https://sm.asisonline.org/Pages/Securing-Special-Events.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Securing Special Events0

 

 

https://sm.asisonline.org/Pages/Book-Review---Mental-Health.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Mental Health

 

 

https://sm.asisonline.org/Pages/Containment-Strategies.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Containment Strategies

 

 

https://sm.asisonline.org/Pages/The-Strategic-Leader.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Strategic Leader

 

 

https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Cyber Pipeline

 

 

https://sm.asisonline.org/Pages/Securing-Special-Events.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Securing Special Events2018-02-23T05:00:00Z
https://sm.asisonline.org/Pages/How-to-Learn-from-Las-Vegas.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465How to Learn from Las Vegas2018-02-01T05:00:00Z
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Five Insights on ESRM2017-09-01T04:00:00Z
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Cyber Pipeline2018-02-01T05:00:00Z
https://sm.asisonline.org/Pages/Vancouver-Shoots-for-Gold.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Vancouver Shoots for Gold2009-03-01T05:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now

 

 

https://sm.asisonline.org/Pages/How-to-Learn-from-Las-Vegas.aspxHow to Learn from Las VegasGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The Las Vegas massacre on October 1, 2017, surpassed the 2016 Orlando Pulse Nightclub tragedy as the deadliest mass shooting in recent U.S. history. Fifty-eight people lost their lives and hundreds were injured when a gunman rained down automatic weapon fire from the 32nd floor of a hotel suite on concertgoers below.</p><p>Months later, investigators are still struggling to piece together a motive for the tragedy. They classify the shooter as a nondescript, wealthy retiree who spent tens of thousands of dollars gambling at casinos on the very strip he attacked. But these clues offer little insight as to why he would carry out such a deadly rampage. </p><p>In the wake of the tragedy, security professionals must grapple with the known facts surrounding the event, and investigators continue to  revise the timeline of events as details emerge. However, as reported by CBS News, the assailant managed to take nearly two dozen weapons contained in luggage to his room via a freight elevator in the Mandalay Bay Resort and Casino.</p><p>A do not disturb sign hung on the door of his suite for 72 hours after he reportedly checked into the hotel on September 28. He shot out of two windows from the hotel tower after shattering them with a hammerlike device, according to The New York Times. </p><p>The assailant also shot a hotel security guard, who was responding to an open-door alarm on the same floor, around the time he began firing on the crowd.</p><p>Whether or not the hotel and Live Nation Entertainment, Inc.—the event company hosting the concert—met their legal duty of care during these circumstances has yet to be determined, and several lawsuits have been filed by victims. </p><p>Difficult questions regarding security have been raised by the shooting, including whether hotels should apply airport-­style screening measures to guests as they enter the property, and whether it's possible to spot suspicious behavior in guests before an incident occurs.</p><p>As investigators continue to probe into the specifics of the massacre, hospitality, event, and gaming security experts all agree: While the circumstances in the Las Vegas shooting are unlikely to happen the exact same way again, the event underscores the importance of having strong security policies and procedures, staff training, and appropriate technological tools to combat future threats.</p><p><strong>Event safety. </strong>The October shooting ravaged a section of the Las Vegas strip called Vegas Village, which has become a popular spot for festivals and other live events. The gunman attacked concertgoers at the sold-out Route 91 Harvest Festival, which featured country music performers. The event was growing in popularity, and attracted about 25,000 people a day last year, the Los Angeles Times reported. </p><p>Steven Adelman is an attorney at Adelman Law Group, PLLC, and vice president of the Event Safety Alliance, a nonprofit he helped form after a stage collapsed at the Indiana State Fair in 2011, killing seven people. He emphasizes that the Las Vegas shooting and the circumstances surrounding it are unlikely to repeat themselves, and calls the incident a "black swan" event. </p><p>"A black swan is a highly unusual, impactful event—and in retrospect people suddenly think it was inevitable," Adelman says. "Las Vegas fits that profile. There had never been a shooting at a live event venue from a great ele­vation or from an adjacent building."  </p><p>While the University of Texas clock­tower shooting in 1966 in Austin harkens closely to the positioning of the shooter, experts say it does not make what happened from the 32nd floor of the Mandalay Bay Hotel and Casino foreseeable. </p><p>"If we had been talking on September 30, the day before this happened, and you had asked me what the most reasonably foreseeable threat at a live event space is, based on what's happened over the last year…it probably would have involved a truck," he says, referencing the vehicular terrorist attacks that have occurred in cities including Barcelona, New York City, and Stockholm. </p><p>While Vegas may not have been preventable, Adelman underscores the best practices that can be applied to event safety moving forward. </p><p>"When there is an adjacent building to a live event, where someone potentially has a perch over a site where people are gathered, law enforcement and security should have eyes on that building," he notes. "In fact, the smarter trend, if it's in one's control, is to just clear the building." </p><p>At a major event in Phoenix just weeks after the shooting, event organizers did exactly that. Law enforcement cleared a nearby parking structure and used the building to have a crow's nest vantage point over the event. </p><p>"That's the kind of positive learning experience that can be applied from a horrific event like the Vegas shooting," Adelman adds.</p><p>Also, having a no-weapons policy is a simple way to at least deter people carrying guns, Adelman says, but he concedes that enforcing that policy is another matter. When possible, event organizers should limit the points of ingress and egress for attendees, and deploy magnetometers at each of those points. </p><p>"Make sure that applies equally to the production people, and even the talent who are doing set-up," he adds. "Make sure the artists and their entourage all go through these magnetometers and security guard scrutiny while we're at it, because they can have weapons, too." </p><p>Adelman adds that the special event industry could spend all its time and resources focusing on trying to prevent black swan events, and he emphasizes that the key is to triage the reasonably foreseeable risks. </p><p>"You should spend your finite amount of resources addressing the risks that are most likely to happen at whatever venue or event it is that one is talking about," he says. "That's the reasonable thing to do." </p><p><strong>Hotel security. </strong>There is no one-size-fits-all approach for hotels when it comes to their security programs, says Russell Kolins, chair of the ASIS International Hospitality, Entertainment, and Tourism Security Council. </p><p>"Each hotel has its own culture of management, its own corporate attitude, so each hotel is going to address its properties differently than their neighbors next door," Kolins adds. </p><p>This means that each property or hotel chain must constantly reinforce whatever safety protocols it has in place across management, staff, and guests. </p><p>Many hotel properties have policies on weapons, which vary from state to state. Nevada is an open-carry state, though most casinos don't allow patrons carrying a gun to enter the property. Hotels have typically allowed hunters with weapons permits to carry guns to their rooms or store them in lockers. Kolins says a weapons check would have to be conducted on every guest and bag to enforce these policies. </p><p>"If someone wants to get a weapon up to their room, they are going to do it, unless you're inspecting every single bag and every single piece of luggage, including clothing bags," Kolins says. "It's not going to be absolutely controlled." </p><p>Technology already plays a major role in hotels, says Stephen Barth, a professor of hospitality law at the Conrad N. Hilton College of Hotel and Restaurant Management at the University of Houston. </p><p>"Hotels employ a variety of technological measures to enhance security and the smooth flow of business for guests," he says. "We've got significant technology that's helped a lot—being able to track guests that go in and out, making sure a key is changed from guest to guest."