https://sm.asisonline.org/Pages/Catastrophe-on-Delivery.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Catastrophe on Delivery0

 

 

https://sm.asisonline.org/Pages/Eye-on-the-High-Life.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Eye on the High Life

 

 

https://sm.asisonline.org/Pages/Preserving-Precious-Property.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Preserving Precious Property

 

 

https://sm.asisonline.org/Pages/The-Returned.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Returned

 

 

https://sm.asisonline.org/Pages/Bridging-Worlds.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Bridging Worlds

 

 

https://sm.asisonline.org/Pages/Warning-of-Workplace-Violence.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Warning of Workplace Violence2012-03-01T05:00:00Z
https://sm.asisonline.org/Pages/April-2018-ASIS-News.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465April 2018 ASIS News2018-04-01T04:00:00Z
https://sm.asisonline.org/Pages/21st-century-security-and-cpted-designing-critical-infrastructure-protection-and-crime-prev-0.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a434446521st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention, Second Edition.2014-05-01T04:00:00Z
https://sm.asisonline.org/Pages/australia-security-industry-gets-tough-its-guards.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Australia: Security Industry Gets Tough on Its Guards2008-03-04T05:00:00Z
https://sm.asisonline.org/Pages/cisco-introduces-push-talk-application-0012672.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Cisco Introduces Push-to-Talk Application2013-08-20T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now

 

 

