More Headlines Thanks: National Security Officer Appreciation Week Kicks Off GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​September 17 to 24 marks the third annual National Security Officer Appreciation Week, an opportunity to say thanks to security officers working across the United States.</p><p>“We must all recognize and be grateful for the continual contributions of security professionals, who not only are often the first line of defense against natural disasters, civil unrest, violence, and terrorist attacks, but who can also provide a friendly face and welcoming gesture in a time of need,” wrote AlliedUniversal CEO Steve Jones in a blog post. <br></p><p>There are approximately 1.1 million security officers employed in the United States with a projected employment growth of 5 percent from 2014 to 2024, according to a U.S. Bureau of Labor Statistics analysis from May 2016. <br></p><p>“Our community protectors and guardians are sometimes put in high-risk situations as they confront and detain criminals engaged in theft, trespassing, gang activity, and other criminal activity,” Jones explained. “They also save countless lives by administering CPR…they offer peace of mind by finding your lost car key or ID that fell out of your pocket, or by simply delivering a ‘have a nice day,’ as you leave the office.”<br></p><p>To show its appreciation for the work these individuals do, AlliedUniversal created National Security Officer Appreciation Week in 2015 to encourage others to “say thank you” and recognize security officers’ contributions to maintaining safe and secure workplaces, schools, and communities.<br></p><p>“Security officers are hard-working, highly trained men and women who are our country’s first responders,” AlliedUniversal said in a press release. “These individuals deter crime, lead evacuations, provide information, work closely with local law enforcement, and are constantly vigilant in their efforts to keep us safe.”<br></p><p>To participate and show your appreciation for security officers this week, thank an officer in person and also on social media by using the hashtag #ThankYouSecurity.​<br></p> Hiding Body Art During Interviews, Then Revealing It on the Job, Deceptive?GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>Security Management </em>has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies​. This article by Michele Poacell​i​ discusse​s how organizations should approach communicating body modification expectations with potential employees.<br></p><p>--</p><p>​What should a company do if, after s​he is hired, an employee alters her physical presentation in such a way that the employer worries clients or customers might find it offensive? Is it misleading for an applicant to hide tattoos or piercings during a job interview, then reveal them on the job? What recourse does an employer have?</p><p>Body art is ubiquitous. According to a February 2016 survey from The Harris Poll, tattoos are especially prevalent among younger Americans, with nearly one-half of Millennials (47 percent) and over one-third of Generation X respondents (36 percent) saying they have at least one. People across diverse industries and regions boast colorful ink and nontraditional skin piercings.</p><p>As the popularity of tattoos and piercings has risen, has stigma in the workplace subsided?</p><p>That depends on the culture, image and values of the company.</p><p>For instance, Chase Bank's dress code states that "Appropriate dress and appearance increase the perception that Chase employees are professional, knowledgeable and capable of serving customer needs and maintaining responsible relationships." With the exception of having them for religious and certain health reasons, visible tattoos and piercings other than in the earlobes are not permitted.</p><p>When a corporate culture is built around its workers, however, there is more room for personal expression. In 2014, responding to demand from its young workforce, Starbucks began allowing employees to display their tattoos. Tattoos on the face and throat are still prohibited. Micha Solomon, a contributor to, suggested that the change had benefits for all parties. "Letting employees revel in their own style is a way to project how genuine you are as a brand to employees and to the customers they support," Solomon wrote.</p><h4> SHRM Members Debate Body Art</h4><p>In a recent discussion on the Society for Human Resource Management (SHRM) discussion forum—SHRM Connect—it became clear that HR professionals have different opinions on the subject.</p><p>One SHRM member wrote that the trend in body art will continue to influence corporate dress and appearance policies: "Many of our employees, including higher-ups (and myself) have tattoos and piercings," this member wrote. "Especially as you look to hire Millennials and the next generations, I think these policies [banning the display of body art] are going to quickly become outdated. We certainly removed them from our handbook."</p><p>Another HR professional wrote that "we also have customer-facing roles and do not allow visible tattoos, facial piercings or ear gauges. We are clear on this upfront, even if the person being interviewed does not show any. [A] manager needs to address this. And going forward, let your candidates know your expectations upfront."</p><p>Given that range of attitudes about tattoos and piercings in the workplace, job applicants may be uncertain about a company's position. Because many worry that their skills and abilities will be overlooked if body art is showing, they cover it up during the hiring process, some SHRM Connect commenters wrote.</p><p>Job search coach Ashley Robinson at, an online job search engine based in Richmond, Va., recommends this. "Cover your tattoos as much as possible," she advises. "Wear clothing that will hide them or even use tattoo cover-up so they won't be visible. ... You want the interviewer to be focused on you and your qualifications, not your ink."</p><p>Once the job is secured, should the body art stay hidden?</p><h4>To Reveal … Or Not?​</h4><p>In the SHRM Connect discussion, one HR professional noted that a newly hired desk greeter at a medical office covered her tattoos and removed her piercings during job interviews, then displayed them once she started working there. The SHRM member who manages the office felt duped. "She hid the fact that she had tattoos up both arms and that she wears a very large tongue ring and nose ring," this member wrote. "[The tattoos and piercings] were not made [apparent] to us in any of the interviews we had with her."</p><p>Patients complained about the woman's appearance, the member wrote, but HR was worried about the ramifications of asking the woman to cover her tattoos and remove her piercings while at work.</p><p>Body modification can be considered an artistic, and in some cases religious, form of expression. Title VII of the Civil Rights Act of 1964 states that employers with 15 or more employees "must reasonably accommodate employees' sincerely held religious practices unless doing so would impose an undue hardship on the employer." Many states offer similar anti-discriminatory protections to employees working for businesses with fewer than 15 employees.</p><p>Brian Elzweig, assistant professor of business law at Texas A&M University-Corpus Christi, and Donna K. Peeples, the university's retired associate professor of management, cautioned in an e-mail that "Employers should take special care to familiarize themselves with Title VII cases, take claims of religious and other forms of discrimination seriously, know the implications of their dress code, and make employees understand the repercussions of violating the dress code."</p><p>Another HR professional participating in the SHRM Connect discussion urged proactive communication: "We need to share the policies in order for candidates and employees to know the policies. … Considering the popularity of tattoos [and other body art], it would be wise to address this with candidates during the interview process, across the board, and especially with [those occupying] a visible role."</p><p>Some companies communicate dress and appearance policies as early as the job posting. "When you have very specific job requirements or expectations, weed out non-compliance before anyone's time is wasted," one person in the SHRM Connect discussion suggested.</p><p>Tracy Perez, a benefits manager in Denver, told SHRM Online that it's best for an employer to communicate clear expectations for dress and appearance in a formal, written policy signed by the employee. "This becomes the condition for employment," Perez said. "If you can't adhere to it, you can't work here."</p><p>Perez's 16-year-old son is seeking summer employment in the restaurant industry. His hair is dyed a verdant shade of green. Perez said she thinks her son's unnatural hair color won't hurt his chances for a dishwashing or other kitchen position that's out of customers' view.</p><p>"But if he interviewed with brown hair for a maître d' position and showed up to work with green hair, there would be problems."</p><p><em>Michele Poacelli is a freelance writer based in Mercersburg, Pa. © 2017, SHRM. This article is reprinted from​ <a href=""> </a>with permission from SHRM. All rights reserved. ​​ ​</em></p> is More: A KISS Approach to ESRMGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="">2010 CSO R​​oundtable paper<sup> </sup>on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. </p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. </p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right.  As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. However, taking a KISS approach will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>​Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.​</em></p>,-Compromising-143-Million-Americans’-Data.aspxHackers Hit Equifax, Compromising 143 Million Americans’ DataGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Hackers breached a crown jewel of the U.S. financial institution this summer, potentially compromising 143 million Americans’ personally identifiable information (PII). </p><p><a href="" target="_blank">Consumer credit reporting agency Equifax</a> confirmed in a statement released late Thursday that hackers gained access to its systems and compromised consumer data, including Social Security numbers and driver’s license numbers. <br></p><p>“Criminals exploited a U.S. website application vulnerability to gain access to certain files,”<a href=""> the statement said.</a> “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”<br></p><p>Along with consumers’ names, Social Security numbers, birth dates, and addresses, the hackers also stole 209,000 consumers’ credit card numbers and 128,000 consumers’ dispute documents.<br></p><p>“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” the statement said. “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”<br></p><p>Equifax became aware of the hackers’ intrusion on July 29, acted to stop the intrusion, and hired a cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion. It also reported the intrusion to law enforcement. <br></p><p>“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and CEO Richard F. Smith in a statement. “I apologize to consumers and our business customers for their concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”<br></p><p>To help consumers determine if they have been impacted by the breach, Equifax created a website--<a href="http://www.equifaxsecurity2017/" target="_blank">www.equifaxsecurity2017</a>--to check their status and sign up for credit file monitoring and identity theft protection.<br></p><p>Critics, however, have cautioned consumers about checking their status with Equifax as doing so might waive any rights they have to sue the agency. <br></p><p>This is because in a disclaimer on the dedicated website includes the following statement: “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claim where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”<br></p><p>New York Attorney General Eric Schneiderman tweeted that this language is “unacceptable and unenforceable,” and that his staff has contacted Equifax to demand it be removed. He also announced that he’s launching an investigation into how the breach occurred.<br></p><p>“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” <a href="" target="_blank">Schneiderman said in a statement.</a> “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”<br></p><p>While investigators work to determine the cause of the breach and who was responsible, it’s likely to have widespread ramifications given the number of consumers compromised and the data involved. <br></p><p>In a<a href="" target="_blank"> blog post</a> for cybersecurity firm Digital Shadows, Vice President of Strategy Rick Holland detailed what’s most likely to happen next, including tax return fraud, benefits and medical care fraud, carding, resale of data, and enablement of nation state and hacktivist campaigns.<br></p><p>“There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion,” Holland wrote. “Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.”​<br></p>écnicas-Forenses-Defectuosas.aspxTécnicas Forenses DefectuosasGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​La existencia de evidencias científicamente sólidas es uno de los pillares fundamentales del sistema judicial de los Estados Unidos de América. Pero, recientemente, ciertas investigaciones llevadas a cabo por un comité presidencial de consulta cuestionaron la validez de algunas técnicas para la obtención de evidencias. Ésta es sólo una de las más recientes críticas a las prácticas de las ciencias forenses, que han enfrentado un llamado a la reforma desde algunos rincones.</p><p>La investigación más reciente tiene sus raíces en otro informe, el cual fue emitido en 2009 por el Consejo Nacional de Investigación (en inglés National Research Council), y analiza el estado actual de las ciencias forenses. Ese informe, realizado a la orden del Congreso de los U.S.A, era altamente crítico; entre varias cosas, encontró una carencia de protocolos y estándares sólidos para informar y analizar evidencia.</p><p>En respuesta a este informe, se emprendieron varias iniciativas de parte de diferentes agencias del gobierno de U.S.A. y así nació la Comisión Nacional de Ciencias Forenses (en inglés National Commission on Forensic Science), apuntada a elevar los estándares forenses. Además, en 2015, la administración de Obama le solicitó al Consejo Presidencial de Asesores en Ciencia y Tecnología (en inglés PCAST) que investigue pasos científicos adicionales que podrían ayudar a garantizar la validez de evidencias forenses utilizadas en asuntos judiciales.</p><p>El consejo de científicos e ingenieros designado por el presidente produjo, como se le solicitó, un informe llamado en español Ciencias Forenses en Cortes Penales: Asegurando la Validez Científica de los Métodos de Comparación de Características, el cual fue publicado hace varios meses.</p><p>El informe encontró dos lagunas de conocimiento existentes. El primer vacío fue la necesidad de mayor claridad respecto a los estándares científicos sosteniendo los métodos forenses válidos. El segundo vacío fue la necesidad de que ciertos métodos forenses específicos sean evaluados para demostrar su validez de una mejor manera.</p><p>Para ayudar a acortar estas brechas, el informe examinó siete métodos forenses de comparación de características, que son los usados para determinar si una muestra de evidencia está asociada con una potencial muestra tomada directamente de la fuente, como puede ser un sospechoso.</p><p>Los métodos evaluados fueron: análisis de ADN en muestras de una única fuente y de fuentes con mezclas simples; análisis de ADN en muestras con mezclas complejas; huellas de mordeduras; huellas dactilares latentes; identificación de armas de fuego; análisis de huellas de calzado; y análisis capilar.</p><p>Basado en su análisis, el PCAST recomendó que los jueces no deberían admitir en la corte cuatro de los métodos: huellas de mordeduras, identificación de armas de fuego, análisis de huellas de calzado, y análisis capilar.</p><p>El PCAST también sugirió que los jueces deben ser cautelosos al admitir evidencias basadas en ADN en muestras con mezclas complejas, y recomendó que los jurados sean advertidos sobre el alto índice de errores en el análisis de huellas dactilares.</p><p>Varios meses luego de la publicación del informe del PCAST, otro desarrollo significante tomó lugar: el Departamento de Justicia anunció que desmantelaría la Comisión Nacional de Ciencias Forenses. Algunos expertos ahora declaran que la ausencia de investigación y asesoramiento de parte de la comisión podría hacer que, en el futuro, la tarea de desafiar evidencias científicamente cuestionables en un juzgado sea aún más difícil.</p><p>“Incluso si los abogados defensores hacen lo imposible para quejarse sobre (evidencias cuestionables), no tendrán el poder una comisión nacional para apoyarlos”, le contó Erin Murphy, una profesora investigadora en la Escuela de Leyes de la Universidad de Nueva York, a Associated Press en Abril. “El status quo en este momento es admitir toda evidencia que se presente. El status quo es cómo las cosas seguramente permanezcan”.</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management <em>i</em><em>s not responsible for errors in translation. Readers can refer to the original English version here: <a href="/Pages/Flawed-Forensics.aspx">​.​</a></em><br></p> for ProtestsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Riots in Ferguson, Baltimore, and Berkeley. Disruptions at airports coast to coast. Pipeline site blockades and sabotage. Out-of-control town hall meetings and campus speeches.</p><p>These stories have been filling headlines and social media feeds at a seemingly constant pace. Less trumpeted, however, are the protests that fizzled out or were kept calm thanks to smart security planning. What makes the difference between a protest that boils over into violence and major disruption and a protest that is steered, subtly or boldly, toward a peaceful outcome?</p><p>A security director may not be able to determine in advance whether a protest will be peaceful or legal, but it is not his or her task to stop people from protesting. Therefore, when a company is targeted by protesters or is expected to be in their path, the security director should focus on traditional security concerns: protecting the company’s people, property, information, and reputation.  </p><p>In a protest or riot situation, the protective effort takes on special urgency and requires different methods from those employed during normal operations. Protests and riots are unstable, high-tension events that can have outcomes as serious as loss of life, severe personal injuries, major property damage, and complete stoppage of legitimate business activities.  </p><p>Some situations call for a high-visibility security profile designed to discourage protesters from harming the company’s employees and property. In other types of protests, a low-key, low-visibility approach takes the wind out of the protesters’ sails. In all cases, a disciplined, documented approach leads to the best outcomes—both on-site and in court. </p><p>It may be difficult to convince senior management to spend money on planning and preparation if a protest does not seem imminent. However, showing coverage of recent protests that got out of control may clarify the ramifications of being unprepared. Images of burning buildings, looters, broken windows, and injured people on stretchers may provide a reminder of what can happen when inadequate precautions are taken.</p><h4>Assessing Conflict</h4><p>Security is not law enforcement. The goal is not to arrest protesters but to prevent problems. To address an upcoming protest or riot, it is essential to assess the threat based on intelligence collection. After gaining an understanding of the threat, the security director can choose a protective approach that best fits the situation, applying various concepts designed to calm the event and prevent harm.</p><p>Intelligence gathering. A large company with a well-developed security department may have enough skilled personnel to perform its own intelligence gathering, while a smaller security department may need outside help through a risk assessment firm that specializes in addressing protests and riots. </p><p>Whoever performs the intelligence collection should attempt to learn as much as possible about the adversary, including its prior tactics and level of aggression. Conducting online research, looking at social media, interviewing law enforcement personnel, and speaking with other companies that have faced the group in the past can increase understanding. Viewing videos of past incidents can provide insight into the adversary’s strategies and practices in the hope of countering them. </p><p>In some cases, invisible countersurveillance may be appropriate. For example, before a major international economic summit, the author’s security firm determined that a famous, well-organized activist group wanted to embarrass a company that was headquartered in the city. To protect that company, the author’s company put the facility under covert surveillance before the summit. The goal was to detect odd behavior, such as a car passing by the site multiple times to conduct advance work for protesters, or someone walking past the site and taking pictures or notes, possibly for planning a protest. Surveillance was also designed to covertly determine the best places for protesters to hang banners. The company then took steps to make those locations unavailable. </p><p>Surveillance and countersurveillance are not foolproof. Dedicated protesters are aware of surveillance techniques and have published guides for detecting and eluding them. </p><p><strong>Planning.</strong> Intelligence collection should lead to some understanding of the adversary, which in turn should suggest an overall approach to protecting the site. However, finesse is required. In some cases, a high-visibility, high-security, high-deterrence approach is appropriate. If the protesters are known to be violent or the site is especially vulnerable, a strong approach may be called for. In many corporate settings, by contrast, a lower-profile, less-provocative approach is appropriate as a way to set expectations for peaceful behavior without doing anything to inflame the protesters. </p><p>Potential conflicts may be quelled through unpredictability. The company should generally not broadcast its security plans but should aim to keep protesters guessing. That way, they will not know what types of security measures to combat. For example, if there is a risk of insider collusion with the protest, the company can send workers home early, without any advance notice, to reduce opportunities for sabotage.  </p><p>Calm can also be preserved through disciplined behavior by security staff during the protest. They should not engage in arguments with protesters or return any abusive language. Protesters like to goad security officers into inappropriate responses. </p><p>Officers should control any urge to confront the protesters and instead calmly use deflection and redirection, with phrases like, “I hear and understand what you are saying, but...” Insulting protesters emboldens and empowers them, whereas keeping cool strengthens an officer’s control over the situation and increases safety.</p><p> Make the company a less attractive target by removing loose items that could be used as projectiles from the property and locking trash receptacles to decrease locations where protesters could plant bombs or set fires. Moving company trucks inside the security perimeter prevents vandalism against those vehicles, and locking up propane and oil tanks on-site keeps protesters from igniting those items.​</p><h4>Taking Action</h4><p>If the intelligence-based risk assessment suggests a significant risk, security directors should assess the site’s physical security strengths and vulnerabilities and develop a well-rounded security plan—long before a security response is required. A detailed plan is needed regardless of whether the company itself or an outside security firm will be providing security during the incident. </p><p><strong>Site assessment. </strong>Taking stock of a site’s strengths and vulnerabilities makes it possible to identify gaps that may need to be filled before the incident. Site strengths might include a high or isolated position, perimeter barriers, building access control, security video cameras and intrusion alarms, fire protection, emergency plans, and a security officer force. Vulnerabilities might include a low position, a lack of setback from the street, multiple routes in and out, and a location that is close to a riot’s point of origin.</p><p>Having completed the assessment, the company will have a better idea of what additional security measures are necessary to protect the site during the incident. For example, it might opt to strengthen key controls, establish an outer perimeter with a temporary chain link fence, increase protection of hazardous material areas, reposition security cameras, and trim foliage that could provide hiding places or help intruders scale fences.</p><p>The security director will likely need to work with senior management to make important policy decisions that will shape security operations during the incident. Issues to address include whether the business will continue to operate during the incident and whether security efforts will be high or low visibility. Management should also consider how to protect the company from the effects of the protest, including documenting illegal behavior by protesters, meeting legal obligations, protecting the corporate reputation, speaking with the media, and designating someone to address unexpected issues that arise during the protest or riot. </p><p><strong>Put it in writing.</strong> Protests and riots can create chaotic conditions, and a variety of support documents are needed to bolster decision making and protect against legal ramifications. For example, the security effort may require a list of employees and contractors authorized to enter the site during the incident; detailed emergency and contingency plans; written rules on access control during the incident; a list of on-site hazardous material and its location; detailed external and internal maps of the facility for fire and police units; and forms for reporting violence and other crimes that occur during the incident. </p><p>The plan should specify required security staffing levels, fixed and roving security officer posts, task assignments, shift schedules, supervision responsibilities, command center arrangements, and evidence management procedures.</p><p><strong>Education. </strong>The company needs a way to notify employees if an incident is underway or about to begin, as well as whether they should report to work and whom to contact for more information. It is also essential to establish communication channels with local law enforcement so the company will be informed of impending risks. In addition, the company may choose to contact distributors, customers, and vendors regarding whether business will continue during a protest or riot. </p><p>If the company’s usual security officers will be responsible for security during the incident, they will need training on how to act during the disturbance. Nonsecurity employees will also need training on how to conduct themselves and what to do if they show up to work and encounter a demonstration.</p><p><strong>Resources.</strong> A large-scale event will require additional equipment, materials, and services that address temporary needs. These include visible marking of property lines and “No Trespassing/No Parking” signs, and additional lighting and cameras. To prepare for disaster response, procure identification badges for special service providers during the incident, emergency medical supplies, fire and HAZMAT response equipment, and food and sleeping arrangements if security personnel will be required to stay on-site for long periods.</p><p>The plan should require employees to wear identification badges at all times and clarify any changes to work access hours and locations. It should also specify how employees should report security concerns and protester offenses. ​</p><h4>The Spectrum of Situations</h4><p>During a full-scale riot, a high-level, clearly visible deterrent posture to protect life and property is usually most effective. If people are moving through a city in large numbers, burning cars and buildings and looting stores, a low-key approach to security—such as clearly marked property lines and “No Trespassing” signs—will likely fail.</p><p>If a company’s intelligence effort suggests that a riot may follow an upcoming event, such as a controversial court decision or a campus speech, or a recent event such as a shooting by police, the company should use high-profile security measures to set an expectation, namely that rioters should move on and not attack the company’s facility. The author’s firm was tasked with protecting industrial facilities during the 2015 Baltimore riots following the death of Freddie Gray while he was in police custody. The firm’s approach was to deter attacks—not combat them—by prominently deploying security officers and cameras. </p><p>A different technique was required when the author’s firm was tasked with protecting television news crews as they went about the city. Because rioters were all around and the client was a soft target, the author’s company kept a low profile, standing only an arm’s length away from reporters, watching the surroundings carefully, and standing ready to carry out the evacuation plan.</p><p><strong>Disruptions at meetings.</strong> If protesters come to a town hall or annual shareholder meeting, the best approach is to send a positive message that event hosts expect the meeting to proceed in an orderly fashion. One approach is to mount temporary cameras on tripods or walls around the room. Mounting them makes them seem less aggressive than having a person hold each camera and point it at attendees. Large video monitors should be placed around the room, clearly showing participants that they are on camera, and a single local law enforcement officer should be visible on-site. Experience shows that difficult or disruptive people will not comply the first or second time they are asked to behave, but if the request is made properly, somewhere around the third or fourth time most people will comply.</p><p><strong>Mass protests at company sites.</strong> Some special techniques for events such as protests against the Dakota Access Pipeline and the Atlantic Coast Pipeline include using high locations for photography, perhaps capturing multiple angles from a roof. Employee training on reporting threats and safe practices for driving to and from the site should be reinforced—especially what to do if followed when leaving. For legal protection, clearly mark property lines and take video of the act of posting “No Trespassing” signs in case they are torn down.</p><p>Sometimes the best approach is to remove protesters’ targets—this approach can minimize risk for all concerned. The author’s firm was asked to protect a corporate headquarters where a large-scale labor protest was expected. Only 10 to 15 police officers would be available to help deal with more than 1,000 protesters. To reduce opportunities for trouble, the company sent all its headquarters staff home, without warning, four hours before the protest was expected to start, and removed trash cans that could be thrown. To reduce protesters’ hope of good photo opportunities, the company’s main headquarters sign was covered and company trucks bearing the firm’s name were moved out of sight. Photographers were posted on the roof to document the event. These protection measures kept key assets safe.</p><p><strong>Airport protests. </strong>Sometimes a disruptive protest can be prevented or dispersed by emphasizing its illegality. In January 2017, protesters opposed to federal immigration policy massed at numerous U.S. airports, blocking pedestrian and vehicle movement. Most airports allowed the protests to continue, but protesters who tried to assemble at Denver International Airport were turned away by police because they did not have a permit as required by airport regulations. Restrictions on speech activity at airports were upheld by the U.S. Supreme Court, which states that an airport can impose reasonable restrictions on protest activity.</p><p>The goal of security in an era of protests is a safe outcome—the avoidance of death, injury, destruction of property, the hindering of legitimate business activities, and damage to reputation. </p><p><em><strong>Martin Herman</strong> is president and CEO of Special Response Corporation. He is a member of ASIS International and a past ASIS chapter chairman. He serves on the board of directors for the National Association of Security Companies. ​</em></p> Awards School Security Grant & More ASIS NewsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>This month, the Dallas Independent School District opens the doors to its newest transformational school, which is designed specifically for high school students interested in architecture, urban planning, environmental science, and community development. CityLab High School will offer students the opportunity to leverage the city of Dallas as their own hands-on laboratory.</p><p>But this cutting-edge “best-fit-school” concept, part of the city's public school choice program, comes with a daunting challenge: ensuring a safe and secure environment in an urban city center, and doing so on a limited budget.</p><p>That’s where the School Security Grant Competition, started by ASIS International and the ASIS Foundation in 2003, plays a critical role. This year, in conjunction with the ASIS International 63rd Annual Seminar and Exhibits, ASIS is awarding CityLab High School a $22,000 grant to pay for upgrades to the school’s camera system, access control system, and classroom intercoms. Axis Communications is making an in-kind donation of cameras and other equipment.</p><p>ASIS 2017 Host Committee Chairman Martin Cramer, CPP, worked closely with the Dallas Independent School District Police Department to get the word out about the grant and to identify the school with the greatest need.</p><p>“CityLab really stood out,” said Cramer. “Parents had voiced concerns about the school’s proximity to downtown Dallas, a busy interstate highway, and a homeless shelter. But with most of the school’s budget going to new construction, renovations, and asbestos removal for the 1950s building, there was little more the school could afford to improve security. These funds will go a long way to provide students and staff a safe and secure learning environment.”</p><p>The school identified a number of needed security upgrades, including network improvements, new security cameras, access control devices, and classroom intercoms covering all five floors of the building. </p><p>“In a large urban school district with limited funds, the responsibility of campus safety falls within the school’s budget,” wrote CityLab High School Principal Tammy Underwood, in her grant competition application. “This grant is an amazing opportunity for CityLab students and staff to be in a safe environment so that they can focus on their highest educational goals.”</p><p>The School Security Grant Competition is just one of the many ways ASIS International pursues its mission to advance security management best practices and give back to the community hosting the Annual Seminar and Exhibits. </p><p>“Without a doubt, school safety contributes to academic success, and promotes innovation, inquiry, and risk taking in high-poverty, high-performing schools,” wrote Underwood. “Students who feel safe are more attentive and efficient in the classroom, and they also have fewer symptoms of depression. I want parents, students, staff, and visitors to be comfortable and confident coming to our building.”​</p><h4>A World of Opportunity at the ASIS 2017 Career Center </h4><p>As the premier education and technology event for security professionals worldwide, ASIS 2017 promises unparalleled networking and career development options. </p><p>Now in its sixth year, the Career Center will continue to offer unprecedented professional value. Free to all attendees, the Career Center offers résumé reviews, career coaching, networking opportunities with employers and peers, and access to career development tools and job postings—plus free professional headshots in the Headshot Studio.</p><p>The excitement starts on Tuesday, September 26, with a Coffee and Careers Networking Event sponsored by the Young Professionals Council, a perfect place for great networking. Attendees currently seeking jobs in the security field will want to return later for an interactive panel session, “What Security Employers Look For and What Makes Candidates Stand Out,” where senior security executives and hiring managers will share what elements in an applicant’s history impress employers, describe what they look for in interviews, and provide advice on how to stand out from the crowd. </p><p>The day culminates with a session for ambitious professionals who have set their eyes on the top and are looking for an answer to the question, “How do you become a CSO?” This is their opportunity to hear straight from senior executives how they reached the top, lessons learned along the way, and how attendees can benefit from their experiences. </p><p>On Wednesday, the Career Center will hold another Coffee and Careers Networking Event for those looking to transition into the security field to help them create new professional connections, foster ones already made, and take part in engaging discussions on career development. Afterwards, attendees will have a chance to further build on those discussions when they take part in the “Career Development in Security” session, which will offer young security professionals the tools and best practices they need to grow their security careers.</p><p>The Career Center wraps up with a bang on Thursday with two of its most impactful sessions. The first, “Mentoring: Guiding Tomorrow’s Leaders” will provide the next generation of security industry leaders with another avenue to hone their skills to achieve their career goals, whether it’s to embark on a new challenge or advance within their organization. Panelists will examine the importance of mentoring, as well as what to look for in a mentor, key factors in building an effective relationship, and the qualities of a successful mentee. </p><p>Attendees will continue examining the future of security with a convergence panel that will explore the ever-changing relationship between information technology and physical security. As threats around the globe become increasingly sophisticated, it is vital that security professionals in every focus area can collaborate and identify comprehensive solutions for the risks facing citizens, industry, and governments around the world.</p><p>Career Coaching and résumé reviews will take place during exhibit hours. Stop by to book an appointment. </p><p>“ASIS has been instrumental to my professional development and as cochair of the Young Professionals Council, it has been particularly rewarding to help shape the high-caliber programming. From CSO perspectives to employer hiring needs to mentorship best practices and leadership skills, ASIS 2017 will provide security professionals at every stage of their careers with the tools they need to succeed in today’s job environment,” says Angela Osborne, PCI, regional director for Guidepost Solutions. “I encourage security professionals across every sector to take advantage of the breadth of career-enhancing education, advice, and professional development that will be available.”</p><p>Whether attendees are new to the security field and looking for those first valuable connections, or seasoned veterans of the industry seeking to further their existing careers, the Career Center offers a world of opportunity ready to be explored.</p><h4>International Buyer Program Helps Expand ASIS 2017’s Global Footprint</h4><p>Attendees and exhibitors at ASIS 2017 will have the chance to expand the scope of their business opportunities to a global level. Thanks to the U.S. Department of Commerce International Buyer Program (IBP), a joint government-industry effort, hundreds of global buyers from multiple delegations will attend ASIS 2017 for business-to-business matchmaking with exhibitors and attendees. The buyers represent security professionals from around the world.  </p><p>“The International Buyer Program provides an excellent opportunity for security professionals globally to benefit from the collective wisdom of the 22,000 attendees and exhibitors at ASIS 2017,” says Godfried Hendriks, CPP, managing consultant at GOING Consultancy BV and secretary of the ASIS International Board of Directors. “In today’s threat environment, security professionals need a global community of peers they can turn to year-round for support, best practices, and information sharing. ASIS 2017 will help facilitate these relationships.” </p><p>Every year, the IBP generates approximately $1 billion in new business for U.S. companies, primarily through increased international attendance at participating U.S. trade shows. </p><p>ASIS 2017’s participation in the IBP provides attendees with access to a broad array of security professionals, qualified international buyers, representatives, and distributors. It also increases the chances of finding the right international business partner. Not only will attendees meet more global buyers, representatives, and distributors, but exhibitors’ products and services can be listed in the Export Interest Directory and distributed to all international visitors for additional awareness.</p><p>Once a potential partner is identified, attendees have complimentary use of the on-site International Trade Center, where companies can meet privately with prospective international buyers, prospective sales representatives, and other business partners.</p><p>To assist in facilitating conversations, international trade specialists will be available on-site in the International Trade Center to provide matching assistance and expert trade counseling to global delegates and U.S. exhibitors.</p><p>Don’t miss out on the chance to expand your global footprint. Stop by the International Trade Center on the expo floor to learn more. ​</p><h4>All the Hub-Bub</h4><p>ASIS 2017 promises a show floor filled with fantastic networking opportunities, groundbreaking security products and service solutions from industry-leading exhibitors, and second-to-none education opportunities. At the center of it all is the ASIS Hub, an enormous 1,600-square-foot presence on the show floor that is serving as the place for all things ASIS International. </p><p>The Hub is the primary location for meeting with ASIS staff and learning more about becoming a member, obtaining one of the three board certifications, and getting involved in one of the professional interest councils. It’s also the place to unwind and recharge—literally—in the lounge with several charging stations.