</p><p>Barth, founder of hospitalitylawyer.com, argues that adding on more technology for security purposes wouldn't necessarily be rejected by guests, if it's obvious it keeps them safer. </p><p>"Technology for sure needs to be involved in these conversations," he says. "What if every hotel window had a sensor on it so that if the glass was broken, the hotel would know immediately what floor and which room it was in?" </p><p>Management may hesitate initially to go to such measures, but Barth argues that security should keep it in mind as a possible option. "There's going to be resistance, no doubt, but it does seem to me that there is potential," he says. </p><p><strong>Training. </strong>Security experts agree that hotel staff, including housekeeping, engineers, bellhops, and front desk workers are the most likely ones to observe unusual behavior among guests. </p><p>Therefore, training those workers thoroughly and consistently will help reinforce what they can look for as suspicious or possibly harmful behavior. </p><p>"There needs to be ongoing training, so that there is an awareness given to the employees to be the actual eyes and ears for security and management of a property," Kolins says. </p><p>While metal detectors and individual bag checks may be a far-flung approach, staff can be trained on behavioral cues to look for in guests, such as the way someone walks when they may be carrying a weapon. </p><p>"I think the trend now for all the hotels is going to be to take the See Something, Say Something campaign and make it effective," says Darrell Clifton, CPP, executive director of security at Eldorado Resorts in Reno, Nevada, and a member of the ASIS Hospitality, Entertainment, and Tourism Security Council. "Right now it's kind of a shotgun approach. If it's working right, you get 10,000 pieces of data and 9,999 of them are useless, and it's hard to comb through all that."  </p><p>Instead of just repeating the See Something, Say Something mantra, he says that managers should sit down with employees and tell them exactly what to look for, and what to do with that information. </p><p>"Frankly, the housekeepers know what's suspicious better than I do because they see all the different people that come into the hotel," Clifton notes. "They know what looks right and what doesn't look right." </p><p>When it comes to room inspections, Kolins suggests hotels conduct safety checks at least every other day, even if a do not disturb sign is on the door. These check-ins give hotel staff the opportunity to verify that the various sensors in the room are operating properly, such as smoke detectors and carbon monoxide monitors.</p><p>"I think the biggest change with that will be reinforcing that policy, more than creating a new one, for most hotels," Clifton notes, adding that most hotels have policies to check rooms every other day or more often, but have not enforced them consistently. </p><p>As of January, four Disney hotel properties had done away with the do not disturb sign, The New York Times reported, swapping it out for a "room occupied" sign and alerting guests that staff may check on the room. In December, Hilton revised its policy to still allow the signs but will conduct a staff-led alert system if it stays up for more than 24 hours. </p><p>The data collected at these check-ins, as well as any other security concerns reported to management, should all be kept in a log. </p><p>"The security industry is data-driven, and it's very important to record anything that gets reported," Kolins notes. "And on a periodic basis, whether it's a weekly basis or bimonthly basis, the reports should be part of an incident log." </p><p>Down the road, these data points can be connected and lead to an impending threat or other incident, he says. </p><p><strong>Duty of care.</strong> The Las Vegas shooting raises the question of duty of care—the reasonable level of protection a venue is legally obligated to provide its guests—and whether or not Mandalay Bay and Live Nation met that standard. </p><p>A victim who survived the shooting has already filed a lawsuit, and there is the potential for more litigation. In the suit filed against MGM, which owns Mandalay Bay, the plaintiff argues that the hotel failed to "maintain the Mandalay Bay premises in a reasonably safe condition," according to court documents. </p><p>From a legal standpoint, Adelman says the hotel property or venue hosting an event has an obligation to provide a reasonably safe environment for its guests under the circumstances.</p><p>Experts say a number of factors come into play in the legal process, including whether the hotel followed its own security policies and procedures. </p><p>"I think most juries and most judges would argue, at least until now, that the event was not foreseeable in the United States," Barth says.</p><p>Given the fact that the shooter brought in a cache of weapons and fired from a hotel suite, Barth says the property's policies and procedures will come into question. </p><p>"Responding to a particular incident is a part of the duty of care in places of public accommodation like hotels," Barth notes. "So, you would want to consider, what was their protocol for an active shooter situation? Did they have training, what was their communication system setup, what was supposed to happen, and did they in fact follow their training?" </p><p>He adds that the facts surrounding the Vegas shooting as investigators understand them are not necessarily unusual. </p><p>"This fellow in Vegas specifically requested a particular room. In and of itself, that happens all the time in a hotel," Barth says. He adds that people travel to Las Vegas to gamble or party, and often stay up all night and sleep during the day. "This fellow also had a do not disturb sign on his door for 72 hours. Again, that in and of itself is not a big deal, particularly in Vegas." </p><p>The large containers the weapons and other items were stored in wouldn't necessarily sound the alarm bells, he notes. In a city like Las Vegas, convention exhibitors frequently bring large containers to their rooms, and guests who gamble may be protecting valuables such as cash. </p><p>The duty of care applies equally to event venues as it does to hotels, Adelman says. "The main duty for providing a safe and secure environment generally falls on the shoulders of the venue," he points out, noting that the venue should know what its biggest risks are, and what resources are available to address those risks. </p><p>He adds that, when necessary, the location can contract with a private security company or with law enforcement to take on some of the security responsibilities. </p><p>All properties should take an all-hazards approach to security, paying just as much attention to the threat of a natural disaster as an active shooter. "The threat you prepare for probably isn't going to be the precise threat that actually appears on your doorstep," Barth says.  </p><h4>Gaming Community Reacts to Vegas Tragedy​<br></h4><p>Casinos are no strangers to security. With swaths of surveillance cameras, guards, and cash-protection measures, these venues are used to large volumes of people toting valuables. Most gaming properties have no-guns policies, and uniformed and plainclothes security officers keep careful eyes on the property. </p><p>Guests at casinos are looking for privacy and comfort, so hospitality professionals must strike a balance between providing security and making sure their clients feel at ease. </p><p>"Most security has to be unobtrusive, yet effective," says Dave Shepherd with the Readiness Resource Group and a member of the ASIS International Gaming and Wagering Protection Council. "We're not trying to prevent people from crossing a border or boarding an airplane. We have to be very cognizant of the rights of people as they are coming onto the properties." </p><p>In the wake of high-profile incidents, an opportunity arises to engage the C-suite, says Alan Zajic, CPP, with AWZ Consulting and chair of the Gaming and Wagering Protection Council. </p><p>"Any security director knows that when an event like what happened in Las Vegas occurs, your bosses are going to be asking you what you intend to do," he says. "That's the greatest opportunity to say, 'I need a commitment out of you to be able to put some of these programs into place and help protect our employees and our guests.'"</p><p>He explains that gaming properties should prioritize training employees on situational awareness, and proposes a technique. </p><p>"You observe something and investigate it until you understand it," he notes. "If you observe something unusual about a person, you should watch for a while until you understand whether it's legitimate. And if it's not, you investigate."</p><p>These types of training programs are going to become more prevalent in the industry, Zajic says, adding that airport level screening would be too burdensome for hotels and guests alike.</p><p>"Should there be screening or metal detectors inside bell rooms?" he asks. "Those are all kneejerk reactions that I'm not sure are going to float. People are going to be resistant to the invasion of their privacy."​​​</p>