https://sm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspxPerformance Conversations: Checking In & Coaching UpGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The dreaded annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.   </p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security mangers may conduct effective and engaging performance conversations.​</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process. </p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt. </p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past." </p><p>Meanwhile, smaller organizations have taken their cue from these corporations. "People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. </p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains. </p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.  </p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect." </p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation. </p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-then-deserved ranking. </p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains. </p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees. These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  </p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. "The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. ​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. </p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. </p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.  </p>
https://sm.asisonline.org/Pages/Bridging-Worlds.aspxBridging WorldsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Effective security professionals are great innovators by nature. Continually forced to do more with less, security managers create new ideas in an ever-changing industry.</p><p>However, in the security field, the ways in which value is created are changing all the time. So are the strategies required to protect that value. For security managers, the challenge is to be the type of leader who understands how the value creation process is changing, and to then lead the security department so that it best leverages its value for success. </p><p>This type of leadership works best through collaboration. Kevin Kruse, the founder and CEO of LEADx.org, de­scribes leadership as "a process of social influence which maximizes the efforts of oth­ers towards the achievement of a goal." Undoubtedly, the process of social influence is key for security leaders, who typically do not have the authority to tell every­one in the organization what to do and have them comply.</p><p>Moreover, the environment that today's security manager is trying to lead in is filled with rapid change. These changes include massive shifts in technology in both software and hardware, as well as vast changes in the compliance landscape. For security leaders who are not experts in cybersecurity, such as physical security managers, these developments can be daunting to understand and get a handle on. But avoiding them and staying completely within one's silo or area of expertise can make collaboration difficult, and it will lessen the likelihood of effective social influence. </p><p>On the other hand, physical security managers who make the effort to gain an understanding of the effects of these technology and compliance changes, and how their effects can be harnessed to bolster the security of the overall enterprise, can then build bridges between different sections of the security world. These bridges break down silos, and they increase the social influence of the security manager and the chances of successful collaboration. </p><p>With that in mind, this article will discuss a few current technology and compliance developments, and the impact they might have on enterprise security.  ​</p><h4>DevOps</h4><p>DevOps, a software engineering culture and practice aimed at unifying software development (Dev) and software operation (Ops), is changing the way that digital experiences are being created in software.</p><p>One of the main characteristics of the DevOps movement is a push to automate and monitor all steps of software construction, including integration, testing, and deployment. As a result, some of the aims of Dev­Ops are shorter development cycles, in­creased deployment frequency, and releases that are closely aligned with business objectives. </p><p>DevOps specialists John Willis and Damon Edwards have used four terms to define the movement—culture, automation, measurement, and sharing. Under this approach, which is radically different from the traditional one, software is delivered continuously. Teams that had previously worked in silos come together to achieve common goals. As soon as someone comes up with an idea for a new digital experience, a cross-functional team can quickly turn it into reality.</p><p>The DevOps movement is catching on. Currently, 27 percent of surveyed organizations are using a DevOps methodology, according to the latest version of the annual report, The State of DevOps, published by software services company Puppet in 2017. Clearly, the use of DevOps is on the rise, and it is something that security managers should be up to speed on. </p><p>Compare the execution of some security functions in a DevOps versus a pre-DevOps world. In the pre-DevOps world, organizations built technologies in private data centers, and security professionals focused on protecting the perimeter of those centers. Similarly, the traditional brand of waterfall software development (where progress flows in only one direction—down—like a waterfall) takes time, enough time for lengthy cybersecurity reviews and approvals to take place. During this painstaking process, there is a strong focus on preventing breaches from occurring.</p><p>In the DevOps world, use of cloud infrastructure and automation transforms technology infrastructure so that it is now managed as software via application programming interfaces (APIs). The focus is on application and API security, instead of the traditional focus on host and network security. In this world, almost every software company is both a vendor to other software companies and a customer. </p><p>The connected ecosystem of the DevOps world pushes enterprise security away from its previous commonly assumed role as a cost center and pushes it toward the clear position of business driver. It is explicitly requested during the sales process—usually in the form of a vendor security questionnaire. A DevOps world assumes that security incidents are happening all the time and acts accordingly.</p><p>But security managers should know that buying a DevOps product can be different from buying a more traditional enterprise IT product that is installed in a private data center. </p><p>The purchase of the traditional product often meant building a long-term, old-school relationship that required significant investment by both parties. This eventually built trust, if both parties acted in good faith. </p><p>In contrast, Cloud, Security as a Service (SaaS), and other DevOps solutions have been described as "easy come, easy go," and they are often acquired in a low-friction transaction environment, over a shorter time frame. The quality, security, and regulatory compliance of these solutions must be expressed to the security manager in a more explicit way.</p><p>To illustrate, consider the following example. A DevOps vendor has begun to close a deal with its first big enterprise client. Now that the enterprise client has decided that it is interested in purchasing the DevOps vendor's product, it's time for the enterprise client's security team to get involved (just as the legal and purchasing departments will get involved regarding the contract and payment components of the transaction). </p><p>The enterprise security team sends the DevOps vendor a security questionnaire, which typically contains many questions. In some cases, receiving these types of security questionnaires can be intimidating to a DevOps vendor. In other cases, it can inspire the vendor to help drive and continue to mature the security program. </p><p>But no matter what the DevOps vendor's initial reaction is, the role of security has been transformed. It's an obvious and crucial part of completing the sale, from the point of view of both the vendor and the enterprise organization. Thus, the perception of security here is as an explicit business driver, which was not necessarily the case in the traditional IT product world. </p><p>Of course, physical security managers do not need to become technical experts on software development. However, understanding how DevOps changes the transaction process and the perception of security could become valuable knowledge for security managers of all types, including physical security managers. </p><p>Moving forward, the potential commercial advantages of the DevOps approach will likely make the software development trend an attractive one for many more organizations. Physical security managers who can meet this trend with a basic understanding of its potential impact will be well-positioned to collaborate with technology managers, for the benefit of the enterprise's overall security. ​ </p><h4>IoT Security</h4><p>In a recent survey by Business Insider Intelligence, executives were asked various questions about the Internet of Things (IoT). Security was found to be one of the most consistent concerns, chosen by 39 percent of survey respondents, well ahead of other concerns like questionable ROI, lack of a use case, and price. The security concern, in a nutshell, is that increased adoption of IoT technology may expose organizations to new, more prevalent hacks.