</p><p>The Hub will function as the go-to space for everything related to ASIS councils, with council members standing by to answer questions and offer expertise. The 34 ASIS councils explore focus areas like Crime Prevention and Loss Prevention, Healthcare Security, Information Technology Security, Investigations, Physical Security, and much more. There is a council for security professionals in nearly every discipline and industry sector.</p><p>The staging point for multiple Fireside Chats, the Hub will provide attendees an opportunity to interact in small groups with speakers after select education sessions. Members can visit the Hub for updates on the certification programs and exhibitor press conferences. And this year, the prize booth is located inside the Hub, where, twice a day, lucky attendees will walk away with exciting prizes.</p><p>Members of ASIS International are part of the largest community of security professionals worldwide, all with the shared goal of advancing global security. Engaged in their local communities year-round, members are dedicated to the security mission and making all communities safer places to live. Additionally, ASIS certifications are recognized worldwide as the gold standard of excellence in security management. Offering Certified Protection Professional® (CPP), Professional Certified Investigator® (PCI), and Physical Security Professional® (PSP) accreditations that are transferable across all industry sectors and geographic borders, ASIS certifications are valuable investments in advancing a security career. </p><p>Those who stop by the Hub can gain insights and tools needed to further their careers, get more involved in the Society, and learn about the unmatched benefits of membership in ASIS International. ​</p><h4>LIFETIME CERTIFICATION</h4><p>Congratulations to the following members who have been named Lifetime Certificants.</p><p>• Thomas M. Prochaska, CPP</p><p>• W. David Rabern, CPP</p><p>• David O. Best, CPP</p><p>• Walter F. Bodner, CPP</p><p>• James M. Gill, CPP</p><p>• Peter Urbach, CPP, PCI, PSP</p><p>• Richard G. Steele, CPP</p><p>• Samuel E. Manto, CPP​</p><h4>LIFE MEMBER </h4><p>The ASIS Board of Directors has granted life membership to Bob Battani, CPP.</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Key to Keys: 5 Steps to Developing an Effective Access Control System</em>. By Randy Neely. CreateSpace Publishing; available from; 118 pages; $15.95.</p><p>While this book could more aptly be titled <em>Keys: A Memoir</em>, author Randy Neely does a sound job of highlighting a widespread challenge that everyone in the security business has experienced at one time or another—the effective control and accountability of key and access systems.</p><p>Neely employs first-person narrative to recount his professional history and how he invented key and access control systems, relying too much on personal description for a professional publication. </p><p>Nonetheless, the author does a superb job of bringing to life the adage that necessity is the mother of invention. After experiencing a series of expensive lost key episodes, he created a system to more effectively manage keys. Valuable first-hand stories help round out the problem-impact-solution triad. </p><p>Neely chronicles the financial and legal impacts that inadequate controls can bring. For example, a single set of lost master keys cost a university nearly $350,000. The impact doesn’t end with the bottom line, but it can also adversely affect legal documents and court cases, as well as an organization’s reputation.</p><p><em>The Key to Keys </em>has some instructive value to students of security management, but it goes too far in promoting the author’s products. Further, some of the photos, tables, and figures lack defining labels or captions, are presented out of focus, or do not adequately line up.  </p><p>The most valuable lesson from this book is that motivation and initiative can inspire an earnest practitioner to not only safeguard people and property, but also to take that next step and invent new and effective ways to help improve security practices.</p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force chief master sergeant. He is a doctoral candidate in organizational management and a member of ASIS. ​</em></p> House RulesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><strong><em>​Q. How are gaming security professionals leveraging technology to protect their assets? </em></strong></p><p><strong>A. </strong>While the protection of gaming assets is important, what about the nongaming areas of the operation such as food and beverage outlets, nightclubs, bars, lounges, and retail outlets? Many security professionals believe the second most-observed area for surveillance personnel should be food and beverage. Data from Moody’s Investors Service from September 2016 said that nongaming revenue was 55 to 65 percent of the revenue of a gaming property, with food and beverage being the largest portion of that. So no matter what city or property patrons visit, of the disposable income that people bring to the gaming industry, it appears that the food and beverage revenue is becoming at least as important to casinos as the gaming revenue. </p><p>To more closely monitor losses and possible theft in the food and beverage departments, security teams can leverage an effective point-of-sale control solution that is integrated with a hotel and casino’s surveillance recording system, which identifies errors in procedures and theft.</p><p>With a point-of-sale (POS) terminal, you basically have a cashier device of some type, such as a register. That transmits data to the server, where the data is analyzed and stored. Depending on what the food and beverage management team wants and what their parameters are, the POS generates reports. For example, if you’re talking about a bar, you have data on who the employee is, the time of day, what drink was ordered, what drink was served, what food was ordered, and what food was served. The solution takes that data and overlays it with the video of that POS terminal. You can go back and see what the employee is actually ringing up, and what their actions are compared to what the electronic data is coming out of that POS–and hopefully they are going to match. If you see any anomalies in the data, then you can go back and watch what actually happened, which is very helpful in catching any improper actions, mistakes, or thefts.</p><p><br></p><p><strong><em>Q. Some thieves have learned to steal thousands of dollars by hacking and cheating slot machines. How can these incidents be avoided? </em></strong></p><p><strong>A. </strong>In 2009, virtually all gambling was outlawed in Russia, so the casinos there had to sell their slot machines to whoever would buy them. A lot of their machines wound up in organized crime groups. In 2011 the casinos in Europe started noticing certain brands of slot machines that were losing large amounts of money, but no physical cheating was noticed. That led to the theory that maybe the cheaters had figured out a way to predict slot machine behavior. </p><p>It was later discovered that cheaters were uploading footage of slot machines  to technical staff in Russia. Someone would analyze the video, calculate the machine’s spin pattern, somehow interfering with or being able to determine that slot machine model in their pseudo-random number generator, and send a reply back to the cheater. This information would set certain markers for their play, giving them a better-than-average idea of when the machines were going to hit. </p><p>In the United States, law enforcement investigations led to the arrest of one Russian national in California in a casino in July 2014 who was engaging in this sort of cheating. The FBI later indicted all four individuals involved in the ring. </p><p>To give you an idea of the potential losses, the Russian cheaters tried to limit their winnings to less than $1,000 per incident, but a four-person team working multiple casinos could earn upwards of a quarter of a million dollars a week. </p><p>While some responsibility falls on the slot machine manufacturing company, the basic protection effort is still on the casino surveillance and security personnel. It’s up to them to follow up with surveillance observations and review that slot machine play to see if there’s anything that does not match up with the daily slot exception reports, which highlight unusually large losses.  </p><p><br></p><p><strong><em>Q. We’ve seen armed robberies take place at gaming properties over the years, most recently at a casino in Manila where 36 people died. What is being done to combat those incidents? </em></strong></p><p><strong>A.</strong> Armed robberies in the industry are a concern; they don’t happen that frequently, but they are very troubling when they do. In June of this year in Gardena, California, two men followed a victim who had just won a large sum of money from a casino and rammed into the back of his vehicle to create an accident as he left the property. When he pulled into a gas station to look at the damage to his car, they robbed him of his cash winnings and shot him four times. Fortunately, the victim survived. </p><p>And then you have the shooting in Manila. It was an active shooter situation where 36 people died. The motive for that individual? Also robbery. How do we prevent things like that? It’s very difficult. Most of the robberies occur at night, and most of the casino hotels are so large they have multiple entrances and exits. </p><p>For cage [money-handling area] robberies, the training is, give the subjects the money, don’t cause any problems, and hit the holdup alarm when the robber leaves your window. And you want him to get away—you want him to get out of the property, especially if he is armed. We don’t want our security personnel to try to stop them. We notify law enforcement and let them handle it. </p><p>You need to look at the scheduling of your security staff during hours of darkness, and you may want to increase the external patrols during those times. If you have winners who have large amounts of winnings, you may want to encourage them to take a check rather than cash. If they decide to take cash, offer them an escort to their mode of transportation. Most of the time it’s their own personal vehicle, so offer them a security escort to their vehicle. </p><p>If properties don’t already do it, they may want to consider posting a security officer by the cage. A lot of casinos have security podiums for public relations and assistance for guests that are located by the cage and serve as a deterrent. And finally, you can use plainclothes officers to be on the lookout for any unusual activity.</p><p><br></p><p><strong><em>Q. How has the active shooter trend affected gaming security? Are more properties deciding to arm their guards? </em></strong></p><p><strong>A. </strong>One trend is that some gaming regulators are now requiring a copy of a licensee’s active shooter plan. The Mississippi Gaming Commission, for example, recently announced such a policy. Some casino companies are also considering arming some of their security force to be able to quickly react to an active shooter situation, if state law allows it. In many jurisdictions where gaming is a business, the state regulations do not allow security to be armed. </p><p>The approach has some pros and cons, and I would not disagree with any of my peers on what their decisions might be to protect their company. </p><p>Most active shooter situations are over in 11 minutes if it’s not a hostage situation, and in many cases first responders from law enforcement can’t get there that quickly. Sometimes they do, but if you had individuals on site, obviously their response would be much quicker. </p><p>Now your armed response team could contain and neutralize an active shooter, but they also have to be cognizant of what is lawful for a citizen’s reaction to such a violent situation. State laws pretty much dictate when deadly force can be used against an armed suspect. So if you’re going to arm these personnel, you have to be sure to operate within whatever your state law says about using deadly force on an individual.</p><p><br></p><p><strong>Q. What are the pros and cons of arming plainclothes officers?</strong></p><p><em>A. </em> If your armed security guards are in uniform, that could be a deterrent to an active shooter in and of itself. But if your armed officers are in plainclothes they can blend in with the customers, concealing the fact that they’re armed. One of the disadvantages of such a policy—and this is strictly my opinion—how are your law enforcement first responders going to be able to identify a plainclothes security officer as a friendly with a gun in his hand? For law enforcement personnel responding to an active shooter, their first goal is to neutralize that shooter. And if they come into a property and you’ve got one of your plainclothes security officers standing with a weapon, it’s quite possible they’re going to be neutralized by law enforcement, which is not good.</p><p>You also need to take a look at how your security personnel with weapons are trained to respond. This training has to be thorough, the policies and procedures must be able to withstand legal scrutiny. How are security personnel trained in the use of firearms? What’s the selection process for such officers? Are they retired or former law enforcement personnel, are they military personnel? Finally, what’s your lability if one of your security personnel accidentally shoots an innocent bystander in a situation like that? All these things must be considered when deciding whether to arm officers.   ​</p> in Shared SpacesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Coworking spaces  are on the rise around the globe. These flexible work settings allow people without a traditional office building to still enjoy many of the amenities that come along with having a dedicated work environment. </p><p><em>The 2017 Global Coworking Survey</em>, conducted by Deskmag, along with, found that there are an estimated 13,800 active coworking spaces worldwide, hosting more than 1 million people. </p><p>This represents a major increase from five years ago, when just 2,070 coworking spaces were used by 81,000 people globally. COCO, a coworking company based in St. Paul, Minnesota, offers several different levels of membership and types of space, so clients are only paying for the amount of time they need and space they require, says Megan Dorn, director of operations at COCO. </p><p>“Our idea in doing that was to be with our clients as they grow—from the beginning of their business, to hiring employees, to maybe needing private offices—which we also have,” she says. “So that’s what makes us a little bit different than your typical coworking space.” </p><p>When the company started in 2010, it had to distribute physical keys to its members, “which is a nightmare as you’re trying to grow,” she notes, and a security concern if a key was ever lost. </p><p>Because COCO normally leases its space in a larger building, it needed a security solution that was as flexible as the working environment it provides. “We usually have to find ways—when we’re opening a space or acquiring a space—to work with the building to find ways to get our security system installed,” Dorn explains. </p><p>When COCO acquired a new space in Chicago last May, the existing security system was a door locked by a PIN code, which the building never changed. The PIN code was distributed to a large number of people.</p><p>“The space got broken into a week before we acquired it. Laptops were stolen, and people were really on edge,” she notes. “So as soon as we came in to the Chicago space, one of our top priorities was to get a really solid access and security system in place.” </p><p>COCO turned to Brivo’s OnAir, a cloud-based access control system that easily integrated into the company’s membership dashboard, called Bamboo. Using Brivo, COCO can easily distribute keycards to its clients and manage membership usage and levels. </p><p>To set up the system, Brivo representatives come to COCO’s space and add card readers to the appropriate doors. They also set up schedules and the different access levels for membership types.</p><p>COCO has one membership accountant who works out of the company’s headquarters and oversees assigning new members a keycard number through Brivo. “It’s all digital, so it can be done remotely,” she notes. </p><p>A community manager at the member’s location—the lead COCO employee for that site—can then log on to Brivo and see which card number has been assigned for that client, add the number to their member profile in Bamboo, and distribute it. </p><p>Changing, granting, and revoking access levels, as well as keeping track of when members come and go throughout the building, are all managed through the Brivo platform. </p><p>“Say you want to upgrade a member from part-time to full-time. We’re able to just go into Brivo and quickly change your access. It’s active the moment that you do it,” she notes. “That’s actually been really helpful for us, given we have all this variability in types of membership.” </p><p>When a member badges in, a wealth of information comes up on the Brivo dashboard for the community manager to see. “Their picture, their name, their membership level, how many times they’ve checked in already that month, it immediately shows up,” she says. “So it tells you in real time exactly who’s in your space and when.”</p><p>The business value of OnAir is immense for COCO, Dorn points out, because the company can tell how often members are actually using the space, and whether they have made payments, as soon as they present their access card to the door reader. </p><p>“Let’s say someone is delinquent on payment. As soon as the member checks in, there’s going to be big red circle with an exclamation point [on the dashboard]–you can’t miss it,” she says. “It’s definitely helped us lower the sheer amount of delinquent payments that we have, and receive that payment.”</p><p>When a member badges in, Brivo also alerts the community manager if that person hasn’t been in the space very often that month. </p><p>“If we can find a member who we consider at-risk, who hasn’t been using the space, and we’re alerted to that we can reach out to them, invite them to an event, or try whatever we can to reengage them,” Dorn says. </p><p>COCO is also in the initial stages of using Brivo MobilePass, which lets COCO staff remotely lock and unlock doors via a smart device, for members who want to access the space after-hours but forget their keycard. </p><p>Because of how easily it can deactivate and reactivate access, COCO also encourages members who leave the company to keep their keycards. </p><p>“The goal is to try to get the member to come back. So if you have that card and you come back, you’re already set up in our system, all we have to do is reactivate the card and then we’ll also waive any setup fees,” Dorn says. </p><p>She notes the combination of security and business insights from Brivo has been tremendous for COCO. </p><p>“Brivo as a security system has helped us go from being a group of people working out of a space to a full-fledged company,” she says. “It really helps us manage all of the different types of membership and the stages of business they’re in.” </p><p><em>For more information: Nicki Saffell,,, 301.664.5242 ​</em></p> The Force MultiplierGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Go is not just a game. It can also serve as an analogy for life, a method of mediation, an exercise in abstract reasoning, or even as insight into a player’s personality. The ancient board game from China is played by two players on a 19-by-19 gridded wooden board with black and white stones. The stones are used to surround other stones to capture them or to mark territory, with 10 to the power of 170 possible board configurations. </p><p>“There is no simple procedure to turn a clear lead into a victory—only continued good play,” according to the American Go Association. “The game rewards patience and balance over aggression and greed; the balance of influence and territory may shift many times in the course of a game, and a strong player must be prepared to be flexible but resolute.”</p><p>A typical game on a normal board can take 45 minutes to an hour to complete, but professionals can make games last for hours. Supercomputers are not even capable of predicting all the moves that could be made in a game.</p><p>This is why when Google’s Deep Mind artificial intelligence (AI) AlphaGo beat one of the best players of the past decade, it was an exciting moment for the future of technology. AlphaGo bested Lee Sedol, winner of 18 world titles, in four out of five games in a 2016 tournament.</p><p>“During the games, AlphaGo played a handful of highly inventive winning moves, several of which—including move 37 in game two—were so surprising they overturned hundreds of years of received wisdom, and have since been examined extensively by players of all levels,” Deep Mind said in a press release.</p><p>And then, AlphaGo won again in May 2017, marking the AI’s final match event. “The research team behind AlphaGo will now throw their energy into the next set of grand challenges, developing advanced general algorithms that could one day help scientists as they tackle some of our most complex problems, such as finding new cures for diseases, dramatically reducing energy consumption, or inventing revolutionary new materials,” Deep Mind said in a press release. “If AI systems prove they are able to unearth significant new knowledge and strategies in these domains too, the breakthroughs could be truly remarkable. We can’t wait to see what comes next.”</p><p>Neither can the rest of the world. The AI market is projected to reach $70 billion by 2020 and will impact consumers, enterprises, and governments, according to The Future of AI is Here, a PricewaterhouseCoopers (PwC) initiative. </p><p>“Some tech optimists believe AI could create a world where human abilities are amplified as machines help mankind process, analyze, and evaluate the abundance of data that creates today’s world, allowing humans to spend more time engaged in high-level thinking, creativity, and decision-making,” PwC said in a recent report, How AI is pushing man and machine closer together.</p><p>And this is where cybersecurity professionals and experts have shown the most interest in AI—in its ability to create a workforce of the future where AI works to amplify the human workforce, freeing it up to look at the bigger picture and handle problems that machines are not yet capable of.</p><p>“The goal of AI in cybersecurity is to make people more efficient, to be a force multiplier,” says Ely Kahn, cofounder and vice president of business development for threat hunting platform Sqrrl. “There’s a huge labor shortage in the cybersecurity industry. I think AI has the ability to help with that by making the existing cybersecurity analysts more productive.”</p><p>The basics. AI is defined as the development of computer systems to perform tasks that typically require human intelligence. The term was first used in a 1955 proposal for a Dartmouth summer research project on AI by J. McCarthy of Dartmouth, M. L. Minsky of Harvard, N. Rochester of IBM, and C.E. Shannon of Bell Telephone Laboratories. </p><p>The authors requested a two-month, 10-man study of AI to attempt to find out “how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves,” according to the proposal.</p><p>Since then, AI has advanced, and there are now many broad areas that fit under the overall umbrella of AI, including deep learning, cognitive computing, data science, and machine learning, says Anand Rao, partner at PwC and global artificial intelligence lead. </p><p>Machine learning is one of the largest areas getting attention right now, Rao says. Machine learning is what its name describes—the science and engineering of making machines learn, according to PwC.</p><p>This is done by feeding a machine large amounts of data, then having it learn an algorithm to figure out what is considered normal and abnormal behavior. </p><p>“In machine learning, the idea is you don’t know exactly what the rules are, so you can’t write a program,” Rao explains. “Usually we get an input, we write specific instructions that produce an output; we can do that if we know what it is that we are trying to do. But when we don’t know that, it becomes hard.”</p><p>This is where the two subcategories of machine learning come into play: supervised and unsupervised learning.  </p><p>Unsupervised machine learning uses data to train the system to create algorithms and the machine is continuously learning, says Kahn, who is the former director of cybersecurity for the White House’s national security staff. Unsupervised machine learning algorithms are “continuously resetting, so they are learning what’s normal inside an organization and what’s abnormal inside the organization, and continuously learning based on the new data that’s fed into it,” he explains. </p><p>With supervised learning, humans train the system using training or labeled data to teach the system the algorithm to look for to identify certain types of patterns or anomalies. However, the two types of learning can be used in combination—they do not need to be kept separate.</p><p>For instance, supervised machine learning can be used to allow analysts to provide feedback for algorithms the system is using, “so if analysts see something that our unsupervised machine learning algorithms detect that is a false positive or a true positive, the analysts can flag it as such,” Kahn says. “That feedback is fed into our algorithms to power our supervised machine learning loop…you can think of it as two complementary loops reinforcing each other.”</p><p>Deep learning. One of the main fears that many people have about the increasing role AI will play in society is that it will replace jobs that humans now hold. While that might be the case for some positions, such as receptionists or customer service jobs, experts are skeptical that AI can replace humans in cybersecurity roles. </p><p>To make the kind of decisions cybersecurity analysts make, machines would need to use deep learning—a subcategory within supervised machine learning that powers Google’s Deep Mind products and IBM’s Watson. It uses neural network techniques that are designed to mimic the way the human brain works.</p><p>“I talked about supervised machine learning in the sense of using training data, to help educate algorithms about the different types of patterns they should look like,” Kahn says. “Deep learning is that on steroids, in that you’re typically taking huge amounts of training data and passing them through neural network algorithms to look for patterns that a simpler supervised machine learning algorithm would never be able to pick up on.”</p><p>The problem with deep learning, however, is that it requires vast amounts of training data to run through the neural network algorithms.</p><p>“Google, as you can imagine, has massive amounts of training data for that, so it can feed that training data at huge scale into these neural networks to power those deep learning algorithms,” Kahn says. “In cybersecurity, we don’t quite have that benefit. It’s why deep learning algorithms have been a little bit slower in terms of adoption. There are not pools of labeled cybersecurity data that can be used to power deep learning algorithms.”</p><p>For cybersecurity, ideally, there would be a huge inventory of labeled cybersecurity incidents that could be used to create deep learning algorithms; the inventory would have information about how a site was compromised and what exploit was used.</p><p>“In today’s environment, there is no massive clearinghouse of that information,” Kahn adds. “Companies generally don’t want to share that information with each other; it’s sensitive.”</p><p>This is holding back the cybersecurity industry in terms of taking the next step with AI, and Kahn says he doesn’t see companies’ unwillingness to share data changing any time soon. </p><p>“It’s going to be very hard—less from the technical reasons and more from the policy and legal reasons,” he says. “I don’t know if we’ll ever get to a point where companies are willing to share that level of detail with each other to power those types of deep learning algorithms.”</p><p>However, big companies who have vast amounts of data may be able to take advantage of deep learning in the future, Kahn says.</p><p>AI today. Numerous cybersecurity products are available today that market themselves as an AI product, or one that uses machine learning. These products tend to be used to understand patterns of threat actors and then look for abnormal behavior within the end users’ system, Rao says.</p><p>For instance, a product could be used to look at denial of service attacks, “how that happens, the frequency at which they are coming, and then developing patterns that you can start observing over a period of time,” he explains.</p><p>These patterns can help companies identify who is trying to infiltrate their systems because the behavior of hobbyist hackers, organized hacking groups, and nation-states differs. </p><p>“Once you start profiling, you start looking at how to prevent certain types of attacks from happening,” according to Rao. “Based on the types of profiling, you have various types of intervention.”</p><p>This blending of machines—using AI to identify patterns and humans to make decisions based on those identified patterns—is how AI will change the future of cybersecurity and help bolster the workforce, Kahn says.</p><p>“Optimally, we start seeing a very close blending of man and machine in that we’re reliant on relatively simple algorithms to detect anomalies. Those algorithms are advancing and getting more sophisticated using AI-type technology to reduce false positives and increase true positives,” he explains. “So, analysts are spending more time on the things that matter, as opposed to chasing dead ends.” ​ ​</p> Fine Art and Other Industry NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​PROTECTING FINE ART</h4><p>Thousands of visitors enter El Museo Thyssen-Bornemisza in Madrid each day to view the museum’s priceless masterpieces. To safeguard the precious art, the museum recently switched from analog video surveillance to an IP-based system. Bosch Security Systems helped the museum create a single integrated security system with a Bosch Video Management System and IP cameras that provide recording and storage of images, in addition to video analytics.</p><p>A special “museum mode” enables administrators to predefine a perimeter around an artwork, creating a virtual, invisible protective barrier. When the perimeter is breached by, say, an attempt to touch an artwork, an alarm is sent to the control center and security’s mobile devices, so personnel can quickly take action. This virtual barrier is a convenient alternative to conventional infrared barriers.</p><p>For those exhibits displayed in low-light conditions, the museum selected Bosch IP cameras with starlight technology. These cameras ensure that dimly lit areas can be properly monitored without additional lighting, and the museum need not compromise artistic concepts and ambience for security reasons.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>BriefCam video analytics embedded in Milestone’s video management platform are making efficient video investigation possible for Massachusetts General Hospital.</p><p>Bristow U.S. LLC won a contract from Hess Corporation for medevac services in the Gulf of Mexico.</p><p>Disaster recovery service provider Databarracks has announced that it is now a corporate partner of the Business Continuity Institute.</p><p>EyeLock LLC entered into a partnership with STANLEY Security to deliver EyeLock’s suite of access control solutions to North America.</p><p>Hikvision will help secure the iconic Holocaust Memorial Miami Beach.</p><p>BSE (formerly the Bombay Stock Exchange Ltd.) selected IBM Security to design, build, and manage a cybersecurity operations center.</p><p>IDSecurityOnline entered into an exclusive distribution agreement with ScreenCheck for its new line of durable ID card printers.</p><p>Lexmark International, Inc., announced that its Secure Document Monitor uses Intelligent ID’s Endpoint ID.</p><p>XProtect IP video management software from Milestone Systems was selected to protect a Picasso exhibit at the Tomie Ohtake Institute in São Paulo, Brazil.</p><p>Scania AB is using a Morse Watchmans key control and management system. </p><p>NAPCO Security Technologies, Inc., will supply Pepperdine University with its Trilogy Networx Locks for use on the Malibu, California, campus.</p><p>OnSSI is integrating its Ocularis 5.3 with S2 Security Corporation’s NetBox software.</p><p>Quantum Corp. announced that Zhejiang Uniview Technologies Co. Ltd., will become a Quantum value-added reseller and strategic alliance partner. </p><p>Razberi Technologies will embed CylancePROTECT software from Cylance in Razberi ServerSwitchIQ appliances.</p><p>Security Door Controls added Ascheman Marketing Group to its national family of security industry sales and support centers.</p><p>Siklu Inc. signed a distribution agreement with ALLNET, which will carry Siklu’s complete line of millimeter wave wireless radios.</p><p>TierPoint, LLC, is partnering with Compass Datacenters to build a new facility in Broken Arrow, Oklahoma.​</p><h4>GOVERNMENT CONTRACTS</h4><p>American Traffic Solutions won a contract from the Houston-Galveston Area Council for traffic control, enforcement, and signal pre-emption equipment.</p><p>ASPIDER-NGI and SURFnet, the Dutch National Research and Education Network, are partnering on eSIM to develop applications with an initial focus on identity management and authentication.</p><p>Axon announced that the Alameda County Sheriff’s Office in California purchased Axon Body 2 cameras and a five-year license.</p><p>An updated Disaster Resilience Scorecard was developed for the United Nations Office for Disaster Risk Reduction by AECOM and IBM with support from USAID and the European Commission.</p><p>Mosaic451 was awarded a contract for technology products and related services from the city of Charlotte, North Carolina.</p><p>The STRATTON U.S. Coast Guard cutter recently deployed with a small unmanned aerial system, the Insitu ScanEagle, which helped in four interdictions—seizing more than 1,676 kilograms of illicit contraband and apprehending 10 suspected drug traffickers.</p><p>Nextdoor social network for neighborhoods is partnering with the U.S. Federal Emergency Management Agency to support its mission to help communities prepare for and mitigate all hazards.</p><p>UL received a grant from the U.S. Defense Advanced Research Projects Agency for cybersecurity testing of Internet of Things (IoT) gateways for industrial control system applications to help mitigate security risks.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Forbes named Allied Universal to its America’s Best Employers list for 2017.</p><p>ByteGrid Holdings LLC was awarded FedRAMP Ready status by the U.S. Federal Risk and Authorization Management Program.</p><p>ClearDATA was granted EU-U.S. Privacy Shield Certification.</p><p>Concurrent Technologies Corporation was recognized as a 2017 Best for Vets employer by Military Times.</p><p>Conformance Technologies announced that its InConRadar offering received the Electronic Transactions Association’s PayPal Tech Innovation Award for best risk solution.</p><p>Crowe Horwath has been designated as a HITRUST CSF Assessor by HITRUST. </p><p>At KuppingerCole’s recent European Identity & Cloud Conference in Munich, Germany, the Danfoss IoT security framework project was recognized with an award in the Best IoT Security Project category.</p><p>EventTracker announced that SC Magazine awarded EventTracker SIEMphonic with a perfect five-star rating in the 2017 UTM/SIEM/NGFW annual product Group Test review.</p><p>EyeLock LLC received a U.S. patent for enabling a single camera to acquire iris biometrics, as well as a face image, by providing suitable illumination for both.</p><p>FreeWave Technologies, Inc., announced that its ZumLink 900 Radio Series and Industrial IoT Programmable Radio were named bronze award winners by the American Business Awards and the IT World Awards, respectively.</p><p>G2’s Payment Laundering Detection was named a 2017 Pay Awards winner in the Fraud Fighter category. The selection was made by a panel of payment industry experts assembled by Paybefore.</p><p>The G4S North America Training Institute was named one of the best organizations for learning and development by Chief Learning Officer magazine for the fourth consecutive year.</p><p>Hikvision announced that its DS-2TD4035D-25 Bi-Spectrum PTZ Camera System was named the 2017 ESX Innovation Award winner in the video </p><p>surveillance category.</p><p>Hillard Heintze announced that it achieved ISO/IEC 27001:2013 information security certification from the BSI Group.</p><p>NAPCO Security Technologies announced that its StarLink Connect was awarded a 2017 ESX Innovation Award in the intrusion systems category.</p><p>OpSec Security gained ISO 14298 security standard accreditation for its Washington and Leicester facilities.</p><p>The Protection Bureau announced that The Monitoring Association renewed its TMA Five Diamond Monitoring Center designation.</p><p>Zenitel Group announced that TMC named Vingtor Stentofon’s TCIV-6 IP SIP Video Intercom a 2017 Unified Communications Product of the Year Award winner.​</p><h4>ANNOUNCEMENTS</h4><p>Boon Edam Inc. announced that a new production line for its Lifeline Optical Turnstiles is now operational at the company’s Lillington, North Carolina, factory.</p><p>Continental Access, a division of NAPCO, launched a newly revitalized website at</p><p>The Cross-Cultural Institute introduced Badges2Bridges, a new training program that helps police officers and law enforcement professionals work effectively with minority communities.</p><p>DataPath, Inc., expanded operations in the Washington, D.C., area to complement its existing Maryland office. </p><p>Detection Technology Plc. completed the expansion of its Beijing factory, with a larger production floor and new investments in automation and technology.</p><p>Frontier Services Group Limited acquired 25 percent of the International Security and Defense College in Beijing, becoming the largest private security training school in China.</p><p>F-Secure acquired Digital Assurance, a U.K.-based security consultancy firm.</p><p>The former Giesecke & Devrient Banknote business unit is now the Giesecke+Devrient Currency Technology independent subgroup.</p><p>Sheriff’s agencies will use the Lockheed Martin Indago quadrotor small unmanned aerial system to perform search-and-rescue operations as part of the Project Lifesaver International program that supports clients with autism, Down syndrome, and dementia.</p><p>The Master Lock Company relocated its headquarters to a newly renovated campus in Oak Creek, Wisconsin.</p><p>Point Blank Enterprises acquired Gould and Goodrich.</p><p>PSA Security Network acquired USAV, a team of audio-visual integrators, and its affiliate CI Edge. </p><p>The Security Industry Association (SIA) established the SIA Public Safety Working Group to develop recommendations to improve the safety, security, and sustainability of cities.</p><p>Security On-Demand Inc. acquired Infobright Approximate Query technology and intellectual property assets from Infobright Corporation.</p><p>Software Assurance Forum for Excellence in Code released two best practices documents to help combat growing security vulnerabilities. One is on threat modeling, and the other is about third-party components.</p><p>Tyco Security Products is partnering with the mayor of Boston and the Boston Women’s Workforce Council in a program designed to close the gender wage gap for women in the Boston area.</p><p>In a team-building exercise, Vector Security’s managers and senior executives constructed travel-version wheelchairs for donation to the Keystone Chapter of the Paralyzed Veterans of America.</p><p>Vision-Box reinforced its support to border control officials in Portugal, sponsoring the Conference “SEF and the Economy.” ​ ​</p> with the FlowGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Somewhere in Syria, an Israeli espionage team was left scrambling after U.S. President Donald Trump passed along Israeli intelligence to Russian officials in May.</p><p>During a visit to the White House by the Russian foreign minister and ambassador, Trump revealed highly-classified information that was given to him by Israel about an ISIS plot—including the Syrian city in which the intelligence was gathered. The disclosure raised concerns that Russia—or ISIS—would be able to figure out who was collecting intelligence and how.</p><p>While Trump’s action was not illegal—the president is allowed to share classified information with whomever he sees fit—it could be seen as a political gaffe, according to experts. </p><p>In this case, Israel, which is known for its long-ranging espionage tactics, had explicitly asked that the information not be passed on without permission. </p><p>The impact of Trump’s disclosure to the Russians is yet to be seen, but it might manifest itself in ways not directly related to intelligence sharing, says James Igoe Walsh, professor of political science at University of North Carolina at Charlotte.</p><p>“On the one hand, that would be very troubling to other countries because they are sharing a lot of intelligence with the United States and it might be passed on in a similar spontaneous way,” Walsh tells Security Management. “Having said that, these are typically ongoing long-term relationships, so one episode is probably not going to be enough to upset that longer-run cooperation. In this case, Israel gets a lot from the United States in terms of intelligence, as well as a lot of other types of support. Maybe one mistake would not lead to a fundamental reassessment of that relationship.”</p><p>Walsh says he believes Trump’s decision to share the classified information was not planned; typically, countries share such information so they will receive something concrete in return, which was not the case with Russia. But regardless of the disclosure’s spontaneity, it almost certainly created headaches for the intelligence agents who initially obtained the information.</p><p>The flow of national security intelligence from one country to another can be fickle, Walsh notes. Alliances such as the North Atlantic Treaty Organization (NATO), the European Union (EU), the United Nations (UN), INTERPOL, and Five Eyes, an intelligence alliance made up of Australia, Canada, New Zealand, the United Kingdom, and the United States, foster structured intelligence sharing between nations. </p><p>But there are also countless complex connections, networks, and alliances between countries based on the sharing of not just intelligence but economic and military support. </p><p>“These narrow intelligence-sharing arrangements are embedded in larger arrangements,” Walsh explains. “If the U.S. becomes less predictable, that might be counterbalanced by other commitments, like military cooperation in Afghanistan or cooperation against terrorist threats.”