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspxA Cyber PipelineGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​​It was a tense moment. Twenty minutes before taking the stage at the 2016 RSA Conference in San Francisco, U.S. Secretary of Defense Ash Carter had signed an agreement to create the first U.S. government bug bounty program.</p><p>"I was sitting in the front row there, just shaking my head and praying everything would work out the way it was supposed to," says Lisa Wiswell, former U.S. Department of Defense (DoD) bureaucracy hacker who oversaw the bug bounty program.</p><p>And work, it did. Dubbed "Hack the Pentagon," the program allowed 1,400 security researchers to hunt down vulnerabilities on designated public-facing DoD websites. More than 250 researchers found and reported those vulnerabilities to the DoD, which paid them a total of $150,000 for their efforts.</p><p>"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said in a statement. </p><p>Based on the program's success, the DoD launched "Hack the Army" in 2016, followed by "Hack the Air Force" in 2017, to continue to address security vulnerabilities in its systems. This method of crowdsourcing cyber­security is one that many organizations are turning to as they continue to struggle to recruit and retain cyber talent.</p><p>According to the most recent Global Information Workforce Study, the cybersecurity workforce gap is on pace to increase 20 percent from 2015—leaving 1.8 million unfilled positions by 2020.</p><p>"Workers cite a variety of reasons why there are too few information security workers, and these reasons vary regionally; however, globally the most common reason for the worker shortage is a lack of qualified personnel," according to the report's findings. "Nowhere is this trend more common than in North America, where 68 percent of professionals believe there are too few cybersecurity workers in their department, and a majority believes that it is a result of a lack of qualified personnel."</p><p>To help address this issue, study respondents reported that more than one-third of hiring managers globally are planning to increase the size of their departments by 15 percent or more. However, the report found that historically, demand for cybersecurity talent has outpaced the supply—which will continue to exacerbate the current workforce gap if the trend continues.</p><p>"It is clear, as evidenced by the growing number of professionals who feel that there are too few workers in their field, that traditional recruitment channels are not meeting the demand for cybersecurity workers around the world," the report explained. "Hiring managers must, therefore, begin to explore new recruitment channels and find unconventional strategies and techniques to fill the worker gap."</p><p>One technique to fill the worker gap is being used by the FBI, which has a long history of workforce training and development to keep agents—and Bureau staff—at the top of their game to further its mission.</p><p>In an appearance at ASIS 2017, FBI Director Christopher Wray explained that the Bureau has created a training program to identify individuals with cyber aptitude and train them so they have the skills necessary to identify and investigate cybercrime.</p><p>"We can't prevent every attack or punish every hacker, but we can build our capabilities," Wray said. "We're improving the way we do business, blending traditional techniques, assigning work based on cyber experience instead of jurisdiction, so cyber teams can deploy at a moment's notice."</p><p>In an interview, Assistant Section Chief for Cyber Readiness Supervisory Special Agent John Caliano says the FBI is looking internally to beef up all employees' cyber abilities.</p><p>"There is a notional thought that all the cybersmart people are in the Cyber Division," he adds. "There are a lot of very talented people outside the Cyber Division, some have worked in other areas…the goal is to start to pick up in the investigative realm and lift the abilities of all employees, so they have a basic understanding of cyber and digital threats today."</p><p>To do this, the FBI has employees undergo a cyber talent assessment which looks at the skill sets they brought with them when they were hired, the skills they have learned on the job, and their aptitude for formalized and informalized training on cybersecurity and technology. </p><p>The FBI then sorts employees into three categories: beginners, slightly advanced, or advanced. Employees are then sent to outside educational courses, such as those provided by the SANS Institute or partnering universities, to learn more about cybersecurity and bring that knowledge back to the FBI. The FBI also works with the private sector to embed employees to teach them specialized skills, such as how SCADA networks operate.</p><p>In 2016, Caliano says, the FBI identified 270 employees for cyber training who were not part of the Cyber Division. Approximately two-thirds of those employees were categorized as beginners at the outset, and Caliano says the Bureau plans to continue the assessments and training for the foreseeable future.</p><p>And for its specialized teams, the FBI is continuously developing in-house training that will eventually be offered to the entire FBI. </p><p>"One day, all FBI employees will take these courses and pass these courses," he says. "People will understand what depth and defense mean, how to secure networks, and trace IP addresses."</p><p>These specialized teams include its Cyber Action Team (CAT), which is made up of employees who deploy when a major cyber incident occurs. For instance, when the Sony hack occurred in 2013 the initial FBI response team had a few members who were also CAT members who were sent to the scene.</p><p>Once the FBI became aware of the severity of the incident, it sent a full CAT to Sony's headquarters to sit with the network operators to comb through their logs to see how the attack spread.</p><p>While this training provides professional development opportunities to current employees, the FBI is also focused on identifying future talent that can be recruited into the FBI. </p><p>"We can't compete with dollars, but we can compete on mission," Caliano says, adding that the FBI often gets to look at cyber threats and address them in a way that the private sector does not, providing employees a "deeper sense of fulfillment."</p><p>To attract talent, the FBI has a variety of initiatives including an Honors Intern Program open to all college students. It also has a postgraduate program where the FBI will pay for a graduate or doctoral student's degree. It's also reaching out to students at the high school level through its Pay It Forward program, which engages students in math, science, and technology who might show cyber aptitude.</p><p>"We are, as a workforce planning objective, training at schools—driving down to the high school level," Caliano tells Security Management.</p><p>Another new recruiting channel has been championed by Wiswell since she left the DoD in 2017. After leaving the public sector, she went to work at GRIMM, a cybersecurity engineering and consultant firm, as a principal consultant. One of her main responsibilities is to oversee its GRIMM Academic Partnership Program that runs the HAX program.</p><p>Through HAX, undergraduate cybersecurity clubs can participate in friendly competitions and gain hands-on cyber experience. GRIMM has partnered with Penn State University at Altoona's Security Risk Analysis Club and Sheetz Entrepreneurial Fellows Program, the Michigan Technological University (MTU) Red Team, George Mason University Competitive Cyber Club, and the Rochester Institute of Technology's Rochester Cybersecurity Club.