</p><p>In the past few years, security ex­perts have executed, for demonstration purposes, alarming hacks on connected vehicles (2015), sniper rifles (2015), and cardiac devices (2017). Technically, many of the security vulnerabilities exploited in these hacks are similar to those of more conventional technologies such as servers, but the methods for detecting and addressing vulnerabilities in a connected web of smaller and less capable devices can be much more complex. </p><p>"Paradoxically, the very principle that makes the IoT so powerful—the ability to share data with everyone and everything—creates a huge cybersecurity threat," write Christopher J. Rezendes and W. David Stephenson in a recent Harvard Business Review article, "Cyber Security in the Internet of Things." As with any software product, the best approach for reducing the risk of software-connected vehicles and other types of systems is to assess and monitor security during the product development lifecycle. </p><p>Security managers should evaluate IoT systems with misuse and abuse cases in mind, considering how IoT features might be unintentionally misused or intentionally abused. In this way, the approach to reviewing an IoT system is not much different from the approach that has been commonly used for years to assess software security.</p><p>The methodology is called threat modeling, and this can be done either by an internal security team or outsourced to a third party that specializes in this type of analysis. The first step in creating a threat model is to identify the assets, security controls, threat agents, and threats within the system. The next step is to estimate the likelihood and impact of each threat within the system. Then, an associated mitigation plan for each potential flaw is developed.  </p><p>It is also critical for security managers to ensure that security fundamentals remain in place when working with the IoT environment. One of the founding principles of IoT security is that access should always be shut down where it's not necessary.</p><p>In addition, because IoT devices are primarily consumer facing, it's also important for security leaders to ensure that consumers are aware of and actively implementing cybersecurity basics such as the use of strong passwords and software updates.</p><p>Like DevOps, IoT systems are very likely to become more widespread in the next few years. Familiarity with the threat modeling process and other means of evaluation and sustaining bedrock principles will be valuable tools for security leaders, including physical security specialists, to possess. In addition, managers who supervise enterprise security risk management (ESRM) programs will find that IoT threat models often complement the overall ESRM program. This is because both take the same approach of using risk management principles to identify potential threats and their likelihood, and then strategically allocating resources to fight the threats.  ​</p><h4>GDPR</h4><p>For the past decade and a half, security professionals have been navigating a changing regulatory environment. To date, many regulatory compliance frameworks have been applicable to only one specific industry. Payment Card Industry (PCI) standards apply to financial services, the Health Insurance Portability and Accountability Act (HIPAA) applies to the medical field, and the Sarbanes–Oxley Act (SOX) applies to public companies. </p><p>Additionally, each set of rules and regulations has different enforcement mechanisms. PCI, for example, applies differently to various tiers of an organization, and the actual fines that have been paid by noncompliant organizations have been fairly limited. </p><p>But all of that changes with the General Data Protection Regulation (GDPR). GDPR enforcement officially began in May 2018, and it applies to organizations located within the European Union (EU) and to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU citizens. Organizations that do not comply with GDPR requirements can be fined up to 4 percent of annual global revenue or up to €20 million (roughly $24 million), whichever is greater.</p><p>While the focus is on consumer privacy, GDPR has a lot to say about processes and procedures surrounding data breaches, vendor security, and data protection in general. At a high level, the regulation requires organizations to develop a data inventory and continuously track how data is processed, stored, and transferred. </p><p>Given this, many proactive security leaders will be developing plans for how to proceed when it comes to either providing vendor services or leveraging a vendor for data processing, storage, or transfer. Many will also develop plans for responding to an incident that takes into consideration what action is required by GDPR in the case of a breach. A physical security manager who has sufficient working knowledge of GDPR can be a valuable asset as a participant in this plan development, and the enterprise at large will benefit from the fact that the plan was a collaborative effort between different security specialists.</p><p>For more information, the full GDPR document is available publicly. There are also many guides, runbooks, and "do's and don'ts" online that professionals can review to learn how others are interpreting the information. ​</p><h4>Bridging Worlds in Person</h4><p>DevOps, IoT security, and GDPR comp­liance are all rapidly changing areas within the overall technology and regulatory landscape, and they all offer opportunities for security managers who are not cybersecurity specialists to build bridges into the worlds of technology and information compliance. </p><p>Physical security managers who had educated themselves on the basics of these topics can then learn more when meeting with technology specialists. Such meetings often proceed more smoothly if the physical security manager goes into the meeting with a productive eager-to-learn attitude.    </p><p>So, when meeting with technology and compliance experts, ask questions and save your demands. Spend twice as much time listening as talking. The more curious you are, the more likely you are to learn something that will benefit you as you put together an approach toward improving overall enterprise security.</p><p>Some important questions for a physical security manager to ask a technology manager or engineer might include: What's important to you? What are your top priorities this quarter? What worries do you have about getting your job done? This information can be used to align security goals with technology goals. It can also provide context, and a more accurate answer, for a security manager who is mulling over the question of why security tasks do not seem to receive the time or resource allocations that they should. </p><p>A similar approach will also benefit physical security managers who want to build bridges with the organization's business leaders. Before meeting with these leaders, security managers should spend time learning about the business side of the organization. Then, they can dive into specifics during the meeting, using the same types of open-ended questions used with technology leaders. </p><p>Astute security leaders know that they cannot approach business and technology teams and order them to work in a certain way. If security managers do not spend time and effort learning about how other specialists work, what their priorities are, and what risks matter to them, trust will be hard to build. When was the last time you listened to the advice of someone you didn't trust?    </p><p><em>Caroline Wong, vice president of security strategy at Cobalt.io, has held executive security and management positions at eBay, Symantec, Cigital, and Zynga. ​</em></p>