</p><p>This is especially important for nontraditional intelligence-sharing partners. The United States depends on both traditional and new allies for counterterrorism intelligence sharing, according to a report in academic journal Global Security Studies. The global reach of terrorist groups has widened the circle of allies the United States has to rely on for intelligence from the trenches.</p><p>For example, “nontraditional relationships with Muslim nations like Saudi Arabia and Pakistan have been critical to the crackdown on terrorism financing and the ongoing operations against terrorists and insurgents in both Afghanistan and Pakistan’s federally administered tribal areas,” according to the report Challenges to International Counterterrorism Intelligence Sharing written by Anna-Katherine Staser McGill and David H. Gray.</p><p>While these newer relationships are bolstered by military support or a dependence on the oil trade, more traditional alliances are expected to last through thick and thin—although recent concerns based on leaks, personal data protection, and the increased flow of information can put a strain on the sharing relationships.</p><p>Just weeks after Trump passed on Israeli intelligence to Russia, the attack at an Ariana Grande concert in Manchester, United Kingdom, shocked the world. While British authorities were scrambling to track down the perpetrators, American news media published details of the ongoing investigation, including the name of the suspected attacker and photos of bomb fragments from the attack. </p><p>British intelligence officials immediately announced that they would no longer share information from the investigation with their American counterparts; Manchester Mayor Andy Burnham told newspaper reporters that the country couldn’t risk sharing any more information. </p><p>The change in policy upsets a history of open information sharing between the United Kingdom and the United States during crises, Walsh notes. </p><p>“They share this kind of intelligence on autopilot, and maybe with good reason,” he says. “They planned it in advance so that they could disseminate information to partners who may be able to help them with the investigation. The assumption would be that the recipient would not be sharing it with the media at all, or especially more or less immediately.”</p><p>The EU has its own intelligence-sharing challenges. Although Europol has established several means of intelligence sharing across Europe, it has continued to face problems connecting the dots. </p><p>“The recent terrorist attacks in Belgium and France have once again highlighted the contradiction between the seemingly free movement of terrorists across Europe and the lack of EU-wide intelligence sharing,” notes Oldrich Bureš in the policy journal European View. “Due to their earlier criminal activities, most perpetrators of the attacks in both Paris and Brussels were known to the various security agencies in several EU member states.”</p><p>Indeed, a man who gave logistical support to the terrorists who carried out the November 2015 Paris attacks had been investigated by both Belgian and Dutch police, but neither the EU nor French authorities were aware of the man. </p><p>While Europol has established multiple tools for reporting and collecting national security and terrorism intelligence, it cannot conduct its own investigations and instead facilitates the exchange of information. However, given the cultural and linguistic diversity of the 28 EU member states, as well as their differing political and judicial frameworks, sharing intelligence through Europol may not be as effective as more informal arrangements.</p><p>Likewise, the United Nations’ counterterrorism efforts lack coherence, according to an issue brief by the Council on Foreign Relations. The UN alone runs more than 30 agencies that conduct counterterrorism activity. </p><p>“Too often, these various elements are uncoordinated and even competing,” the report notes. A UN committee created a consolidated list of individuals subject to sanctions because of terrorist activity, but the report finds that the impact was negligible “given the lack of regular updates and expansion of the list, making it an inflexible mechanism,” especially as terrorist groups become less hierarchical.</p><p>Walsh points out that even successful intelligence-sharing relationships face larger philosophical concerns—determining when to share information, and whether the receiving country will treat that information appropriately.</p><p>“Typically, when you cooperate with another country, say on trade policy or an alliance, you want to be able to observe how they’re behaving to see if they’re living up to their commitments,” Walsh explains. “That’s exceptionally hard to do in the area of intelligence because it’s information and secrets.”</p><p>Nations also need to know whether it is necessary to share intelligence they have collected. After 9/11, intelligence agencies agreed to share secrets more freely with each other to prevent another large attack. However, the effort backfired when leaks through Edward Snowden and WikiLeaks made agencies scale back their sharing to need-to-know information.  </p><p>“It’s really hard to know when you actually have ironclad intelligence that something bad is going to happen,” Walsh explains. “You have so much intelligence that’s collected on individual people, like travel records, so the problem is connecting the dots. How do we even know that we should share that?”</p><p>Trust is essential to intelligence-sharing relationships, whether it’s trusting that the information is accurate or trusting that the receiving country will treat the information appropriately. </p><p>Despite Trump’s gaffe, Walsh points out that it takes a great deal to seriously damage an intelligence-sharing relationship—there were no significant changes to the United States–Germany relationship after it was revealed that the United States had been tapping German Chancellor Angela Merkel’s private phone. However, too many leaks and faux pas by the new administration could eventually take a toll.</p><p>“It’s troubling that the Manchester investigation leaks happened so shortly after the Israel episode,” Walsh says. “It might suggest to foreign governments that there’s a pattern, especially if that information was shared with the United States and it was leaked by the White House, in particular.”  ​</p> Water RiskGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​If, as biblical wisdom reveals, the meek shall inherit the earth, then perhaps it will be the dirty, not the pure, who help build a sustainable global future—at least when it comes to water, say scientists.</p><p>As an issue of global significance, water security has recently vaulted to prominence. Half of the world’s largest cities now experience water scarcity, and roughly two-thirds of the world’s populace face seasonal or annual water stress. </p><p>The future looks even drier. Demand for water is expected to exceed supply by 40 percent within 15 years, if current conditions continue. By 2025, absolute water scarcity will be a daily reality for an estimated 1.8 billion people, according to a United Nations (UN) estimate. Water scarcity can lead to instability and violence; the crisis in Syria was triggered by, among other factors, a historic drought from 2007 to 2010.</p><p>But water security is a complex issue, and scarcity is merely one of its components.</p><p>Most activities that require water produce wastewater. As water usage grows, so does the production of wastewater. And more than 80 percent of wastewater worldwide is released into the environment untreated according to some estimates. </p><p>This discharge can contribute to devastating consequences. In 2012, for example, more than 800,000 deaths worldwide were caused by contaminated drinking water, inadequate handwashing facilities, and insufficient sanitation services. </p><p>In the oceans and larger seas, wastewater discharge sometimes causes deoxygenated dead zones that harm an estimated 245,000 square kilometers of marine ecosystems, according to UN estimates.</p><p>But instead of being discharged, wastewater can be treated—and reused. And more officials and experts are realizing the benefits of this new approach. </p><p>“Wastewater is gaining momentum as a reliable alternative source of water,” says the recently released United Nations World Water Development Report for 2017: Wastewater, the Untapped Resource. </p><p>“Wastewater is no longer seen as a problem in need of a solution, rather it is part of the solution to challenges that societies are facing today,” the report finds. “Wastewater can also be a cost-efficient and sustainable source of energy, nutrients, organic matter, and other useful by-products.” </p><p>Given the skyrocketing demand for water, the positive effect that wastewater reuse could have on the global water crisis is “immense,” says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It.</p><p>“This is a very big deal,” Glennon tells Security Management. He cites the example of the state of Arizona, which has been active in reusing water for a few decades now. Facilities like golf courses and ballparks can consume large amounts of water, he says, so Arizona’s water reuse practices have been helpful. </p><p>Moreover, state officials have formed WateReuse Arizona, a group that assists communities in achieving sustainable water supplies through reuse. Among other things, the group offers scholarships for Arizona college students interested in specializing in water reuse and reclamation.</p><p>On the U.S. federal level, the U.S. Department of the Interior announced in May that it awarded $23.6 million to seven states for researching, planning, designing, and constructing water reuse projects. </p><p>Often, treating wastewater so that it can be reused for agricultural purposes is less expensive than purifying it to the level where it can be used as drinking water. Given this, countries are becoming more aggressive in their water reuse programs, according to the report. </p><p>For example, in 2013, 71 percent of the wastewater collected in the Arab states was safely treated, and 21 percent was being reused, mostly for irrigation and groundwater recharge.   </p><p>Other regions are realizing the potential benefits of wastewater reuse. In the Asia Pacific region, some countries have discovered that byproducts from domestic wastewater, such as nitrogen, phosphorous, and salt, have potential economic value. </p><p>For example, case studies in Southeast Asia have shown that revenues generated from wastewater byproducts, such as fertilizer, are significantly higher than the operational costs of treating the wastewater. That provides an economic incentive for water reuse, the report finds. </p><p>However, “more needs to be done across the region to support municipal and local governments in managing urban wastewater and capturing its resource benefits,” the report adds. </p><p>In Latin America and the Caribbean, urban wastewater treatment has almost doubled since the late 1990s, so that between 20 and 30 percent of wastewater collected in all sewer systems is now treated. </p><p>“Treated wastewater could be an important source of water supply in some cities, particularly those located in arid areas (such as Lima), or where long-distance transfers are required to meet growing demands, particularly during drought (such as São Paulo),” the report finds.   </p><p>While progress in reusing wastewater has been made in the United States and around the world, there are still constraining factors hindering even more progress, Glennon says. One is cost; some localities in developing countries struggle to afford construction of wastewater treatment plants.   </p><p>Another is that countries like China and India continue to use unsustainable practices when it comes to their water supply, such as “pumping groundwater with impunity.” India, for example, has yet to truly face up to its water shortage crisis and change its practices. “The rules of groundwater pumping remain so relaxed,” Glennon says. </p><p>And in places where water scarcity is currently not a huge issue, some officials have the attitude of, “Why should I bother to reuse water if I can just drill a well?” Glennon says. He compares this attitude to the mistaken belief that an unlimited number of straws can be placed in the same glass—eventually, all the liquid will be sucked out. </p><p>In addition, there are some security issues related to the practice of wastewater reuse, says Yves Duguay, CEO and founder of HCIWorld, who has had on-the-ground experience with audits of water works and other infrastructure systems. For example, systematic controls in the process are needed to ensure that health, safety, and security requirements are maintained. “Most of the time, my audits have shown a lack of oversight and controls, along with poor contract performance management. This can increase the risk for water reuse,” he says. </p><p>This is doubly important in areas where waste management operations, which can include water reuse, are linked to corruption and even organized crime. “How certain are we that waste, solid or liquid, is being disposed as expected and regulated?” he asks. </p><p>Still, developed countries like the United States and Canada can show leadership by developing a systematic approach to the recycle and reuse of wastewater, Duguay says. And since it is not an “in-your-face issue,” wastewater reuse needs more awareness and advocacy so it is not crowded out by more publicized political concerns. “There is little room on our governments’ agenda for such a topic, unless it is talked about and frequently communicated to the general public,” he explains.</p><p>Nonetheless, in areas of the world where water scarcity hits hardest, it will ultimately become a necessity to reuse treated wastewater, because supply will not hold out, Glennon says. “Some places will have to use that for drinking water—there is simply no alternative,” Glennon explains. Duguay echoes this view: “There is no doubt that we need to control our utilization of water; it’s a unique resource that is not infinite,” he says. </p><p>In the end, the UN report argues that, in a world where limited water resources are increasingly stressed by over-abstraction, pollution, and climate change, it is imperative for officials around the globe to focus on wastewater treatment and reuse.   </p><p>“Neglecting the opportunities arising from improved wastewater management,” the report concludes, “is nothing less than unthinkable.”  ​ ​</p> in the CrucibleGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​On July 12, 2006, fighting between the Israeli army and the Lebanese militant group Hezbollah suddenly erupted and started to spread. Hezbollah fired rockets and anti-tank missiles; Israel responded with airstrikes and artillery fire, and later launched a ground invasion of southern Lebanon. The 2006 Lebanon War raged on for 34 days before the United Nations brokered a ceasefire.</p><p>I received word of the fighting shortly before the news reports hit. I was GE’s divisional global security director at the time, based at the corporate headquarters building of General Electric (GE) Healthcare in Waukesha, Wisconsin. I was responsible for the security and wellbeing of employees at more than 600 properties around the world, including three sites in Israel and one in Lebanon. Calls were coming in from both sides of the battle; many employees were at risk of losing their lives. </p><p>However, as the war entered its tenth day, we had relocated more than 1,000 employees and family members out of harm’s way, with the help of our corporate executive team and several strategic partners. This wasn’t an easy task. We were able to continue basic operations with minimal losses in Israel, but all activity in Lebanon came to an abrupt stop. What further complicated matters was the U.S. government’s refusal, or inability, to assist with any form of safe passage from Lebanon. Still, we were able to complete relocations by using several dangerously remote and unpopulated routes to reach Jordan through Syria.  </p><p>An event of this magnitude—an actual war—is difficult to navigate, and can be wholly draining. While the war crisis proceeded, the company continued to operate, so long hours were a requirement. For three days after that first call, I didn’t get many chances to sleep.</p><p>Managing a serious crisis as a group leader can be stressful, both physically and emotionally. It is crucial to recognize that your effectiveness in successfully leading others will diminish if you openly demonstrate indecisiveness, emotional frailty, and operational ignorance during the event.</p><p>But it is also important to realize that crisis leadership begins long before the actual crisis occurs. The right preparation is essential for being an effective crisis leader, and for a security executive this groundwork can start from day one on the job. By focusing on preparation, and by consistently practicing certain management best practices, managers can greatly improve their chances of being an effective crisis leader. This article explores these practices and preparation, including building technical expertise, assessing situations, developing relationships with key stakeholders, and training for emergencies. </p><h4>Build Expertise</h4><p>Knowing the business you support is the most critical factor to your success as a crisis management leader. Thus, if you’re new to an organization, you should dedicate as much time as possible in your first three months to learning all you can about every facet of the business—from sales to production to market share—and meeting the people who are the driving forces in those areas. </p><p>In my career, I have had the opportunity to manage security programs for several companies in completely different vertical markets. Each market change required extended study time. There’s a huge variance in the operational methodologies of security programs at a hospital and a nuclear power plant, for example. Although the core principles of security can be applied to any industry, each line of business retains its own unique characteristics and regulatory framework.  </p><p>Besides operational knowledge, you must also develop relationships with most of the key process and resource owners who support the business’s primary missions. Once those relationships are established, you should then strive to understand the secondary and tertiary levels of operations, resources, and personnel necessary to keep the business going.</p><p>In addition, you should also learn some basic business continuity planning skills and conduct a few business impact assessments. These will allow you a fuller understanding of the potential vulnerabilities and the gaps that may exist in business operations, the contingency plans themselves, and the resource base that will be available when a crisis occurs. </p><p>However, conducting a business impact assessment of your company can be a daunting task if you attempt to assess the whole business in a single review. And it can be almost impossible to complete without the full cooperation of nearly everyone in your company. Instead, consider focusing on key revenue streams, products or services that define the company, and significant vulnerabilities that could interrupt these streams and services—such as the sudden loss of a single-sourced major component, a labor disruption, or a stoppage in distribution channels. Even if the assessment seems to have little to do with traditional security activities, it is a great way to learn about the inner workings of your company.  </p><p>For example, after the Great Tohoku Earthquake struck Japan on March 11, 2011, I was working as a security manager at Paramount Pictures. Due to the earthquake, almost all of the film industry’s specialized magnetic recording and video storage tape became unavailable. Sony, with its entire tape manufacturing business located in Japan, was the exclusive maker of such tape, and its production stopped cold. </p><p>This was a supply chain crisis for sure, and we at Paramount were scrambling for tapes. Fortunately, our security team had enough operational and business continuity knowledge to know where to look and who to call. By volunteering to help secure tapes for the many television productions on the lot, our team knew where to find hundreds of new and reusable tapes in dozens of secure storage locations. It was like an Easter egg hunt gone wild. Armed with this knowledge and with very little effort, the security department was able to secure dozens of the remaining tapes, which kept our production teams going until other recording methods were found.</p><p>Sometimes, it takes great effort to avoid being constrained into a departmental silo and stuck in the dark when it comes to internal business workings. But the effort is worth it. Get out there and mingle, don’t be afraid to ask questions and build relationships and alliances. Learn the business so you can contribute to its survival.    ​</p><h4>Assess Situations</h4><p>Another important component of crisis leadership preparation is staying current on domestic and international events, especially if your company is a global one. Third-party providers of intelligence and communications services can be useful here. Many of these providers even offer crisis forecasting by region and country to keep your team abreast of problem areas.  </p><p>This global understanding, combined with business knowledge, will allow you to see the big picture and anticipate which operations might be interrupted if a crisis starts to unfold.  </p><p>Moreover, demonstrating this knowledge improves your chances of being part of the inner circle at your business. For example, as a matter of practice, GE security leaders routinely gathered for periodic operational continuity development sessions. In these meetings, we shared intelligence derived from in-country leaders, paid global intelligence services, and geopolitical analysts. At the first signs of trouble—what we called “a smoldering issue”—the affected business units were identified, and key revenue processes were analyzed for potential impacts and vulnerabilities. </p><p>Often, a smoldering issue has the potential to challenge several exposed operational and distribution channels, and the material or human resources they contain. Thus, effective coordination and communication is critical during these initial stages. </p><h4>Develop Relationships</h4><p>With sufficient business knowledge and a global understanding, you will be in a position to advise the C-suite on events once a crisis starts to unfold and help your firm be active rather than reactive.  </p><p>However, this cannot happen if organizational leaders reject an inclusionary approach when it comes to crisis leadership. For example, early in my career, the company I worked for decided to move forward on a major acquisition—the purchase of a competitor’s remanufacturing division. In general, not all security departments are included in every C-suite function; some do not get much visibility into major corporate decisions. This held true in our particular case because the security team was not part of the company’s diligence support team. Furthermore, the security team was not included in the company’s crisis response team, which consisted mostly of legal and financial leadership, supported by communications and customer relations staff.</p><p>As a result, the security team was unable to flag any discrepancies that might have shown up in the due diligence process. The division that was purchased turned out to be a fraudulent shell company. When news of the bad purchase reached the press a few days later, our firm suffered a severe financial loss and some reputational damage to its brand.</p><p>The incident illustrates the im­por­tance of maintaining a wide representation of all business functions on a crisis management team. By emphasizing teamwork and relationship building, a manager can help develop and maintain collaborative channels that will be invaluable during a crisis. Moreover, a well-structured and collaborative crisis management team can incorporate the use of predictive tools, such as event forecasting and analysis, that maximize the chances of avoiding a crisis in the first place.  </p><p>Even so, if a crisis does occur, successful collaboration between many stakeholders is usually a prerequisite for formulating an acceptable and viable solution. An effective crisis management leader knows where to go to seek out advice from others when considering options to present to company leaders. While it is often necessary to quickly provide solution options during a crisis, it is also advisable for managers to carefully consider all security-based spending decisions, which can sometimes be driven more by fear than by reason after a major event</p><p>Once options have been considered and a response plan is approved, a manager needs strong interactive leadership skills to ensure that others buy in and follow the course laid out. As the example of the shell company purchase shows, a collaborative effort can be quickly derailed by preventing a single department, which might hold a critical part of the solution, from participating.  </p><h4>Train</h4><p>Good leaders make intelligent decisions; great leaders do so consistently. The combination of business operations knowledge and current event understanding will help a security leader make better decisions. </p><p>But in the final analysis, leadership is not about making the best decision possible in every instance, or about always being the smartest person in the room. It’s ultimately about your ability to earn the trust of others to the point where they will willingly follow you. Here, effective communication is vital. </p><p>In July 2005, four suicide bombers armed with rucksacks full of explosives detonated bombs on the London Underground that killed 52 people and injured hundreds more. Within four hours of the bombings, our security team at GE Healthcare was able to quickly identify—from a pool of roughly 45,000 employees —that 483 were confirmed or expected to be traveling in or about London that day for work. Using our mass communication system, we located all but nine employees on business travel that were in London or had passed through London within an eight-hour window of the bombings.</p><p>  By other means, we quickly confirmed that the remaining nine travelers were safe. Additionally, some of our employees on personal leave and vacation were traveling in London that day. Because those employees had included their private cell phone numbers in the company’s emergency notification system, we were able to receive confirmations that they, too, were safe.  </p><p>On the other hand, sometimes crisis pressure can lead to costly communication errors. Take for example, one of the most high-profile crisis situations in recent memory, the 9/11 terrorist attacks. After the planes hit the towers, one senior security manager of a major corporation in New York was overheard saying, “We’re being attacked!  I don’t think anyone’s gonna make it out of Manhattan!” The comment started a panic in the entire office building, which took hours to calm.  </p><p>The example shows that even accomplished managers can succumb to pressure. However, specialized crisis management leadership training can be invaluable in reducing the chances of this happening. Communication is often an important component of this type of training; many programs provide guidance on how bad news can be communicated without embellishment, panic, or fear, and how correct communication can provide stability and hope by demonstrating a confident resolve—indicating that something is being done immediately, or will be in the near future.</p><p> In addition, crisis training helps managers better understand the anatomy of a crisis, which is an essential element in remaining rational and functioning calmly. Drills can help build response memory, which in turn helps a leader avoid freezing or panicking. </p><p>In cases where in-house crisis training is unavailable, security managers should consider building their own training. With a little research online about crisis management planning, managers can first assemble the basics: contact sheets, resource directories, contingency plans, meeting schedules, and organizational charts. Then, with help from both the legal and human resource departments, the manager can coordinate partnerships with local emergency service and communication providers, and design some crisis training exercises. </p><p>Becoming skilled at anything takes practice, and crisis management leadership is no exception. If you ever find yourself in a room filled with managers trying to solve a major problem, don’t be shy; step up to the plate and share your knowledge and experience, and contribute something. This will build on your experience base, and allow you to practice being in crisis situations. </p><p>In the end, the best coaches are those who prepare, know the rules inside and out, and can lead their players strategically. Stopping in the middle of a crisis to learn more about the business, means you haven’t learned the business well enough and you aren’t prepared to lead. </p><p><em><strong>Clint Hilbert</strong> is the owner of Corporate Protection Tech­nologies, a North Carolina-based private investigation firm. He has served as a security executive for General Electric, Pacific Gas and Electric, and Paramount Pictures. Earlier in his career, he was a commander of protective services for the U.S. Delegation to NATO for the U.S. Army Criminal Investigation Command. ​</em></p> 2 Peer ProtectionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Daisy Torres wants to pursue a career in law enforcement after she graduates from the University of Iowa in Iowa City, Iowa. So, when she was looking for student employment opportunities, she discovered that the university hired students to work in its public safety dispatch center.</p><p>She applied for a position, but wasn’t hired. That didn’t deter her, however, and during her sophomore year of college in 2016 she found out about another opportunity for undergraduates to work with the University’s Department of Public Safety: becoming a student security officer.</p><p>Torres filled out an application, interviewed, passed a background check, and was offered a position as an officer that fall, patrolling the campus and interacting with students.</p><p>“At first, the whole thing was intimidating, but the officers have been very helpful and supportive. They guide you,” Torres says. “They encourage you to ask questions to make sure you don’t mess up.”</p><p>The experience has also offered her a chance to see what a career in law enforcement might look like and gain a better understanding of how first responders interact with students and respond to incidents.</p><p>“As a regular person, you just see the ambulance come or you see the officer coming to take care of something—but going through the training you realize this is hard work,” she explains. “It definitely humanizes the process, so it’s really fun for me. It’s fun getting to know the people, the officers you are working with. You get to see the person behind the badge.”</p><p>That’s the goal of the Student Security Officer Program at the University of Iowa, which was created in the fall of 2016 when Assistant Vice President and Director of Public Safety Scott Beckner was hired to lead the Public Safety Department.</p><p>Beckner has spent more than 30 years in law enforcement, including 25 in higher education law enforcement with roles at Georgia College and State University in Milledgeville, Georgia; Shepherd University in Shepherdstown, West Virginia; and Michigan State University in East Lansing, Michigan. </p><p>“I believe in a community policing philosophy, meaning that our police and security officers need to go where the students are comfortable to build positive relationships with them, even if it’s not the environment in which the officers themselves are most comfortable,” Beckner says. “This enables both parties to establish meaningful communication and receive better feedback from both the law enforcement officers and the students.”​</p><h4>The Program</h4><p>The University of Iowa covers 1,880 acres that straddle the Iowa River. Approximately 33,000 students are enrolled each semester, and most freshman undergraduates live on campus.</p><p>Protecting the campus community is the University of Iowa Public Safety Department, which has two major divisions: the police division and the security division. The police division is made up of roughly 45 armed state-certified police officers who patrol campus around the clock. The security division is made up of nine full-time security officers.</p><p>The university also has a dispatch center, which is the main dispatch center for campus 911 calls and the back-up dispatch center for the county. </p><p>When Beckner came on board in 2016, the university hired students as dispatchers in the dispatch center and also as security staff at the University of Iowa Art Museum. Based on his experience at prior institutions, Beckner wanted to expand the university’s use of student employees for campus security positions.</p><p>“Hiring student security officers is another layer of our community policing approach,” Beckner says. “It gives our officers another opportunity to connect with students to get a pulse of what’s happening on campus from the student perspective.”</p><p>With this mind-set, Beckner instructed the department to create the Student Security Officer Program to hire students to be the eyes and ears of campus public safety.</p><p>“I’m not afraid to try new things, and I’m not afraid to fail,” Beckner explains. “I think it’s just as valuable to know what doesn’t work as what does work, and you don’t always know until you try. So many people in law enforcement are afraid to fail because of the spotlight we’re in, and we have to learn to get beyond that mind-set.”</p><p>To push the program forward, Security Supervisor Beau Hartsock was pulled off his regular assignment at the time—head of security at the University of Iowa Art Museum—and brought in to recruit students and interview them for officer positions.</p><p>To recruit students, Hartsock and others in the department used the university’s Hire a Hawk program that lists student employment opportunities and attended the campus job fair. They also went to Introduction to Criminology classes—the first core class in the Criminology, Law, and Justice major—to contact students who might be interested in the program. </p><p>“The Intro to Criminology is a prerequisite to the program that every student coming in has to go through,” Hartsock explains. “We go to those classes and do a 10-minute pitch of what we have to offer and tell them about the department. If they wish to apply, they can.”</p><p> Within one month, the program had 30 students on staff as security officers, with a peak in the middle of the academic year of 75 student officers. The students completed training conducted by full-time security staff on mandated issues, including radio operation, the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, bloodborne pathogens, and CPR. </p><p>The student officers were then trained for each of their particular assignments. These assignments included dorm patrol, building checks, the art museum, athletic events security, the campus transportation service called Nite Ride, and the Hawkeye Storage Lot.</p><p>“We don’t train everybody on everything; we train on an as-needed basis in accordance with whatever assignment they are working,” Hartsock says. </p><p>This is because each assignment has different requirements. For instance, students assigned to Nite Ride—a transportation service that provides rides for students between 7:00 p.m. and 6:00 a.m.—act as dispatchers, taking calls and managing the app that sends the vehicle out to pick students up.</p><p>Dorm patrol requires that students walk the dormitories, using a pipe check-in system from Guard1Plus to track their progress throughout the campus. “A student could potentially walk five or six miles a night, especially on the weekends, looking for any safety concerns, damage to property, and things like that,” Hartsock says.</p><p>Student officers have similar responsibilities when they are assigned to the libraries or the Voxman Music Building, which is a new building on campus that houses valuable musical equipment. </p><p>The art museum job is a“sought-after” assignment, Hartsock says, because students sit at a desk, greet people who come into the building, and keep an eye on the building’s video camera feeds, making it a relatively low-key assignment. </p><p>The other assignment for students is Hawkeye Storage Lot, which is vulnerable to thefts from parked cars because it is separated from the main campus, Hartsock says. </p><p>“We have students that also sit out there and do patrols every half hour in an electric car around the lot for about 10 minutes,” he explains.</p><p>Students on patrol wear yellow polos and black pants and have utility belts with pipes for the check-in system, masks for CPR, and radios to reach the dispatch office. If they notice suspicious activity or an incident unfolding, student officers are instructed to radio into the dispatch office and a police officer or security officer will be sent to their location to respond.</p><p>“First and foremost, students are trained to be the eyes and ears of the university only,” according to Hartsock. “In no way are they to physically or verbally intervene…we train them on what could potentially get them in danger, and to use their best judgment.” </p><p>So far, the university has had no incidents of harm to a student security officer while on duty, according to Hartsock. </p><p>“We have the benefit of our student security officers carrying radios—the same exact radios that our police officers and our full-time security officers carry—so they are literally a key click away from our dispatch,” he adds. “And a lot of times our police officers are scanning our student security officer channels, and they can start heading that way even before it is actually dispatched by a dispatcher.”​</p><h4>Campus Impact</h4><p>When Torres was initially hired, her friends and fellow students’ first question was: Do you get to carry a gun? Student security officers are not armed, but they are taken seriously by their peers and this support has helped them build relationships on campus.</p><p>“I’ve been the night dispatcher for Nite Ride and [my friends] don’t bother calling the phones because they know I’m working, so they’ll text me and say, ‘Is there a chance you could send a Nite Ride my way?’” Torres says. “They think it’s interesting because they get to see me in the dorm sometimes and say, ‘I know the security officer.’” </p><p>Building this sense of community helps give credibility to the campus police because the student security officers get to know police officers as real people, says Police Captain Mark Bullock. </p><p> “Kids, when they talk about these officers as people rather than as a profession, it takes away some of those barriers that may have previously been there,” he explains.</p><p>Another benefit to having the student security officers on patrol is that it can make reporting a sensitive crime, such as a sexual assault, easier for students because they are talking to a peer instead of a police officer.</p><p>“If it is a sensitive crime, and if you have a familiar face or a peer who is part of an organization like ours, we would hope that would make reporting that crime just a little bit easier,” Bullock says. “It’s a well-known thing that sexual assaults are underreported. We would like to do anything we can to make the occurrences go down—ideally eliminate them completely. But at least knowing about them is a step in the right direction.”</p><p>For less serious offenses, such as smoking in a dorm room, Bullock says students are much more likely to bring that up to a student security officer on dorm patrol than to a security officer.</p><p>Students are “not going to be as open to saying that to a police officer as they would to one of their peers,” he adds. “General quality of life issues within our campus have been easier to report by having a peer to talk to.”</p><p>And in instances like smoking in a prohibited space, student security officers have several options on how to handle the situation, including reporting it to the residence assistant on duty, the front desk of the building they are in, or dispatch for a police response, if necessary.</p><p>Student security officers are all equipped with a radio, "so it’s a direct line of access to the police so information is coming in in real time,” according to Bullock. “There’s nothing lost in translation.”​</p><h4>Future Plans</h4><p>The Student Security Officer Program has been viewed as a success so far, and the university plans to expand it during the fall of 2017 to hire approximately 125 student officers for the academic year.</p><p>“We’re actually getting ready to do a very large hiring surge of possibly 40 to 50 more students just to cover one assignment that’s in the works right now,” says Hartsock, who declined to provide more detail about what the assignment was.</p><p>The department itself is also making a push to have student security officers, police officers, and security staff be increasingly more involved with campus life in their off hours. One initiative is paying for staff to participate in intramural sports on campus. </p><p>“So you’re interacting with the university community, humanizing us in the sense that students get to know us personally, see a familiar face out of uniform as well as in uniform,” Hartsock explains. “Being more approachable and being looked at in a way that we’re really genuinely here to help.”</p><p>All of this goes back to Beckner’s focus of creating a community policing approach to campus security at the university.</p><p>“If University of Iowa officers can begin to know students on a personal level—when it’s not in the context of punitive action—I believe we’ll be able to solve more problems proactively,” he says. “One of my early goals was to begin to break down the barriers between students and campus police, and I think this program is helping us do that.”  ​</p> Professional PathGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Until recently, security has been considered a trade, with practitioners fighting for proper standing in the institutions they protect. But the industry is now at a crossroads.