security leaders from other industries and international organizations, McGarvey says.</p><p>“There’s a whole lot of interest in terms of trying to deal with the insider threat, and not just in the defense and intelligence communities,” McGarvey explains. “It affects every company. The NISPOM deals only with classified contracts, but insider threat is happening to people at every company.”</p><p>McGarvey notes that the NISPOM does not apply to third-party subcontractors who handle classified information, and it’s something that he has brought up to the DoD. Because there’s no industrywide language on how subcontractors should be vetted before handling classified information, McGarvey says the workshops encourage the primary contractors to take the initiative and incorporate the same policies in their relationships with subcontractors. </p><p>“If the subcontractors have issues internally, that’s a big problem for the primary contractors,” McGarvey explains. “By incorporating the requirement within subcontracts, the primary contractors are given the legal authority to minimize those issues.”</p><p>For example, for a defense contracting company to be given a contract to build a military airplane, the company must adhere to the NISPOM to receive the contract because the aircraft will be built in a classified environment. 
The primary contractor would then take those same contractual NISPOM requirements and stipulate them in their agreements with any subcontractors involved in building the plane. </p><p>“The challenge is that the government can only look at the primary contractor, they can’t look at the subcontractors unless there’s a specific issue,” McGarvey notes. “But the primary contractors can go make sure the subcontractors they work with follow the same guidelines.”</p><p>McGarvey says the upcoming changes will have the added benefit of requiring security officers to work with the legal, IT, and human resources departments to make sure the workplace complies with the NISPOM. It enables security officers to lead the process and pulls together a cohesive group of individuals to work the issue jointly, he explains. </p><p>Davis agrees, and says that since Booz Allen has implemented the program in its workplace it has “already paid dividends in the company.</p><p>“We’re getting input now from across the firm,” Davis explains. “It’s not just an IT tool that gives us input, it’s people who tell us about problems, people that have problems and aren’t afraid to bring problems forward; it’s preventing violence in the workplace, and it’s doing a whole variety of other things.”</p><p>Although the industry is still waiting for the DoD to release the official changes to the NISPOM, McGarvey encourages government contractors and others to begin educating themselves about the new program.</p><p>“It’s really a 21st century approach to security, because we take a look at what security exists and say, okay, if we repurpose some of these areas that are already in the company, you can have a much more robust security structure that deals with the insider,” McGarvey says. “And if you couple that with your external controls and cybersecurity, you have a really nice comprehensive program.”  </p>
https://sm.asisonline.org/Pages/Hidden-from-Hacks.aspx
Hidden from Hacks (Cybersecurity)
<p>Students at Marist College in Poughkeepsie, New York, have the chance to participate in the 2016 presidential race in a big way. Their school partners with NBC News to produce the Marist Poll, which reflects public opinion at the local, state, and national levels. The polls are conducted entirely by students, who do everything from writing the questions to analyzing the results, which are frequently cited by media outlets and political campaigns across the country.</p><p>Bill Thirsk, vice president and chief information officer at Marist College, says the Marist Institute for Public Opinion began as a research project in 1978 and has evolved into a high-powered technology center. “The technology that we use to run the analytics and the predictives is running on our mainframe. It’s running on some very sophisticated technologies and making fast analytics transactions,” says Thirsk.</p><p>The polling center is just one of many reasons why protecting the college's mainframes, which house its servers, is so critical, Thirsk explains. The college, which offers both undergraduate and graduate degrees, also provides private cloud services, known as the Academic Community Cloud, to like-missioned institutions for a low fee. Marist has 25 such clients, including the Franklin D. Roosevelt Presidential Library and Museum and The College of New Rochelle.</p><p>Technology students at Marist also get the opportunity to develop software that often winds up in the marketplace using this cloud-computing platform. 
“Not only do our students learn a whole lot, but they get to say that they’ve actually impacted the markets,” says Thirsk.</p><p>Recently, the Marist IT team and students and faculty from the computer science department launched LinuxONE, one of three mainframes at the college. The mainframe runs on IBM z Systems. Marist has made certain servers on the mainframe available to anyone around the world to develop apps using open-source software. Within two weeks of launching in February 2016, 500 users had signed up to participate.</p><p>But maintaining the open environment, not only for open-source developers but for students to freely access the Internet, presents a security challenge for the IT staff. With such large servers, Marist’s network is a high-value target for hackers. “They’re trying to get in and sniff around and see what’s there, and hopefully take over a very high-power machine that they can use to their benefit.” He adds that attacks on the college are persistent, and come mostly from China and eastern Europe. This information is gleaned from logs that are studied by the IT staff and the tech students.  </p><p>In early 2014, the school started a cybersecurity project with technology students and faculty. “We wanted to give ourselves the opportunity to think about, if no one had ever invented firewalls or done cybersecurity, what would we do now?” Thirsk says. Given the project, one of Thirsk’s IBM contacts approached him that fall about a company called BlackRidge Technology, which had clients in the military space. BlackRidge wanted to work alongside Marist’s IT department to refine its advanced network protection capabilities. </p><p>BlackRidge works by cloaking particular servers on a network so that hackers can’t see them, using advanced end-to-end encryption technology patented by John Hayes, an engineer for the company. 