https://sm.asisonline.org/Pages/Striving-for-Higher-Standards.aspxStriving for Higher StandardsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The cannabis industry is full of contradictions. Although more than half of the United States has legalized—and therefore legitimized—some form of cannabis commerce and usage, it remains illegal under federal law. The drug's stringent controlled substance label prevents it from being researched, and banks take a risk if they accept money from cannabis companies.</p><p>The industry's strict state-by-state regulations mix policy, political influence, and borrowed best practices to create detailed rules that vary vastly by location and can be difficult to interpret and implement, and a lack of overarching guidance can leave organizations vulnerable. </p><p>And where the security industry falls into all of this—with its reliance on metrics, experience, and best practices—is still being explored. The challenge of protecting a product that just years ago was considered criminal cannot be ignored. And, as each U.S. state implements different regulations that are enforced by different entities, it's difficult to compare notes with other security practitioners trying to navigate the nascent industry.​</p><h4>A Growing Industry</h4><p>Tim Sutton, CPP, was working as a senior systems engineer for a security integrator in 2013 when his company received a call from someone who was going to apply for a cultivation center permit. Medical cannabis legalization in Illinois was going into effect at the start of 2014, and the caller needed someone to write a security plan—one that would set the standard for cultivation center security in Illinois.</p><p>The task fell to Sutton, who used his experience with creating security plans for other industries to outline a proposal to win the contract. He integrated foundational security principles, including asset identification, threat assessment, hazard vulnerability analysis, and physical security measures, into the proposal. The plan also took other factors into consideration, such as geographical, architectural, and operational elements, as well as electronic security systems and policies and procedures. </p><p>His firm won the job, and that's when the real work began, Sutton says.</p><p>"There really aren't too many resources available for security plans in general, let alone within the medical cannabis industry," Sutton explains. "As much as security principles remain constant, the application of these security principles must remain variable to be effective."</p><p>Site security plans had to follow the newly outlined laws, which differ from state to state and range from vague to incredibly detailed—and, at times, confusing, Sutton says.</p><p>"Many of the requirements under the law really made me wonder how in the world they were included, but the security plan had to meet all of the requirements," he says. "The security plans are generally considered for between 20 to 30 percent of the total score for the application depending upon the particular state, and many times the score of the security plan is used as a tie-breaker in the awarding of a permit."</p><p>Sutton was able to tour established cultivation centers and dispensaries in another state to better understand how they worked, what security measures were in place, and how those compared to what Illinois would require. "This also allowed me to see many things that I wanted to be sure to avoid or improve upon when writing plans for other organizations," he adds.</p><p>The application Sutton created was approved, and the cannabis company was able to open two cultivation centers. "That was huge," Sutton says. "Illinois is very highly regulated."</p><p>Sutton went on to work with another cannabis company, won three dispensary permits for them, and suddenly found himself an expert in the industry's security. "That's the way it was," he says. "You win one permit in Illinois and that means something. I didn't realize how important that was."</p><p>Since then, Sutton has helped cannabis organizations all over the country apply for dispensary and cultivation center permits and now works as the director of security for Grassroots Cannabis, where he's responsible for security at sites in several states, including Illinois, Pennsylvania, and Maryland. Many cannabis organizations are consolidating, since it takes a lot of money—and expertise—to successfully open and run a dispensary or cultivation center. </p><p>"Nobody knows what they are doing," Sutton notes. "I've never grown marijuana and not many people have ever even seen it. These organizations are consolidating and trying to branch out to other states."​</p><h4>Varied Governance</h4><p>The path a state takes to legalize medical or recreational cannabis—and who is involved in that process—is one of the biggest indicators of what the law looks like and how it's regulated, says Bob Morgan, special counsel for Much Shelist and former statewide project coordinator for Illinois' medical cannabis pilot program. Morgan was involved in crafting the legislation and framework for the program and managed its implementation once the law was enacted in January 2014. </p><p>"Every state that develops a medical cannabis program creates it in its own image, which reflects the political, cultural, and administrative structure of its respected law," Morgan tells Security Management. "Illinois was no different. It had multiple agencies that were responsible for implementing the program—the Illinois State Police and the Departments of Agriculture, Public Health, and Financial and Professional Regulation (IDFPR). Those agencies collectively were responsible for establishing security measures and regulations for the industry, from start to finish."</p><p>Ultimately, each state will model the cannabis industry after another existing industry—often based on what agencies are responsible for its implementation, Morgan notes.</p><p>"Colorado's medical cannabis program was overseen by its Department of Revenue," Morgan says. "So, the culture and process and structure of the Department of Revenue has laid the groundwork for the subsequent medical, and now recreational, marijuana industry. In Illinois, our agencies here all put a significant imprint of their agency culture on the program we have now. In a state like Florida, the Department of Health is overseeing implementation of the medical marijuana program. That determines whether a state will treat the cannabis industry like a pharmacy, or a bank, or a casino."</p><p>Sutton has experienced firsthand the challenges of the differing approaches to the industry. Despite being proficient at writing security plans for the cannabis industry in Illinois—a notoriously highly regulated state—he says navigating security specifics in many states can be daunting for an unexperienced practitioner. "I always read the rules and the law, and every part of the law," he says.</p><p>For example, Sutton was tasked with developing a security plan for a cannabis organization in Hawaii. Its permitting rules are broken down into sections, including one for security, which dictates that, among other things, an organization must retain 30 days of video in its archives.</p><p> "An inexperienced person would design a system that retains 30 days of footage and feel like they're doing what they should do," Sutton says. "But, if you read the rest of the rules and the section on records retention, there's a retention requirement of a year for you to keep inventory reports, employment files, and electronic video archives. If you didn't read that whole rule, you'd never know that and would design the system for 30 days and it would be 12 times too small. It's terrible. That's how I attack it—I read the whole rule, not just the security section."</p><h4>Regulations vs. Best Practices</h4><p>To overcome the challenge of crafting Illinois' medical cannabis regulations in 2014 without national guidance, Morgan created a listserv of state cannabis program directors from around the country to share best practices. He also pulled ideas from the rules in place for pharmacies and casinos in the states.