</p><p>Throughout the academic year, participants in HAX break into teams to complete programs designed by GRIMM engineer Jamie Geiger that are similar to computer Capture the Flag challenges. While participants have the option to compete individually, Wiswell says she encourages students to create a team to hone their communication skills.</p><p>"A lot of this field has an individualist focus a lot of the time, and what's really needed is the ability to communicate well, both up and down, to work well on teams, and to have effective analytical skills," she explains. "The kinds of things that you learn well by doing these kinds of team-based challenges."</p><p>GRIMM chose these programs in particular to create a talent pipeline for the company, which has offices in the Washington, D.C., area and in Michigan—near two of the universities it's partnered with. By engaging college students through HAX, GRIMM hopes to create a talent pipeline and increase diversity on its own staff.</p><p>"HAX is an effort to do both those things," Wiswell says. "We are kind of do-gooders on one hand. If folks that are participating in the program have no interest in coming to work for GRIMM, that's fine. We just hope that they use their talents and go somewhere."</p><p>That's why the challenges and the experience to connect with people working in cybersecurity are important, according to Wiswell, because it helps students make informed decisions about what they would like to do after graduation.</p><p>"We're trying to think outside the box in ways that students feel very well rounded, so students can make decisions on what sliver of this workforce is most interesting," Wiswell says, explaining that current challenges are focused on Linux and Microsoft systems, but in the future, might include hardware and other areas. </p><p>And to gain even more experience before graduation, Wiswell says she encourages students to take part in bug bounty programs to get connected to companies that might one day hire them.</p><p>"If you already have a lot of good skill and you're trying to hone skill—and make some cash—we think that bug bounty programs are a great way to do that," Wiswell explains to Security Management. "GRIMM is partnered with a couple bug bounty as a service providers to help them get in a broader group of individuals who are interested in participating, as well as companies that could benefit from hosting bug bounties themselves."   ​</p>
https://sm.asisonline.org/Pages/The-Strategic-Leader.aspxThe Strategic LeaderGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In this current era of enterprise security risk management (ESRM), there are no shortages of risks to contend with. Most surveys of the top global business risks identify several that are security-related, including terrorism, cyberthreats, pandemics, national disasters, water security, and government instability or collapse. </p><p>But as ominous a backdrop as these risks may provide, they have not changed one of the fundamental realities of business: all functions within a company compete for a finite set of resources, and senior executives will fund those that are most likely to help fuel growth.  </p><p>Given this reality, the problem for support functions like security is that, certain exceptions aside, they are not seen as revenue generators. As a result, the security department must prove that its efforts are strategically aligned with the objectives of the company, and that they are part of the company's overall growth effort. This demands strategic leadership from the security manager.   </p><p>And such strategic leadership goes beyond being the subject matter expert on all things security. It is not simply about possessing the right kind of knowledge. It is, instead, about being someone able to make that knowledge relevant to, and an integral part of, the company's business goals.  </p><p>To succeed in this effort, security professionals must fully understand the myriad ways security affects the larger company. With that knowledge in mind, they must focus on creating relationships inside and outside the organization that will enable the security function to produce results valued by the company. </p><p>Delivering these valued results often requires the need to think and work differently–that is, to think and work strategically. It demands that security professionals become strategic leaders.</p><p>This article will focus on the need for strategic leadership by security professionals and what that leadership requires–namely, an alignment between the security function and the company's business goals that is only achievable through the effective execution of strategies. It does this by first explaining the concept of strategy, and then offering several examples of strategic leadership to demonstrate how it plays out in the real world of security.​</p><h4>Vision and Execution</h4><p>The concept of strategy emerged more than 2,500 years ago in ancient Greece with a one-dimensional perspective that focused on how generals waged war. Under this concept, a general is responsible for multiple units, on multiple fronts, in multiple battles, over various spans of time. The general's challenge is to provide the vision and preparation for orchestrating the subsequent comprehensive actions. </p><p>The general's strategy, then, consists of an integrated set of choices designed to achieve specific goals. But it is important to remember that strategy is not an accurate term for every important choice that the general faces. </p><p>This is where organizations fail in the business world. Many executives have begun calling everything they do strategic. Too often, strategy becomes a catchall term, used to mean whatever the executive wants it to mean. </p><p>And all too often, the result is that the organization undertakes a collection of business activities that create confusion and undermine credibility because they are not strategically aligned. Sometimes these executives confuse actions or tactics—which are the means by which strategies are executed—with strategies themselves. They are then left to wonder why they failed to achieve their desired goals. </p><p>Strategy addresses how the business intends to engage its environment in pursuit of its desired goals. Without strategy, time and resources will be wasted on piecemeal, disparate activities. Sometimes, managers will fill the void with their own (often parochial) interpretation of what the business should be doing. The result is usually unsuccessful initiatives that are incomplete, disjointed, and confusing.  </p><p>Strategic leadership rises above this confusion. But it does not come easy. Studies show that fewer than one in 10 leaders exhibit strategic skills, a woefully inadequate number. </p><p>It would be a mistake to believe that strategic leadership is only needed in times of crisis. During the good times, strategic leadership is just as important as during the bad times, because it ensures valuable resources are focused on the right areas and in the right ways.</p><p>At its essence, strategic leadership is the ability to learn, anticipate, challenge, interpret, decide, and align organizational capabilities and competing interests in ways that effectively engage the everyday opportunities and problems presented by the competitive environment. It is the ability to translate vision into reality by seeing the bigger picture and longer time horizons, then creating the strategies necessary to achieve goals that deliver valued results.</p><p>Here are five real world examples to illustrate strategic leadership. The first is relatively simple and straightforward, to ease into the concept. The next four are more involved and complex. ​</p><h4>Honing a Process</h4><p>A global security company once had a system for suggestions that required employees to fill out a four-page form each time they had an idea they wished to submit for consideration. </p><p>While the form was lengthy, executives believed the information it solicited was valuable and worth requesting. In a period of four years, 2,500 employees submitted 252 ideas for consideration, or about 63 ideas per year.