Attendees had the opportunity on the second day of GSX 2018 to listen to experts share their personal experiences in security, lead deep dives and panels, and gain insights from impact learning sessions.
Read below about a few of the sessions that the GSX Daily team attended throughout the day.
An active shooter opens fire at your company's corporate campus during an innovation contest for entrepreneurs. You are the senior security manager. How do you transmit critical communications to your staff? What resources are available to you? What do you prioritize?
This was the scenario attendees were immersed in during the two-hour workshop "Converged Security: All Risk Is Shared." Divided into several groups and given maps of the corporate campus, as well as other information on the company, teams were tasked with explaining how they would react during the crisis.
Jeffrey Slotnick, CPP, PSP, president, Setracon Enterprise Security Risk Management Services, encouraged attendees to identify competencies needed by senior security managers to respond to the scenarios, as well as to consider what the company could have done to prevent the incident.
"We want to learn what is truly critical as a senior manager when responding to a risk-based event," he said.
Another session, "Active Assailant Workplace Violence Management Training," offered insights into the liability issues, personnel considerations, and legal hurdles that go along with establishing an active assailant training program.
James Cameron, CPP, CEO/founder, Security Concepts Group, explained that no matter how much active shooter preparation a company does, employees must take the potential threat of an active assailant seriously before the training takes hold.
"It doesn't matter how much training you want to provide within your organization," Cameron said. "If you can't get people's mindsets to change—that the probability and the possibility is there—that training will go in one ear and out the other."
He added that there's a narrow focus on active shooters within the workplace and at businesses, which can leave them vulnerable to other types of attacks. He noted that the definition should be broadened to include active assailants of all types.
"When you broaden that scope and take a look at your facilities, maybe now that opens up some gaps and vulnerabilities," he said. "Because you were planning for an active shooter, but you weren't trying to stop a packing truck from running people over in the break area."
The security industry is moving forward at an incredibly rapid rate, so even the most educated and accomplished security professionals must realize that new skills need to be learned every few years, a panel of experts told attendees at an afternoon education session on succeeding in the global job market.
"We have to be aware that we all have gaps. We are in a business where we need lifelong learning," said Axel Petri, senior vice president of group security and governance at Deutsche Telekom AG, at the session, "How to Stand Out in a Competitive Global Job Market."
During the session, panelists discussed a range of issues faced by those looking to advance in the security job market. The topics included getting one's boss and human resources department to support career development and maintaining a consistent professional online presence.
All panelists agreed that new skills can be acquired through different means. One is through mentoring.
Petri gave an example of reverse mentoring, in which he asked a much younger employee at his company to mentor him in areas where the young worker was especially strong, such as the use of new technologies.
Security professionals who are members of ASIS may also find a younger member in ASIS' Young Professionals Council, Petri added.
"It's a bidirectional thing, where both parties can benefit from it," he said.
Bryan Weisbard, director of online safety operations for Twitter, agreed. He said that professionals could look in many places for mentors—within their company, within ASIS, or within any professional networks they have established.
"There's no secret rule that you can't have more than one mentor," Weisbard said. So, a security professional may have an informal mentor outside of his or her firm, and also be involved in a reverse mentoring program within the company.
Weisbard also emphasized that the mentee should take the initiative and be proactive. Sometimes, a mentee feels he or she should defer to the mentor to set up meetings and other interaction, but it's often more productive if the mentee requests meetings.
"It's on the mentee to make sure you drive this forward," Weisbard said. "Set a [meeting] cadence, whether it's every two weeks or every two months."
Anders Noyes, CPP, director of security for Skywalker Properties and another mentoring advocate, emphasized that mentoring programs maximize their chances of success if they put effort into the matching process to make sure that the mentor possesses the skill sets that the mentee is interested in building.
Before the relationship moves forward, expectations and parameters of the relationship should be discussed and established.
Three power grid experts led a wide-ranging panel on the challenges of complying with regulations while acquiring cutting-edge technology solutions in Tuesday morning's session, "Protecting the Energy Sector from High-Impact, Low-Frequency Events," sponsored by the ASIS Physical Security Council.
Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, posed questions to Ross Johnson, CPP, senior manager of security and contingency planning at Capital Power Corporation, and Ryan Frillman, director of information security and compliance at Spire Energy.
They discussed what it takes to prevent high-impact, low-frequency events on the power grid, the regulations that inform critical infrastructure security, and how to approach and respond to risk.
"High-intensity, low-frequency events don't happen often, but when they do, they can kill you or your organization," Johnson noted. "If it's a once-in-twenty-years event, people say that they have 19 more years before they have to worry. It's extremely difficult to convince people. We end up creating fictional scenarios to try to solve the problem—ones that we don't even believe ourselves."
The panel discussed the various barriers to adopting new technology—specifically rigorous standards such as the North American Electric Reliability Corporation's (NERC's) Critical Infrastructure Protection (CIP) standard, along with the reliance on preferred vendors.
"I've been trying to convince NERC that the current standards drafting process simply doesn't work in an innovative environment," Weatherford noted. "We need to be able to take advantage of the cloud and newer technology that isn't even addressed in CIP standards. Most utilities are rightfully very apprehensive about doing something from a technological perspective that could subject them to those million-dollar-a-day fines."
Frillman pointed out that emerging technology like supervisory control and data acquisition (SCADA) could allow critical infrastructure systems to operate in a more secure and efficient way, but regulations like CIP are slow to embrace new technology.
"That's where we have this disconnect," Frillman said. "We need to manage the risk that is acceptable and keeps us operational. That's one of our concerns, to find a happy medium from a regulation perspective and still protect critical infrastructure."
Johnson pointed out that the industry habit of relying on preferred vendors is another barrier to technology growth in the energy sector.
"I come back to Canada, and after brimming with great ideas, realized that it's really difficult to field an idea in North America," Johnson said. "On the issue of innovation—it's a great world out there, things are moving forward at very great speed, but the problem in the electric sector is that we're creating barriers that make it difficult for us to succeed. You should never get in your own way, but I think in that area we are."