</p><p>"We weren't really recreating the wheel, we were taking the best ideas and security measures we could find and incorporating that into the industry as we shaped it," Morgan explains. "Part of this is driven by the problem of the federal government's prohibition, which requires each state to do this in a haphazard way."</p><p>Some states—including Illinois—may have "gone overboard" with regulating the nascent industry due to a lack of national best practices, Morgan notes. For instance, Illinois is the only state that requires patients to be fingerprinted to get a medical cannabis card. </p><p>"That was a political consideration—it had nothing to do with policy or security, it was politics, unfortunately," Morgan says. "Almost every state has some variation of that."</p><p>Sutton agrees, noting that he has had to comply with head-scratching security requirements in both Illinois and other states. Illinois' Department of Agriculture oversees regulation at cultivation centers, while distribution centers answer to the IDFPR. The two departments wrote the regulations for their respective facilities, meaning that an organization trying to open both cultivation and distribution centers may need to abide by two separate sets of rules. And sometimes those rules don't align with overarching best practices in the security industry, Sutton says.</p><p>"For cultivation centers I record on motion, at five frames per second, even though the rules require three frames per second on an alarm—that's it," Sutton says. The video surveillance rules for dispensaries were initially vague, and Sutton says most security directors defaulted to using security industry best practices and designed their systems to record on motion. However, IDFPR later clarified that dispensaries would require constant recording, not motion-based.</p><p> "Now you jump up about three or four times the storage and processing power, just to satisfy that," Sutton says. "And then they went and arbitrarily pulled this number out of their back pocket that we would need to record at seven frames per second—I have no idea where that came from."</p><p>Sutton has run into similar challenges in several states. </p><p>"There are a lot of things written that don't make sense with why they were done—it depends on who contributed to writing the law," Sutton says. "They all think they are very secure and are writing the best plans, but there are some really big variants out there. Some do not have many requirements at all and leave them written pretty vaguely and open for interpretation, which has its own pitfalls, and a lot of others are so extremely specific, and I don't know where they get this stuff. They've got a lot of old technology and use terminology that's really outdated."</p><p>Morgan says this type of experience is not unusual. "With cannabis, it's still such a new industry and so heavily influenced by politics that we result in these kinds of sometimes unnecessary regulations," he notes. "The political pressures and ideology drives ridiculous regulation and laws that are based on fear as opposed to pragmatic security measures."</p><p>Regulation enforcement is a regular part of the cannabis industry, even after an organization is approved for a license. In Illinois, the state police enforce the state's regulations, while one of the two designated departments makes sure each facility is adhering to its permit specifications. Sutton says that while the inspections help prevent people from skirting regulations, they can also focus on the wrong problems. </p><p>"The Illinois Department of Agriculture comes every week and audits us against our security plan that we submitted," Sutton says. "All they care about is what we said we'd do in our application. If I said in my plan that all my cameras are going to be three megapixels and that I will have 200 days of archives, they'll come inspect those things every week. The Illinois State Police come in and audit to the actual law. They're going to make sure you have a video system that meets whatever the law says. They don't care how you're using it or that you're being effective and proactive."</p><h4>Above and Beyond</h4><p>These challenges were apparent to a group of people who last year started the National Association of Cannabis Businesses (NACB), the first and only self-regulatory organization in the cannabis industry. NACB President Andrew Kline, a former federal prosecutor and White House advisor, says that the organization establishes industry best practices that help cannabis businesses transcend varying state regulations and hold themselves to a higher standard.</p><p>"Professional organizations like banks and insurance companies had no idea who to do business with," Kline says. "The idea was to start a self-regulatory organization where we would vet our members and then develop national standards and use those standards as rules for our member companies. We want to demonstrate that these companies meant business, that they were trying to go above and beyond what they were required to do at the state level in terms of compliance requirements, and signal to professional entities that these businesses can be trusted, because it's a new industry and there are some actors who aren't as trustworthy."</p><p>NACB is also setting its sights to a future where the cannabis industry would be federally recognized, and a set of national guidelines would be needed. Kline says that when the organization started, it positioned itself to create best practices in line with the Obama Administration's priorities, but with the rescission of the Cole memo—which culled enforcement of the federal marijuana prohibition—and the Trump Administration, there is less clarity of national priorities.</p><p>In fact—despite the vague or overregulation issues Sutton and Morgan experienced—Attorney General Jeff Sessions suggests that many of the individual states' regulations that are on the books today are not sufficient to protect the public interest, Kline notes.</p><p>"The national standards that we're looking to build are in alignment with federal priorities for public health and safety, and as we develop them with our members, in many cases we will be more rigorous than state law to show just how serious these members' businesses are in demonstrating they are good actors," Kline says. "We're baking into our standards what we believe the federal government should care about, but there isn't as much clarity today as there was a few months ago."</p><p>The current environment of regulatory uncertainty—both at the state and federal levels—can be a hindrance to cannabis organizations, and the NACB's approach is especially useful for organizations that operate in several states with disparate regulations.</p><p>For instance, Nevada's regulations do not permit fruit imagery on cannabis product packaging, while Colorado—which has more liberal regulations than Nevada—does allow fruit imagery, Klein explains. In such a case, NACB would create a standard that would be more akin to Nevada's rules than Colorado's.</p><p>Well-researched best practices are especially important when it comes to security, since dispensaries have products and financial assets that are lucrative to criminals (see Security Management's May 2018 News and Trends department for more on how banks and cannabis businesses interact).</p><p>"Security becomes even more complicated when you're dealing with people who are taking in large amounts of cash and don't necessarily have a good place to put it," Kline says. "It's costly, particularly for companies who are operating in more than one state."</p><p>Sutton agrees that overarching guidance is needed in the cannabis industry, especially when it comes to the nuanced role of security. Those who want to start a cannabis-based organization may not know what to look for in a security director, Sutton notes, and operational security personnel may be reluctant to work for an industry that remains taboo. The cannabis industry needs experienced operational security practitioners to continue paving the way, and Sutton says he would like to see more security directors become board-certified through ASIS or similar organizations.  </p><p>"I refuse to be siloed and just be the guy who is worried about video and access control," Sutton says. "I worry about it and I love it; however, there are so many other things you have to make sure you're following that do involve security. It touches everything. Security has to be at the table in deciding how you're going to operate, it's more than just your physical systems."