Data sent from the client is heavily encrypted and cannot be changed or tampered with without the data being dropped, which means it will not reach the server hackers are trying to get at. </p><p>Thirsk and other IT staff, along with eight technology students and some faculty members, worked alongside the company to tailor the product to the LinuxONE IT environment. Thirsk told IBM that the network was particularly vulnerable to advanced persistent threat attacks, and that the technology could potentially help protect the Marist network. He adds that the price point was just right for Marist, which faces budget constraints much like other higher education institutions. The college paid $23,000 for the BlackRidge platform, which is tailored to Marist’s unique needs. </p><p>The development phase with BlackRidge began in February 2015 and lasted for a few months. During this time, staff produced and tested the system. As part of the school's cybersecurity project, IT had begun putting out honeypots, or decoy systems that look like attractive targets to hackers. Marist detected thousands of hacks a week using these honeypots. Since these decoys were in place during the testing phase with BlackRidge, the college was able to use the honeypots as an indicator of how successful the new technology could be. </p><p>“When we turned on the BlackRidge equipment on our network…to protect certain servers, they literally disappeared off the network, and the honeypots went silent on those servers,” said Thirsk.</p><p>Essentially, the hackers could no longer see the servers with the honeypots, so there was nothing for them to attack. “Meanwhile, other scans continued looking for servers that we don’t have protected by BlackRidge,” Thirsk explains. “So we had proof in our hands that it works really well.” </p><p>There were plenty of challenges to work through, Thirsk notes, especially since they were working in partnership with BlackRidge to tailor the technology. 
</p><p>“When we’re helping an entrepreneur [like BlackRidge], we’re in a supporting role, so their engineers would say, ‘we need to write code to do this one particular function,’ and then we supervise the students in writing some of that code, we hand it back to them, make sure it’s quality assured, and then it goes into the product,” he explains. “There were countless Thursday, Friday nights where some code just wouldn’t work or one of the components wasn’t working correctly, and we had to hammer through that stuff,” he says. </p><p>Marist also uses BlackRidge’s identity access management feature that works off the college's active directory, which gives users different levels of privilege depending on their trust level. Out of 55 IT staff, for example, about 20 have “high-trust” positions. The feature also manages access levels based on anomalous activity. “If a person’s behavior changes in some way, their identity trust level goes down, and if it goes down too far, they get cut off,” notes Thirsk.</p><p>The college launched the beta version of the protection system it customized with BlackRidge in September, and the full version in December 2015. Not all the servers are protected by the technology, but it covers the network administration side and areas that house sensitive information. “Being a college, we have academic freedom and freedom of speech, so there are areas on our network that are largely public domain and you don’t want to put too much security on those,” Thirsk says. </p><p>Since that beta testing, the mainframe’s servers that are cloaked remain completely untouched by hackers. “They can’t see the networks,” Thirsk says. “It’s not like one out of 10 [attacks] get through–nothing gets through.” </p><p><em>For more information: Mike Miracle, mmiracle@blackridge.us, <a href="http://www.blackridge.us/">www.blackridge.us</a>, (855) 807-8776.</em><br></p>
https://sm.asisonline.org/Pages/The-Lessons-of-Flint.aspx
The Lessons of Flint (National Security)
<p>The crisis in Flint, Michigan, which resulted in local residents ingesting dangerous levels of lead from their drinking water, is an emergency on all levels of government and a national tragedy. “Getting clean water is literally what decides whether you live or die. We were poisoning our own people,” says Harry Rhulen, CEO of the crisis management firm Firestorm and a member of the ASIS Crisis Management and Business Continuity Council.</p><p>The crisis, which unfolded over the course of the last few years, also touches on many critical issues of emergency and crisis management—an illustrative case that provides several lessons learned, especially regarding where the response functions may have faltered. In separate interviews, Rhulen and two other crisis council members, Jerome Hauer and Hart Brown, recently discussed and analyzed the Flint emergency with Security Management. </p><p>“Situations like this generally occur not as a result of a single decision or event, but as a result of a progressive series of decisions,” says Brown, who leads the organizational resilience practice for insurance brokerage HUB International. “In this case, ignored warning signals, inaccurate assessments, inattention to feedback from the residents, and the force of momentum with financial goals ultimately led to the health [crisis].”</p><p>The crisis started when the state of Michigan declared that Flint was in a fiscal emergency and assumed control of the city’s finances; in October 2013, Governor Rick Snyder appointed an emergency manager to oversee city operations. 