</p><p>A lower-level manager in one business unit, who found the process frustratingly inefficient, successfully engaged the organization to change it. This manager realized that the information submitted on the four-page form had value to company leaders. But he also knew that if the submission process were made easier, the organization would ultimately receive more ideas, and it would benefit greatly from their implementation. </p><p>The manager's suggested changes were made. Today, anyone at the company can submit a description of an idea for improvement via email, instead of a four-page form. Moreover, rather than waiting for a time-consuming process to unfold, the submitter is allowed to act upon the idea if there is no response by management within 30 days. </p><p>Under the streamlined submission process, employees sent in more than 6,000 ideas for improvement within the first year. When some of these were implemented, organizational performance was enhanced and operating costs reduced. </p><p>This is a textbook example of an individual who looks at the bigger picture, and sees an opportunity to change a process that would lead to a positive outcome. This is strategic leadership.</p><h4>Advancing on Many Fronts</h4><p>A security executive sought an opportunity to show that security was aligned with his company's transformational efforts in ways that would help produce clear and valuable results. </p><p>To do that, the security executive engaged in a brainstorming session with his staff, eventually arriving at a consensus decision to improve the company's access control systems.</p><p> The executive knew this was no small undertaking. However, to have the desired outcome he needed buy-in from employees involved in a range of functions that were both inside and outside the business.  </p><p>He began the process by meeting with people. He met with the finance department to work through the numbers and arrive at a reasonable capital expenditure budget. He met with legal to identify any liability issues that might arise from the new system. He met with human resources to develop a training program in support of the effort. He also held a joint meeting with human resources, operations, and legal to create a new policy to ensure that there would be progressive discipline for any violations.</p><p> He then met with outside suppliers to engage in an open bidding process and ensure the effective delivery of the approved products. He also met with his company's business development group to ensure that the systems would be installed during site redevelopment to enable the costs to be capitalized, and thereby reduce the overall financial impact on the company. Finally, he met with senior management and presented the strategic plan. It was approved. </p><p>What this security executive's experience shows is that the security function must position the business to succeed in a larger sense, through the involvement of the many, not the few. He realized that the new access control system would result in threat reduction combined with increased security visibility, while controlling costs. </p><p>To achieve that positive outcome, the security executive showed an ability to think, act, and influence others in strategic ways. Like the military general cited earlier, he designed a plan of integrated actions, working on several fronts—budgetary, legal, employee training, and logistics—and, in so doing, demonstrated strategic leadership.    ​</p><h4>Imitation is Not Strategic</h4><p>When given the same challenges to improve security, managers may take actions that are not always strategic. </p><p>For example, in an effort to improve security, a manager undertook a formal benchmarking process. In his benchmarking effort, the manager compared the overall security at his company to that of another well-known company, one with a long-standing, well-respected, and well-funded security department.  </p><p>Since this second company was a competitor within the same business industry, a benchmarking comparison seemed apt, and so the manager expected the findings to be relevant to improving security. Flush with information and data, the security manager met with senior management and, in a highly professional set of Powerpoint slides, presented the logic for his budgetary request.  </p><p>Now if we stop there, we might expect that the security manager met with success. After all, it is a common practice in business to identify processes and practices used by other successful firms to understand and recommend competitive positioning. One reason this approach is well regarded in business is that it can be efficient—it can help managers make effective choices by avoiding approaches already judged to be failures by other companies.  </p><p>But contrary to expectation, the security manager's proposal was rejected.</p><p>Although the analysis was logical and the findings sound, the competitor's values, culture, and operational capabilities were drastically different from the manager's company. Senior leaders realized that, although something worked at a competing company, it would likely not work in their company, given the operational differences guided by their company's strategies, core values, and organizational culture. These are important differences because they determine how a company chooses to grow through its current or desired product and geographic markets. Unlike a larger company with greater financial and operational capabilities, a smaller business is often less willing or able to fund new ventures. </p><p>So to imitate another company, particularly an industry leader, is to chase a moving target that captures what was effectively yesterday's success. As mentioned above, identifying practices used by other successful firms can be valuable as a means of understanding competitors. But merely copying other firms, even those of industry leaders, is not strategic. Where a benchmarking effort becomes strategic, however, is when it seeks an adapted approach tailored to the individual needs of the organization. ​</p><h4>A Piece of the Puzzle</h4><p>Those in security who come from law enforcement, the military, or government service should recognize that the strategic role they are expected to play will be different from the one they previously fulfilled.  </p><p>As one security executive once said, things improved when she recognized that success in government life did not necessarily translate into success in a business setting, because business offers fundamentally different challenges. </p><p>In her new business setting, this executive's credibility came by demonstrating an ability to think and act strategically. This occurred early in her transition, when she was asked to help provide input toward improving the background screening process for new hires. This seemingly small-scale involvement actually had the potential for a large-scale impact across the business.</p><p>From her experience in government service, she knew the importance of hiring well, and how it provides longer-term employees who, over time, possess greater institutional knowledge. Consequently, rather than merely offering a single bit of input, she asked for and was given a place on the working group that was developing a better background screening process. </p><p>In this role, she helped develop a screening process that produced strategic and valued results by minimizing turnover, reducing overall costs, and limiting liability exposure.</p><p>With what appeared to be a small involvement in process improvement, this security executive helped deliver a larger benefit to the company. In so doing, she also created relationships that enabled security to meet other challenges that delivered value to the company. Without fanfare and without question, she was a strategic leader. ​</p><h4>Adjusting to Realities </h4><p>A senior security manager had overseen the growth of his firm's security function from humble beginnings. Once part of a small cadre of people responsible for investigations at a company aspiring to get bigger, he had seen the company grow through acquisitions into a business powerhouse. His responsibilities as a security manager grew accordingly.</p><p>As the company opened more offices and plant locations throughout the country, the manager's budget and capital expenditures increased dramatically, in keeping with the need to secure the growing number of sites, assets, and employees. </p><p>However, a companywide satisfaction survey revealed that employees believed the security department was impersonal, bureaucratic, and unresponsive to employee needs. In turn, employees treated security procedures as mere suggestions. </p><p>Based on these findings, the security manager sought to determine the source of the dissatisfaction. He completed a strategic review of the security function, including a small but significant "employee as customer" survey. </p><p>What he discovered was surprising: the problem was rooted in the everyday interactions employees had with the security department, specifically the security officers.