</p><p>Morgan says he has seen a shift in the role security and law enforcement are playing in the cannabis industry. Initially, he says the Illinois State Police and local law enforcement were opposed to medical cannabis programs, but today his successor who runs the program at the state level is a former sheriff who changed his way of thinking. "He has seen the way the program works and can articulate how it's safe," Morgan notes.</p><p>"Everyone who knew me beforehand was shocked to hear that I was writing security plans for the medical cannabis industry," Sutton says. "I was the no-fun guy who was very much anti-drug and, for the most part, toed the line when it came to abiding the law. I rationalized it as making sure these companies were tight when it came to security and felt that as it was not illegal, I had no problem with it.... The turning point for me was the passion of the people in the industry and the fact that I wasn't dealing with hippies growing pot in their basement or garage. I was working with people who genuinely believed in their cause and truly considered cannabis as medicinal."  </p><p>Morgan continues to help governments and businesses create medical cannabis programs and says he hopes Illinois—which renewed its medical cannabis program through 2020—will revisit some of its more stringent regulations.</p><p>"It would absolutely be fair to say that Illinois has more than enough data points to show that our regulations can be scaled back in some areas where they were overly politicized," Morgan says. "Regulations such as fingerprinting patients and the extent of security measures each facility has to have in terms of the number of cameras and other requirements. This was an experiment to see how it was working and what wasn't working well, and to improve it. And that's what's happening throughout the country."  </p>
https://sm.asisonline.org/Pages/The-Returned.aspxThe ReturnedGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The fall of Raqqa, ISIS's last and most symbolic stronghold, to Syria last fall granted a moment of relief worldwide and to the forces that had spent years doggedly eradicating the extremist group from the region. ISIS's so-called caliphate—a physical manifestation of its jihadist tenets—had finally been vanquished, and many thousands of its fighters had been killed or captured. Those who were left retreated to pockets of Syria.</p><p>But along with the tactical victory came the threat that national security experts had been warning of for years: the return of foreign fighters—and their extremist beliefs and training—to their countries of origin. Some 38,000 foreigners from 120 countries traveled to Iraq and Syria during ISIS's reign to aid the group in achieving its goal of building a caliphate. An estimated 7,000 of those foreign terrorist fighters (FTFs) died on the battlefield, and almost 15,000 left the conflict zones. Of those who left, about a third have been imprisoned and almost half—more than 6,800 people—have returned home without entering the criminal justice system.</p><p>"The fate and location of a sizeable proportion of FTFs appears to be uncertain," notes a March United Nations (UN) report on returning fighters. "Identifying and locating these remaining FTFs remains a critical priority for the international community."</p><p>Another challenge is determining whether returnees are defectors from ISIS, are merely supporters who have nowhere to go, or were sent home to continue their work. </p><p>While foreign fighters have not returned to their countries of origin in large numbers, as expected, they continue to trickle in—travelers turning up at an embassy in Turkey claiming they have lost their passport and wishing to return home, or a young family with expertly forged documents that allowed them back into a country that might otherwise turn them away.</p><p>Countries must figure out how to address such situations, and the approaches taken vary considerably. The process so far has been strewn with pitfalls, from an inability to prosecute foreign fighters over a lack of evidence to differentiating between ISIS defectors and jihadists to reintegrating children that were brought to the war zone or were born there. Several wide-ranging studies are looking at the makeup of the foreign fighters and the challenges countries may face in accepting them back into their borders.</p><p>While there have been many waves of foreign fighters for different causes over the years, the current group of ISIS foreign fighters is larger, more global, and more diverse in terms of age, gender, and experience in conflict zones, according to the UN report. They are also "the most operationally experienced, lethally skilled, and highly networked group of FTFs to date," the report notes.</p><p>The actual threat of these returning fighters has not yet been realized, but the UN report notes that foreign fighters have been involved in European terrorist attacks from 2014 to 2017.</p><p>"Although only 18 percent of attackers were known FTFs, the attacks they carried out were among the most lethal," the report states. "Most foreign fighters do not prove a threat on return, but those who do are highly dangerous and have been involved in a substantial proportion of the domestic plots in the West."</p><p>Another report written by the nonprofit research organization Soufan Center acknowledges that there is a range of returnees, from those who were only briefly with ISIS and came home after realizing it was not what they expected to those who were dispatched to return home and continue their efforts. </p><p>"These trained terrorists are not so much returnees as fighters dispatched to operate outside the caliphate," the report states. Due to the difference in threats these two groups cause, they should be dealt with differently.</p><p>Defectors should undergo close psychological and police assessment. "Terrorism is as much emotional as ideological, and even those who returned disillusioned or revolted by what they saw, or simply mentally or physically exhausted, may over time look back on the caliphate more positively and blame outsiders for its failures," the Soufan Center report says.</p><p>A study of returned fighters by psychologists for the Homeland Security Affairs Journal encourages countries to look carefully into the motivations and vulnerabilities of those who traveled to join ISIS. </p><p>"It will be incumbent on Western states to find adequate ways of determining who among returnees is a security risk at present, who may become one in the future, specifically by returning their allegiance to this violent group, and who can be safely reintegrated into society for the long term," the journal article states. </p><p>Resorting to imprisoning the worst offenders—if not all returning fighters—may seem like the best option, but it could make matters worse. Prisons are known to encourage and spread jihadist ideals. But, if managed well, prison can be a place for rehabilitation—which is especially important because those charged with terrorist offenses in the European Union spend an average of five years behind bars. </p><p>"Prison, or the threat of it, also appears to be a major stressor driving some back into the arms of ISIS," the journal article explains. "There is a tension in all societies between repressive measures against those involved in terrorism and rehabilitative measures that may put society at increased risk."</p><p>"Prison authorities are divided on the merits of segregating prisoners convicted of terrorism from the general prison population as the risk that an extremist prisoner will exert malign influence on his fellows, rather than become deradicalized through their influence, depends on too many variables to be easily calculated," the Soufan Center report finds. "At the same time, if extremists are grouped together, their views are likely to harden and they will form close bonds."</p><p>In its report, the UN reminds countries that a hardline response to returning foreign fighters may not be the most effective—especially since former jihadis will continue to return to their countries of origin for years to come.</p><p>"Returning and relocating FTFs are likely to remain a significant long-term challenge, requiring Member States to balance repressive and 'soft' responses," the UN report notes. "Many states have struggled to secure criminal convictions for FTFs, while imprisonment may delay, but not necessarily reduce, the threat they pose."