</p><p>Before us lie two paths. One is a continuation of the status quo. We may continue to glide down this road, but it is not a self-determined path. It has been chosen for us because we have not clearly defined security’s role. Given this failure to self-define, security has traditionally been defined by others by the task it performs, such as information security, investigations, physical security, or executive protection. This type of definition diminishes the value of the security function; our role is more than just our allocated tasks.</p><p>The second road is one of self-determination and opportunity. It offers a chance for the industry to advance from a trade to a fully respected profession. On this road, we can take control of the dialogue, shape the conversation surrounding our field, and make our own way forward. As an industry—with ASIS taking the lead—we can keep advancing until security is considered a profession.</p><p>How can we advance on this second road? First we need a clear definition of the role of security in the private sector. We also need a core base of knowledge that supports our understanding of that role, which can be taught—not only to college students, but to transitioning personnel coming into our industry and to our hiring managers. There also needs to be an established expectation that practitioners will share this knowledge of security’s role and the core competencies associated with it. </p><p>ASIS International has already started defining this role through the concept of enterprise security risk management (ESRM). With its embrace of ESRM, ASIS has positioned our industry to travel down the road of opportunity and self-determination, with ESRM as the guiding principle to help chart our course.  </p><p>Not everyone in the industry is ready for this journey, however. For some who may have heard of the concept but still find it vague, questions remain. Primarily: What exactly is ESRM and why is it needed?</p><h4>What is ESRM?</h4><p>At its core, ESRM is the practice of managing a security program through the use of risk principles. It’s a philosophy of management that can be applied to any area of security and any task that is performed by security, such as physical, cyber, information, and investigations. </p><p>The practice of ESRM is guided by long-standing internationally established risk management principles. These principles consist of fundamental concepts: What’s the asset? What’s the risk? How should you mitigate that risk? How should you respond if a risk becomes realized? What is your process for recovering from an event if a breach happens? Collectively, these principles form a thoughtful paradigm that guides the risk management thought process.</p><p>When pursued, these questions elicit valuable information, and they can be asked of every security-related task. For instance, investigations, forensics, and crisis management are all different security functions, but when they are discussed within the ESRM framework they are simply different types of incident response. </p><p>Similarly, every function of physical and information security, such as password and access management, encryption, and CCTV, is simply considered a mitigation effort within the ESRM paradigm. These may seem to be merely semantic differences, but they are important nuances. When we define these functions within the ESRM paradigm, we also start to define the role we play in the overall enterprise.</p><p>ESRM elevates the level at which the role of security management is defined. Instead of defining this role at task level, it defines the role at the higher, overarching level of risk management.  </p><p>By raising the level of security’s role, ESRM brings it closer to the C-suite, where executives are considering much more than individual tasks. And by defining the role through risk principles, it better positions the security function within the business world at large. Business executives in all fields understand risk; they make risk decisions every day. Using ESRM principles to guide our practice solidifies our place within the language of business while also defining the role we play within the business.</p><p>For example, consider a company with a warehouse and a server. In the warehouse, security is protecting widgets and in the server, security is protecting data. Under the common risk principles, we ask: What are the risks to the widgets and data?  How would we protect against those risks? Who owns the widgets, and who owns the data? </p><p>We may decide to put access control and alarms on the warehouse or a password and encryption on the data. In both instances, we’re protecting against intrusion. The goal is the same—protection. For each task, the skill set is different, just like skill sets differ in any other aspect of security: investigations, disaster response, information technology. But the risk paradigm is the same for each.</p><h4>Why We Need It</h4><p>We need ESRM to move beyond the tasks that security managers and their teams are assigned. For instance, if you manage physical security, your team is the physical security team. If you do investigations, you are an investigator. If you manage information security, your team is the information security team. </p><p>But these tasks merely define the scope of responsibility. Our roles are broader than our assigned tasks. Our responsibilities should be viewed not as standalone tasks, but as related components within our roles as security risk managers.   </p><p>Having a clear, consistent, self-defined role provides significant benefits. First, it preempts others from defining our role for us in a way that fails to adequately capture and communicate our value. </p><p>Second, it helps better position ourselves in the C-suite. C-level executives often struggle with what security managers do, and where to align us. This is often reflected in the frustrations expressed in some of our own conversations about needing a proverbial seat at the table. In one sense, this exclusion may seem justified: if we can’t define our role beyond describing our tasks, why would upper management charge us with higher-level leadership and strategy?</p><p>Third, it provides guidance to our industry. Greater use of ESRM will provide an always-maturing common base of knowledge, with consistent terms of use and clear expectations for success.  </p><p>This benefits not only practitioners in our industry, but also all other executives who may need to interact with the security practice or work with the security manager. This can be especially valuable during times of change, such as when a security manager switches companies or industries, or when new executives come into the security manager’s firm.</p><p>In those situations, security managers often feel that they are continually educating others on what they do. But this endless starting over process wouldn’t be necessary if there were a common understanding of what security’s role is, beyond the scope of its responsibilities.​</p><h4>Why Now?</h4><p>This industry at large has talked about ESRM for at least the last 10 years. But as relevant as the topic was a few years ago, the present moment is the right moment for ESRM because security risks now have the potential to become more disruptive to business than in the past.  </p><p>There are several reasons for this. The use of technology in the current economy has allowed businesses to centralize operations and practices. While this consolidation may have increased efficiency, it has also made those centralized operations more susceptible to disruption. When operations were more geographically dispersed, vulnerabilities were more spread out. Now, the concentrated risks may have a more serious negative impact to the business. </p><p>We are also moving beyond traditional information security and the protection of digitalized data. Now, cybersecurity risks pose threats of greater business disruption. For example, the threats within the cyber landscape to the Internet of Things (IoT) have the potential to cause more harm to businesses compared with the negative effects they suffered in the past due to loss of information.</p><p>Many executives understand the significance of these risks, and they are looking for answers beyond the typical siloed approach to security, in which physical security and information security are separately pursued. They realize that the rising cyber risks, in tandem with the increasing centralization of business operations, have caused a gap in security that needs to be closed. </p><p>Boards are also becoming more engaged, which means that senior management must also become engaged, and someone will have to step in and fill that gap. That could be a chief risk officer, a board-level committee, an internal audit unit…or security. Hopefully, it will be the latter, but to step up and meet this challenge, security professionals must be able to consistently define their role beyond simply defining their tasks. ​</p><h4>Making the Transition</h4><p>What we need is a roadmap toward professionalization.  </p><p>ASIS is leading the effort of defining security’s role through ESRM. At ASIS 2017 in Dallas, you will hear more conversation around ESRM as well as more maturity and consistency in that conversation.  As the leading security management professional organization, ASIS is best positioned to guide us through the roadmap from a trade to a profession. </p><p>The ASIS Board of Directors has made ESRM an essential component of its core mission. It has started incorporating ESRM principles into its strategic roadmap, which means that ASIS is starting to operationalize this philosophy—a critical step in building out this roadmap. Other steps will be needed; it is essential that volunteers, both seasoned and new to the field, embrace this shift towards professionalization for it to gain traction.</p><p>This transition will not occur with the flip of a switch. It will take dedication to challenge our own notions of how we perceive what we do, the language we use to communicate to our business partners, and our approach toward executing our functions.  It will take time and comprehensive reflection, and the ability to recognize when we don’t get it right. We may not be totally wrong either, but thoroughness in developing consistency is critical.</p><p>There are some core foundational elements that need to be in place for this ESRM transition to be successful. First, there needs to be a consistent base of knowledge for our industry to work from: a common lexicon and understanding of security’s role that is understood by practitioners and the business representatives we work with. </p><p>We also need both a top-down and bottom-up approach. New security practitioners entering the industry from business or academia, or transitioning from law enforcement or the military, need a comprehensive understanding of risk management principles and how a risk paradigm drives the security management thought process. There should be an expectation that these foundational skill sets are in place when someone enters the security field. Working from a common base of knowledge, these ESRM concepts should be incorporated into the security management curriculum, consistently established in every security certification, and inherent in job descriptions and hiring expectations at every level.  </p><p>We also need to build expectations regarding what security’s role is, and how it goes beyond its assigned tasks, from the top-down—among executives, boards, hiring managers, and business partners. A clear and common understanding of security’s role will make it easier to define success and the skill sets that are needed to be successful. Organizations like ASIS will assist in providing the wherewithal to support these leaders. </p><p>If we truly are security risk managers, then there must be an expectation of foundational and comprehensive risk skill sets when hiring decisions are made. There could be educational opportunities through ASIS, through global partnerships with universities, and through publications coordinated with organizations that reach the C-suite, such as the Conference Board of the National Association of Corporate Directors.</p><p>Clearly academia needs to play a role as well. College students interested in entering this dynamic industry will come in more prepared to assist security leaders and businesses with a solid knowledge base of security risk management fundamentals. And once a rigorous ESRM body of knowledge is established, ASIS has the clout, expertise, and standing to provide a certification for academic institutions that meet concepts in their curriculum, which would will provide for a more consistent understanding of security’s role.</p><p>ASIS has established ESRM as a global strategic priority and has formed an ESRM Commission to drive and implement this strategy. One of the commission’s first steps is developing a toolkit comprising a primer and a maturity model.</p><h4>Benefits to ASIS Members</h4><p>There is a question I ask of every can­didate I interview: “Tell me about a time when you’ve been frustrated in this industry.” </p><p>Every answer comes down to one of two issues. One, we do not know and cannot clearly define our role. Two, our business partners cannot clearly define our role. Both of these frustrations are manageable, and both are our fault as an industry for not establishing clarity.  This leads to strained relationships with our business partners in how we are perceived and how likely our expert guidance is to be accepted.</p><p>Having a clearly defined security role through ESRM helps build a foundation for a more satisfying career in the security industry. It would provide us with proper standing in our enterprises, and better positioning for us to have a seat at the table for the right reasons, ones that executives understand and can support.</p><p>For the practitioner, a consistent security program through ESRM provides a framework to bring together security mitigation tasks under one proper umbrella: physical, investigations, cyber, information, business continuity, brand protection, and more. </p><p>The human resources industry has professionalized over the last decade or so. We see this through their standing within business, their seat at the table, and their upgrades in title and pay. Now, with the rise in threats and potential business disrupters, our industry has an opportunity. Business leaders and boards are looking for answers.  We have the necessary skill sets and a dedicated and supportive professional association in ASIS to take the lead.</p><p>We are at a crossroads.  It is time to choose the path of self-determination, take control of this conversation, and make the transition from trade to profession.</p><p><em>Brian J. Allen, Esq., CPP, is the former Chief Security Officer for Time Warner Cable, a former member of the ASIS Board of Directors, and a current member of the ASIS ESRM Commission. ​</em><br></p>,-CSOs-Assess-Dynamic-Situation-in-Houston.aspxFEMA, CSOs Assess Dynamic Situation in HoustonGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Updated August 30, 2017​</p><h4>Insurance claims concerns​</h4><ul><li><p>Some reports have circulated that homeowners must file claims stemming from damage wrought by Hurricane Harvey by <strong>September 1, 2017</strong>, in order to receive full coverage.</p></li><li><p>Those reports are <strong>not accurate.</strong></p></li><li><p><strong>The change only affects lawsuits, not the claims process</strong>, says Texas Senator Kelly Hancock.</p></li><li><p>A Texas law going in effect on September 1, 2017, involves legal damages that insurance companies must pay policy holders if the companies <strong>deny a claim for, offer a lowball settlement, or are slow to settle</strong> a claim.</p></li><li><p>If a claim is denied, lowballed, or inordinately delayed, and the policy holder goes to court against the insurer and prevails, under the new law the insurer would have to pay the claimant damages plus <strong>an additional 10 percent</strong> (rather than 18 percent under the prior law).</p></li><li><p>Most <strong>Texas homeowners policies don't cover home flooding</strong>, but they do often cover wind damage, vehicle flooding, and other related damage. </p></li><li><p>Most insurance policies that cover flooding in Texas are provided by the <strong>federal government</strong>, which is <strong>not covered</strong> by the new Texas law.</p></li></ul><p>--</p><p>August 29, 2017</p><p>​ASIS International CSO Center members and officials from the U.S. Federal Emergency Management Agency (FEMA) joined a conference call this morning to discuss the latest impacts of Hurricane Harvey on the Houston area and how it is affecting employees and business continuity. These are some of the takeaways.</p><h4>ASIS Activities</h4><ul><li><p>ASIS is supporting those affected by the storm by working with the ASIS Crisis Management and Business Continuity Council to provide <a href="" target="_blank">response and recovery resources.​</a></p></li><li><p>The Society is donating $5,000 to the American Red Cross through its Security Cares initiative. To make your own donation, contact the American Red Cross at 1-800-RED CROSS or text HARVEY to 90999 to make a $10 donation for those in need.</p></li></ul><h4>Harvey's Path</h4><ul><li><p>Harvey is expected to loop back through the Gulf Coast and make fall slightly north of Houston and head into Louisiana. </p></li><li><p>At least another foot of rain is expected in the Houston area through Friday, and some areas will receive more than 50 inches of total rainfall.</p></li></ul><h4>FEMA Assessments and Activities</h4><ul><li><p>There are currently about 5,000 people in emergency shelters, and FEMA and the American Red Cross estimate that will grow to 30,000 people over the next several days.</p></li><li><p>FEMA has a million meals and millions of liters of water on hand to distribute as needed.</p></li><li><p>As many as 75,000 homes have been damaged by the storm, and there are about 250,000 homes and businesses without power.</p></li><li><p>FEMA has brought in 9,000 federal workers to the affected areas.</p></li><li><p>About 2,500 FEMA employees are coordinating efforts of some 1,100 urban search-and-rescue teams, as well as 120 swift water rescue teams.</p></li><li><p>Teams are working hand-in-hand with state authorities.</p></li><li><p>Corporations wanting to offer resources and assistance can contact FEMA's National Business Emergency Operations Center at 202-212-8120.</p></li></ul><h4>Issues discussed by CSOs</h4><ul><li><p>The key is making sure that staff and families are safe, sound, and taken care of.</p></li><li><p>Corporations with business operations in the affected area are still focusing on making sure employees are accounted for and providing them assistance as needed. Some are continuing to pay those affected by the storms, even if they can't make it to work. Some corporations also established round-the-clock helplines and are offering financial assistance to employees as needed.</p></li><li><p>Corporations are working to come up with viable criteria with which to assess staff need for financial assistance.</p></li><li><p>A continuing challenge is keeping track of employees who are displaced to cities as far away as Dallas.</p></li><li><p>Most business operations in the affected area have come to a halt, but some corporations have employees who have ridden out the storm at their facilities—either by choice or because they became stranded.</p></li><li><p>Some companies with shift workers made arrangements in advance for people to ride out the storm by setting up shelters onsite or at nearby hotels.</p></li><li><p>Sleep deprivation is becoming an issue—even if someone finished up a 12-hour shift, they can't go home. </p></li><li><p>Some companies are working with their facility's food vendors for extra stock and allow maintenance workers and their families to stay in a hotel across the street from the facility. </p></li><li><p>Some businesses have been able to switch security operations to another facility to provide some relief for onsite shift workers.</p></li><li><p>It's also important to prepare for looting as well as donation, insurance, and home improvement scams. The CSO Center and ASIS will update members on the specific types of these fraudulent activities as they occur.</p></li></ul><h4>Hurricane Harvey Recovery Resources:</h4><ul><li><p><a href="">ASIS International Response and Recovery Resources</a></p></li><li><p><a href="">FEMA updates and rumor control</a></p></li><li><p><a href="">FTC on avoiding charity scams</a></p></li><li><p><a href="">iJet updates</a></p></li><li><p><a href="">DHS updates</a></p></li></ul><h4>Local News Resources:</h4><ul><li><p><a href="">Houston Downtown Management District</a></p></li><li><p><a href="">News Station KHOU</a></p></li><li><p><a href="">ABC 13 Houston</a></p></li><li><p><a href="">Houston Chronicle</a></p></li><li><p><a href="">Texas Department of Transportation Highway Conditions Map</a></p></li><li><p><a href="">National Weather Service flood map</a></p></li><li><p><a href="">Harris County rainfall map</a></p></li></ul><h4> How to Help:</h4><ul><li><p><a href="">American Red Cross donations</a></p></li><li><p><a href="">FEMA Business Emergency Operations Center</a> – Call at 202-212-8120</p></li><li><p><a href="">FEMA Industry Liaison Program</a></p></li><li><p><a href="">Better Business Bureau's tips on trustworthy charities</a></p></li></ul> Update: Releasing Reservoirs Creates Ghost TownsGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>The scope of Hurricane Harvey's impact on the southern United States is hard to grasp, and the end is still far from sight. Since its landfall Friday night, the storm has dropped more than two feet of water in some areas, and the U.S. National Weather Service expects Houston and south Texas will receive up to 50 inches by the time the storm dissipates. </p><p>Houston—the fourth largest city in the United States—has seen devastating flooding, forcing residents to leave their homes and seek shelter. The U.S. Federal Emergency Management Agency estimates that 30,000 people will be displaced from their homes, and that the <a href="" target="_blank">$3 billion disaster fund</a> will be enough to help with immediate aid—for now.</p><p>Here's what we know so far about the storm's impact:</p><ul><li><p><a href="" target="_blank">Eight people are confirmed dead</a> in Texas from Harvey.<br></p></li><li><p>U.S. President Trump is planning to travel to<a href="" target="_blank"> Texas tomorrow</a> to survey the damage.<br></p></li><li><p>All schools in Houston are closed, as well as several retailers, hospitals, and the U.S. postal service.<br></p></li><li><p>Both of Houston's airports will remain closed to the public until at least <a href="" target="_blank">Wednesday</a>.<br></p></li><li><p>Houston 911 received <a href="" target="_blank">56,000 calls for help</a> over 15 hours. The average number of calls for a typical day is 8,000. <br></p></li></ul><p>Although Houston has been in the spotlight, cities south of Houston are struggling as well—and are facing a surge of floodwater from Houston. Two dams in the Houston area are being released to control the overflow and provide relief for the city, but officials say it will affect thousands of homes along the reservoirs. </p><p><a href="" target="_blank">The dams were released earlier than expected</a> due to rapidly-rising waters that threatened to overflow the reservoirs. "If we don't begin releasing now, the volume of uncontrolled water around the dams will be higher and have a greater impact on the surrounding communities," said Galveston District Commander Col. Lars Zetterstrom around 2:30 a.m. on Monday. "It's going to be better to release the water through the gates directly into Buffalo Bayou as opposed to letting it go around the end and through additional neighborhoods and ultimately into the bayou."</p><p>Cities such as La Grange and Bay City implemented mandatory evacuations Monday morning due to the surge, which could add up to 10 feet of water to the already-flooded streets. Officials warned remaining residents that roads out of the city would be closed, and first response, utility, and other services will be shuttered.</p><p>"This means there will be absolutely no emergency response, including law enforcement, fire, and EMS services, in all areas of the county," the Matagorda County Emergency Operations Center warned residents in a statement. "Basic services, such as food and water, will not be available. Mandatory Evacuations MUST be completed before this deadline."</p><p>The Bay City Police Department posted on<a href="" target="_blank"> its Facebook page</a> that dispatch centers are completely out of service and encouraged residents to call on nearby counties for assistance.</p><p>Meanwhile, the U.S. Department of Homeland Security has warned of an <a href="" target="_blank">increase in phishing attacks</a> by cyber criminals posing as charities or insurance agencies. </p>ÓN.aspxLA IMPORTANCIA DE UNA FUSIÓNGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Durante años, la idea de una fusión entre Universal Services of America y AlliedBarton Security Services tenía completo sentido financiero, más que cualquier otra cosa en el mundo. Los números parecían claros: si las empresas unían sus fuerzas, crearían la compañía de seguridad más grande de Norteamérica, una que podría ofrecer enormes recursos y una gama de servicios en un único punto de compra para aquellos necesitados de servicios tercerizados de seguridad. Además, ambas compañías tenían fortalezas complementarias; por ejemplo, las soluciones integradas de seguridad electrónica de Universal y los guardias de seguridad de AlliedBarton, de combinarse, fortalecerían aún más el encanto de una fusión.</p><p>Aunque la lógica industrial era innegable, hacer realidad la fusión demostró ser una tarea intimidante. Algunas discusiones vacilantes habían tomado lugar por varios años, y en diferentes momentos, cada empresa cortejó a la otra buscando una adquisición, pero ninguna estaba lista para cerrar el trato. El porqué no siempre estaba completamente claro.</p><p>En cualquier circunstancia, existe un gran número de factores que podrían hacer difícil de alcanzar un acuerdo de esta magnitud. Como una fusión de este tipo usualmente comienza con el nivel más alto e involucra al liderazgo de ambas compañías, siempre está presente el riesgo de una lucha por el poder. Ésto puede presentar un obstáculo para los cambios en la gestión: ambos equipos de líderes se enfrentarían buscando la supremacía al decidir asuntos clave de la fusión, tales como el nuevo nombre de la compañía, los títulos de los puestos en la dirección, o la ubicación de la sede central.</p><p>Es más, fusionar dos culturas corporativas diferentes puede resultar bastante escabroso, especialmente cuando las dos compañías han sido competidores por varios años, y ambas están profundamente devotas a su búsqueda de ser el líder de la industria.</p><p>Universal y Allied Barton habían hablado frecuentemente acerca de una unión a lo largo de los años, sin acuerdo fructífero alguno. Pero entonces, una nueva oportunidad apareció, cambiando el panorama y haciendo la fusión posible.​</p><h4>SE ABRE UNA VENTANA</h4><p>En 2015, el Blackstone Group, la entidad de capital de inversión propietaria de AlliedBarton, anunció que vendía la compañía a la firma de inversión francesa Wendel Stock Exchange. Universal Services of America tenía una buena relación con Wendel, por lo que la idea de una fusión bajo su auspicio parecía que tendría un fuerte apoyo de capital de inversión. Ciertamente, ambos socios de capital de Universal, Warbung Pincus y Partrners Group, indicaron que apoyarían una fusión.</p><p>Este nuevo acontecimiento tomó lugar en un ambiente para los negocios que continuaba madurando a favor de una posible fusión. A medida que los márgenes de ganancias en la industria permanecían estrechos, las eficiencias económicas que podrían ser obtenidas a partir de la integración horizontal de las dos compañías y sus fortalezas complementarias se volvían más y más convincentes.</p><p>Por supuesto, todavía había que resolver el asunto de la “lucha por el poder” entre los equipos de líderes que eran competidores mutuos. A veces, este esfuerzo puede ser el más problemático en los niveles más altos de una organización; una fusión entre dos grandes empresas con directores ejecutivos titulares puede convertirse en un choque de egos que no puede ser contenido.</p><p>AlliedBarton y Universal evitaron este conflicto. En el caso de nuestras empresas, ambos CEOs (yo mismo y Bill Whitmore de AlliedBarton) teníamos una relación que parecía fortalecerse a lo largo del tiempo. Me gusta llamarla una relación “feroz y amigable”: ambos éramos intensos competidores en el mercado, pero fuera del campo, siempre nos llevamos bien. Si había dos líderes de compañías rivales que podían unirse exitosamente, éramos nosotros. Aún más, Bill había dejado en claro que estaba dispuesto a abandonar su puesto como director ejecutivo para convertirse en la cabeza de la junta de Allied Universal, de modo que no tendríamos que competir por ese rol en la nueva compañía.</p><p>Dadas estas condiciones, la fusión empezó a cobrar aún más sentido. Luego de casi dos años de serias discusiones, ambas partes decidieron proceder. Universal Services of America y AlliedBarton Security Services anunciaron la fusión al público el 03 de Mayo de 2016. Para el primero de Agosto, la fusión se vio concretada, formando en su resultado Allied Universal, la cual ahora es una compañía que vale US$5,1 billones y emplea a más de 150.000 personas.</p><p>Los desafíos no faltaron en el camino a ese final. Yo creo que nuestra fusión puede servir como un caso de estudio en gestión del cambio, porque atravesamos una gran cantidad de problemas de integración, desde el ajuste cultural y la provisión de personal, hasta los procedimientos y procesos operacionales. Lo que sigue son algunos de los elementos clave del ejercicio de integración, que generó tanto lecciones aprendidas como una guía de mejores prácticas.​</p><h4>DE COMPETIDORES A CAMARADAS</h4><p>Comenzamos con la ayuda de consultores de confianza. El Boston Consulting Group (BCG) se encargó del proceso organizacional, mientras que West Monroe Partners se enfocó en la integración de las tecnologías de la información. Ya que BCG había trabajado con Universal durante nuestras adquisiciones de Guardsmark y de ABM Security, ya nos conocían a nosotros y a nuestro negocio, de modo que pudieron redoblar sus esfuerzos rápidamente para ayudar a desarrollar nuestro plan de integración.</p><p>Dado el alcance del proyecto, nuestro cronograma era ambicioso. En Marzo y Abril, llevamos a cabo un análisis extensivo de cada área funcional de ambas empresas. Los análisis nos proveyeron una perspectiva clara sobre dónde se encontraban las fortalezas y las debilidades de cada organización en términos de alcanzar nuestros objetivos de negocios, como la creación de valor, el servicio al cliente, y el uso de tecnología dentro de nuestra oferta de servicios.</p><p>Luego llegó un período todavía más intenso. Tras anunciar la fusión en Mayo, unos cuantos cientos de ejecutivos de ambas empresas, que habían liderado anteriormente equipos rivales, se reunieron en Dallas durante una semana para realizar un proceso en el que debatieron sobre los componentes claves de la nueva compañía. Los asuntos discutidos incluyeron desde el nuevo nombre y sus valores fundamentales hasta sus áreas de énfasis, discutiendo cada gerencia y cada área individualmente. Por ejemplo, en un caso tuvimos que elegir un proceso de contaduría en vez de otro. Y hubo ocasiones en las que tuvimos que elegir a un único proveedor para un servicio que anteriormente estaba manejado por dos entidades diferentes.</p><p>Una vez que estos parámetros fueron establecidos, atravesamos varios días de entrevistas “uno a uno” en el camino a formar los equipos de líderes para la nueva compañía. Desde el comienzo sabíamos que ésto sería un momento desafiante para muchos. Dado todo lo que estaba en juego, intentamos hacer que el proceso sea tan abierto y transparente como fue posible. Se discutieron los detalles y el cronograma del proceso, incluyendo los arreglos de finiquitación para aquellos que no harían la transición a la nueva organización.</p><p>Durante Mayo, Junio, y Julio, comenzamos las actividades visitando las ubicaciones clave. El proceso que habíamos recién terminado en Dallas fue replicado con los empleados de nivel operativo (aproximadamente 150.000), quienes trabajaban en alrededor de 250 sucursales, varias de las cuales estaban siendo consolidadas. Visitamos todas las oficinas regionales, y tal como hicimos en Dallas, compartimos con los empleados nuestras aspiraciones para la nueva compañía en términos de la cultura deseada, los valores fundamentales, y los planes para alcanzarlas.</p><p>Este proyecto de tres meses de duración fue uno de los componentes más desafiantes de la fusión. Ya que había que muchos puestos a lo largo del país que requerían personal (incluyendo líderes regionales, profesionales de recursos humanos, y responsables de ventas), fue necesaria una enorme cantidad de trabajo de primera línea.</p><p>Tomar estas difíciles decisiones de contratación resultó el aspecto más intenso de la fusión entera. Las presentaciones iniciales de las futuras metas, valores, cultura y objetivos de la nueva compañía fueron bien recibidas y altamente motivadoras. Pero, luego tenías que tener “la conversación” sobre la realidad de que no todos harían la transición a esta nueva fase. Durante estos momentos, se hizo aparente la importancia que una fusión puede tomar en la vida de los empleados.</p><p>También quedó perfectamente claro lo inquietante que el proceso puede ser: además de cumplir con sus responsabilidades actuales de trabajo, los empleados básicamente debían ser “reentrevistados” para sus trabajos, sin ninguna garantía de que obtendrían uno para cuando la fusión haya terminado. Insisto: considerando todo lo que estaba en juego, era imperativo para nosotros ser tan directos, honestos, y transparentes como era posible.</p><h4>EL PROCESO DE INTEGRACIÓN</h4><p>Aunque la consolidación del abastecimiento de personal puede ser la faceta más intensa de este proceso, no se trata del único aspecto desafiante. Fusionar la cultura y los procesos de dos compañías era un proyecto complicado que tuvo una buena porción de sobresaltos y dificultades en el camino.</p><p>Cada organización es única. Hay empresas con valores y perspectivas corporativas similares, como lo eran AlliedBarton y Universal, pero siempre habrá desigualdades en los procesos y las operaciones. Esto incluye diferencias en los estilos de gestión, la distribución de recursos, las estrategias para generar compromiso, y los protocolos de procedimientos.</p><p>Para completar esta parte de la fusión, literalmente delineamos cada función en las operaciones de ambas compañías, comparándolas y encontrando similitudes y diferencias. Desde allí, determinamos la mejor manera de designar cada función para la nueva compañía. En algunos casos, elegimos los procesos de una empresa en lugar de los de la otra; en otras ocasiones, tomamos las cualidades de ambos procesos para crear uno nuevo. En unas cuantas situaciones, decidimos que sería mejor crear un proceso completamente nuevo. Por ejemplo, el área de recursos humanos diseñó nuevos programas de reconocimiento y evaluación de los empleados.</p><p>No quiero endulzar esta parte de la fusión: éstas fueron algunas de las discusiones más complicadas que tuvimos. Ya que los líderes de ambas compañías eran quienes estaban discutiendo estos procesos, era de esperarse que algunos podrían verse un poco cegados y defender la forma de hacer negocios de su propia empresa. Pero, permitir que ésto pase habría hecho que el ejercicio pierda sentido, ya que lo que queríamos era diseñar las funciones de la nueva compañía basándonos en sus cualidades.</p><p>Así que desafiamos a nuestros ejecutivos a que superen sus propias inclinaciones y que aspiren a la objetividad en el momento de pensar cuáles eran los mejores métodos para las operaciones. Ésto resultó en montones de discusiones sinceras y minuciosas que contaban con varios accionistas presentes en cada reunión, para asegurarse de que todos los puntos de vista fueran tomados en cuenta.</p><p>Al final, decidimos tener dos sedes corporativas centrales: una en Conshohocken, Pennsylvania, donde se albergaría a los departamentos de finanzas, nóminas, y facturación; la otra, en Santa Ana, California, centralizaría las áreas de recursos humanos, ventas y mercadotecnia. Adicionalmente, forjamos siete territorios regionales que recibirían apoyo operacional de primera línea por parte de centros de excelencia designados.​</p><h4>CONTINUIDAD DEL NEGOCIO</h4><p>Seis meses luego del anuncio de Mayo, logramos completar la integración de los servicios de seguridad en nuestras siete regiones de los U.S.A (Nordeste, Medio Atlántico, Sureste, Medio Oeste, Central, Noroeste, y Sudoeste) y en Canadá.</p><p>Dado que estas regiones comprendían más de 200 sedes, ésto significaba que habría días de trabajo que se extendían desde las primeras horas de la mañana hasta tarde en la noche, manteniendo un buen ritmo para mantener el proceso en pie y cubrir todas las bases. Agendé reuniones y llamadas con cada región para conversar sobre las áreas que necesitaban mayor concentración y sobre oportunidades para resaltar nuestras nuevas fortalezas. Trabajé con equipos legales y de recursos humanos para perfeccionar las operaciones de negocios y la retención del talento, y dediqué tiempo en el terreno para compartir la visión y misiones de la nueva marca con clientes y empleados. Viajamos alrededor del país para dar a conocer nuestras iniciativas culturales. Estas iniciativas incluían desafiar a los empleados a que se enfoquen en los aspectos positivos de la fusión, a que anticipen cambios que beneficiarían al negocio y a nuestros clientes, y a adoptar las nuevas políticas y programas, aceptándolos.</p><p>Pero una fusión tan grande como ésta viene con sus propios problemas de continuidad del negocio. Nosotros sabíamos bien que sostener las operaciones normalmente y retener el talento sería un desafío durante una integración de tal escala. Dedicamos tanto tiempo, preparación y atención en el negocio regular durante la transición como antes de que la fusión ocurra.</p><p>Aun así, reconocimos la posibilidad de que los clientes se vean preocupados por una posible degradación del servicio al cliente a causa del proceso de fusión. Para nosotros era una prioridad contrarrestar esa línea de pensamiento. Así que, durante la semana del anuncio, contactamos a todos los clientes para explicarles lo que pasaría. Desde la perspectiva del cliente, queríamos que todo quede claro, de modo que no hubiera signos de pregunta en sus mentes respecto a nuestra capacidad de proveer nuestros servicios de siempre. También fuimos directos en lo que respecta a comunicar los beneficios que la fusión generaría para ellos.</p><p>En esencia, les garantizamos a nuestros clientes que sus servicios no se verían interrumpidos. Para ratificar ésto, sostuvimos llamadas diarias de gestión con nuestro equipo de liderazgo, y discutimos todos los problemas y preocupaciones que tenían los clientes. Nos aseguramos de que ningún problema interno pueda entorpecer nuestros servicios externos.​</p><h4>ADQUISICIONES DELANTE</h4><p>Internamente, las fusiones pueden ser una experiencia inquietante para algunos, incluso para los trabajadores que anticipan permanecer en la compañía. Por momentos, los empleados querrán conversar sobre lo que el proceso de fusión significará para ellos, o incluso hablar sobre una oportunidad de trabajo que les surgió en otra organización.</p><p>Esta última situación a veces nos conduce a un dilema. Los empleados son vitales para nuestro éxito y la retención del talento también es fundamental, pero no queríamos hacer que nadie se pierda de oportunidades prometedoras para su carrera. Siempre nos mostramos abiertos y discutimos estos asuntos con la gente, siendo lo más honestos que podemos.</p><p>En general, es una simple realidad económica: las fusiones y las adquisiciones son una norma en muchos sectores de negocio. A pesar de sus momentos complicados, permiten que las empresas crezcan exponencialmente, y se expandan en áreas y mercados que anteriormente estaban fuera de su alcance. Tal vez, la lección final aprendida es que integrar organizaciones y alinear culturas siempre requiere un enfoque absolutamente colaborativo. Ésto no incluye sólo al equipo de liderazgo, sino también a todos los empleados, clientes y accionistas. Todos aquellos que dependen de y de los que depende la compañía deben comprometerse juntos para alcanzar el éxito.</p><p><em>Steve Jones, originalmente el CEO de Universal Services of America, es el CEO de Allied Universal. Mark Tarallo es editor sénior de </em>Security Management.</p><p><em>The translation of this article is provided as a courtesy by </em><em>Ari Yacianci</em><em>. </em>Security Management <em>is not responsible for errors in translation. Readers can refer to the original English version here: <a href="/Pages/The-Meaning-of-a-Merger.aspx" target="_blank">​.​</a>​</em><br></p> for the Safe City GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​​Today's cities often use video management systems or other platforms to view camera footage, protect citizens and property, analyze incidents, evaluate security, and determine appropriate responses to events like natural disasters, disruptions to public transit and other municipal services, and other threats to public safety. <br><br>Cities implementing this connected security approach are typically referred to as safe or smart cities. Most safe cities share a common infrastructure and operate using sensors and cameras over a shared municipal network. Synthesizing information from these sensors and the data from other devices through one interface, government officials and law enforcement are afforded a comprehensive view of a city's security.<strong> </strong></p><p><strong>Integrating the Many Parts of a Safe City</strong></p><p>There are operational challenges that accompany the many systems that are included in a safe city deployment. Interoperability continues to present one of the greatest challenges, particularly with video management systems, video recording devices, and cameras. The most common scenario is that municipalities have several management systems for city operations that were created by different manufacturers, each with proprietary interfaces for integration.<br><br>To connect their different systems together, cities often end up employing a single-vendor "build once and maintain forever" approach, in which the continuing cost for integration of systems becomes prohibitively expensive. In a world where technology and features change quickly, this approach is not practical because it severely limits an end user's ability to try new technology and different vendors' products and requires a substantial financial commitment to specific manufacturers and proprietary interfaces.