</p><p>This struck at a long-standing concern. Controlling costs was one of the company's competitive strategies, and so the decision had been made to outsource the security guard function. But the security review discovered significant problems with this approach. </p><p>Over time, the number of security services firms providing guard services had grown. The company continually sought the lowest-priced local provider, but managing this operation became more and more problematic. </p><p>Hiring and retaining quality officers was particularly difficult; many were poorly paid and inadequately trained, and they felt disenfranchised from the company they served. This all contributed to a costly turnover cycle.</p><p>Recognizing an opportunity for positive change, the security manager recommended to his company that they forgo the use of contract services and make the security officers full-time company employees. He presented a strong argument, complete with sup­porting data.</p><p>Nonetheless, senior management decided that this proposal was counter to the company's cost control strategy. The security manager was told to consider another approach to solve the problem.</p><p>Rather than being defeated by this setback, the manager sought approval from senior management to increase the security services budget to obtain better quality services and reduce the confusion that stemmed from juggling multiple contracts. </p><p>Senior management agreed to a reasonable increase in the security budget, so the security manager began the improvement process by putting the contract out for bid, seeking a single company capable of providing nationwide service in various settings. </p><p>Subsequently, a new security company was awarded the nationwide contract to manage guard services based on a range of factors, including adherence to more professional business attire and a commitment to a process designed to develop and retain effective officers. And the selection of the new services company kept the contract within the budgeted increase provided by senior management.</p><p>A few months after the new services firm was in place, the security department conducted a new survey. Employees reported feeling that company security seemed more professional, more respectful of their needs, and more helpful. Gone was the adversarial attitude, replaced by a feeling of business partnership. And the company maintained its desired level of security, as evidenced by fewer security violations and fewer security issues. </p><p>At its essence, this story illustrates strategic leadership in action. Despite setbacks, the security manager adapted to the situation and aligned security efforts so that they were consistent with his company's cost containment strategy and business needs, and fulfilled the firm's protection and customer service requirements.   ​</p><h4>The Future</h4><p>The only certainty about the future is that it is uncertain, and past success does not guarantee future success. These two maxims, sometimes applied to business in general, certainly apply to the security field. </p><p>Some of the factors driving this uncertainty include advances in technology and the quantity of information being produced; shifting customer needs; internal competition within companies for resources; struggles to maintain profitability as the economy changes and evolves; and the new normal of doing more with less for countless business operations, including security. </p><p>But we also see markets offering greater opportunities to those able to adapt. The ability to influence others to engage in efforts that enable organizational success, while acknowledging the constraints of time and resources, is at the heart of being strategic. It is why security leaders must prove they are capable strategic leaders.</p><p>These leaders recognize situational constraints and adapt to their environment. By necessity and design, they are flexible, and able to adjust their strategies to achieve the stated goals. What they do is measurably tied to goals. </p><p>Their attributes go beyond charisma, experience, and expertise. Aspirations are not enough; businesses want to see results. And results, more often than not, take strategic leadership. </p><p><em><strong>Chris Walker, D.B.A.</strong> (doctor of business adminstration), is a management development consultant and a longtime member of ASIS International. A former law enforcement officer responsible for high-level financial investigations, Walker served as the head of global security for a multibillion dollar division of a Fortune 50 company. He is former executive professor of strategy for Northeastern University. ​ ​</em></p>
https://sm.asisonline.org/Pages/Book-Review---Mental-Health.aspxBook Review: Mental HealthGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Butterworth-Heinemann; elsevier.com; 370 pages; $125.</p><p>Following a disaster, the issues surrounding the mental health issues affecting both rescuers and survivors are frequently overlooked. <em>Integrating Emergency Management and Disaster Behavioral Health </em>is an excellent exploration of the topic, written by multiple contributors. Looking at mental health from both emergency management and behavioral health perspectives allows the authors to seamlessly transition between these two disciplines and make a convincing argument that both need to be considered throughout each stage of disaster management.  </p><p>While the book sometimes reads like a research paper, the topic is fascinating. The chapters include ample references and diagrams to convey both the seriousness and credibility of the material. Real-world examples illuminate the text. </p><p>Some chapters explore topics in a depth that may be too advanced for general security practitioners, especially those not involved with planning or coordinating emergency response efforts.</p><p>The ideal audience for this book would be emergency managers and those seeking to learn more about this discipline. The book would be a great addition to training courses on the National Incident Management System because those learning about emergency management for the first time would be exposed to the behavioral health implications following a disaster. Individuals working with or studying human behavior, such as clinical psychologists, mental health counselors, and aid workers, will also find value in understanding how people individually and collectively react to the stress of major disasters.</p><p>Overall, this book presents a unique and desperately needed argument for integrating two vital but sometimes distant disciplines. At a time when factions debate over what constitutes mental illness and what such a diagnosis means, this book becomes a timely resource.</p><p><em><strong>Reviewer: Yan Byalik, CPP, </strong>is the security administrator for the City of Newport News, Virginia. He has 16 years of security experience in multiple industries, managing security officers, campus security officers, and special conservators of the peace. Byalik is the assistant regional vice president for ASIS Region 5A in Southeast Virginia. ​</em></p>
https://sm.asisonline.org/Pages/Opening-Up.aspxOpening UpGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The research arm of the U.S. Department of Homeland Security (DHS) needs your help—and it is not afraid to open up about those needs. In a new industry guide, the Science and Technology Directorate (S&T) outlines its six key mission areas and details where its technology is lacking.</p><p>Moreover, the document serves as a call to action to the private sector for its help in discovering and developing technology that will help DHS tackle some of its biggest challenges.</p><p>DHS Senior Industry Advisor Kathleen Kenyon acknowledges that this isn't the first time DHS has reached out to the private sector for help in developing new technologies for government use, but this time around, officials are being more specific—and transparent—about the types of advancements they are willing to invest in.</p><p>"In the past, when we've talked to the private sector, many asked us what we need, and when, and how," Kenyon says. "This time, we took a concerted effort to go into a little more detail, to really explain to industry not only what we need but where we're investing our dollars and the types of technology we are looking for."