</p><p>Britain. Home to notorious foreign fighters including teenage runaways and Jihadi John—a now-deceased member of the murderous quartet dubbed the ISIS Beatles—Britain is dealing with the aftermath of some 850 citizens who traveled to join ISIS. The capture of two members of the ISIS Beatles, who were responsible for the beheading of 27 foreigners, illustrates the challenges the country faces in prosecuting its citizens for involvement in ISIS. </p><p>The two Brits were captured by the United States-backed Syrian Democratic Forces (SDF) in January and remain held in Syria, where they have been continuously interrogated by U.S. forces under an agreement with the SDF. The United Kingdom stripped the men of their citizenship—an increasingly common practice in Britain—leaving them in legal limbo. </p><p>This is not an isolated scenario—the United States is urging countries to take responsibility for the hundreds of foreign fighters held by the SDF, but most do not want to repatriate citizens-turned-jihadi fighters.</p><p>Nobody has made moves to bring a case against the two men due to a lack of evidence needed to convict them of war crimes. The British jihadis mocked the situation in a recent interview with CNN, noting that accusations of their involvement in dozens of murders for ISIS were merely allegations. "I am not a democratic person, but I am being subjected to democratic law," one of the men said in the interview. "So it is only right for those who claim to uphold this to fully uphold it."</p><p>Canada. With about 180 Canadian foreign fighters in Syria and Iraq—including 60 that have already returned—Canada has implemented programs aimed at monitoring and deradicalization. Prime Minister Justin Trudeau has stated that returning fighters will be prosecuted where evidence exists, but rehabilitation should take priority so they do not pose a longer-term threat to the public.</p><p>The Canada Centre for Community Engagement and Prevention of Violence is tasked with countering radicalization and violence at an individual level, but focuses on research and does not directly interact with radicalized people. Quebec's Centre for the Prevention of Radicalization Leading to Violence has conducted 199 interventions of jihadist radicals—however, it has not yet worked with returnees.</p><p>France. France had one of the larger contingents of foreign fighters, with more than 1,000 citizens journeying to Iraq and Syria to join ISIS. An estimated 300 were killed and about 250 have returned to France, where they have either been imprisoned or placed on house arrest. France has determined that any ISIS fighters captured by the SDF will not be repatriated and should face justice in Syria. </p><p>France's criminal division recently released a report on jihadi women based on the court hearings of returning French women. Although jihadist ideology states that women cannot fight, some testified that they were given operational roles in ISIS that included recruiting, policing, and enforcing punishment. </p><p>"Although several French women were forced into joining the Islamic State by their husbands, most of the female recruits interviewed on their return to France expressed an attachment to the jihadist project," French newspaper Le Monde reports the memo as saying. The discovery has caused France to rethink its approach to returning female fighters, changing its policy to automatically arrest female returnees and monitor them more closely. Of the 72 women who have returned to France, 26 have been indicted, 15 have been arrested awaiting trial, and six have been tried.</p><p>Reintegration efforts in France are faltering, and the country's first center for deradicalization of young people closed due to a lack of use.</p><p>United States. With less than 100 citizens successfully traveling to Iraq and Syria to join ISIS, the United States is dealing with the return of 12 foreign fighters—nine of which have been arrested and charged with terrorism-related offenses, and three that have not yet faced criminal charges. Unlike many countries, the U.S. had an existing law against jihadist travel before the flood of foreign fighters journeyed to join ISIS. Under that law it has charged some 153 citizens who attempted to join ISIS or plotted ISIS-inspired schemes. </p><p>And a report by George Washington University's Program on Extremism notes that due to the difficulties of gathering evidence of a traveler's activities in Syria or Iraq that is admissible in a court of law, prosecutors often have to charge the returned fighters with lesser offenses.</p><p>"While the average prison sentence for individuals who attempted (but failed) to travel to Syria and Iraq is approximately 14 years, the seven successful travelers that have been convicted from 2011 to 2017 received an average sentence of 10 years in prison," the report states.</p><p>While deradicalization and reintegration resources have been reduced under U.S. President Donald Trump, the report notes that such programs will be necessary once the returned jihadists are released from prison. There are currently no deradicalization or rehabilitation programs for jihadist inmates in the U.S. federal prison system.</p><p>"Without these programs, incarcerated travelers have few incentives to renege on their beliefs and may attempt to build networks in prison or radicalize other prisoners," the report states. ​</p>
https://sm.asisonline.org/Pages/Catastrophe-on-Delivery.aspxCatastrophe on DeliveryGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The city of Austin, the warm and colorful Texas capital—known for its Tex-Mex cuisine, live music, and popular grassroots slogan "Keep Austin Weird"—was set completely on edge in March 2018 by an unusual and most unwelcome threat: a package bomber.</p><p>From March 2 through March 20, Mark Anthony Conditt perpetrated five bomb attacks before blowing himself up. In each of his first three attacks, Conditt dropped off a conventional-looking delivery package at three different residences in the city. All three packages contained pipe bombs that exploded when opened. The first two recipients were killed; the third was badly injured. These three doorstep bombs were followed by a tripwire bomb Conditt left on the side of a road. It injured two nearby pedestrians when it detonated.<img src="/ASIS%20SM%20Callout%20Images/0718%20NT%20Chart.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:225px;" /></p><p>But on March 20, the bomber changed his modus operandi (M.O.). He sent his next package through the Federal Express (FedEx) delivery system; it exploded on a conveyor belt at a FedEx facility in Schertz, Texas, a town outside of San Antonio. One employee was injured. About six hours after the Schertz explosion, Austin police received a call about another suspicious package at a FedEx facility in southeast Austin, not far from the airport. That package was disrupted by law enforcement, and no injuries were reported. A day later the b​omber blew himself up inside his vehicle after he was pulled over by police, injuring one law enforcement officer in the process. </p><p>That switch in M.O. from dropping off bombs at houses and roads to shipping them is somewhat unusual for a bomber, says Fred Burton, an Austin-based chief security officer for Stratfor who followed the events closely.  </p><p>"The change seemed predicated on adjustments he made due to the news media coverage surrounding the events that were taking place. There was tremendous local and national news coverage, press conferences, and everything," Burton explains.</p><p>Had the bomber stuck to his original approach of doorstep bombing, he likely would have been able to wreak havoc for even longer than he did, Burton says. Instead, when he started using FedEx, his bombs entered an efficient, tightly tracked supply chain that leaves a lot of digital bread crumbs. "That was a big plus for the investigation," Burton explains. </p><p>The unsettling events in Austin also put a spotlight on the issue of postal and shipping security. Burton, who was a counterterrorism agent for the U.S. Department of State from 1985 to 1999, remembers the Pan Am Flight 103 bombing in 1988, where a suitcase bomb placed in the luggage cargo area of the plane exploded over Lockerbie, Scotland.