<br></p><p><strong>Standards in Safe Cities </strong></p><p>ONVIF was founded in 2008 by Axis, Sony, and Bosch to create a global standard for the interface of IP-based physical security products. The organization was developed to provide increased flexibility and greater freedom of choice, so installers and end users can select interoperable products from a variety of different vendors. </p><p>Product interoperability is a driving force behind ONVIF. Interoperability is a simple concept: it is the ability of a product or system to work with another product or system, often from different brands made by different manufacturers. </p><p>ONVIF profiles are subsets of the overall ONVIF specification. They group together sets of related features to make product selection easier for end users, consultants, and systems integrators. Products must be conformant with one (or more) of ONVIF's specific profiles. </p><p><strong><em>ONVIF's current profiles are:</em></strong></p><p><strong></strong></p><p><strong>Profile S</strong> for IP-based video and audio streaming, including:​<br></p><ul><li>Video and audio streaming<br></li><li>Pan-tilt-zoom control and relay output<br></li><li>Video configuration and multicast<br> </li></ul><p><strong>Profile G</strong> for edge storage and retrieval, including:</p><ul><li>Configure, request, and control recording from conformant devices<br></li><li>Receive audio and metadata stream<br></li></ul><p><strong><br>Profile C</strong> for IP-based access control, including:</p><ul><li>Site information and configuration<br></li><li>Event and alarm management<br></li><li>Door access control<br></li></ul><p><strong><br>Profile Q</strong> for easy configuration and advanced security, including:</p><ul><li>Out-of-box functionality<br></li><li>Easy, secure configuration<br></li><li>Secure client/device communications using transport layer security (TLS)<br></li></ul><p><strong><br>Profile A</strong> for Broader Access Control Configuration</p><ul><li>Granting/revoking credentials, creating schedules, changing privileges<br></li><li>Enables integration between access control and IP video management system<br> <br></li></ul><p><strong>Profile T</strong> for Advanced Video Streaming is currently in draft form and is scheduled for initial release in 2018. </p><p>Standards, such as those from ONVIF, provide the common link between disparate components of safe city systems. Designed specifically to overcome the challenges in multi-vendor environments, ONVIF's common interfaces facilitate communication between technologies from different manufacturers and foster an interoperable system environment where system components can be used interchangeably, provided they conform to the ONVIF specification. </p><p>In 2014, ONVIF member company Meyertech helped the city of York, United Kingdom, deploy a safe city solution for the city's public spaces and transportation system. Using Meyertech video management software (VMS) and information management software, the city integrated IP cameras with the many legacy systems for its York Travel and Control Centre command center. </p><p>The city's control room monitors more than 150 cameras from different manufacturers in York, and city representatives reported an immediate impact on crime rates. The integration of legacy and new IP cameras with the new VMS, which interfaced with the information management software, was made possible through ONVIF's video specification. </p><p>A standardized approach for both file format and associated players, which is often a challenge in multi-vendor environments, is also provided by ONVIF, increasing the efficiency of the process and also adding the potential of including metadata—for example, data from an analytic, indicating number of objects, speed of objects, or even colors—in exported materials and reports. Standardized file formats include MPEG4, H.264, and, with Profile T, H.265, which are readable by many standard video players on the market, including Windows Media Player, VLC, DVD players, and many more. </p><p>ONVIF has also released an export file format specification that outlines a defined format for effective export of recorded material and forensics. These specifications together make it possible not only to integrate devices in multi-vendor video security system deployments in safe city environments, but also to offer a common export file format that can streamline post-event investigations where authorities are trying to react as quickly as possible to apprehend suspects or to defuse an ongoing situation.<strong> </strong></p><p>Another ONVIF member, Huawei, is considered a leader in smart city solutions. Huawei's video management system was used in Shanghai, China, as part of the Chinese Ministry of Public Security's safe cities construction initiative. One of the key challenges of the project was to integrate old and new technology. Huawei's VMS uses ONVIF to integrate cameras from manufacturers Dahua, Haikang, Axis, Sony, and others.<strong> </strong></p><p><strong>Multi-Discipline Standards</strong></p><p>A multi-discipline physical security standard that specifies parameters for video surveillance, access control, and other essential operations of a safe city command center would likely increase the prevalence of safe cities even further.</p><p>Many in the broader technology industry see standards as an important component in both safe cities and the Internet of things (IoT). The Institute of Electrical and Electronics Engineers and other standards groups are already working on IoT standards for technology-based industries, and some experts that global IoT standards will be introduced by the end of this year. </p><p>As standards and industries collaborate even further and establish minimum interoperability standards together, the need for a multi-discipline physical security standard will become more urgent. ONVIF envisions that all physical security systems will eventually have the same interfaces for interoperability, and the organization is dedicated to facilitating the work of its members in developing such a multi-discipline standard. </p><p><em>Jonathan Lewit is chairman of the ONVIF Communication Committee.</em></p> Agrees To 20 Years Of Audits To Settle Deceptive Privacy ChargesGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Uber will create a privacy program and undergo regular audits for the next 20 years to settle charges that it deceived customers by failing to track employee access to personal information and secure sensitive data.</p><p>The charges were brought by the Federal Trade Commission (FTC) and alleged that Uber did not live up to claims that it closely monitored employee access to consumer and driver data. The company also did not deploy "reasonable measures to secure personal information" that was stored on a third-party cloud provider's server, according to a <a href="" target="_blank">press release by the FTC.</a></p><p>"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said FTC Acting Chairman Maureen K. Ohlhausen. "This case show that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises."</p><p>Uber <a href="" target="_blank">collects and maintains </a>a vast inventory of information about its riders, including names, addresses, profile pictures, and detailed trip records. It also collects data on its drivers, including their Social Security numbers, driver's license numbers, bank account numbers, and car registrations.</p><p>Uber issued a statement in December 2014, which said it had an automated system for monitoring employee access to consumer personal information. However, it stopped using the system less than a year after it was rolled out, and the<a href="" target="_blank"> FTC alleged</a> that Uber rarely monitored internal access to data on users and drivers.</p><p>The FTC also charged that Uber's security practices "failed to provide reasonable security" to prevent unauthorized access to data stored with a third-party cloud provider.</p><p>"As a result, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and driver's license numbers that Uber stored in a database operated by Amazon Web Services," according to the FTC.</p><p>The commission also claimed that Uber did not implement low-cost measures that could have prevented the breach.</p><p>"For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud," the FTC explained. "Instead, Uber allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data. In addition, Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud."</p><p>As part of the <a href="" target="_blank">settlement agreement </a>with the FTC, Uber is:</p><ul><li><p>Prohibited from misrepresenting how it monitors internal access to consumers' personal information.<br></p></li><li><p>Prohibited from misrepresenting how it protects and secures that data.<br></p></li><li><p>Required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services, and protects the privacy and confidentiality of personal information collected by Uber.<br></p></li><li><p>Required to obtain--within 180 days, and every two years after that for the next 20 years--independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order. <br></p></li></ul> Guard Scheduling ConundrumGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Guard scheduling in a security services company may seem straightforward, but the potential for costly consequences is huge. Scheduling-related errors can lead to financial penalties that can put the business at risk. Class-action claims for unpaid overtime, unpaid breaks, and illegal scheduling practices have cost companies millions of dollars. How can you minimize risk?</p><p>The basic premise is simple: Get the right guard to the right place at the right time, doing the right things. But it takes only a few minutes on the job for the scheduler to realize that simple scheduling gets complicated—very complicated. Let’s step back and look at all the pieces that go into the scheduling puzzle.</p><p><strong>Repeated tasks.</strong> Each assignment requires the same basic actions. A guard scheduling process should handle the myriad details of scheduling easily and efficiently so that managers are freed up to keep their eye on the broader operation. Moreover, schedules are not done once and then left on a shelf. They are alive and active, so modifying them must be easy and accurately done. </p><p><strong>Rules, rules, and more rules. </strong>Scheduling people is full of micro conditions that you need to know: overtime, breaks (paid or not), site rules, and business processes. Does your week start at midnight Sunday? Do hours worked fall into the week they are worked or into the last day of the week they are completed? You need to know the answers and keep track of them.</p><p><strong>Skill sets.</strong> Your top salesperson just signed a high-profile account in town. To onboard your staff for the new account, you need to clearly identify what skills and attributes are required for a guard to work there. For example, will the guard need to use systems or equipment that require training?</p><p><strong>Exposure.</strong> Security staff occasionally fail to show up, book off, or have emergencies. To protect your client and yourself from an uncovered site, you need a 24/7 alerting mechanism that can also help you quickly find a qualified replacement.</p><p><strong>Exceptions. </strong>We live in a world of exceptions—the “yes-but” clause. For example: “That is always the schedule except…” or “I will always work five days in a row, except when I…” The scheduling process has to be flexible enough to manage exceptions. </p><p><strong>Overtime.</strong> Simply put, unbilled overtime (OT) can destroy profit margins, which are already tight in most guard companies. OT varies based on jurisdiction, but in general OT can be 1.5 or 2 times a regular wage rate. Even salaried people can be entitled to OT if they earn less than the weekly threshold (subject to conditions, the U.S. threshold is $913 per week). Does your process protect you from overscheduling individuals?</p><p><strong>Liabilities. </strong>Even if you prepare for every contingency, liabilities can occur. A guard who doesn’t know what to do or whom to alert can cause damage. Or, imagine that a new scheduler places an employee at a site they were previously banned from: client confidence will take a hit.</p><p><strong>Large volume.</strong> When you are running an event and need to book many guards at the same time, your process should allow you to book by multiple means. At events, getting guards logged in and attending to their posts with the required instructions are crucial; the process needs to be efficient.</p><p><strong>Special rules.</strong> Countries, states, provinces, and even cities have their own rules. On top of that, there are collective agreements and special function rules to consider, where applicable. Are compressed work weeks legal or not? What sort of rest periods are required between shifts?</p><p><strong>Scheduling errors.</strong> Client confidence can be shaken if you are repeatedly double-booking guards for the same shift. In that scenario, which guard gets paid? Both?</p><p><strong>Ecosystem.</strong> There are many moving parts in a security business: applicant tracking, onboarding, security operations, scheduling, payroll, invoicing, accounting, and other business operations. It is smart to have systems that integrate seamlessly with each other. Do not be held hostage to a system!</p><p>The most obvious way to address the mission-critical function of scheduling and timekeeping is to adopt a back-office software tool. Such software is designed to automate the repeatable, consider all the rules, provide guidance when assigning resources, and adhere to functions in service-level agreements. To truly drive efficiency, systems must do more than just schedule. They should give you a leg up on contract management and invoicing as well as drive business intelligence data. </p><p>To fully benefit your operations, couple back-office tools with front-line automation tools to create an ecosystem that harnesses the data generated by the security company and drives overall service that is more accountable, reliable, transparent, and efficient. After all, a security business needs to invest in activity that drives business, and avoid wasting money on the management of lawsuits and exposure.</p><p><em>Mark Folmer, CPP, is vice president for the security industry at TrackTik. He is a member of the ASIS Security Services Council and ASIS senior regional vice president for Region 6, Canada. He also serves on the PSC.1 Technical Committee and Working Group.</em></p><p><br> </p> Internet And The Future of Online TrustGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​How will online trust change over the next decade? That was the focus of a new<a href="" target="_blank"> nonscientific canvassing of 1,233 individuals</a> by the Pew Research Center and Elon University’s Imagining the Internet Center, which found that most experts think “lack of trust” won’t be a barrier to society’s reliance on the Internet.​</p><p>The survey partners asked 1,233 individuals, including technologists, scholars, practitioners, strategic thinkers, and other leaders: “Will people’s trust in their online interactions, their work, shopping, social connections, pursuit of knowledge, and other activities be strengthened or diminished over the next 10 years?”</p><p>Forty-eight percent of respondents said they think online trust will be strengthened, 28 percent reported that trust will remain the same, and just 24 percent said trust will be diminished. </p><p>“Many of these respondents made references to changes now being implemented or being considered to enhance the online trust environment,” according to Pew. “They mentioned the spread of encryption, better online identity-verification systems, tighter security standards in Internet protocols, new laws and regulations, new techno-social systems like crowdsourcing and up-voting/down-voting, or challenging online content.”</p><p>For instance, Adrian Hope-Bailie, standards officer at blockchain solution provider Ripple, participated in the survey and said technology advancements are bringing together disparate but related fields, like finance, health care, education, and politics.</p><p>“It’s only a matter of time before some standards emerge that bind the ideas of identity and personal information with these verticals such that it becomes possible to share and exchange key information, as required, and with consent to facilitate much stronger trusted relationships between users and their service providers,” Hope-Bailie explained.</p><p>One technology that respondents were asked about in particular was blockchain and the role it might play in fostering trust on the Internet. Blockchain is a digital ledger system that is encryption-protected and used to facilitate validated transactions and interactions that cannot be edited.</p><p>Other experts, however, were less optimistic about the future of trust in online interactions. Vinton Cerf, vice president and chief Internet evangelist at Google, and co-inventor of the Internet Protocol, participated in the survey and said that trust is “leaking” out of the Internet.</p><p>“Unless we strengthen the ability of content and service suppliers to protect users and their information, trust will continue to erode,” he explained. “Strong authentication to counter hijacking of accounts is vital.”</p><p>Overall, the survey found six major themes on the future of trust in online interactions:</p><div><ol><li><p>Trust will strengthen because systems will improve and people will adapt to them and more broadly embrace them.<br></p></li><li><p>The nature of trust will become more fluid​ as technology embeds itself into human and organizational relationships.<br></p></li><li><p>Trust will not grow, but technology usage will continue to rise, as a “new normal” sets in.<br></p></li><li><p>Some say blockchain could help; some expect its value might be limited.<br></p></li><li><p>The less-than-satisfying current situation will not change much in the next decade.<br></p></li><li><p>Trust will diminish because the Internet is not secure, and powerful forces threaten individuals’ rights.<br></p></li></ol></div><p><br></p> Employee Onboarding GuideGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>Security Management</em> has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies​. This article by Roy Maurer​ discusse​s the merits of a yearlong employee onboarding program.<br></p><p>--</p><p>​New employee onboarding is the process of integrating a new employee with a company and its culture, as well as getting a new hire the tools and information needed to become a productive member of the team.</p><p>Onboarding new hires at an organization should be a strategic process that lasts at least one year, staffing and HR experts say, because how employers handle the first few days and months of a new employee's experience is crucial to ensuring high retention.</p><h4>Getting Started with the Onboarding Process</h4><p>Finding the best candidates for positions in your organization is only part of building an effective team. The process of onboarding new employees can be one of the most critical factors in ensuring recently hired talent will be productive, contented workers. </p><p>However, in some organizations, <a href="">onboarding is often confused with orientation</a>. While orientation might be necessary—paperwork and other routine tasks must be completed—onboarding is a comprehensive process involving management and other employees that can last up to 12 months.</p><p>Before implementing a formal onboarding program, employers should answer some key questions to attain team and upper management buy-in, including:</p><ul style="list-style-type:square;"><li><p>When will onboarding start?</p></li><li><p>How long will it last?</p></li><li><p>What impression do you want new hires to walk away with at the end of the first day?</p></li><li><p>What do new employees need to know about the culture and work environment?</p></li><li><p>What role will HR play in the process? What about direct managers? Co-workers?</p></li><li><p>What kind of goals do you want to set for new employees?</p></li><li><p>How will you gather feedback on the program and measure its success?</p></li></ul><p>Once these questions have been answered, HR professionals and upper management can devise a plan of action to help new employees quickly assimilate company policies and workflow while getting fully acquainted with the organization's culture.</p><h4>Creating an Onboarding Program</h4><p>"If we don't worry about onboarding before the employee starts, then we're way behind," said Ben Peterson, CEO of <a href="">BambooHR</a>, an HR technology company. "Rather than having a stack of papers waiting for their signature, send them out to the employee beforehand, for electronic signature. Give them their benefits selection. Find the technology to help you automate the paper-pushing process."</p><p>As soon as new employees receive a job offer, they can also receive access to the company's online onboarding portal, said Amber Hyatt, director of product marketing at SilkRoad, a talent management solutions firm. </p><p>"Here they discover content that's designed to engage them, like a friendly note from their manager, first-day information, welcome messages and photos from new teammates, a glossary of company acronyms, a virtual copy of your employee handbook as well as other details about the new hire's department and job responsibilities," she said.</p><p>New-hire portals also benefit HR through dashboards that can organize and track tasks that need to be completed and managed electronically, such as W-4 or I-9, benefits and payroll forms, Hyatt said.</p><p>In addition to having new employees fill out new-hire paperwork online, consider providing the answers to questions they may have, such as where to go on day one, who to ask for upon arrival and what to wear, she said.</p><p>Set up new hires' desk, phone, computer and password logins before they arrive, said Peterson. </p><p>"The worst thing for a new employee is being wooed through the recruiting process and then arriving on the job and the receptionist isn't even expecting you or your office isn't set up," he said.</p><h4>The First Day</h4><p>The two main goals on the first day should be setting expectations and introducing objectives. Employees need to have crystal clear ideas about what their job duties and responsibilities are on Day 1, Peterson said. </p><p>"New employees need to get to know the job and get to know their new co-workers. Social interaction is critical. You want them back on Day 2, right?" he asked. </p><p>New employees at BambooHR are taken out to lunch on the first day. "We cared enough to hire them, we want them to know we care enough to build rapport," Peterson said.</p><p>Aligning expectations is critical. </p><p>"Organizations that don't focus on acclimating new employees to their corporate culture are at a significant disadvantage," said Hyatt. "Employees who know what to expect from their company's culture and work environment make better decisions that are more aligned with the accepted practices of the company."</p><p>To keep existing team members from resenting a new employee, make sure roles and responsibilities are outlined for the entire team, Peterson advised. </p><p>"Sometimes existing team members could feel threatened that someone new could take over their responsibilities. So it's a good idea to clarify the position of the new hire as well as [the positions of] other team members whose work is closely related, how they'll interact with each other, and how projects will run," he said.</p><h4>The First Few Months</h4><p>It's important for HR to have a one-month check-in to make sure that that the new employee is comfortable, happy and engaged, said Peterson. "Reviewing and giving thoughtful feedback on your new hire's early contributions are also important during onboarding," he said.</p><p>According to a BambooHR survey, three-fourths of new hires said training during the first week on the job is most important to them. Meanwhile, 41 percent of HR professionals felt they needed to update training in onboarding. </p><p>"If you aren't communicating what new hires are supposed to be doing and arming them with the tools to do it properly, you're setting them up to fail," Peterson said. </p><p>You also don't want to inundate your new hires with too much information. </p><p>"While it's important to get your new hire ramped up and productive quickly, you also need to make sure you provide on-the-job training in a manageable flow," he said.</p><p>Hopefully, new hires have picked a mentor by the end of the first month, Peterson added. Fifty-six percent of respondents in the BambooHR study said that having a buddy or mentor at work was very important when getting started.</p><p>The Aberdeen Group report found that high-performing organizations are nearly two-and-a-half times more likely than lower-performing employers to assign a mentor or coach during the onboarding process. </p><p>"Mentoring programs can be as simple as assigning a new employee a go-to person or having an elaborate team of mentors for any questions that might arise," Hyatt said.</p><h4>The First Three to Six Months</h4><p>Peterson advised HR to conduct another check-in between three and six months, depending on the employee and the role. </p><p>"Unfortunately, only 15 percent of companies continue onboarding after six months," he said. Remember, nearly 90 percent of employees decide whether to stay or go within that first six months. "You have a huge impact on that choice. Sometimes you just have to show that you sincerely care," he said.​</p><h4>The First Year</h4><p>"An employee's performance at the end of the first year will prove if they're fully productive," said Peterson. "Now you can plan for future development. Show them what their career looks like at the company. Sadly, sometimes they don't belong there," he said.</p><p>The end of the first year is when traditional onboarding transitions into retention and employee satisfaction. </p><p>"Shift from on-the-job training to continuous development. It's also a great time to have the compensation conversation," Peterson said.</p><p>"Your new hires will thank you for setting them up on the path to success and your company will be well on its way to turning those new hires into seasoned employees."</p><p><em>Roy Maurer is an online editor/manager for SHRM. </em><a href=""><em>Follow him @SHRMRoy</em></a><em>. </em>© 2017, SHRM. This article is reprinted from <a href="" target="_blank"></a> with permission from SHRM. All rights reserved. ​</p> Blackwater Guard Granted A New Trial In Nisur Massacre Case GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In an about face, a U.S. court of appeals remanded a lower court ruling and will grant a new trial for a former Blackwater Worldwide Security guard convicted of killing Iraqi civilians in Baghdad in 2007.</p><p>The U.S. Court of Appeals for the D.C. Circuit ruled that lower court Judge Royce Lamberth should not have barred a statement during Nicholas Slatten’s original trial by his codefendent that Slatten did not fire the first shot in what came to be known as the Nisur Square massacre. <br></p><p>The statement, <a href="$file/15-3078.pdf" target="_blank">the court of appeals said, </a>should have been allowed and Slatten should have been tried separately from his three codefendants—Paul Slough, Evan Liberty, and Dustin Heard, also former Blackwater security guards. <br></p><p>Instead, they were tried together and Slough, Liberty, and Heard were convicted of voluntary manslaughter, attempted manslaughter, and using and discharging a firearm in relation to a crime of violence. Slatten was convicted of first degree murder.<br></p><p>Slatten was sentenced to life in prison, and Slough, Liberty, and Heard were sentenced to a mandatory-minimum of 30 years in prison. <br></p><p>Slatten appealed the ruling, and through the court process his case reached the appellate court, where he challenged the lower court’s decision not to sever his trial from that of a codefendant.<br></p><p>“Slatten argued for severance because he sought to introduce exculpatory evidence—the codefendant’s admission that he, not Slatten, initiated the Nisur Square attack by firing on the white Kia—evidence inadmissible in a joint trial with a codefendant,” the appellate court wrote in its opinion. <br></p><p>The district court denied Slatten’s request, which the appellate court said was wrong.<br></p><p>“Because the codefendant’s admissions were vital to Slatten’s defense and possessed sufficient circumstantial guarantees of trustworthiness, we believe they were admissible,” the appellate court explained. “Accordingly, because the district court erroneously denied severance, we reverse Slatten’s first-degree murder conviction…and remand his case for a new trial.” <br></p><p>The appellate court also ruled that the 30-year mandatory minimum sentence for Slough, Liberty, and Heard violated the Eighth Amendment prohibition against cruel and unusual punishment. It remanded their cases for resentencing.<br></p><p>“The sentences are cruel in that they impose a 30-year sentence based on the fact that private security contractors in a war zone were armed with government-issued automatic rifles and explosives,” the appellate court explained. <br></p><p>“We again emphasize these defendants can and should be held accountable for the death and destruction they unleashed on the innocent Iraqi civilians who were harmed by their actions. But instead of using the sledgehammer of a mandatory 30-year sentence, the sentencing court should instead use more nuanced tools to impose sentences proportionally tailored to the culpability of each defendant.”<br></p><p>The four men were contracted through Blackwater in 2007 to provide security for the U.S. Department of State in in Baghdad. While out on patrol in response to a car bombing, prosecutors accused the defendants of going on a shooting spree that killed 14 people and injured 17. The defense, however, argued that the Blackwater guards feared they were under attack and fired in self-defense.<br></p><p>The case garnered worldwide attention and was closely followed by both U.S. and Iraqi leaders. No date for Slatten’s new trial or the other defendants’ re-sentencing has been set.</p><p><br> </p> A Shift in Global RiskGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The quest to better understand the sources of global risk, and the effect those sources of risk may have on security, is of continuing importance to many practitioners of enterprise security risk management (ESRM). </p><p>And now, global risk has entered into a new era, with people around the world facing more political instability, more economic challenges, and the prospect that more national policy decision making will be driven by emotion rather than reason, a new study finds. </p><p>The study, The Global Risks Report 2017, is the 12th edition of one of the flagship reports issued annually by the World Economic Forum. The report postulates that the new era of risk began last year, a watershed time for instability when increasing economic populism and political polarization came to a head in unexpected election results and the disquieting rise of former fringe nationalist parties. </p><p>“The year 2016 saw profound shifts in the way we view global risks. Societal polarization, income inequality, and the inward orientation of countries are spilling over into real-world politics,” reads the study, which was conducted with the help of academic advisors from the University of Oxford, the National University of Singapore, and the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania. </p><p>The report argues that five “gravity centers” will shape global risks moving forward, and it sketches out the challenges that will result from each of them.  First, continued slow economic growth, in tandem with high debt and demographic changes, will create an environment conducive to financial crises and growing inequality. Second, corruption and unequal distribution of the benefits of growth will convince a growing number of people that the current economic model is not working for them.</p><p>Third, the transition towards a more multipolar world order will put a greater strain on global cooperation. Fourth, the fourth industrial revolution—Internet-connected technologies—will continue to transform societies, their economies, and their ways of doing business. Fifth, more people will seek to reassert identities that have been blurred by globalization, so decision making and election choices will be increasingly influenced by emotions rather than reason.</p><p>There is no one silver bullet solution to these challenges. But the report argues that the problems “create the opportunity to address global risks and the trends that drive them.” In that spirit, the study sets out several actions that leaders should take to push forward in creating a more secure and stable world. </p><p>The report argues that political leaders need a deeper commitment to fostering inclusive development and equitable growth, on both a national and global scale, instead of allowing increasing economic inequality to further destabilize societies. And while the report praises innovation, it also argues for better management of technological change, so the growth of new uses for technology causes less disruption and leaves fewer behind. </p><p>Finally, at a time when multinational institutions like the European Union and NATO are under unprecedented attack, the report calls on leaders to redouble efforts to protect and strengthen systems of global collaboration. Destabilizing international events—which range from migration flows created by the Syrian war to major weather events that impact several countries to a potential global water crisis—all warrant more cooperation between countries.  </p><p>“It is ever clearer,” the report argues, “how important global cooperation is on the interconnections that shape the risk landscape.”</p> to Protect Your House of WorshipGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Fifteen years ago, attackers threw grenades into a church in Islamabad, Pakistan, killing at least five people and injuring numerous others. No one claimed responsibility for the attack.</p><p>The attack garnered international response because it was in the diplomatic quarter of the city near the U.S. Embassy and was attended by diplomats and their families. Officials, according to CNN, said the church was only lightly guarded with a single officer responsible for overseeing access via its three entrances.</p><p>In 2015, Jim McGuffey, CPP, PSI, PSP, chair of the ASIS International Houses of Worship (HOW) Committee (a subgroup of the ASIS Cultural Properties Council) was in Pakistan and visited that church. He met the pastor and offered to do a security assessment for the church, which the pastor took him up on.</p><p>The interaction made him think about the increasing threats to houses of worship and how a limited security budget—or no security budget at all—could affect their security posture.</p><p>“These churches often can’t afford to have barriers, metal detectors, or bollards,” McGuffey says. “Most churches are not big money makers—most of them are smaller churches and not well-funded. When we approach them with security countermeasures, we have to think outside the box.”</p><p>This led to the creation of the Security Risk Analysis (SRA) Guide for houses of worship by the Cultural Properties Council that was released earlier this year. </p><p>It’s designed to share a “modified version of the SRA process, so that with guidance by a qualified security professional, house of worship leaders will be able to identify critical assets and assess threats and hazards,” according to a white paper on the guide. “This information will help determine levels of undesirable consequences and profitability of occurrence in order to select cost effective security strategies to mitigate risk.”</p><p>The modified version of the SRA guide includes selecting a safety focus team, conducting a security survey, identifying and prioritizing vital assets for protection, identifying threats and hazards, selecting cost effective security strategies, implementing those strategies, and maintaining those strategies.</p><p>And for houses of worship that don’t have the resources—either financial or man-hours—to conduct the SRA, the committee also released actionable steps to improve churches’ safety and security at little to no expense. </p><p>Those 34 steps include suggestions like never allowing staff or volunteers to work at the facility alone, ensuring opening and closing procedures are in place, making sure all doors and windows have functioning locks, and maintaining an inventory of expensive or easily stolen items.</p><p>The council specifically included these steps, McGuffey says, for those who “want to see some immediate impact and for whatever reason the SRA process isn’t going to happen…this way they will see a significant improvement in safety and security.”</p><p>In 2015, the ASIS Savannah Low Country Chapter hosted a workshop with a local police department and invited 40 clergy from South Carolina and Georgia to participate and learn about the not-yet released SRA and actionable steps. </p><p>McGuffey says the workshop was a success, and the committee held another one in April 2016 to help local clergy “walk away with the tools to take back to their churches and implement what they have learned.”</p><p>The committee is planning future events to work directly with clergy and local law enforcement to share the SRA, and McGuffey says it will continue to adapt the SRA as new threats emerge.</p><p>“I’ve made a point of saying, as with any document, we always have to audit them and make appropriate changes to meet revised threats,” McGuffey explains. “It’s a living document.”   ​</p> Sacred SpacesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Christians were gathered in churches around the world to celebrate Palm Sunday on April 9, 2017, marking the beginning of Holy Week. During this time of year, many Christians share in a renewal of their faith as they remember the pilgrimage that Jesus took before his death and resurrection.</p><p>At Saint George Church in Tanta, Egypt, the church was full. Scriptures were read. Songs were sung. Somewhere between welcome and amen, a bomb exploded—killing at least 25 people and wounding dozens of parishioners and members of the clergy.</p><p>Investigators reportedly believe, according to CNN and other media reports, that someone had placed an explosive device under a seat in the prayer hall. Exactly how the bomb was detonated is still unknown.</p><p>As emergency personnel were working to secure the scene at Saint George, a second attack occurred just outside of St. Mark Coptic Orthodox Cathedral in Alexandria, Egypt. </p><p>The church service had just ended and people were leaving the building when a man arrived wearing a zipped-up jacket with one hand in his pocket. A security officer denied the visitor access to the cathedral and referred him to the metal detector outside the church’s entrance.</p><p>The man can be seen on video talking with the officer and then walking towards the metal detector. He walked a few steps past it, turned, entered the metal detector frame, and detonated a bomb, killing at least 11 people—including three police officers—and wounding 35 others. The actions of the security officer and the use of the metal detector saved numerous lives that day.</p><p>Between the two attacks, 43 people died and approximately 100 were injured. ISIS claimed responsibility for both attacks and warned that there would be more attacks in the future against Christians, police, and the military, according to CNN.</p><p>However, these attacks left many questions unanswered. Details such as how the bombers picked their targets, whether they were working together, and what advance preparations they had made all remained a mystery.</p><p>Did the bombers choose these congregations based on the size of the facilities? It appears that the attackers selected a day in which they knew more people would be present at the churches, possibly in an attempt to create more terror and politicize them as an assault on Christianity. A similar attack at a Christian church in Alexandria on New Year’s Day in 2011 killed 21 and injured 96, according to The Telegraph. Christians have been targeted in several attacks in Egypt, which explains the enhanced security precautions in place on Palm Sunday in 2017.</p><p>These bombings prompt several questions. What can be done to prevent an attack from occurring in our respective places of worship? Will it become customary to have a bomb-sniffing dog search the premises? Will metal detectors become a common feature outside religious and cultural properties?</p><p>“There is no commonly accepted or developed profile of a suicide bomber,” the Anti-Defamation League (ADL) wrote in Protecting Your Jewish Institution in 2015. “The only characteristic accepted by experts is that the overwhelming majority are prepared to die in the service of their cause.”</p><p>Security leaders are faced with the challenge of preventing an act that someone else is determined to achieve, even in the face of death. </p><p>We have known for years that the Islamic State wants to destroy Western culture, and that they plan to attack various locations, including houses of worship, bus stops, airports, hospitals, schools, shopping venues, concert halls, night clubs, parades, sporting events, and other places with large gatherings of people. Additionally, we are experiencing more attacks by individual terrorists with various affiliations, as seen in recent attacks using vehicles in Paris and London. </p><p>The ADL reported in January 2017 that bomb threats have increased. In addition, there is an increase in anti-Semitic assaults on college campuses. As a result, the league has updated some of its resources to assist synagogues with their security plans as they seek to secure places of wor­ship, religious artifacts, and those attending services.</p><p>The Muslim community is not exempt from crime, and has reported increases in incidents of violence and vandalism, most of which are suspected to be committed by homegrown extremists in response to terror acts committed across the globe. In the Middle East, extremists often target more moderate Muslims as they seek to impose Sharia Law.</p><p>Houses of worship around the world are faced with various challenges as they try to secure their facilities, people, and programs with limited budgets and resources. A congregation of 1,000 will have some of the same challenges as a congregation of 100, but it will have more resources. Smaller congregations may not face the same complexities as larger organizations but they may still encounter violence.</p><p>For example, when 21-year-old Dylann Roof entered the Emmanuel African Methodist Episcopal Church in Charleston, South Carolina, on June 17, 2015, only 12 parishioners were present.