</p><p>Technology-sharing partnerships between DHS and the private sector have long faced challenges due to slow procurement processes, cancelled contracts, and a lack of detailed communication about exactly what S&T is willing to invest in. The directorate is stepping up its efforts to build a bridge between the public and private sectors—in addition to the industry guide, it's conducting online and in-person outreach efforts. New contract rules that shorten application response times, as well as programs reaching out to nontraditional partners, take away some of the pain associated with working with the government. </p><p>One such effort is the Silicon Valley Innovation Program, which allows startups to apply for a contract and receive government feedback more quickly—many contracts are issued within 10 days, Kenyon says, allowing companies to make investment decisions early on.</p><p>"I do understand the industry's hesitancy to work with the government—we hear that quite a bit—so we want to take that information and translate it into ways that we can be more agile," Kenyon says. "We're trying to be a little quicker when it comes to working with us—speeding up deals and money and how we work and brainstorm together."</p><p>Kenyon stresses that public-private partnerships will be mutually beneficial, allowing private organizations access to government funding and business. Additionally, Kenyon notes that the industry is only as secure as the government, so a more capable public sector means stronger business. </p><p>"Industry leaders like those in ASIS are security professionals who are looking to secure their company and contribute to the larger effort of securing the nation," Kenyon says. "We want to make sure we are really reaching those who can be impactful in their own organizations to help secure the nation."</p><p>S&T's industry guide serves as a touchstone for the private sector and names six mission areas: securing aviation, securing borders, preventing terrorism, protecting from terror attacks, securing cyberspace, and managing incidents. Additionally, the document outlines the types of solutions it seeks from industry partners: future innovations, near-term capabilities, and new applications of existing technologies. </p><p>"The vast majority of what we're looking at is going to be near-term or adapting in some way existing technology, because we have urgent needs right now that our homeland security operators need to have in use and be out in the field," explains Melanie Cummings, deputy director of private-public partnerships. "We know there's a lot of low-hanging fruit out there in terms of sensing and detection technologies that might not be an exact fit for a particular application, but we can modify and combine some things to get them out on the streets."</p><p>This most recent push by DHS S&T to make meaningful connections with private sector manufacturers comes at a time when corporations are far outpacing the government in terms of research and development, Kenyon explains. Additionally, agencies are more often turning to off-the-shelf solutions, and Kenyon envisions a type of marketplace that would allow companies to tweak these solutions to perfectly fit governmental needs, as they would for any client.</p><p>"The private sector is far outpacing us when it comes to research and development and spending billions of dollars more than we are on it, and in some cases they're ahead of us," Kenyon says. "How do we tap into that knowledge base and technology development so that the technology they're developing can also be used by DHS?" </p><p>Kenyon describes the marketplace as one where a product could be used by U.S. Customs and Border Protection agents and commercial companies alike. The U.S. Department of Defense (DoD) has done this successfully for decades, she notes, but DHS's breadth and people-based agencies require more specific products.</p><p>"We have a much more diverse mission set, and that requires us to explain better to our customers and technology developers, and those who also commercialize technology and put it in the marketplace, what our needs are," Kenyon says.</p><p>Donald Zoufal, CPP, an independent consultant with CrowZnest Consulting, Inc., says S&T's efforts are a long time coming—and seem promising.</p><p>"There's always been a lack of communication, particularly on the government side, in terms of clearly articulating what its priorities are," Zoufal tells Security Management. "We don't know what the requirements and priorities are, so it's hard for us to attune our R&D initiatives to meet those requirements. I think this is a really positive step—it's recognition by the government that if they're more clear in providing direction about where they want to put their money, the market will positively respond to that. A lot of times DHS has paid lip service to the notion of partnership, but I see this as a really concrete effort to try to move that forward."</p><p>Zoufal worked at Chicago's Department of Aviation in the early 2000s and said the S&T industry guide touches on challenges he saw in airports—the upgrading of aviation security technology after 9/11 and the off-the-shelf purchases local agencies made to try to solve urgent problems in security.</p><p>"In a nutshell, this addresses a longstanding set of concerns that go back to when I was a security director at O'Hare and Midway, seeing big technology issues as inline baggage screening was brought in to replace other machines," Zoufal explains. "This cooperative spirit is much needed and will benefit the industry in being able to understand the direction the government wants to go in, but also for government to understand that there may be other technologies out there that are able to help."</p><p>S&T is looking ahead, too. The industry guide details its research and development investment outlook through 2021, outlining specific technologies it hopes to invest in.</p><p> "We really want to look at and be aware of what's coming over the horizon, what technologies will be in place in five to 10 years, that are either going to change the way we operate, or that might potentially become threats to the homeland," Cummings notes. </p><p>However, some private sector organizations may be wary of working with the government to develop an idea from the ground up, Zoufal says.</p><p>"Part of the problem with working with the government is that as administrations change, priorities change, so the current priorities may not be the same if there's an administration change in three years," Zoufal explains. "When you think about R&D and the investment of time, money, pace, and the lag to develop a new product, it's a dedicated effort. Businesses tend to plan in long-term strategies, and the government may talk in those terms but oftentimes doesn't plan as well. Better communication will help with that."</p><p>Zoufal, who also teaches a course about homeland security technologies at the University of Chicago, says that the industry guide seems to be a sign of an attitudinal shift at DHS to connect with the private sector. However, the success of the outreach lies in the follow-through, he says.</p><p>"This part is the easy part—information sharing on the front end, brainstorming, discussing it," Zoufal explains. "But at the end of the day, the part of this process that will be the most challenging is addressing technology issues in the procurement cycle. Having technology tested and procured and fielded is the part that's probably more bedeviling than general intelligence about what they are looking for."</p><p>Cummings says that S&T has already begun committing resources to show the private sector that the partnership will be a successful one—from start to finish.</p><p>"We're putting a lot of our programs and non-R&D dollars into making sure that the technologies that we're developing are getting out in the field and being commercialized for those operators and end users who primarily buy in the commercial market," Cummings explains. "Beefing up commercialization, our transfer program, and working with the private sector manufacturing and distribution channels are priorities for us over the next fiscal year."  ​</p>