</p><p>Since that incident, package security has improved by leaps and bounds, with vast improvements in screening device technology and explosive detection instruments, Burton explains. In the United States, the anthrax attacks of 2001 spurred many advances in postal security: "You have had so many drastic changes since the anthrax scare," Burton says. </p><p>Indeed, the anthrax episode did lead U.S. officials to beef up postal security. The U.S. Postal Inspection Service (USPIS), the security arm of the U.S. Postal Service (USPS), enhanced its Dangerous Mail Investigation program to deal with the threat. And since then, authorities have established the National Postal Model for the Delivery of Medical Countermeasures, a contingency program under which medical countermeasures can be delivered in case of a catastrophic event such as an anthrax attack. </p><p>Currently, packages sent through the U.S. mail face several layers of security, according to Pamela Cichon, CPP, a program manager and postal inspector with the Security and Crime Prevention Group at USPIS. "Postal employees are trained to identify suspicious parcels and are provided standard operating procedures to follow when they encounter a suspicious parcel," says Cichon. "Specially trained postal inspectors recognize the common characteristics of suspicious mail."</p><p>In addition, retail clerks ask customers questions about the contents of an item being mailed, Cichon explains. But beyond those generalities, the USPIS does not discuss specific operating procedures regarding suspicious packages. "We do not comment publicly on our security measures, in order to prevent attempts to compromise or minimize their effectiveness," she says.</p><p>Since the USPS is typically the final delivery point for UPS and FedEx packages, the agency has collaborative relationships with both services. "We collaborate on best practices and also work joint investigations," she explains. </p><p>Collaboration also occurs between U.S. federal postal authorities and law enforcement agencies, in cases of potential security breaches or fraud. For example, in March 2017, the FBI announced that it was conducting a joint investigation with the USPIS regarding packages that contained potential destructive devices which were sent to U.S. military sites.</p><p>Such collaborations are "not an uncommon event," Cichon says: "The Inspection Service conducts joint investigations with all federal and state law enforcement partners frequently. When the mail system or USPS employees are at risk or being used to further criminal activity, the Inspection Service responds and investigates."</p><p>But officials, postal workers, and law enforcement officers are not the only ones responsible for postal and package security, Burton says. Demand for services like Amazon have spiked, and this has led to a sharp increase in "the sheer volume of packages on any given day around the whole world, and the United States," he explains. "What the Austin bombing did is remind all of us in this business the importance of mail and package handling." </p><p>For the services that work with packages, having a well-trained workforce with sharp observational skills is critical. But consumers must also play their part. "If you come home from work and there's an unexpected package, be careful. Don't touch it unless you are expecting something," Burton advises. </p><p>It's best not to move the package, he adds. And the consumer should try to do a little due diligence through observation, and consider: Who is it specifically addressed to? Is the sender's name blank? What is on the return address?  </p><p>These tips may seem simple, but they can be a challenge to follow, because they work against a common human impulse: the enticing feeling of possibility, or delight, embodied by an anonymous package, which may contain an unexpected gift or something equally wonderful. "You want to see what's hidden behind Door Number Three," Burton says. "But you may not want to know."  </p><p>Another challenge is the diminishing situational awareness of contemporary life. "Most people are multitasking all the time, and they are not very aware of their surroundings," Burton says. So, they may be checking email messages on their smartphone while they absentmindedly pick up a package with one hand and drag it into the house.</p><p>"I think it boils down to common sense and situational awareness," Burton says. "Is that package addressed to you? If not, why are you opening it? There has to be a little common sense to security at times." </p><p>In that respect, the bombing episode held some valuable security lessons. But "the one fearful part," Burton explains, is that it could serve as an unwitting demonstration to a militant group like the Islamic State (ISIS) on how to create chaos: "I worry about the copycat terrorism ramifications." </p><p>And this concern stems in part from the fact that the Austin-based Burton felt firsthand the waves of fear that swept through the streets as the bomber remained at large for days on end. "Oh my gosh," he says, "it quasi-paralyzed the city." ​</p>
https://sm.asisonline.org/Pages/Brac-to-the-Future.aspxBrac to the FutureGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Since the end of the Cold War, the U.S. Department of Defense (DoD) has been attempting to realign and increase the efficiency of military agencies with its ongoing Base Realignment and Closure (BRAC) process. Hundreds of military installations have been closed in five separate BRAC rounds, which began in 1988.</p><p>The most recent realignment round, BRAC 2005, was a massive undertaking, the costliest and most complicated to date. In contrast to previous rounds, which focused on reducing infrastructure, the goals for BRAC 2005 included an ambitious transformation of military operations. More than a dozen major installations were scheduled for closure, including the Navy Supply Corps School, Fort Gillem, and Fort McPherson, all in the U.S. state of Georgia. </p><p>Although there has not been another round since 2005 (largely due to funding issues), the BRAC process will continue, officials say. And so, the U.S. Government Accountability Office (GAO) was asked by Congress to review DoD's performance during BRAC 2005, so that DoD could improve future BRAC rounds. </p><p>The report, Military Bases: DOD Should Address Challenges with Communication and Mission Changes to Improve Future Base Realignment and Closure Rounds, examines to what extent the DoD has measured the achievement of its BRAC 2005 goals, and whether DoD is in a good position to measure the goal achievement of any future BRAC rounds. It also examines whether DoD has yet implemented previous GAO recommendations on the BRAC process, which were aimed at addressing potential challenges to improving performance of future BRAC rounds.</p><p>The report's findings were somewhat disquieting. In general, DoD did not measure the achievement level of the BRAC 2005 goals of reducing excess military infrastructure, transforming operations, and promoting joint activities among the different departments.</p><p>"Air Force officials stated that they did not measure the achievement of goals but that it would have been helpful to have metrics to measure success, especially because DoD had requested from Congress another BRAC round," the report found. </p><p>U.S. Army, Navy, and Marine Corps officials also said that they did not track performance measures or otherwise measure BRAC 2005 goal achievement. </p><p>In response, DoD officials argued that the agency should not be required to measure the achievement of its BRAC goals, and so there are no current plans to do so. And officials from the Army, Navy, and Air Force all stated that, although they did not measure goal achievement, they did measure the savings produced as a result of BRAC 2005 moves. </p><p>Still, the GAO argued that measuring savings is not enough. "Measuring savings did not allow DoD to know whether it achieved the goal of reducing excess infrastructure," the report states. </p><p>The report makes a plea to Congress: require metrics to increase the chances of future BRAC success. "If Congress would like to increase its oversight for any future BRAC round, requiring DoD to identify appropriate measures of effectiveness and track achievement of its goals would provide it with improved visibility over the expected outcomes," the report says.</p>

 UPCOMING EVENTS AND EDUCATION

​2 - 5 July 2018
ASIS / IE Business School​​ (Madrid)

9 - 10 July 2018
Executive Protection​ (Chicago)​

11 July 2018
Critical Systems Protection (Webinar)

26 - 27 July 2018
ASIS International African Security Conference​ (Lagos)

​More Events>>​​​
​​​​