</p><p>Every church throughout the world has the same goal: to provide a safe place to worship. We can implement interior and exterior controls and follow best practices to prevent many types of crimes. However, nothing can protect houses of worship from a bombing except denied access.​</p><h4>Bombings in the United States</h4><p>The most notorious church bombing in the United States occurred in September 1963 in Birmingham, Alabama, at the Sixteenth Street Baptist Church. A bomb exploded in the building, killing four African-American girls during a service and injuring at least 14 others. Three former Ku Klux Klan members were eventually convicted of murder for the bombing.</p><p>Between 1970 and 2007, there were 25 terrorist attacks against religious figures or institutions in the United States; nine of the 25 attacks involved explosives or bombings, according to the National Consortium for the Study of Terrorism and Responses to Terrorism (START). Nine of those attacks targeted Jewish institutions.</p><p>The FBI also tracks hate crimes against individuals and religious institutions, with a reported 1,402 victims of anti-religious hate crimes in 2015, according to the Uniform Crime Reports: Hate Crime Statistics 2016. </p><p>Those crimes primarily targeted Jews (52 percent), Muslims (22 percent), Catholics (4 percent), and individuals of varying religious groups (4 percent).</p><p>This was an increase from figures released in 2015, when the FBI reported that there were 1,140 victims of religious hate crimes in the United States. Hate crimes, as defined by the FBI, include traditional crimes—like murder, arson, or vandalism—that are motivated by bias.</p><p>For example, in January 2012 in Rutherford, New Jersey, several Molotov cocktails and incendiary devices were thrown at a synagogue, starting a fire in the second-floor bedroom of the rabbi’s residence. This was deemed the fourth bias incident in a month against a Jewish religious institution. Other incidents included a fire that was intentionally set and graffiti at two synagogues. ​</p><h4>Bombings Suspects</h4><p>The profile of a bomber in the United States may be different from what security professionals expect. It could be a jilted spouse or lover who is seeking revenge at the end of their romantic involvement. It could be former business partners or employees looking for retribution when a business relationship goes south. It could also be the work of a terrorist—foreign or homegrown—trying to make a political statement toward a specific person or group.  </p><p>As of this writing, most bombings in the United States are carried out by an individual working alone. Further investigations after the fact generally indicate that a spouse or family member had suspicions about the bomber’s behaviors, but did not seek help. </p><p>While security cannot anticipate the moves of a bomber, there are a few behavioral characteristics that could be considered suspicious.</p><div><span style="white-space:pre;"> </span></div><p>• Nervousness, including sweating, tunnel vision, and repeated, inappropriate prayers or muttering, as well as repeated entrances and exits from the building.</p><p>• Inappropriate, oversized, and loose-fitting clothing.</p><p>• Concealed hands, such as in pockets, to hold a triggering device.</p><p>• Favoring one side or area of the body, as if wearing something unusual or uncomfortable.</p><p>• Projected angles under clothing, such as those that would indicate the individual is carrying a firearm at the waist or ankle.</p><p>• Constantly adjusting clothing.</p><p>• Carrying packages or backpacks.</p><p>When this kind of behavior is observed, the “See Something, Say Something” principle is applicable. However, at religious institutions, if at all possible, congregants should be encouraged to leave the area.</p><p>Reports should be made to a law enforcement officer if possible. If law enforcement is not available at the location, individuals have the option to investigate on their own, report suspicions to church staff, or do nothing. In these instances, security professionals should trust their instincts.​</p><h4>PREVENTING A BOMBING</h4><p>The attacker could use a mail bomb or a placed bomb. Placed bombs, like the one used in the Boston Marathon bombing, injure indiscriminately and can be concealed in boxes, backpacks, briefcases, and purses. </p><p>There is no certain way to prepare for a bombing. As witnessed with the Boston Marathon bombing, members of the public are vulnerable at events and in crowds. Someone can enter a facility with intent to do harm and there is little security can do to stop him or her.</p><p>But, just as Boston responded quickly with paramedics and doctors, houses of worship need to be prepared with security and safety measures. </p><p>Places of worship need video cameras for successful identification of attackers. Congregants must be diligent in their observations of attendees who might intend harm. They also need to be observant of behavior that is unusual, such as a person who attempts to enter a church after the service had ended, as the second Palm Sunday bomber did. </p><p>As a precautionary step, religious institutions’ office personnel should be trained about mail bombs and suspicious packages, such as the pipe bomb that was mailed to a Lakewood Church in Houston, Texas, in January 1990.</p><p>The pastor’s daughter, director of ministries for the church, opened the package addressed to her father, suffering minor burns and bruises, according to The New York Times.</p><p>Access control is key to a secure environment, as the Tanta, Egypt, bombing shows. Someone was able to place a bomb inside the sanctuary, showing that someone had access to the facility prior to the start of the service.</p><p>Staff should also be advised to keep offices and desks locked when they are not in use to avoid creating hiding places for explosives. Staff should also ensure that utility janitorial closets, boiler rooms, mail rooms, computer offices, switchboards, and elevator control rooms are locked at all times.</p><p>Additionally, trash receptacles—especially dumpsters—should be locked and located far from the building. The area around the receptacles should also be free of debris. As demonstrated by the Oklahoma City bombing in 1995, cars and trucks should be required to maintain a safe setback from the facility. </p><p>A security plan should also include an evacuation plan for the facility with a designated meeting point to ensure that everyone is safe, should it be used. Places of worship should also be equipped with medically trained staff, first aid kits, and ambulatory services to quickly respond, should an attack take place.</p><p>There are no easy answers to this disturbing dilemma. There is no easy way to predict when or where a bombing may occur. There are even fewer ways to prevent it. As security leaders, we must be diligent in our observations of human behavior. </p><p><em>Paula L. Ratliff is the coauthor of </em>Crime Prevention for Houses of Worship<em>, the first book published on the topic in 2001 and the author of the second edition. She began researching crimes against religious facilities in the early 1990s and has written several articles on crime prevention for places of worship. She is a member of ASIS International and a graduate of the University of Louisville.        ​</em></p> PreventionGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Sexual harassment allegations involving high-profile public figures have appeared in the news repeatedly this year, spurring broad debate on the prevalence of the problem, as well as the potential effectiveness of different prevention measures. </p><p>Although their views may differ regarding the value of different prevention components, many security professionals seem united on a core issue: harassment is a serious workplace issue both in the United States and around the world, and it is one that deserves more attention and more prevention programs.</p><p>“Unfortunately, most people do not consider sexual harassment as a workplace violence issue, but this is a serious mistake,” the ASIS International Crime and Loss Prevention Council said in a white paper, Sexual Victimization, issued last year. “…It is imperative that we in the security industry each gain a greater awareness of the prevalence of this crime.” </p><p>One preventative measure that has attracted recent attention is the use of company phone hotlines for anonymously reporting incidents of workplace harassment. The harassment hotline concept came into focus after intense media coverage of harassment allegations made against prominent Fox News broadcaster Bill O’Reilly by several female coworkers and program guests. The allegations eventually led Fox News to terminate O’Reilly’s contract in April 2017. <img src="/ASIS%20SM%20Callout%20Images/0817%20NT%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:536px;height:347px;" /></p><p>O’Reilly said that the allegations were spurious, and he maintained that no complaints against him had ever been reported on the company’s harassment hotline. But some experts say that a lack of hotline calls is never surprising and does not accurately reflect frequency of incidents. </p><p>Brian Lee, practice leader at CEB (now part of Gartner), a consultancy specializing in workplace incidents, says that, on the one hand, hotlines or “helplines” can be a valid component of an overall safe workplace programs. “But they are certainly not as helpful as people would want,” he adds. In part, this is because many companies employ a hotline for legal reasons, but do not publicize the actual phone number, which is sometimes embedded in a corporate policy handbook. “If you poll their employees, many have no idea what the number is, or how to get it,” Lee explains.</p><p>Another reason for low hotline use is that some employees suspect that the hotline isn’t truly anonymous, even if it is billed as such. Media reports of cases like the Wells Fargo fake account scandal of 2016, in which supposedly anonymous reports were still used for retaliation against whistleblowers, “have a chilling effect” on hotline use, Lee says.  </p><p>In addition, the hotline can feel too impersonal, like taking a complaint and “dropping it in a box somewhere,” says Stephen Hollowell, CPP, vice chair of the ASIS International Crime and Loss Prevention Council and a member of the ASIS International Healthcare Council. Hollowell helped prepare the Sexual Victimization white paper. </p><p>A recent CEB global study on workplace misconduct seems to support Hollowell’s view. Only about 7 percent of respondents reported that they had used a hotline to file a complaint, compared with 68 percent who reported the incident to their direct managers. “The use of helplines tends to be much lower than people think,” Lee says. “It is far from the most popular way [of reporting].”</p><p>But unlike hotlines, other components of workplace safety programs have been shown to be effective, says Hollowell, who is an advocate for treating harassment with the same seriousness as other incidents of workplace violence. One such component is harassment training for all employees, which starts with orientation but does not end there. </p><p>“You don’t just do it one time in orientation and then forget about it,” he says. Companies should provide periodic updates. Hollowell was involved in one organization that used the company’s weekly internal magazine to remind people that they should not hesitate to speak to their manager or call the firm’s helpline to report an incident. </p><p>Experts often say that there are two main reasons why many harassment incidents go unreported: fear of retaliation, and previous demonstrated inaction by the company. Given this, a rigorous prevention program should address both these concerns, Hollowell says.</p><p>To do this, managers should make clear that the company’s workplace is one free of harassment and violence, and that this ethos is reflected in the procedures for reporting complaints. Hollowell uses his own program as an example: if a complaint is reported to a supervisor and the supervisor does not take action, the employee is encouraged to take the complaint to the supervisor’s supervisor, or to another department like human resources or security. “We make it very clear,” he says. Additional action will take place immediately, if the complaint is valid, he adds. </p><p>Another point that should be made clear is that whistleblowers are protected. If an employee is penalized by a manager for filing a complaint in any way–such as by being assigned extra work or by having privileges taken away–“we make it very clear you need to come forward and make us aware of it,” Hollowell explains. “That could lead to [the manager’s] termination.” </p><p>However, it is also a workplace reality that, occasionally, false harassment allegations are made. This is one reason Hollowell does not like anonymous reporting—it makes it easier for disgruntled employees to target certain people, such as a coworker or supervisor they hold a grudge against, with false complaints.   </p><p>Given the possibility of false claims, impartial investigations are crucial, Hollowell says. Investigators take a “just the facts” approach, sticking to exactly what happened, and following wherever the facts lead. “If you start assuming, you’re not following the facts,” he says. Finally, keeping people informed of procedures and policies is crucial. “Transparency really is the watchword,” he adds. </p><p>For many years, harassment prevention programs would emphasize that company leaders needed to set a good example in their behavior, because the tone at the top was key. “But increasingly, that is just table stakes now,” Lee says. More firms are realizing that a coworker’s behavior is just as important as a manager’s behavior. “Employees are far more influenced by what they see around them than what they see at the top,” he adds. </p><p>Indeed, that philosophy is at the heart of a recommendation made recently by the U.S. Equal Employment Opportunity Commission (EEOC) Select Task Force on the Study of Harassment in the Workplace. In a report issued last year, the task force cochairs recommended exploring an “It’s On Us” campaign for U.S. workplaces.</p><p>“It’s On Us” is a social movement first created in 2014 by the White House to prevent sexual assault on college campuses. The campaign urged everyone on campus to be an active part of the solution, not passive observers. Launching a similar campaign in workplaces across the country would be “an audacious goal,” and not easy, the EEOC task force concedes. </p><p>“But doing so would transform the problem of workplace harassment from being about target, harassers, and legal compliance,” the task force argues, “and make it one in which coworkers, supervisors, clients, and customers all have roles to play in stopping harassment.” ​</p> the ZoneGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The term “Green zone” refers to a heavily fortified international center in a high-threat country—the original Green Zone is in Baghdad, Iraq, an area that American forces overtook in 2003 and turned into an international safe haven. It is now home to the U.S., British, Australian, and Egyptian embassies.</p><p>Other diplomatic centers throughout the world have adopted the term. That’s why Afghans were shocked by what occurred in Kabul’s Green Zone just before 8:30 a.m. on May 31, 2017, when a truck exploded in the center of the zone, killing at least 80 people and injuring upwards of 500.</p><p>The bomb destroyed buildings and demolished cars in a several-block  radius. Although the blast took place in a diplomatic area of the city, it was mostly Afghan civilians who were killed, including guards for several of the embassies in the zone. </p><p>The circumstances surrounding the massive blast in the Green Zone create a macabre juxtaposition. Officials have yet to figure out how a vehicle carrying enough explosives to create a 15-foot crater was able to enter the heavily-fortified area surrounded by 10-foot high blast walls. On the other hand, security measures were so heavy that security checkpoints snarled traffic, resulting in the high number of civilian casualties.</p><p>Nobody has claimed responsibility for the attack, and investigators reportedly believe that the vehicle carrying the explosives was a waste collection truck, which is perhaps how it was allowed through checkpoints. </p><p>But the attack has left diplomatic officials trying to find the balance between fortress-like security measures and fostering a more open and transparent relationship with the host country, both physically and strategically. </p><p>The 1998 bombings of American embassies in Nairobi, Kenya, and Dar es Salaam, Tanzania, which killed more than 220 people, and the 2012 Benghazi, Libya, attack that left four dead, all drastically shifted the way the U.S. Department of State approaches embassy security. </p><p>The United States has more than 300 embassies, consulates, and diplomatic missions around the world—the most of any country. After the 1998 attacks, the State Department determined that more than half of those embassies needed to be completely replaced to meet security requirements. The State Department then created a standard embassy layout that was used all around the world. <img src="/ASIS%20SM%20Callout%20Images/0817%20NS%20Fact%20Box.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:246px;" /></p><p>Since then, more than 30,000 diplomatic staff have been moved into hardened facilities that meet heightened physical security standards, including a 100-foot setback from the site’s perimeter, anticlimb walls and antiram barriers, hardened building exteriors, and controlled access to the compounds.</p><p>American embassies and consulates have different threat levels based on factors such as the overall security landscape and host country crime rates, explains Robert Baggett, CPP, PCI, PSP,  a former Diplomatic Security Service (DSS) special agent for the State Department and current cochair of the ASIS International Academic and Training Programs Council. </p><p>Baggett led various Regional Security Office portfolios, such as local embassy guard forces and teams that identified security threats for U.S. missions in China, Iraq, and Vietnam. He tells Security Management that the risk ratings for individual embassies and consulates are assessed on a constant basis in light of any changes that may alter security posture.  </p><p>“Once a post is designated as high-threat, then other facets come into play in terms of additional funding, security preparedness, or staffing,” Baggett notes. </p><p>Currently, 78 embassies are ranked as high-threat, high-risk posts, which means that all mission chiefs must receive Foreign Affairs Counter Threat (FACT) training that focuses on topics such as emergency response, first aid, offensive driving, and evacuations. </p><p>“FACT training provides familiarization on what can be expected while serving at these posts, thereby improving one’s situational awareness and empowering them to work more effectively and safely in this type of high-threat environment,” Baggett explains.</p><p>Approximately 14,000 American foreign service officers and specialists work at U.S. missions around the world. These Americans are bolstered by more than 50,500 locally employed staff, who are typically citizens of the host country where the U.S. mission is located. </p><p>Some high-threat posts, such as the U.S. Embassy in Baghdad, are also staffed by third-country national security forces—many of which hail from South America or Africa—that are employed under American-owned company security contracts. These guards often supplement the mission’s security force that comprises DSS special agents, special protective specialists, American civilian security force operators, and other personnel. </p><p>“In any embassy or consulate, you’re going to have to heavily rely on foreign service national staff to support operations, including political and economic sections, human resources, general services, and especially the local guard force,” Baggett notes. “These individuals not only speak the native language, they are truly vital to the mission where they are familiar with host country laws, policies, and customs. They serve as an embassy or consulate’s foundation to conduct U.S. foreign policy overseas, have cultivated host country government contacts, and possess the historical knowledge of the mission, which is truly priceless since foreign service officers and specialists typically rotate assignments every one to three years.”</p><p>Maintaining effective communication between a U.S. mission and the host country’s government, regional offices, and local law enforcement is imperative for strengthening the embassy or consulate’s security, as well as the bilateral relationship with the host country, Baggett explains. </p><p>“Many times we would hear information through our foreign service national staff or established professional contacts, but we weren’t hearing it through official channels,” he says. “Other times we’d see plainclothes local law enforcement officers in front of our embassy and wonder why, and two hours later there’s a big protest that we didn’t know anything about. Being able to establish and develop professional local law enforcement relationships is paramount in receiving such potential threat information directly from the field rather than waiting on obtaining information from official channels.”</p><p>Strengthening the strategic relationship between embassy personnel and the host country goes beyond information sharing and includes the physical presence of the embassy. </p><p>Almost 15 years after the 1998 Africa bombings and subsequent implementation of standardized, high-security embassy construction, there was a push to allow more flexibility in embassy design while maintaining certain security standards. Dubbed the Excellence Approach, it gave the State Department’s Bureau of Overseas Building Operations (OBO) the ability to contract directly with individual design firms to “improve embassies’ appearance in representing the United States, functionality, quality, and operating costs,” according to a new U.S. Government Accountability Office (GAO) report.</p><p>“The whole idea of building these new embassies is to get our people into safer and more secure facilities,” says Michael Courts, director of international affairs and trade at GAO. “State Department officials believed they would have greater design control because they could customize the designs to the locations where they were being built.”</p><p>This is important because the previous standard design did not allow for embassy customization based on the region, space availability, or climate, lowering the flexibility and functionality when it came to building new embassies, Courts tells Security Management. </p><p>Instead, the Excellence Approach requires OBO and design firms to work together to make sure certain security standards are met at each unique facility while emphasizing location and design that will further the diplomatic mission. </p><p>The new policy emphasizes considering American values in promoting a sense of openness, accessibility, and transparency through location; proximity to other embassies and host country facilities; and a location that is connected to public transportation and infrastructure, according to the GAO report.</p><p>“How you implement those standards can change depending on what sort of site you’re building on, the density of the surrounding urban area—that is going to be somewhat challenging for the State Department because they are going to have to try to adapt to each context as they build their embassies,” Courts notes.</p><p>Keith Bobrosky, vice president of sales at Delta Scientific, agrees. “It’s subtle to an outsider, but from what we’ve seen it’s very important,” he explains. “For years they had standard embassies—all one design and arguably very militaristic and not very inviting. Now the embassy needs to mimic the surrounding environment aesthetically a lot more, so we still want to keep the utmost in vehicle barrier and perimeter security, but aesthetics play a far more important part when we’re a guest in some of these other countries.”</p><p>Bobrosky has been involved with the implementation of barrier protection at hundreds of overseas building operations for the State Department and the FBI. Despite the design changes, State has been relatively consistent in what it requires for perimeter security at its embassies, he says, but the technology itself is continuously changing to improve longevity and environmental impact. </p><p>For example, Bobrosky notes that embassies have always used hydraulic barrier systems—which rely on hydraulic fluids to operate their motion—but some newer builds have started turning to electromechanical barriers because they are more environmentally friendly. </p><p>“We’ve seen a paradigm shift from hydraulic to a more politically correct product—electromechanical—because there’s no fluid that could leak in these other countries where we’re really a guest,” Bobrosky says. “Some of them are very environmentally aware where they do not want to have any hydraulic fluid possibly hitting the soil.”</p><p>This fits in line with the shift Bobrosky has seen as OBO has implemented the Excellence Approach—placing emphasis on how the embassy can fit in to its surroundings while being respectful of the host country. </p><p>“Sometimes these fences are dozens of years old and the barriers we put in have to match,” he notes. “Or the cobblestone street in front of the embassy may be hundreds of years old, so when we install the bollards we have to meticulously move each cobblestone and replace it in the same manner.”</p><p>The customized embassy approach has been around for five years, but it’s unclear what effect the new, individualized designs have on security, the GAO report notes. OBO employees are divided on whether the Excellence Approach has improved the construction programs—37 percent agreed that it had, 34 percent disagreed, and the remainder were not sure, according to the GAO report. OBO has not defined performance measures to quantify the success of the new approach, the report explains.</p><p>“Without performance measures specific to Excellence and sufficient systems to collect and analyze relevant data, OBO will not be able to demonstrate whether the performance of Excellence projects over time justifies the increased emphasis on and investment in their designs,” according to the report.</p><p>Meanwhile, physical security providers such as Bobrosky continue to see small shifts in operations that make embassies more inviting. He notes that all barrier systems include in-ground vehicle detection, which prevents the accidental deployment of a barrier on an innocent party, such as a gate closing on a cleared vehicle. </p><p>“We’ve seen some changes in the last few years in this argument between safety and security,” Bobrosky explains. </p><p>Some embassies are requiring infrared sensors near their barriers, which are more accurate and would keep barriers or gates from being accidentally deployed on pedestrians. </p><p>“It’s a little less secure because there’s more of a chance for someone to keep the gate from operating as it should, but it’s a lot safer for pedestrians and vehicles alike,” he says. “It’s hard to have the best of both safety and security, because you have to take from one to get more of the other.” ​</p> News: Icelandic Prison Security, The Latest Government Contracts and Partnerships, and MoreGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​INTEGRATED SECURITY FOR ICELANDIC PRISON</h4><p>Holmsheidi Prison is a high-security women’s prison located near Reykjavik, Iceland. The facility has 56 cells and occupies a 9-acre property. The prison required a security system that would provide conventional security, but also allow prison staff to proactively respond to potential incidents.</p><p>Milestone Systems joined forces with Security Center (Öryggismiðstöðin) and Verkís to provide an advanced security solution that combines Milestone XProtect Expert 2016 with CIAS fence and microwave detection systems. High availability is ensured by the failover technology and uninterrupted video recording capabilities in the video management system. The system is designed to reduce the overall cost of ownership and offers unlimited expandability, enabling the prison to control its surveillance investment now and in the future.</p><p>Icelandic project management and engineering firm Verkís is responsible for the project’s building management system and designed the electrical, lighting, and security systems. Security Center, a local security services company, provides the alarm and fence systems.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>CBES installed IP access control systems from ACT at Asda stores and distribution centers across the United Kingdom. Asda is the trading name of Walmart in the United Kingdom.</p><p>ASSA ABLOY announced the integration of its IP-enabled PoE and WiFi access control locks with Millennium Group’s Ultra browser-based access control platform.</p><p>BioCatch will integrate its behavioral biometric technology into the Experian fraud and identity platform, CrossCore.</p><p>BriefCam is delivering solutions powered by NVIDIA technology and deep learning to accelerate video processing performance and enable richer metadata extraction at a reduced cost.</p><p>CNL Software entered a nonexclusive technology collaboration with Sonardyne International Ltd., integrating their products for situational awareness of approaching underwater threats.</p><p>Dahua and DBAPP Security Ltd. signed a strategic agreement to establish a “safety eco-system” in the field of IoT security.</p><p>Genetec Inc. has added STid, a French developer of RFID door controllers, to its access control partners. </p><p>Hanwha Techwin America and Camcloud are partnering to offer cameras that push video directly to the cloud.</p><p>Hikvision joined the HDBaseT Alliance as an Adopter member.</p><p>Lantronix, Inc., signed a distributor agreement with Connector Systems, a division of Ingram Micro Inc., inNew Zealand.</p><p>Leidos will act as an expert service provider for the Fortinet Security Fabric portfolio of solutions. </p><p>Peoples Savings and Loan Company uses Netwrix Auditor to control access to sensitive data.</p><p>OnSSI is partnering with Jemez Technology to make perimeter video surveillance solutions employing AXIS cameras even more effective in protecting critical assets and infrastructure. </p><p>The prpl Foundation and EEMBC announced a formal partnership to advance the use of security-by-separation in Internet of Things edge devices.</p><p>PSA Security Network expanded its suite of cybersecurity products and service offerings designed for physical security systems integrators via new partnerships with IDmachines, Secure Global Solutions, and itSM Solutions.</p><p>Rajant announced that Sharp Electronics Corporation will use its Kinetic Mesh technology as the wireless communications infrastructure for the Sharp INTELLOS Automated Unmanned Ground Vehicle.</p><p>The Safariland Group, parent company of VIEVU, and Veritone will integrate their product offerings to apply artificial intelligence to process data from body-worn cameras.</p><p>Vanderbilt is partnering with Citel Spa to support Italy’s financial and industrial sector.</p><h4>GOVERNMENT CONTRACTS</h4><p>American Signal Corporation and United Telecom Ltd. designed a tsunami early warning system for the government of Tamil Nadu, India.</p><p>Kansas will be the first state to deploy AT&T ESInet, a 911 solution that provides IP-based call routing services to emergency response centers. </p><p>Decision Sciences International Corporation was awarded a contract by the Singapore Ministry of Home Affairs to deploy its passive detection system at the Immigration and Checkpoints Authority of Singapore.</p><p>Evolis was selected by the Shandong Social Security Department for the personalization and instant issuance of credentials that combine a debit card with a social security card.</p><p>HALO Maritime Defense Systems received an award from the U.S. Naval Sea Systems Command to provide an automated waterside security barrier at Naval Station Norfolk, Virginia.</p><p>Gwanak-Gu, South Korea, uses Infortrend storage to support its city surveillance operation.</p><p>Masergy Communications Inc. announced that Eurostar selected the company’s networking and security solutions to facilitate the high-speed railway’s digital transformation initiatives.</p><p>SDI Presence LLC was selected to provide a turnkey digital upgrade of the public address system at O’Hare International Airport in Chicago.</p><p>Sterling High School in Somerdale, New Jersey, implemented Sielox Crisis Lockdown Alert Status System (CLASS).</p><p>Smiths Detection Inc. is partnering with Duke University in a project to advance airport checkpoint x-ray system screening capabilities in relation to a contract with the U.S. Transportation Security Administration.</p><p>The U.S. Marine Corps Warfighting Lab, in partnership with Defense Innovation Unit Experimental, awarded a contract to Sensofusion to further develop its AIRFENCE mobile capability.</p><h4>AWARDS AND CERTIFiCATIONS</h4><p>EyeLock LLC announced two new U.S. patents: for acquiring iris images and for linking an iris image with a facial image.</p><p>Fireglass was awarded ISO 27001 certification, signaling that its information security practices meet the highest international standards.</p><p>Forensiq received Certified Against Piracy and Certified Against Fraud seals from the TrustworthyAccountability Group.</p><p>General Dynamics obtained full operating capability status from the U.S. Department of Homeland Security’s Customs and Border Protection for a remote video surveillance platform.</p><p>For the 11th year in a row, Genetec was named one of the top employers in Montreal by the editors of Mediacorp Canada Inc.</p><p>Hikvision Optical Character Recognition Technology won first prize in the International Conference on Document Analysis and Recognition 2016 Robust Reading Competition. </p><p>Passport Systems, Inc., announced that its SmartShield Networked Radiation Detection System completed formal lab evaluation by the National Center for Spectator Sports Safety and Security.</p><p>The Security Industry Association honored products from its New Product Showcase at the ISC West trade show. Chosen as the best new product was the CrucialTrak Biometric Access Control System. The Judges’ Choice Award went to Hydra for its Thermal Imaging Radar. The judges presented awards in more than 20 product and service categories. See the complete list of winners at</p><p>Security Today magazine announced the 2017 winners in the Govies Government Security Awards. Among the winners in various categories are AMAG Technology, Arteco, Axis Communications, CNL Software, and Medeco Security Locks. See the winners list at</p><p>University of Maryland, Baltimore County defeated nine other finalist teams to win the 2017 National Collegiate Cyber Defense Competition.</p><p>The University of Warwick was recognized as an Academic Centre of Excellence in Cyber Security Research by the United Kingdom’s National Cyber Security Centre and the Engineering and Physical Sciences Research Council.</p><h4>ANNOUNCEMENTS</h4><p>Anixter, Tri-Ed, and CLARK are continuing Tri-Ed’s Stadium Tour training and networking events in U.S. cities during the 2017 baseball season. The daylong events feature technical trainings, dinner, and a ballgame.</p><p>ASSA ABLOY Openings Studio is a plugin to building information management software that helps users design door security solutions.</p><p>BICS will acquire TeleSign Corporation and create an end-to-end Communication Platform as a Service.</p><p>Camden Door Controls expanded its support of Western U.S. and Canadian customers with faster shipping and extended technical support hours.</p><p>The government of Canada implemented a dedicated telephone tip line and online form to accept anonymous tips about fraud, collusion, or corruption in government contracts.</p><p>Carnegie Mellon University (CMU)and Tata Consultancy Services are breaking ground on a new facility to be built on the CMU campus in Pittsburgh, Pennsylvania. The building will include research and academic spaces, an innovation courtyard, rain garden, and a robot yard. </p><p>Cities of Service launched the Prepared Together impact volunteering grant program, which is supported by the Walmart Foundation. Selected cities will engage citizen volunteers in initiatives that prepare the city for disasters.</p><p>Galaxy Control Systems published a new white paper titled Understanding Cloud Services for Access Control.</p><p>Hanwha Techwin is constructing a manufacturing facility in Vietnam’s Bac Ninh province.</p><p>The Heinz College of Information Systems and Public Policy and the CERT Division of the Software Engineering Institute at Carnegie Mellon University launched a Chief Risk Officer Certificate program.</p><p>Mission500 raised more than $125,000 at its eighth annual Security 5K/2K Run/Walk and related sponsorships at this year’s ISC West.</p><p>NTT Security formed the Global Threat Intelligence Center to replace the former Security Engineering and Research Team.</p><p>Observables is a new security solutions company that created a connected service platform that unifies access control, automation, surveillance, and security.</p><p>Orion Entrance Control, Inc., upgraded the company website at </p><p>Point Blank Enterprises and First Tactical merged and will build an integrated clothing and body armor system.</p><p>The Shared Assessments Program released a new white paper: Fourth Party Risk Management: Supply Chain Issues and Emerging Best Practices.</p><p>Security vision products from Siqura are now branded TKH Security Solutions. </p><p>Sword & Shield Enterprise Security launched a new federal division, Sword & Shield Federal, and opened an office in Washington, D.C.</p><p>TASER International is changing its name to Axon.</p><p>Western Governors University is now offering a bachelor of science degree in Cybersecurity and Information Assurance. ​ ​</p> Embraces High-Tech HospitalityGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​With 3 million visitors crossing its threshold annually, the Jacob K. Javits Convention Center is a New York City landmark. It’s hard to miss the six-block long complex, which stretches from West 34th Street to West 40th Street in midtown Manhattan and features more than 840,000 square feet of exhibition space and 28,000 square feet of meeting rooms. Javits hosts an array of events annually, including the New York International Auto Show, the National Retail Federation’s annual convention, and New York Comic Con.</p><p>The Javits Center has undergone changes in recent years, including a $463 million renovation from 2009 to 2014. In addition to improvements to the mechanical and sustainability systems, the upgrade included adding 6,000 new glass panels to the outside.  </p><p>Before the new patterned panels were installed, Javits had a mirror-like façade, making the facility among the top bird-killers in New York City. Birds would frequently fly into the glass walls, not recognizing that the building was there. </p><p>Now Javits is considered one of New York’s bird-friendliest facilities; besides upgrading the panels, Javits installed a green roof space spanning nearly 7 acres, which is home to 26 bird species. This rooftop also lowers the facility’s annual energy consumption by 26 percent by lowering heat-gain and water runoff.  </p><p>But hospitality at Javits is not just for the birds. Providing excellent customer service while maintaining security is a top priority for the center. Security personnel are front and center when customers approach the immediate outside vicinity or enter the building. “We’re engaging the client, making eye contact with the people coming in–we want to be the first person you see when you come in the door,” says Kenneth Dixon, director of security and safety solutions at Javits. “Our focus is a balance between hospitality and security, and finding that right balance is a key to our success.” ​</p><h4>Challenges</h4><p>Being a busy convention center means constantly dealing with theft, lost prop­erty, and other larceny issues, Dixon explains. The type of theft that occurs varies, including exhibitors who steal from other exhibitors, attendees who steal from exhibitors, and employee theft. </p><p>The threat of terrorism also looms large over Javits, where anywhere from 60,000 to 70,000 attendees gather daily. In the spirit of being proactive, security decided to move heavy cement planters to a strategic location in front of the building “to give us a little more protection against vehicular attacks like the ones in London, Berlin, and Stockholm,” he says. </p><p>Unattended packages are also a cause for concern, Dixon says, citing the 2013 Boston Marathon bombings and other terror attacks caused by improvised explosive devices left behind. </p><p>To further address these security concerns, and to align with the new look and feel from the recent renovation at Javits, Dixon explains that there have been several changes to security procedures, technologies, and staffing at Javits. </p><p>“It was the first quarter of 2015 when we started implementing some new policies, and really started to monitor what happened at night, as well as address the legacy larceny complaints that we’ve had,” Dixon says.  </p><p>With a new and improved security operations center, an increase in the security workforce, and a hospitality- centered approach, Dixon is confident Javits is now an even safer place for its customers, vendors, and staff. Here’s a look at some of the ways in which the Javits Center has accomplished that mission. ​</p><h4>Technology</h4><p>Upgrading the center’s security technology was a foundational step in beefing up security at Javits, and the center upgraded everything from cameras to its state-of-the-art command center. Dixon notes that Javits went from 150 legacy cameras to 860 4K-resolution IP cameras from Axis and Arecont Vision in the last year and a half. </p><p>Cameras. As of press time, the center anticipates having approximately 1,000 cameras at the end of this summer. They are situated throughout the facility, Dixon says, including in the exhibit space, at ingress and egress points, and on the loading docks. </p><p>Not only has Javits increased the number and quality of its cameras, but security decided to strategically place them at a visual level where they serve as a deterrent. In the past, cameras were placed above people’s heads and were painted the same color as the walls and columns to create a more visually appealing look.