https://sm.asisonline.org/Pages/An-Expert-Partnership.aspxAn Expert PartnershipGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​It was a monumental task. The Ontario Provincial Police (OPP) needed to conduct security assessments of all the courthouses in the province it polices—approximately 100 locations—with only three people to carry out the work.</p><p>In an unprecedented move, Security Assessment Unit Sergeant Laura Meyers, PSP, proposed bringing in outside help from the private sector. Senior executives approved of the idea, and Meyers reached out to the ASIS Toronto Chapter to bring on Michael Thompson, CPP, PCI, PSP, and Gregory Taylor, CPP, PSP. </p><p>Both had public sector experience—Taylor was former military and Thompson a former Toronto police officer. Meyers thought those qualifications, along with their extensive security backgrounds, would not only help them conduct the assessments OPP needed, but also gain the respect of OPP officers they would be working with in the field.</p><p>Her predictions were correct. Taylor and Thompson were well received, and the project was completed on time without exhausting OPP's resources—funding or personnel—to complete. It also marked a new era with OPP in bringing security professionals in-house to assist law enforcement in addressing security threats.​</p><h4>The Mandate</h4><p>In 2007, the province of Ontario issued the Ontario Public Service Physical Operating Policy, which required all public service facilities within the province to complete a physical security threat risk assessment. </p><p>The OPP, which polices more than 1 million square kilometers of land and waterways in Ontario, was subject to this mandate. It's one of North America's largest deployed services with more than 5,800 uniformed officers, 2,400 civilian employees, and 830 auxiliary officers. </p><p>To comply with the mandate, the OPP's four-member Security Assessment Unit was assigned to carry out threat assessments of more than 200 facilities across the province. The four members went to each region and trained OPP staff at the facilities on crime prevention through environmental design (CPTED) strategy and the Royal Canadian Mounted Police's (RCMP) Harmonized Threat Assessment Methodologies. </p><p>"It was like a mass attack for the four-person unit to do that within a couple of years," Meyers says. "By 2011, all [facilities] were visited and threat assessments completed." </p><p>During that time frame, Staff Sergeant Rob Fournier was placed in charge of the newly created OPP Justice Officials Protection and Investigations Section (JOPIS). The section was created in 2009 to ensure the safety and protection of justice officials and to address threats, harassment, and intimidation directed at justice officials.</p><p>The Security Assessment Unit and JOPIS regularly began working together to address threats, and in 2015, JOPIS was instructed to complete physical security threat risk assessments on all justice facilities in the province.</p><p>Meyers and Fournier both knew it would be a major task to carry out the assessments, especially if they had to train additional OPP staff to conduct them. </p><p>"In the police world, when you're building your team you're looking for an individual with a ton of experience," Fournier says. "In the security aspect, we have to use that same premise. Why would you want to be retraining someone in security work, when you can get someone who's been involved for years?"</p><p>Meyers and Fournier were both active in the ASIS Toronto Chapter, so they pitched the idea of contracting out the justice facility assessments to a few security professionals they knew through the chapter.</p><p>The idea was approved, and Meyers and Fournier recruited two security professionals with certifications and backgrounds in the public sector—Thompson and Taylor. ​</p><h4>Justice Site Visits</h4><p>After Thompson and Taylor were brought on board, they traveled to 92 different sites across the province—ranging from remote areas to urban settings, with everything from historic courthouses to courtrooms in mini plazas.</p><p>Their job was to review each site, evaluate the training protocols, and identify any gaps that might pose vulnerabilities, Fournier says. </p><p>Thompson's and Taylor's recommendations were critical at one site in particular following a series of events over a six-month period that impacted the security of the facility in eastern Ontario. </p><p>During that six-month period, a local individual murdered three former lovers. Law enforcement launched an extensive manhunt to locate the person. During that same time frame, an OPP officer was threatened and forced to temporarily relocate for personal safety. And there was another unrelated high-risk threat to an officer at the facility. </p><p>"There were obviously a bunch of people at that older facility, and it needed attention," Fournier says. Thompson and Taylor were able to take the previous threat assessment of the facility and suggest specific actions to take to address the new vulnerabilities due to the heightened threat environment.</p><p>The facility then improved its exterior parking lot lighting, and made other changes that Fournier could not disclose due to security concerns. </p><p>This process of going back to reassess facilities has helped the province distribute its funds to better address security concerns, Fournier says. </p><p>"It's helped paint the picture when we're earmarking where limited funds are going, to say, 'This might not be on your list but it's on ours,' and that helps get things done sooner," he adds.​</p><h4>OPP Sites Revisited</h4><p>While Thompson and Taylor were wrapping up the justice site assessments, the OPP decided to update its original threat assessments that were completed in the wake of the 2007 mandate. </p><p>"Some of the recommendations from that set were dated, not the best security practices," Meyers says. "So, we came up with a criticality schedule—how often we should revisit them…looking at it as a continual working project."</p><p>To carry out this work, OPP once again reached out to the Toronto Chap­ter; this time to Chapter President Patrick Ogilvie, CPP, PSP. Meyers knew that Ogilvie was looking to both build his personal brand as a professional and give back to the community. </p><p>Ogilvie is currently conducting this second round of threat assessments, using the RCMP methodology that was established during the initial round. Having that first set of assessments has been a useful benchmark, Ogilvie says, to score threats and vulnerabilities and then make actionable recommendations for the facilities. </p><p>"Even before I step foot onto a facility, I communicate with commanders that I'm looking for documented evidence or stories of different threats and occurrences," he adds. "I get them thinking not as police officers, but essentially as security people who can identify different threats and vulnerabilities that they have experienced."</p><p>This is because sometimes a security threat hasn't been identified by law enforcement because it is not a deliberate act—such as vandalism—that is intended to harm the facility.</p><p>For instance, Ogilvie says he found that most facilities did not identify building structure or leaks as vulnerabilities.</p><p>"What I found in getting out and talking to [people] was that accidents were happening, natural hazards that could have an impact on our business, and our business is policing," he explains. But because these threats weren't identified, nothing was being done to address or mitigate them.</p><p>Ogilvie has made it a point to educate OPP personnel at the facilities that he's looking at all threats—deliberate acts, accidents, and natural hazards—that could harm the organization. For instance, a leak in the facility could cause structural decay and ultimately become a hazard for personnel inside. </p><p>Thus far, Ogilvie says the OPP officers he's interacted with have been receptive to his suggestions, and Meyers adds that the feedback she's received has been highly positive—including that security deficiencies have been pointed out in a respectful manner.</p><p>Due to the success of the program, Fournier says that several First Nation police services across the province have reached out to OPP for assistance on conducting similar threat assessments. </p><p>Many of these facilities, especially in the northern part of Ontario, are in remote locations and have deteriorated or don't adhere to the same standards as other facilities in Ontario. To address this, OPP is working with the police programs to conduct threat assessments of approximately 15 different sites. </p><p>The Security Assessment Unit has also been called on to provide assistance to Ontario government facilities—overviews, recommendations, and security advice—because they have proved themselves in the field. </p><p>It has also showcased how civilian personnel can be brought in to a law enforcement agency to help in addressing security concerns. </p><p>Ogilvie, Thompson, and Taylor are all under contract right now using existing funding that OPP secured. Down the road, Fournier says he hopes to change a few positions in the Security Assessment Unit to hybrid roles that either a police or civilian security professional could fill.  </p><p><em>Laura Meyers, PSP, is a Sergeant in the Ontario Provincial Police. ​</em><br></p>

 UPCOMING EVENTS AND EDUCATION