</p><p>As a result, Flint found itself in a potentially problematic situation, common in jurisdictions across the country—having an emergency manager who is a political appointee with insignificant emergency management training and experience. “We’ve seen this over and over again,” explains Hauer, who has worked in emergency management for several U.S. mayors and governors, including former New York City Mayor Rudy Giuliani. Hauer is now a professor at Georgetown University’s Center for Security Studies.</p><p>Nonetheless, as a cost-cutting move, the state-controlled city switched its water source from Lake Huron to the Flint River in April 2014. The move was considered temporary until a new supply line to Lake Huron was ready under a new regional water system.</p><p>According to Rhulen, the decision to switch water sources is similar to the decisions that managers of all stripes, including security managers, make on a regular basis. In considering those decisions, the cost savings are examined versus the potential for damage if the decision does not work out.  </p><p>But in Flint’s case, officials did not sufficiently evaluate the possible hazards—which in the case of a public water supply are immense. “The potential for damage is so huge,” Rhulen says. Such potential for damage should have required adequate testing before the switch was made, he adds.   </p><p>Rhulen advocates a “predict, plan, perform” model of crisis management, and says that Flint officials skipped the “predict” step—which requires that managers brainstorm different outcomes and potential problems—when they decided to switch water sources. “The predictive piece is so important,” Rhulen says. “They jumped right to ‘perform.’ No one thought through all of the ramifications.” </p><p>Moreover, Michigan officials should have done extensive testing. 
“Before you switch to a different water source, you darn well better have tested it and be 100 percent comfortable that you will be getting a quality of water that will be as good or better,” Hauer says.</p><p>Immediately after the water source switch was made in Flint, residents complained about the water’s smell and taste, with some reporting health issues like hair loss and rashes. By the summer, the water tested positive for coliform bacteria, and residents were advised to boil their water. By January 2015, more water concerns were raised: potentially harmful levels of a disinfection byproduct. Nonetheless, in the spring, Flint officials declared that state testing found that the water met all state and federal standards.</p><p>Not responding to residents’ complaints, and instead insisting the water was safe, was a crucial management error, experts say. “That should have immediately triggered something. They should have said, ‘Something is going on here that we did not expect,’ ” Rhulen says. </p><p>“They had an obligation to investigate, and nobody took it seriously, or nobody wanted to deal with it,” Hauer says. “You have to react to crisis aggressively no matter how small it may seem. There has to be an immediate reaction to ensure that you’re not seeing the tip of the iceberg and there’s something greater underneath.”</p><p>Indeed, only six months after Flint officials declared the water safe, doctors from Flint’s Hurley Medical Center reported that they found high levels of lead in the blood of some children. A few days later, Governor Rick Snyder pledged that the state would respond to the lead levels–the first acknowledgment by the state that lead was a problem. 
</p><p>The extent of the problem was revealed shortly thereafter by a Virginia Tech research team, whose testing found that 10 percent of homes in Flint had water with 25 parts per billion (ppb) of lead or more, exceeding the Environmental Protection Agency’s recommendation of keeping lead levels below 15 ppb. Several samples exceeded 100 ppb, and one sample exceeded 1,000 ppb, the scientists found. </p><p>That the findings by Virginia Tech and Hurley were much more negative than the state testing is telling, Hauer says. In situations when testing is needed, it’s often wise to bring in outside experts who will provide scientifically sound information and advice, and not just what officials want to hear. Academic scientists are known for providing unvarnished results, because they have a reputation to defend in the scientific community, he adds: “If they start fudging the books, they’ve got a real problem.”</p><p>In October 2015, more than a year after the switch, Michigan officials finally declared a public health emergency, with Flint Mayor Karen Weaver and Snyder both making emergency declarations. Responding to cries for federal assistance, President Barack Obama also issued a state of emergency in January of this year, making Flint an emergency on local, state, and national levels. </p><p>On the national level, Washington’s response will be led by the Federal Emergency Management Agency and the U.S. Department of Homeland Security. On the state level, Snyder called on the National Guard to help deliver clean water to the city’s nearly 100,000 residents. Problems remain, despite the emergency declarations and ensuing actions, however; earlier this year, federal officials said state and city leaders were not doing enough to comply with an emergency order to resolve the lead situation. 
And Michigan Attorney General Bill Schuette continues to lead a legal investigation into how the crisis unfolded, to see whether any laws were broken.</p><p>In general, Brown says that emergency management works best when a management team uses collaborative critical thinking and combined resources to develop an effective response. “When the situation is a natural disaster, a security event, or an incident related to public health, the goal is generally to bring a team together in order to identify integrated solutions, holistically,” he says. </p><p>But since the Flint situation began as a fiscal crisis, leaders went in with the overriding need to “prioritize financial solutions,” Brown explains. This created a difficult environment in which the holistic emergency management process became secondary, leading to a compromised response with a focus on short-term savings.</p><p>“Emergency management should be more than just a financial problem solver,” Brown says.</p><p>--</p><p><em>Editor’s Note: “News and Trends” will feature coverage on ensuring a resilient U.S. water supply in an upcoming issue of Security Management.</em></p>