</p><p>Now, however, the cameras are placed lower and unpainted, so they may be clearly seen by everyone who comes to the center. </p><p>“The people who are looking for the cameras really see them, and know that they are being filmed,” says Dixon. “The chances of getting away with something here at the Javits Center are far less than what they used to be.” </p><p>Javits is also currently testing a video management system from Genetec to manage the wealth of footage collected by the cameras. In addition, the cameras have facial recognition technology capability, so that video can be exported to law enforcement for identification if the need arises.  </p><p>Command  center. The command center at Javits is the heart and soul of the safety and security program, Dixon says, and is used for monitoring, dispatch, video review, and alarm monitoring.</p><p>Last spring, Javits put in an 18-monitor video wall from Orion that can be customized to view the cameras chosen by the operator. “That allows us to show 30, 40, 50, 60 cameras at a time—or just one at a time—on 18 monitors,” Dixon explains. “We can quickly change camera layouts on the video wall for whatever’s going on at any given time.”  </p><p>One monitor is dedicated solely to door alarms. Security can also automatically lock large gates and doors with the click of a button. “We have 225 perimeter doors,” Dixon says, “each of the doors has a reader in the door that lets us know whether the door is opened or closed.” </p><p>If a door alarm is triggered, an audible alert, as well as video associated with the incident, automatically populates the monitor. This lets officers easily determine whether a response is warranted. </p><p>The remote open-and-close feature greatly improved convenience for guards working in the building on an overnight shift. “Years ago, we would have dispatched a security guard on the overnight [shift]…he’s maybe two or three city blocks away, and he would have to go open up the gate,” Dixon notes. “Now he can just do that remotely.” </p><p>Members of the safety team who patrol the show floor have smartphones to receive photographs and other media related to any dispatch calls. For example, if a child goes missing, a photo or description can be immediately disseminated. </p><p>Analytics. Frequently, crime at the Javits Center isn’t reported until the victim realizes his or her property is missing, which can be hours after it occurs. Or someone leaves a package unattended, with no trace of who the person was.  </p><p>The security team wanted a video analytics solution to aid in the investigative process, so it turned to BriefCam software, which compresses hours of video into just a few minutes by speeding it up. “We use BriefCam to solve cases of property that may go missing for one reason or another…and for unattended packages,” Dixon says. “It’s been a real game changer for us.” </p><p>If someone leaves a package unattended, or stolen property is reported from a specific place, BriefCam can geofence the area where the item was left or stolen, and show the activity that occurred within a certain timeframe. </p><p>Other specific parameters can be set; for example, if security has information about the color of clothing the suspect was wearing, it can isolate the video to show only people wearing that color. “We’re able to see all the activity around the area of concern, and watch 13 or 14 hours of video in a short period of time,” Dixon says. “That has helped us close significantly more cases.”  </p><p>At the 2016 New York Comic Con show, for example, BriefCam analytics led to several arrests when property went missing from an exhibitor’s booth. Security isolated video to just around the booth and ran analytics to find the thieves. </p><p>“In the past, we didn’t have the ability to run analytics like we had in this case, and the person would have been long gone,” Dixon says. “The show would have been over, and we would have been chasing our tail trying to get all the information.”</p><p>Floor plans. The floor space at Javits is versatile, and conventions can choose the layout they want at their shows. Javits also has 28,000 square feet of flexible meeting room space, meaning that the walls can be easily converted to accommodate smaller or larger groups. </p><p>The center recently moved from traditional locks and keys on its meeting room doors to card readers to provide a greater level of security, and it can assign key cards to clients, which expire when their meeting or convention concludes. </p><p>But flexibility can come with challenges. In the event of an incident or emergency at the facility, pinpointing an exact location in the building for first responders can be difficult, because the Javits Center stretches for six city blocks, and every convention has a unique floor plan. </p><p>“We’ve been struggling over the last year and a half to replace outdated emergency evacuation plans, because we do 175 events every year—and every single one of them is different,” Dixon says. </p><p>When police or fire departments respond to an emergency or incident, they often come to the facility’s main address on West 34th Street. “We have to say, ‘No guys, it’s actually on 39th Street in Hall C.’ Well, they don’t know where Hall C is—so it ends up causing a lot of confusion and a lot of wasted time,” he says.</p><p>A recently declassified geospatial tool from BAE Systems allows Javits to pinpoint a more exact location within the building. The solution works by laying customized show floor plans over the existing blueprint of the center and labeling a grid by numbers and letters. “Now we simply say, for example, ‘Go to H-33,’ and first responders know, within a certain amount of space, that’s exactly where the incident is,” Dixon explains. </p><p>The tool also works as an evacuation map, pointing out ingress and egress routes and the adjacent streets they spill out onto. It also shows first aid office locations and where to find defibrillator machines. “For a building that’s six blocks long, it is extremely difficult to have one security evacuation plan that you can effectively articulate and communicate to everyone who is going to be involved,” Dixon says. </p><p>The safety team has an app from BAE Systems on its smartphones that displays the grid for each show and evacuation routes. Javits eventually hopes to expand that app to first responders. “Right now, we are communicating with responders with a PDF, but they still find that extremely useful,” he notes.​</p><h4>Customer Service</h4><p>“It’s one thing to have all these great procedures and great technology, but our most important asset is our people, and giving them the skills that they need to be successful,” Dixon says. “It’s the foundational aspect to everything we do.” </p><p>Because providing great customer service is a key business component, bolstering the security workforce has been crucial to the improvements at the Javits Center.</p><p>Personnel. A personnel increase has allowed Javits to provide a more robust security force on-site during expositions and events. In the past, clients exhibiting at Javits would depend mostly on their own contract security force. Now they can work more closely with the increased staff provided by the center. </p><p>“There are 25 other companies that are approved to provide security services in the Javits Center, and we, for all intents and purposes, would be the 26th—but we’re here every day,” Dixon says. “We know all the players; we know all of the vendors, contractors, and business partners that are here on a regular basis.” </p><p>The safety team, a proprietary force, went from about 45 members to 80 in the last two years. Many of these full-time employees, called public safety officers, come from law enforcement, loss prevention, or corporate security backgrounds, Dixon explains. </p><p>The philosophy at Javits, he says, is to provide employees with the tools they need to be successful. “When it comes to training, we take it very seriously,” he says, noting that each safety team member receives 40 hours of hostile surveillance training from Israeli firm AS Solution. They also learn verbal de-escalation methods and undergo active shooter training.  </p><p>Javits has even changed the appearance of the guard staff to create a more hospitable environment. “We’ve moved from uniformed supervisors and managers to suits and ties,” Dixon notes. “In a lot of ways, we’ve increased the credibility of our team by taking steps like that.” </p><p>Rather than large radios that hang off their uniforms and are loud enough for anyone nearby to hear, guards now sport a covert two-way radio earpiece. </p><p>Lost and found. With tens of thousands of people moving through its doors monthly, many who come to the Javits Center accidentally leave belongings behind or misplace them. </p><p>In 2015, the safety team implemented a new software tool to manage the wealth of lost and found items that are turned in—since then, the center has experienced a 28 percent increase in lost and found items reported. </p><p>“We follow New York state guidelines for lost property, and we have a chain of custody for every item,” says Dixon, explaining all lost items are logged into a database and put in tamper-proof evidence bags. Security has reunited owners with everything from misplaced iPads to wallets full of cash.</p><p>He adds that people are more likely to report that they have found a lost item when they feel deterred by their environment from stealing it. “There’s an interesting relationship between a good security posture within a facility…and a spike in lost and found,” Dixon says </p><p>Not only are more items being turned in, but Javits has raised the level of lost items returned by 40 percent in the same time period. Because exhibitors and clients often come from other countries, security will ship items overseas to make sure they are returned to their rightful owners. “We’ve even returned a cell phone to Sydney, Australia,” Dixon says. “We will do everything within our means to get it back to that person.” </p><p>Dixon says an act as simple as reuniting a client with a lost item speaks volumes to the customer service provided by Javits. “It really means a lot to us,” he notes. “We take great pride in it, and we’ve actually become really good at reuniting lost property with its owner.” </p><p>Dixon has even personally delivered items to their owners, including an expensive tennis bracelet left at a jewelry exhibition. “The next day we were able to return the jewelry to the owner in New York’s Diamond District. He was thrilled,” Dixon says.</p><p>More improvements are on the horizon for the Javits Center. In early 2016, New York Governor Andrew Cuomo announced a $1 billion expansion for the facility, which will add 1.2 million square feet of additional space. </p><p>A major addition will be a new four-level truck garage to accommodate deliveries for events. This will reduce the need for tractor-trailers to circle around the city block again and again until a loading dock is available—they will be able to move in and out in a timelier manner. </p><p>“This expansion project will…really propel the convention center into the top tier of convention centers nationwide,” says Tony Sclafani, senior vice president and chief communications officer at the Javits Center. “With the new spaces such as new ballrooms, new meeting rooms, and a rooftop event space, we believe that we will attract many major trade shows and conventions that normally would not consider New York.” </p><p>Dixon adds that a huge proponent of the safety improvements was Javits Center CEO and President Alan Steel. “Through the board of directors, our CEO was able to obtain the necessary funding to help push all of this through,” Dixon says. “He’s been extremely supportive.” </p><p>Sclafani adds that security will only be further strengthened as Javits continues to serve its customer community. “It’s important to note that this security upgrade really is an extension of the renovation and changes—it wasn’t done in a vacuum.” </p><p>As Javits anticipates even more improvements, the reinvented approach to security has paid off in measurable ways. In the last two years, the center saw an 86 percent decrease in overnight theft, and a 74 percent decrease in total theft on a year-to-year basis. </p><p>“There are a lot of risks that are associated with being the busiest convention center in the country, and with being located in midtown Manhattan,” Dixon says. “We’ve tried to harden the Javits Center—to become more proactive and to do certain things that we think would deter anyone wishing to do us harm.”  ​</p> the SolutionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​For a small company, South Bay Sand Blasting and Tank Cleaning (SBSBTC), based in San Diego, California, has a big job. The organization completes critical system flushing for the U.S. Navy’s surface vessels and submarines. The flushing prepares ships for the water again after becoming contaminated. “Our team performs this work all over the world; basically wherever the ships break, we go,” says Kirk Boettner, director of the technical flushing division at SBSBTC. This includes Japan, Bahrain, Spain, Diego Garcia, and parts of the United States and its territories, such as Florida, Guam, Hawaii, Virginia, and Puget Sound regions.</p><p>SBSBTC also has one of the largest tank-cleaning operations in San Diego, and provides non-skid surfaces for military vessels’ flight decks, cargo decks, and more.  </p><p>As a U.S. government contractor, SBSBTC must comply with an array of requirements, including security vetting for personnel who need access to the multiple naval installations and vessels where the company does its work. </p><p>“To work on the naval bases, as well as the private shipyards, all of our people have to be drug tested and undergo background checks to make sure they don’t have any felonies, or things of that nature,” Boettner says. He adds that the U.S. government is continually increasing its security requirements for contractors, particularly in the realm of cybersecurity. Many of those requirements are mandated by the U.S. National Institute of Standards and Technology (NIST). <img src="/ASIS%20SM%20Callout%20Images/0817%20CS%20Stats.png" class="ms-rtePosition-2" alt="" style="margin:5px;" /></p><p>“The government in general has raised its bar for what their own people have to do to gain access to information and to gain access to computer networks,” he says, citing recent cyberattacks linked to nation-states like North Korea and China. He acknowledges that contractors are the weakest link in terms of letting hackers access govern­ment information.</p><p>To address this issue and to help keep hackers and cyberterrorists from accessing controlled unclassified information (CUI), the U.S. Department of Defense (DoD) requires all of its contractors to be compliant with the NIST 800-171 mandate by the end of December 2017. </p><p>One of the key provisions in that framework is the use of multifactor authentication—a PIN, biometric, or smartcard will be needed, in addition to a username and password, to log onto computer terminals and into certain government websites. </p><p>For SBSBTC, this meant the company had to develop a policy differentiating between who had access to CUI and who did not. Those with access would need the multifactor authentication. Separating the two types of employees can be a challenging task for a company like SBSBTC, where worker numbers widely vary. </p><p>“In our industry, with the workload spikes and turnover, we could be 400 employees in one month and 70 the next,” Boettner says. “So trying to maintain and manage that policy would be extremely difficult, and require lots of oversight to ensure that we stay in compliance with NIST.” </p><p>That’s where the company’s relationship with SureID, an identity-solutions provider, came in. SBSBTC has been a SureID customer since 2011 when it adopted the RAPIDGate program to gain streamlined access to naval installations. </p><p>The RAPIDGate Program is SureID’s authentication solution, used by the DoD and other U.S. government agencies, that allows physical access to military bases and other facilities in a quick, efficient way. </p><p>At the gate to the Navy installations, armed DoD personnel check the RAPIDGate credential, which has the cardholder’s photo and a barcode. DoD employees use handheld scanners to read the barcode associated with the RAPIDGate Program credential. </p><p>The card also provides multifactor authentication for logging onto computer terminals because it complies with NIST’s Personal Identification Verification standard. That framework verifies the “identity of individuals seeking physical access to federally controlled government facilities and logical access to government information systems,” according to NIST’s website. </p><p>In the end, SBSBTC decided it would be more efficient to certify all of its employees under the new standard, and provide multifactor authentication for the non-RAPIDGate personnel through the SureID Certified PIV-I (Personal Identity Verification Interoperable credential). </p><p>“It was more beneficial to just have our overhead and general administrative staff on the same level as our RAPIDGate personnel, and just say the whole company has access to CUI,” Boettner explains. </p><p>The RAPIDGate card already meets all the protection levels and limits for the requirements in the NIST 800-171 program. “For people who already have RAPIDGate, which is most of the company, it serves both functions,” he says. “It gets them physically onto a location, as well as also covering the two-factor authentication; it’s a two-in-one card.” </p><p>For staff not requiring physical access, the SureID Certified PIV-I credential provides the same access except for admission to military locations and vessels. </p><p>“A PIV-I credential is provisioned with digital certificates, photo, and fingerprint and among the most effective ways of addressing security vulnerabilities both online and on-premise,” a white paper from SureID explains. “A would-be hacker would have to infiltrate a given Public Key Infrastructure (PKI), and hack each individual card where the information is stored. Doing so would be practically impossible for a cyber espionage group physically located on the other side of the  world.” </p><p>A SureID customer service representative came to SBSBTC in March 2017 to fingerprint and photograph the staff who didn’t have the RAPIDGate card to sign them up for the SureID PIV-I credential. </p><p>“They set up a registration station at our facility here and we were able to process through all of our employees over two visits,” Boettner notes. SureID maintains the database for both the RAPIDGate and PIV-I cards.</p><p>When logging onto their computers, SBSBTC employees insert their SureID PIV-I or RAPIDGate card into a reader and enter their username and password. The cards are valid for a three-year period and can be renewed electronically. </p><p>Boettner adds that there is much more to meeting the NIST 800-171 requirement than credentialing employees for multifactor authentication. </p><p>“There’s a myriad of other changes we had to go through,” he says. “We had to get a whole new firewall, brand new hardware in our network closet, we had to switch servers; we had to do all these different things to be compliant.”</p><p>He notes that the SureID PIV-I credential, however, has made a huge difference moving toward meeting the deadline. </p><p>“We’ve advanced very far down the requirement ladder because of them,” he says. “Probably more than a third of the work….we knocked out just by working with SureID.”  </p><p><em>For more information: Aaron Cohen,,, 503.924.5297 ​</em></p> News: ASIS 2017 Updates, Board Certifications, ASIS NYC Recap, and MoreGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​ASIS 2017: Solutions to Global Challenges</h4><p>Consider the first week of June: a sensitive U.S. National Security Agency document was leaked; attackers used a van to mow down pedestrians on London Bridge and then used knives to attack people in Borough Market; an ex-employee shot and killed five former colleagues at an awning factory in Orlando; and a cyberattack took down all systems of the Al Jazeera Media Network. The various actors, attack vectors, targets, and geographies of these incidents—all in a single week—underscore how diverse the threat is that confronts security and law enforcement around the world.</p><p>While incidents of espionage, cybercrime, terrorism, and violence continue to gain headlines, security professionals need to adapt. What worked just a few years ago is not enough for today’s volatile environment. Whether security practitioners are protecting a small organization or a global enterprise, it is critical for them to stay informed about innovations and learn best practices from experts in the industry. That’s the mission of ASIS 2017.</p><p>For more than six decades, the ASIS International Annual Seminar and Exhibits has stood as the premier educational and networking event for security professionals worldwide. ASIS 2017, taking place in Dallas, Texas, September 25–28, is the one event where security professionals across all disciplines and industry sectors gain insights from thought leaders and engage with product and service providers who can help translate expertise into solutions. This kind of networking and shared purpose builds community, which is the heart of the Seminar experience and what keeps attendees returning year after year.</p><p>“Now more than ever, harnessing the collective wisdom of a global community of peers by sharing ideas and best practices is critical,” says Peter J. O’Neil, CAE, CEO of ASIS International. “We have worked hard to make sure that our conference program meets this need. From breakout sessions, case studies, and lectures to panel discussions, demonstrations, and simulations—our learning program is designed to deepen connections, foster information sharing, and provide practical applications that can be used to advance each attendee’s educational needs.” </p><p>This year’s event offers the most comprehensive education program in Seminar history. The lineup includes more than 180 sessions aimed at helping security professionals keep pace with emerging threats, approaches, and best practices impacting the profession. Topics include Enterprise Security Risk Management (ESRM); drone/UAV reconnaissance and surveillance; active shooter, assailant, insider threat, and soft target attack response; radicalization and violence mitigation; big data, analytics, and the Internet of Things; cybersecurity and privacy; and workplace violence.</p><p>For example, the “Lone Offenders, Radicalization, and Violence Prevention” session on September 25 will teach attendees how to expand their organizations’ workplace violence prevention programs to identify and respond to behaviors that may be indicative of insider radicalization. “Defusing Hostile People” on September 25 will demonstrate how to use mental methods and tools to effectively respond to a hostile or potentially violent situation. </p><p>And those looking to learn how to apply ESRM principles will find an entire track of options. On September 26, presenters in “The Future of Cyber Security Risk? Wake up, You’re There” session will use ESRM concepts and theories to talk about cybersecurity risks as part of an overarching security risk management program. Later that day, “Enterprise Security Risk Management Requires a New Conversation Among the Executive Team” will examine how to become literate, not just in the language of security or business but in the language of technology and new external threats.</p><p>This is just a small sample of the expert-led sessions being presented at ASIS 2017. In addition, extensive education will be offered on the exhibits floor, including career development best practices, impact learning sessions, and product and service demos. </p><p>Terrorism and violence threaten our workplaces “in addition to the day-to-day issues we face that never make the news but impact us directly and immediately,” says Thomas J. Langer, CPP, 2017 president of ASIS International. “This year’s education program reflects this reality. From the global perspectives provided by the morning keynotes to innovative learning formats and learning lab experiences on the exhibits floor, our aim is to ensure attendees have the intelligence and professional connections to protect the people, property, and assets entrusted to their care.” </p><p>ASIS 2017 promises unprecedented educational value to attendees—addressing the full spectrum of security—through partnerships with leading organizations such as the Information Systems Security Association (ISSA) and InfraGard. To learn more about ASIS 2017, visit​</p><h4>Support the Foundation </h4><p>In the past three months, full-tuition scholarships were awarded to eight security professionals from around the world to pursue undergraduate and graduate degrees at the University of Phoenix and Webster University. In addition, 10 active-duty military and law enforcement professionals are one step closer to achieving their board certifications—all thanks to ASIS Foundation awards and scholarships. These life-changing programs are funded solely through voluntary donations from individuals and companies who support the Foundation’s mission to provide valuable research and scholarship opportunities.</p><p>At ASIS 2017, there are many ways to help support this work—and have fun while doing so! Kick off Seminar week at the Golf Tournament, Sunday, September 24, at the Cowboys Golf Club in Grapevine, Texas. This is a great way to catch up with clients and colleagues at the world’s only football-themed golf club. Later that night, visit Gilley’s Dallas for the Opening Night Celebration. Thousands of peers will be on hand for a truly Texas experience featuring armadillo racing, live music, and the opportunity to donate to the Foundation by participating in the mechanical bull riding competition. </p><p>Need to update your professional photo? Head over to the Headshot Lounge located near the Career Center on the Expo Floor, which will be equipped with photographers and makeup artists. This free service is sponsored by the Foundation. Donations are accepted and appreciated. </p><p>The Foundation will also sponsor several education sessions at ASIS 2017, including “Intelligent Building Vulnerabilities: Is There an Open Door into Your Facility?” on Monday, September 25; “Use Metrics Dashboards to Manage Enterprise Security Risks” on Tuesday; and “Archaeological Site Security: Clunia, Huerta De Rey, Spain” on Wednesday. </p><p>Stop by the ASIS Hub (#1613) on the exhibit floor to learn more about the Foundation’s work or visit </p><h4>​PRE-Seminar Programs</h4><p>Whether you want to cultivate a better understanding of IT security, security risks for financial institutions, or best practices for successful security consulting, the ASIS Pre-Seminar Program is designed to jump-start your education prior to ASIS 2017. The pre-show options also include ASIS certification reviews.</p><p>Understanding IT. Having a basic understanding of information security is essential to protecting physical security systems from cyberthreats, thereby improving the overall enterprise security position of an organization. Sunday, September 24, from 8:00 a.m. to 4:00 p.m., “IT Security for Physical Security Professionals—In Plain English,” sponsored by the ASIS ESRM Commission, will offer key resources and tools to use in navigating information security issues. </p><p>“Too often, physical security and cybersecurity professionals operate independently of one another, which prevents a holistic, enterprise risk-based approach,” says session leader Dave Tyson, CPP, CEO at CISO INSIGHTS and chair of the ASIS International ESRM Commission. “This session will use plain English to arm physical security professionals with the cybersecurity basics they need to communicate across that divide and begin working towards a more unified security posture. It will also serve as a valuable foundation for physical security professionals who are looking to extract even more value from the more technical cybersecurity sessions offered throughout the week ahead.”</p><p>Financial risk. Practitioners in the financial sector will want to attend the “Security Risks and Mitigation Strategies for Financial Institutions” program, sponsored by the ASIS Banking and Financial Services Council on Sunday from 8:30 a.m. to 5:00 p.m. During this session, subject matter experts will address threats to global financial institutions, as well as mitigation strategies. Immediately following the program, a networking reception will afford an opportunity to connect with security leaders in the financial services industry.</p><p>Consulting. The “Successful Security Consulting” program will provide insight on how to develop and market yourself as a security consultant while avoiding expensive mistakes. Sponsored by the International Association of Professional Security Consultants, the program is offered from 8:00 a.m. to 5:00 p.m. on Sunday.</p><p>Certification. Certification Review Programs provide a high-level review of the security concepts tested on the CPP, PCI, and PSP exams. Attendees will also take a sample test to gauge areas of strength and identify where to best focus their study efforts. Each class will take place from 8:00 a.m. to 5:00 p.m. on Saturday, September 23, and continue from 8:00 a.m. to 2:00 p.m. on Sunday.</p><p>Don’t miss the opportunity to begin your ASIS 2017 experience at the Pre-Seminar Programs. To register or learn more, please visit the Pre-Seminar Programs section of the ASIS 2017 website, located under the Conference tab.</p><h4>​40 Years of Board Certifications at ASIS 2017</h4><p>This year marks the 40th anniversary of the ASIS International Board Certification Program, which began in 1977 with its first certification credential—the Certified Protection Professional® (CPP). ASIS was the first organization to offer a credential specifically for security managers, and it remains the global standard. </p><p>ASIS will recognize this milestone anniversary with special activities during ASIS 2017. Newly certified individuals as well as all certificants in attendance will be acknowledged during the networking luncheon on Monday, September 25.</p><p>In addition, the four individuals who have held the CPP certification for all 40 years will be celebrated at an awards presentation. Be sure to check out the Show Daily to read the interviews with these board-certified superstars. </p><p>• Dr. James D. Calder, CPP, Professor at University of Texas at San Antonio </p><p>• Don W. Walker, CPP, Chairman of Securitas Security Services USA, Inc.</p><p>• Dr. Kenneth G. Fauth, CPP, Senior Consultant at K. Fauth, Inc.</p><p>• James P. Carino, Jr., CPP, Senior Consultant at Executive Security Consultants</p><p>Stop by the ASIS Hub (Booth #1613) to get details on additional celebratory plans and for answers to your certification questions.  ​</p><h4>ASIS NYC HIGHLIGHTS</h4><p>The ASIS 27th New York City Security Conference and Expo was packed with thought-provoking sessions, interactive panels, and engaging exhibitors. The event, held at the Jacob K. Javits Convention Center in early June, opened with a keynote by Paul Fitzgerald of the Boston Police Department, who was present during the 2013 Boston Marathon bombing. He gave attendees a captivating play-by-play of the events following the explosions. After an exhausting 72 hours—filled with managing social media speculation, a shootout, a carjacking, and a citywide shelter-in-place—Fitzgerald described the capture of the younger Tsarnaev brother, which played on live television. </p><p>He discussed the changes made in the years since the bombing and said that partnerships between law enforcement and private entities are more imperative than ever. “The criminals are networking and that’s why it is so critical that we do as well,” Fitzgerald said.</p><p>Steve Crimando of Behavioral Science Applications followed the keynote with a discussion about how social media and fake news feed into terrorist operations. “Terrorism is not designed to cause the cracks,” Crimando explained. “It is by the continued use of ambient fear over time that those small tactical strikes deepen and widen those cracks.”</p><p>Following a break, former Time Warner CSO Brian Allen, CPP, led an off-the-cuff discussion about how to shift security from a trade to a profession and better define the role of security managers. </p><p>“Industry folks are starting to talk about security management,” he noted. “It’s getting beyond tech issues and talking about legal liability, protests, and reputational issues. That’s where we should get to.”</p><p>An afternoon panel session on protecting America’s cities was led by Fitzgerald; Lori A. Hennon-Bell, CSO of Prudential Financial; John P. Cronan of the U.S. Attorney’s Office in the Southern District of New York; and James Waters, counterterrorism chief with the New York City Police Department (NYPD). They discussed public-private partnerships, combating violent extremism, the private sector’s role in mitigating risk, and challenges in prosecuting terrorism cases. </p><p>The following day, cybersecurity expert Iain Paterson led a discussion about organized crime as a cyberthreat. Brian Jantzen and Jared Van Driessche of AS Solution gave a joint presentation on how security professionals need to consider the Internet of Things (IoT) when making an executive protection plan.</p><p>The NYC Chapter Person of the Year Luncheon honored New York City Police Commissioner James P. O’Neill and other industry superstars. The Eugene J. Casey Award for Service was presented to Craig Schwab, CPP, former chair of the ASIS NYC chapter. Raymond L. Dean, CPP, was presented with the Joseph A. Spillane Lifetime Achievement Award. Chapter Chair Lynn Brown offered a touching tribute to the wife and son of NYPD Detective Steven McDonald, who passed away in January. </p><p>Accepting the Person of the Year Award, Commissioner O’Neill talked about a neighborhood policing model on the streets of New York that allows officers to take ownership of their beats and identify problems in the community. “Murders are down, shootings down…and to think that after all these years we can continue to push violence down is a testament to men and women of the NYPD,” O’Neill said to applause. “Partnership with everyone in this room is critical. I’m humbled—I started out as transit cop, and never in my wildest dreams did I think I’d be up here.” </p><p><em>By Lilly Chapa, assistant editor at</em> Security Management.<em> Contact her at  Follow her on Twitter @lillychapa.​</em></p><h4>MEMBER BOOK REVIEW </h4><p>Corporate Executive Protection. By Christian West and Brian Jantzen. AS Solution; available from ASIS; 250 pages; $35 (ASIS members); $39 (nonmembers).</p><p>This is not a how-to book for individuals looking to enter the protection field as a bodyguard or executive protection specialist. It’s not about how to protect individuals as they exit a vehicle and enter a stadium where they are the main event. It’s not about what formation works best when moving a motorcade through an urban environment. </p><p>Instead, Corporate Executive Protection is a book about why the board of directors should consider an executive protection program, and it examines the benefits and potential issues of establishing a program. How will a proposed program affect the principal being protected? Does the program address the risks and threats faced by the principal? How does the program affect the principal’s family and private life? These and other questions are realistically addressed in this book.</p><p>Who will benefit from this publication? Just about anyone participating in the assessment, design, and review of an executive protection program for corporate principals and their families. This includes members of the board of directors, corporate staff supporting the executive protection effort, internal and contract executive protection managers, and others seeking to understand executive protection from a corporate point of view. It’s all about designing and justifying a solid program that will be valued by the corporation and the principal.</p><p><em>Reviewer: William “Bill” Leap, CPP, is the vice president of security services for Chicago-based Titan Security Group. He is a member of the ASIS Security Services Council. ​ ​</em></p> Breach TrendsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Early in the afternoon on May 12, 2017, the United Kingdom’s National Health Service (NHS) confirmed that it had been hit by a massive ransomware attack that was spreading its way around the globe.</p><p>“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said in a statement, confirming that at the time it was released, 16 of its organizations had been affected by WannaCry ransomware.</p><p>MalwareTech, a cybersecurity blogger and researcher, saw that NHS had been hit by the attack at approximately 2:30 p.m. That fact tipped him off “that this was something big,” MalwareTech wrote in a blog post.</p><p>To find out what was happening, he got a sample of the malware, ran an analysis, and registered an unregistered domain for $10.69 that the malware had queried. </p><p>“Now one thing that’s important to note is the actual registration of the domain was not on a whim,” MalwareTech explained. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server domains.”</p><p>In the course of registering that domain name, however, MalwareTech effectively stopped WannaCry, the ransomware infecting 200,000 computers globally, demanding that users pay a ransom of about $300 in Bitcoin to decrypt their data.</p><p>MalwareTech’s efforts, along with an emergency patch released by Microsoft for Windows XP (which hasn’t been supported since 2014), stopped WannaCry. But that doesn’t mean they will be so lucky in the future as ransomware and other types of crimeware become more prevalent.<img src="/ASIS%20SM%20Callout%20Images/0817%20Cyber%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;" /></p><p>In the recently released Verizon 2017 Data Breach Investigations Report, Verizon analyzed data from 65 organizations and found that 88 percent of breaches fell into nine patterns identified in 2014: crimeware, cyber espionage, denial of service, insider and privilege misuse, miscellaneous errors, payment card skimmers, point-of-sale intrusions, physical theft and loss, and Web application attacks.</p><p>These attacks are successful, in part, because most companies erroneously believe they won’t be targeted, wrongly think they have the basics of cybersecurity covered, are failing to set strong password requirements, and are relying on how they have always done things—as opposed to being innovative and proactive.</p><p>“While attackers are using new tactics and tricks, their overall strategies remain relatively unchanged,” the Verizon report explains. “Understanding them is critical to knowing how to defend your organization from cyberattacks.”</p><p>The report also finds that it’s not just major companies being targeted. Instead, 61 percent of breaches in the report affected businesses with fewer than 1,000 employees.</p><p>Manufacturing, healthcare, and the financial services sectors were major targets for data breaches in 2016. But Verizon Global Head of Cybersecurity Strategy and Marketing John Loveland said that companies should not be distracted by that fact.</p><p>“I would say put a big emphasis on ‘industries most at risk,’ but that can be unhelpful because I think it may distract from the idea that every organization is a potential target,” Loveland said in a Verizon podcast interview.</p><p>Bryan Sartin, Verizon global security services executive director, echoed Loveland’s comments, and said that no organization should rest on its laurels.</p><p>Though they may be in denial, org­an­izations are going to be targeted, Sartin explained on the podcast. “Whether it’s design plans, medical records, or good, old-fashioned payment card details—somebody, somewhere will see it as their meal ticket and as an opportunity to get a hold of that, exploit vulnerabilities, find that data, get it out, exfiltrate it, and try to convert it into cash. Most cybercriminals aren’t that fussy about who they steal from.”</p><p>Ransomware. One of the unchanged strategies that cybercriminals are using is ransomware, which was the twenty-second most common form of malware in 2014. It’s now moved up to the number five position.</p><p>“For the attacker, holding files for ransom is fast, low risk, and easily monetizable—especially with Bitcoin to collect anonymous payment,” according to the Verizon report. Due to the success of ransomware in the past several years, criminals have become more innovative about how they use it to turn a profit.</p><p>“Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people,” the Verizon report says.</p><p>And while the hackers behind WannaCry didn’t make a great deal of money from the ransomware—CNBC estimated they made about $50,000 in Bitcoin in May—the way the malware spread was concerning for future attacks, says Jonathan Couch, senior vice president of strategy at ThreatQuotient, a threat intelligence platform.</p><p>This is because WannaCry spread through an initial infection, such as a malicious email that was opened, but from there operated like a peer-to-peer network, he explains.</p><p>“Clients would search for other clients on the network, spreading that way, rather than having a user spread the ransomware,” Couch says, adding that this is one of the reasons that WannaCry spread so quickly—because it was able to do so on its own.</p><p>The ability of ransomware to target an organization, as opposed to an individual, was a major change to ransomware in 2016, and attackers combined this tactic with other strategies to make their efforts even more successful.</p><p>“Ransomware campaigns targeting organizations often have additional characteristics, such as credential theft to spread the attack throughout the organization, delayed encryption to infect as many machines as possible before detection, and code that targets corporate servers as well as user systems,” according to the report.</p><p><img src="/ASIS%20SM%20Callout%20Images/0817%20Cyber%20Fact%20Box.png" class="ms-rtePosition-1" alt="" style="margin:5px;width:282px;" />These tactics will likely make future versions of ransomware even more powerful than what has been seen so far, Couch says. “People are going to improve the peer-to-peer to spread [ransomware] faster, and are going to use more encryption within their code to hinder analysis,” he adds. </p><p>Couch also predicts that future models will actually extract data from victims’ systems and encrypt it—rather than encrypting the data on the existing network. “One of the ways to fight ransomware is to do a backup…so if I have a good backup, I just use that,” Couch says. “If you have taken all my files, now I run the risk of you exposing my information.”</p><p>While ransomware is not likely to go away anytime soon, the security industry is stepping up to the challenge to detect ransomware before infections become critical, protect organizations from criminal campaigns, and help rescue ransomed systems without paying cybercriminals.</p><p>The industry is doing this by improving endpoint protection and detection of ransomware, sharing threat information with law enforcement agencies and other organizations, and supporting the No More Ransom! Campaign. </p><p>Started in July 2016, the campaign now has 57 corporate, association, and public sector members that work to help victims recover their encrypted data without paying ransoms.</p><p>“To that end, currently hosts 27 decryption tools, which can recover files from a wide range of ransomware families,” according to the report. “No More Ransom! calculates that they have successfully diverted more than $3 million from criminals by offering free decryption tools to thousands of victims around the world.”</p><p>Cyber espionage. Another major pattern in 2016 identified by the Verizon report was the increase in the number of attacks linked to state-affiliated actors who may—or may not—have a motive of espionage.</p><p>Twenty-one percent of the breaches examined by Verizon in the 2017 report were related to espionage, and the manufacturing sector accounted for 86 percent of the breaches. And of those breaches, 73 percent of perpetrators used a combination of a social engineering attack—such as a phishing attack—to install malware.</p><p>“A malicious email is the cyber spy’s favored way in. But this is no smash and grab,” according to the report. “The initial email is typically followed by tactics aimed at blending in, giving the attacker time to collect the data that they need.”</p><p>Attackers want to infiltrate their target, find out where its secrets are kept, and then slowly collect them until they are detected—ideally, as long as possible. </p><p>“When state-affiliated actors are involved, their operations are targeted attacks, rather than opportunistic,” the report explains. “In other words, the criminals are coming directly for a particular organization with a specific purpose in mind.”</p><p>The cyberattacks on French President Emmanuel Macron’s campaign in spring 2017 is a prime example of this tactic. After Russia’s efforts to influence the U.S. presidential election in 2016, Macron’s team knew it was likely to be targeted by similar efforts to help Russia-friendly candidate Marine Le Pen win. After winning a position in the final round of the election, Macron’s team began to receive sophisticated phishing emails.</p><p>Because Macron had limited staff resources, his team decided to create a disinformation campaign to confuse any potential hackers instead of focusing on keeping the hackers out altogether, said Macron’s digital director, Mounir Mahjoubi, in an interview with The New York Times following the election.</p><p>Mahjoubi said the team went on the counteroffensive, creating false accounts full of fake content that could be used to trap hackers. This way, once the hackers got into the accounts, they would have to spend precious time determining what content was fake and what was real.</p><p>While this was effective in slowing down the hackers and preventing the hack from being completely damaging, it’s not the best defensive approach to take, says Alex Vaystikh, cofounder and chief technology officer of SecBI, a threat detection provider.</p><p>“If we look at it from a defensive point of view, it’s a bad approach in terms of defense because the defense has come to the conclusion that there’s nothing it can do to prevent the hack,” Vaystikh explains. “The only way is to confuse the hacker with enough false information that when he gets in, he’ll have to go through certainly a lot of noise. Kind of a denial of service attack on the hackers with information.”</p><p>Several companies have taken this same approach to cybersecurity, which Vaystikh says is frustrating because it seems that they have resigned themselves to the fact that hackers are going to get in.</p><p>“It’s somewhat frustrating in the world of cybersecurity because it means that we’ve given up... and our only hope is that by the time [the hacker] gets the sensitive information and figures out what it is, it will no longer be that sensitive,” Vaystikh adds.</p><p>Instead, companies should be proactive about securing their systems and monitoring them, he argues, echoing suggestions from Verizon’s report.</p><p>For instance, Verizon recommends that companies separate their highly sensitive data to allow only those who need access to have access, provide phishing training to all employees, monitor internal networks, and implement data loss prevention controls “to identify and block improper transfers of data by employees.”</p><p>According to the Verizon report, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.” ​ ​ ​</p> Dirty Secret of Drug DiversionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Controlled substances were going missing at Hennepin County Medical Center (HCMC), and the hospital’s security investigator, William Leon, was determined to get to the bottom of it. So, at 11 p.m. on a Friday, Leon settled in for a night of observation at the Level I trauma center in Minneapolis, Minnesota. He kept a trained eye on one registered nurse who was suspected of stealing hydromorphone, an opioid pain medication, for her personal use.</p><p>HCMC has cameras set up in the medication room to monitor controlled substances, and Leon watched as the nurse began gathering prescribed medication for a patient in the emergency department. The process, called wasting, requires the healthcare worker to take a fresh vial or syringe full of medication and then dispose of the excess, leaving only the correct dosage—all with a witness present. Leon observed the nurse dispense a syringe of hydromorphone from the medicine cabinet, and, while a fellow nurse was signing off on the withdrawal, she placed the syringe in her pocket and pulled out an identical syringe, which Leon later learned contained saline. The nurse held up the saline syringe and wasted the required amount, tricking her fellow nurse, and left the room.</p><p>At this point, Leon knew exactly what was going on, and watched with increasing alarm as the nurse headed to a patient’s room in the orthopedic area of the hospital. “In that area, I knew immediately, this patient could have a broken bone—they were in intense pain and requiring this medication,” Leon says. “I see a lot of doctors standing around and I’m thinking ‘uh oh, this patient is going to get saline.’”</p><p>Leon raced to the room and saw that the doctors had given the patient the saline the nurse had brought up. “The patient was still screaming in pain and the doctor was frantically asking the nurse, ‘Are you sure you got the right dosage? Are you sure it was hydromorphone?’ and she was insisting she had,” Leon says. He called the doctor and the nurse into the hall and explained that the patient had just gotten saline and still needed the proper pain medication because the nurse had diverted the hydromorphone in the medication room. The doctor went to properly treat the patient and Leon called the nurse manager and the local sheriff’s detective in to begin an official investigation into the nurse’s actions.</p><p>Drug diversion in the United States is a nebulous problem that is widespread but rarely discussed, experts say. Whether in manufacturing plants, retail pharmacies, hospitals, or long-term care facilities, healthcare workers are stealing drugs—typically for their own personal use—and putting themselves, patients, and coworkers at risk. </p><p>“I hate to tell you, but if you have controlled substances and dispense narcotics, you’ve got diversion going on,” says Cherie Mitchell, president of drug diversion software company HelioMetrics. “It’s just a question of whether you know it or not.”</p><p>The scope and frequency of drug diversion is almost impossible to grasp, due in large part to how diversion cases are addressed. A facility that identifies a diversion problem might bring in any combination of players, from private investigators and local law enforcement to state accreditation boards or the U.S. Drug Enforcement Agency (DEA). There is no overarching agency or organization that records every instance of drug diversion in the United States.</p><p>Controlled substance management is dictated by a number of laws, including the U.S. Controlled Substances Act of 1971, which classifies substances based on how they are used and the potential for abuse. It also dictates how the substances are dispensed, and a facility may be fined if it does not comply. </p><p>The closest estimates of drug diversion rates come from people or organizations who dig up the numbers themselves. The Associated Press used government-obtained data in its investigations on drug diversion at U.S. Department of Veterans Affairs (VA) medical centers. Reported incidents of diversion at about 1,200 VA facilities jumped from 272 in 2009 to 2,926 in 2015, the data revealed, and the VA inspector general has opened more than 100 criminal investigations since last October. John Burke, president of the International Health Facility Diversion Association, extrapolated data he obtained from facilities in Ohio to estimate the presence of 37,000 diverters in healthcare facilities across the country each year. </p><p>Mitchell points out that any statistic derived from officially collected data still wouldn’t accurately reflect the extent of drug diversion in the United States. “There’s a lot of people investigators really suspected were diverters but had to be chalked up to sloppy practice due to a lack of concrete evidence, so any statistic is talking about known diverters who are fired for diversion,” she tells <i>Security Management</i>. “Even if you did have a statistic, it would be off because how do you incorporate those so-called sloppy practicers, or diverters who thought they were about to get caught so they quit on you and left? No matter what number you come to, it’s probably bigger in reality.”​</p><h4>Addiction and Diversion</h4><p>Although more people are paying attention to drug diversion due to recent high-profile cases and the current opioid epidemic in the United States, experts say they have been dealing with the same problems their entire careers. </p><p>“I can personally tell you that I dealt with the same issues 15 or 20 years ago that the healthcare arena is facing today, specifically in the drug abuse and diversion by their own hospital healthcare employees,” says Charlie Cichon, executive director of the National Association of Drug Diversion Investigators (NADDI) and a member of the ASIS International Pharmaceutical Security Council. “There are different drugs today, of course, than there were 20 years ago.”</p><p>Susan Hayes has been a private detective for healthcare facilities for more than a decade and says the opioid epidemic has magnified the drug diversion problem in recent years. “The opioid addiction in America has lit my practice on fire,” she says.</p><p>It’s no secret that opioid addiction has reached epidemic levels in the United States. In 2010, hydrocodone prescriptions were filled 131.2 million times at retail pharmacies alone, making it the most commonly prescribed medication, according to the Mayo Clinic. However, those are just the numbers that were legally prescribed—about 75 percent of people who take opioids recreationally get them from a friend or family member. According to the U.S. Centers for Disease Control and Prevention (CDC), approximately 52 people in the United States die every day from overdosing on prescription painkillers.</p><p>Healthcare workers are not immune to the draw of opioids. In fact, up to 15 percent of healthcare workers are addicted to drugs or alcohol, compared to 8 percent of the general population, according to the Mayo Clinic. </p><p>“Healthcare providers are in very stressful jobs,” Hayes says. “They all have problems. Nurses have emotional attachments to patients that they see die. Even orderlies have very stressful physical jobs, they’re lifting patients. Pharmacists can make mistakes that mean life or death. You have people that are already in very stressful situations, and now you give them access to drugs…. I think the combination is almost deadly.”</p><p>While a bottle of 30mg oxycodone tablets can sell on the street for up to 12 times its price in the pharmacy, most drug diverters are addicts using the drugs themselves. Because of this, diversion shouldn’t be considered just a security concern but a patient safety concern, Cichon says. He references several high-profile diversion cases in which the diverters used the same syringe full of medicine on both themselves and their patients, spreading bacterial infections and hepatitis. In one especially egregious case, a traveling medical technician with hepatitis C would inject himself with his patients’ fentanyl and refill the same syringe with saline, ultimately spreading the virus to at least 30 people in two states.</p><p>Unfortunately, experts acknowledge that most diverters don’t get caught until they have been diverting for so long they start to get sloppy. “The people who are your real problem are the people who are hiding in the weeds, not doing enough to get caught, and those are the ones you want to find,” Mitchell says. “The people they are finding now are the people that have the needle in their arm or somebody has reported them. You want to try to find them before that.”​</p><h4>Out of the Loop</h4><p>Hayes details the path of drugs through a hospital: a pharmacy technician orders the medication from a wholesaler, who will deliver them to the hospital pharmacy. The drugs are sorted and stocked in the pharmacy, where they will remain until they are brought up to the patient floors and stored in various types of locking medicine cabinets. When a patient needs medication, a nurse goes to the medicine cabinet and dispenses the drug for the patient. </p><p>Another ASIS International Pharmaceutical Council member—Matthew Murphy, president of Pharma Compliance Group and former DEA special agent—describes this as the closed loop of distribution. “Once a drug is outside of the closed loop, when it gets dispensed from a pharmacy or administered by a doctor, it’s no longer in the purview of DEA rules and regulations,” he explains. Drugs are most likely to be diverted during those times when they are in transit or exchanging hands, outside of the closed loop.</p><p><strong>Wholesalers.</strong> When fulfilling a pharmacy’s request for medication, wholesalers have just as much of a responsibility to notice if something is amiss as the pharmacy does. Whether it’s a retail pharmacy or a hospital pharmacy, wholesalers are responsible for cutting them off if they start to request unusually high amounts of opioids. </p><p>In 2013, retail pharmacy chain Walgreens was charged $80 million—the largest fine in the history of the U.S. Controlled Substances Act—after committing record-keeping and dispensing violations that allowed millions of doses of controlled substances to enter the black market. Cardinal Health, Walgreens’ supplier, was charged $34 million for failing to report suspicious sales of painkillers. One pharmacy in Florida went from ordering 95,800 pills in 2009 to 2.2 million pills in 2011, according to the DEA. </p><p>Hayes says the fine against the wholesaler was a wake-up call, and now suppliers use algorithms to identify unusual spikes in orders of opiates. Wholesalers can even stop the flow of medication to pharmacies if they believe diversion is occurring—which can be disastrous to a trauma center, Hayes notes.</p><p><strong>Pharmacies.</strong> To restock the shelves, pharmacy technicians compile lists of what medications they are low on to send to the wholesalers at the end of each day. Hayes notes that many pharmacies do not conduct a retroactive analysis on what is being purchased—which is why wholesalers must pay attention to any unusual changes in orders. She stresses the importance of constantly mixing up the personnel who order and stock medications. </p><p>“If you’re both ordering and putting away drugs, that’s a bad thing because you can order six bottles when you only need five and keep one for yourself,” Hayes notes. </p><p>Similarly, it is important to rotate who delivers the drugs to the patient floors. “John the technician has been taking the drugs up to the floors for the last 20 years,” Hayes says. “Well gee, did you ever notice that John drives a Mercedes and has two boats and a house on Long Island? He makes $40,000 a year, did you ever do any investigation into why?”</p><p><strong>On the floor. </strong>Experts agree that the most egregious diversion occurs during the wasting and dispensing process in scenarios similar to the incident Leon witnessed at HCMC. Mitchell explains that all hospitals have different wasting procedures—some require nurses to waste the medication immediately, before they even leave the medication rooms, while others may have a 20-minute window. Other hospitals may prohibit nurses from carrying medication in their pockets to prevent theft or switching. ​</p><h4>Investigations</h4><p>Any company involved with controlled substances, whether manufacturing, distributing, or dispensing, must be registered with the DEA and must adhere to certain rules and regulations—which aren’t always easy to follow.</p><p>Murphy, who worked for the DEA for 25 years, now helps companies follow mandates he calls “vague and difficult to interpret.” For example, DEA requires anyone carrying controlled substances to report “the theft or significant loss of any controlled substance within one business day of discovery.”</p><p>“This hospital had 13 vials of morphine that ‘went missing’ and someone called me in to find out why,” Hayes says. “They asked me, ‘Are 13 vials substantial or not? Do I really need to fill out the form?’ I counsel them on what’s substantial because the language is very loose.”</p><p>Depending on the frequency or significance of these or similar forms, the DEA may open an investigation, Murphy explains. “DEA will look at these recordkeeping forms and determine if in fact everything has been filled out correctly, that they have been keeping good records,” he says. “If DEA determines that they are lax or have not been adhering to requirements, there could be anything from a fine to a letter of admonition requiring corrective actions.” In more serious cases, DEA could revoke the registration because the activity or behavior was so egregious that it was determined that the facility is not responsible enough, Murphy explains. If a facility loses its DEA registration, it cannot dispense controlled substances.</p><p>However, DEA does not get involved in every suspected case of diversion. “There are only so many DEA diversion investigators, so they have to prioritize what they get involved with,” Murphy says. “It has to be pretty egregious for them to get involved to seek a revocation or fine.”</p><p>That’s where people like Hayes come in. “They want me to come in instead of DEA or law enforcement,” she explains. “I’m a private citizen, I understand law enforcement procedures, and I can help them get at the root of the problem before they call in law enforcement.” </p><p>After an investigation into a diverter is opened, it is unclear what happens to the offender. Hayes says that she typically gathers evidence and gets a confession from diverters, at which point her client calls in law enforcement to arrest them. Leon, who was in charge of diversion in­vest­igations at HCMC for 20 years before becoming a consultant for HelioMetrics, was able to investigate but not interview suspected diverters. He tells <em>Security Management</em> that he would call in a sheriff’s detective to interview the suspect.</p><p>Although most diverters are fired when their actions are discovered, they are not always arrested—it’s often at the discretion of their employer. Depending on the diverter’s role, state accreditation boards—such as those that license nurses and pharmacists—would be notified and could potentially conduct their own investigations. </p><p>Cichon cautions that some hospitals hoping to avoid bad press and DEA scrutiny may look for loopholes. “We found out through the course of investigations that if someone resigns and was not sanctioned it may not be a reportable action,” he says. “If we allow this person to resign rather than take action against him, then we don’t have to report it.”</p><p>Murphy notes that DEA typically has no role in individual cases of diversion. “If the diverter has a license from one of those state agencies, usually it’s required that they be reported, and then it’s up to the board how they proceed with the personal license of the individual,” he says. The DEA doesn’t regulate the personnel—that’s up to the state and the facility. </p><p>Cichon notes that the lack of standards when addressing diversion makes it more likely that offenders could slip through the cracks and move on to continue diverting drugs at another facility. “Unfortunately, there are different laws and statutes in every state that set up some sort of reporting requirements,” he says. “There are medical boards, nursing boards, pharmacy boards, and not every worker even falls under some sort of licensing board for that state.” ​</p><h4>Staying Ahead</h4><p>Due to the stigma of discovering diverters on staff, many hospitals just aren’t preparing themselves to address the problem proactively, Cichon explains.</p><p>“This is something that is probably happening but we’re not finding it,” he says. “The statistics I’ve seen at hospitals that are being proactive and looking at this are finding at least one person a month who is diverting drugs in their facility. If a 300-bed hospital is finding one person a month, and Hospital B has the same amount of staff and beds and is finding nothing…”</p><p>NADDI has been providing training for hospitals to develop antidiversion policies. Cichon notes that many hospitals throughout the country have no plan in place to actively look for diverters. “As big as the issue is, many of them are still just not being that proactive in looking at the possibility that this is happening in their facility.”</p><p>Cichon encourages a team approach to diversion that acknowledges diversion as a real threat. “Not just security personnel should be involved with the diversion aspect,” he says. “Human resources, pharmacy personnel, security, everyone is being brought into this investigation, because the bigger picture is patient safety. The diverting healthcare worker typically isn’t one who’s going to be selling or diverting his or her drugs on the street, but they are abusing the drugs while they are working.”</p><p>Leon worked hard on diversion prevention at HCMC after discovering a surprising pattern: almost all of the diverters he investigated wanted to be caught. “What got me on this path of prevention was observing the nurses as they would admit to what they did,” he explains. “More often than not the nurses would say, ‘I wanted somebody to stop me. I needed help, didn’t know how to ask for it, and I was hoping somebody would stop me.’ That’s pretty powerful when you’re sitting there listening to this on a consistent basis.”</p><p>Leon implemented mandatory annual training for everyone in the hospital—from food service workers to surgeons—to recognize the warning signs of drug diversion. “If a nurse or anesthesiologist or physician is speaking with you and telling you they are having these issues, then you should say something,” Leon explains. “It’s not doing the wrong thing—you’re helping them, and that’s the message we sent out. Look, these individuals are not bad individuals. Something happened in their lives that led them down this path.”</p><p>Leon also had cameras installed throughout the hospital that allowed him to observe diversion but also kept his investigations accurate. “We had a nurse who was highly suspected of diverting,” he says. “With the cameras I was able to show that she wasn’t diverting, just being sloppy. The employees appreciated the cameras because it showed they weren’t diverting medication, they just made a mistake.”</p><p>Over time, HCMC personnel became more comfortable coming forward with concerns about their coworkers. Before the facility started the annual training, Leon caught at least one diverter a month. Before he retired, he says, that number had dropped to one or two a year.</p><p>“The success of our program at HCMC was the fact that we paid more attention to educating rather than investigating,” Leon says. “You have to keep those investigative skills up, but you have to spend equal amount of time on prevention and awareness.”</p><p>Mitchell points to algorithmic software that can identify a potential diverter long before their peers could. Taking data such as medicine cabinet access, shift hours, time to waste, and departmental access allows software to identify anomalies, such as a nurse whose time to waste is often high, or a doctor who accesses patients’ files after they have been discharged. </p><p>“Most people are using the logs from the medicine cabinets trying to do statistical analysis,” Mitchell explains. “You find out 60 days or six months later, or you don’t see that pattern emerge by just using one or two data sets. That doesn’t help. The goal is to identify these people as quickly as possible so they are no longer a risk to themselves or the patients or anyone they work with.”</p><p>Murphy encourages facilities to be in full DEA compliance to mitigate diversion. “If somebody wants to steal or becomes addicted, they are going to find a way to do it, and sooner or later they are going to get caught, but then there’s a problem because the hospital has to work backwards to determine how much was stolen and reconcile all that,” he says. He also notes the importance of following up internally on each diversion case and figuring out what went wrong, and adjusting procedures to address any lapses. </p><p>“Every entity that has a DEA program should have diversion protocols in place because if they don’t they are playing Russian roulette with theft and loss and their DEA registration,” Murphy says.  ​</p> Needed To Better Manage Physical Security Risks To The National MallGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Stakeholder actions are needed to better manage physical security risks to the National Mall in Washington, D.C., the U.S. Government Accountability Office (GAO) found in a recent investigation.</p><p>The National Mall is a destination for more than 24 million people ever year and home to some of America’s most iconic symbols, including the Washington Monument and the Lincoln Memorial, and major museums.</p><p>“Threats to these assets—whether acts of terrorism, violence, or vandalism or theft of artifacts or art—could result not only in the loss of life but also the loss of iconic monuments or irreplaceable items from the Smithsonian’s or National Gallery’s collections,” GAO explained.<br></p><p>In a<a href="" target="_blank"> public version of a classified report</a> released this week, GAO found that federal entities on the Mall are assessing the physical security risks to their respective assets—demonstrating that they are taking a risk management approach to security. <br></p><p>The U.S. Department of Interior, the Smithsonian Institution, and the National Gallery of Art collect information on aspects of their physical security programs’ performance and use that information to create goals, measures, and tests to assess the performance of their systems. <br></p><p>GAO, however, found that each stakeholder would benefit from taking additional steps to manage their physical security risks. <br></p><p>For instance, the National Gallery is assessing security risks to its galleries by voluntarily following the <em>Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP),</em> but does not have complete documentation of its risk management decisions—a requirement of the <em>RMP.</em><br></p><p>“Without documentation, decision makers may not effectively understand the rationale behind decisions—or, in the case of risk management—make important security-related decisions and direct resources to address unmitigated risks,” the report said.<br></p><p>During GAO’s audit of the National Gallery, officials told GAO investigators that a lack of complete documentation limited their institutional knowledge of the National Gallery’s risk management decisions related to physical security. <br></p><p>“Because of a lack of documentation, [GAO] received inconsistent or incomplete information throughout that review,” according to the report. “While National Gallery officials agreed to address the concerns we raised to them, we believe there is an opportunity for the National Gallery to address gaps in its institutional knowledge and help ensure more informed decision-making—specifically, by developing a process to document its risk management decisions.”<br></p><p>GAO also found that U.S. Park Police, the Smithsonian, and the National Gallery can all take a “more strategic approach to performance measurement,” the report explained. <br></p><p>For example, GAO recommended each stakeholder develop goals where needed and link performance measures to those goals to assess the effectiveness of their security programs. <br></p><p>“Linking performance measures and goals could help these entities monitor and evaluate their efforts, which is an essential part of risk management,” GAO said. “The information the entities can gain from performance measures that are aligned with goals could also provide these entities with a clearer view of the effectiveness of their physical security programs and better position them to prioritize security needs.”<br></p><p>The Department of Interior, the Smithsonian, and the National Gallery agreed with GAO’s recommendations and said they will begin to take steps to address them.<br></p><p><br></p> Rediscovery Occurs At More Than Twice The Previously Reported RateGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Multiple researchers—working independently—uncover the same security flaws more consistently than previously believed, according to a new report from Harvard.</p><p><em></em><a href="" target="_blank"><em>Taking Stock: Estimating Vulnerability Rediscovery</em> </a>looked at a dataset of more than 4,300 vulnerabilities discovered between 2014 and 2016 for Android, and the Chrome and Firefox browsers. Vulnerabilities are flaws that allow cyber criminals, as well as intelligence and law enforcement agencies, to gain access to targeted systems.<br></p><p>Researchers Trey Herr, Ph.D., postdoctoral fellow with the Belfer Center’s Cyber Security Project at Harvard Kennedy School; Bruce Schneier, research fellow with the Belfer Center and adjunct lecturer in public policy at Harvard Kennedy School; and Christopher Morris, research assistant at the Harvard School of Engineering and Applied Sciences, found that rediscovery of vulnerabilities happens more than twice as often as previously reported. <br></p><p>Their findings conclude that “rediscovery happens more than twice as often as the 1 to 9 percent range previously reported,” according to the report. “For our dataset, 15 percent to 20 percent of vulnerabilities are discovered independently at least twice within a year.”<br></p><p>Based on their findings, the researchers suggested that the U.S. government rethink its process for not disclosing software vulnerabilities to companies.<br></p><p>“Underlying the choices to pay for a software vulnerability, as well as government decisions to keep some a secret, are assumptions about how often those same software flaws could be discovered by someone else, a process called rediscovery,” the researchers explained.  <br></p><p>“When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year,” the report said. “These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.”<br></p><p>In a post for <a href="" target="_blank">LawFare</a>, Herr explained that modern government intelligence agencies must maintain some access to software vulnerabilities. </p><p>"However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue--the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched," he wrote.</p><p>The researchers also suggested that rediscovery rates are likely higher than what their research was able to conclude because they only looked at high to critical-severity vulnerabilities.<br></p><p>For instance, records from a bug bounty company mentioned in the study “indicate that low- and medium-severity vulnerabilities are rediscovered more frequently than high- and critical severity bugs, to which this study is constrained,” the researchers wrote. “As it is, the 15 percent to 20 percent estimate is substantially higher than previously seen.”<br></p><p>The researchers plan to present the paper and discuss its findings at <a href="" target="_blank">BlackHat USA</a> in Las Vegas next week.</p> Y YoGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Como practicantes de seguridad, aprender de nuestros propios errores puede ser costoso. “Todos nosotros estamos a un mal día de distancia de ser despedidos”, es como un colega una vez sintetizó nuestra situación. La observación fue un recordatorio realista de que los gerentes de seguridad no pueden cometer error tras error y aun así esperar mantenerse exitosos en la profesión.</p><p>Con éso en mente, dar un paso adelante hacia el liderazgo de una operación de seguridad puede ser una experiencia aterradora, especialmente para el joven profesional haciendo su debut como líder. Yo definitivamente sentí mi propia ansiedad cuando asumí el rol de gerente externo de seguridad en un gran centro comunitario de estudios superiores en 2008.</p><p>En el momento, los medios parecían presentar todas las semanas una nueva historia sobre una tragedia en un centro comercial, un lugar de trabajo, una escuela, o cualquier otro espacio público donde hubo vidas que se perdieron o que fueron afectadas para siempre. Cada vez, yo seguiría la noticia intentando entender exactamente qué ocurrió desde el punto de vista de la seguridad. ¿Le hubiera mejor a mi propio programa, o hubiera resultado en una tragedia y en mi destitución? </p><p>Afortunadamente para mí, no estaba solo. Yo tenía un mentor que se tomó el tiempo de ayudarme a convertirme en un profesional de seguridad experimentado. A través de la mentoría, un nuevo responsable de seguridad puede experimentar situaciones profesionales y hasta tomar decisiones que pueden resultar equivocadas, sin sufrir las consecuencias de realizar errores en el trabajo. Una oportunidad así es invaluable, porque contar con un espacio seguro en el que se puede fallar es crucial para el crecimiento profesional y el desarrollo de habilidades.</p><h4>EXPLORA LA COMPATIBILIDAD</h4><p>La mentoría es una asociación simbiótica entre un experto y un principiante en la que se comparten de igual manera el conocimiento y la confianza. Pero conseguir un buen mentor puede ser complicado, ya que requiere encontrar a un gerente “veterano” que tenga tanto un significativo nivel de experiencia como pasión por compartirla.​</p><p>Las organizaciones profesionales de seguridad, tales como ASIS International, son un gran lugar para mirar cuando se buscan mentores dentro de la industria. Incluso, la organización que emplee a un gerente de seguridad puede contar con un programa formal de mentoría. Sin embargo, nunca debe ser necesario obtener un permiso formal que no sea el tuyo y el del experto del que quieres aprender, para poder comenzar una relación de este tipo.</p><p>En mi caso, el experto fue George, el director de seguridad de la casa de estudios en la que yo estaba trabajando como gerente externo de seguridad. El centro empleó a George alrededor de un mes antes de que yo sea contratado; de hecho, mi fecha de inicio fue retrasada un poco para que él pudiera asentarse primero, y tener una oportunidad de entrevistarme.</p><p>Antes de la llegada de George, uno de los vicepresidentes del instituto era el encargado de la supervisión del programa de seguridad. Pero el estudio de seguridad realizado por un contratista llevó al centro a contratar un nuevo director de seguridad para desarrollar un departamento independiente de seguridad. Yo fui involucrado como un gerente externo de seguridad, con contrato permanente. La empresa de seguridad me hizo una oferta informal poco antes de que George llegara; la oferta era dependiente de una entrevista exitosa con él, lo que significaría la aprobación final.​</p><p>Como resultó, George y yo utilizamos nuestra entrevista inicial para tener una conversación amplia y agradable sobre un poco de todo, desde ética de trabajo hasta conocimientos de seguridad. Este encuentro fue muy importante, porque el éxito de una relación mentor-aprendiz depende de la compatibilidad de ambos individuos.</p><p>En general, los potenciales mentor y aprendiz siempre deberían tener una oportunidad de conocerse y determinar individualmente si van a ser capaces de trabajar juntos; un concepto que los programas formales de mentoría deben considerar antes de emparejar a sus participantes. Sinó, la relación puede verse destinada a fallar incluso antes de despegar.</p><h4>INVESTIGA</h4><p>Al elegir el mentor adecuado, el aprendiz posiblemente quiera considerar un número de variables, incluyendo el nivel de pericia del mentor y su disposición a compartir su conocimiento, así como el alineamiento general de los intereses de ambas partes. A través de la investigación en línea se pueden verificar su experiencia, sus credenciales, y sus logros; a veces pueden descubrirse fracasos de alto perfil, también.</p><p>En el caso de George, su perfil en línea mostró que él era un exitoso teniente de policía universitario que había transicionado a la seguridad corporativa, primero encabezando un sistema hospitalario multisitio, antes de llegar a la dirección de seguridad del centro comunitario de estudios superiores. También era un miembro longevo de ASIS y estaba certificado como <em>Certified Protection Professional</em>© (CPP); en definitiva, un profesional de seguridad veterano.</p><p>Por supuesto, el proceso de valorar la pericia de un mentor no tiene que terminar una vez que el proceso de selección se ve completado. Un aprendiz puede evaluar sus análisis a través de investigaciones independientes. Ésta es una gran herramienta para determinar si las acciones del mentor son consistentes con las mejores prácticas nacionales.</p><p>En mi caso, a medida que me fui involucrando con ASIS y mi propio desarrollo profesional progresaba, pude ver por qué George tomó ciertas decisiones y realizó ciertas acciones.</p><p>Por ejemplo, recuerdo haber creado una plantilla revisada de informe de incidentes para el departamento de seguridad, que incluía un glosario de tipos de incidentes con definiciones. La idea era hacer que a los guardias de seguridad les resultara más fácil elegir un tipo de incidente a reportar y promover informes más unificados entre diferentes instalaciones y entre guardias individuales. </p><p>Yo había usado las categorías del Programa de Denuncias Uniformes de Crímenes de la FBI como una base para establecer los tipos de incidentes. Cuando George los revisó, realizó una cantidad de ediciones que combinó categorías o las renombró, agregando delitos como robos, incendios provocados, y homicidios no negligentes a la lista.</p><p>George había reformado la lista de tipos de incidentes para seguir las categorías de la Ley Clery, lo que tenía más sentido ya que nuestro lugar de trabajo era un establecimiento educativo (la Ley Jeanne Clery requiere demanda que los institutos superiores y universitarios reporten información sobre delitos ocurridos dentro o cerca de sus instalaciones). Yo ya estaba familiarizado con tal ley en ese punto, pero hasta que no empecé a investigar no había comprendido del todo por qué habíamos cambiado los nombres, hasta ver qué la Ley Clery en efecto especificaba cómo se le debía llamar a los incidentes.</p><p>Ésto se volvió un patrón recurrente: cuanto más yo aprendía, más hondo podía investigar; y cuando más extensas eran mis investigaciones, más hallazgos validaban la pericia de George. Pero el proceso de evaluar la experticia de manera independiente tiene otro beneficio: a veces puede revelar que la brecha de conocimiento entre el mentor y el aprendiz es demasiado grande, y que no puede conciliarse.</p><p>Por ejemplo, si un aprendiz es apenas capaz de usar el correo electrónico, va a necesitar un mentor que lo utilice diariamente, no a un desarrollador de software que escribió el código que hace que el correo funcione. Una brecha de conocimiento demasiado extensa puede llevar a una ruptura en la comunicación entre ambas partes, en la que el aprendiz no puede comprender completamente los conceptos que el mentor considera de sentido común. Es casi como si estuvieran hablando idiomas diferentes.</p><p>Ésto no siempre se tendría que dar así, por supuesto; algunos profesionales altamente consumados también son talentosos comunicadores y docentes que pueden superar amplias grietas de habilidades. Pero a veces las brechas generan tanta frustración que ambas partes se dan por vencido. En el peor de los casos, esta mala experiencia puede impedir que ambos vuelvan a intentar establecer una relación de mentoría con un socio más apropiado en el futuro, perdiéndose así de los beneficios mutuos de este tipo de relación.</p><p>Si cualquiera de las partes siente que la pareja es insostenible, ambos deberían terminar la relación cordialmente e intentarlo nuevamente con otra persona. La industria necesita que los expertos y los novatos se busquen entre ellos y trabajen juntos, de modo que ninguno permita que la asociación se deteriore.</p><p>La investigación independiente puede ser valiosa de otra manera: como una gran herramienta educacional para los mentores. Ellos pueden usarla para desarrollar ejercicios que permitan que los aprendices analicen situaciones por su propia cuenta y seleccionen acciones apropiadas basadas en las condiciones a enfrentar.</p><p>Ejercicios como éstos ilustran que la mentoría no consiste simplemente en llevar de la mano al aprendiz; éstos deben estar dispuestos y ser hábiles para actuar y pensar por sí mismos. Practicar estas habilidades en el contexto de un ejercicio es una excelente manera de aprender.</p><p>Finalmente, la relación mentor-aprendiz puede no funcionar si ambos son considerados competidores para el mismo puesto de trabajo. El lugar de trabajo moderno puede ser territorial, y recibir mentoría de alguien que está preocupado porque eventualmente puedan tomar su trabajo (en vez de sucederlo en caso de que eventualmente se vaya de la empresa voluntariamente o se retire) será problemático. Es probable que las preocupaciones sobre un puesto de trabajo mermen la confianza de una o ambas partes, causando que la relación falle.</p><p>Dicho ésto, varios de los mejores mentores son aquellos que se están acercando al fin de su carrera profesional, son expertos en el nicho de la industria en la que el aprendiz quiere destacarse, y son entusiastas por transmitir su conocimiento a profesionales jóvenes y prometedores.​</p><h4>AVANZA</h4><p>Una vez que has identificado un mentor, crees firmemente que su pericia es genuina, hay una confianza mutua y un deseo de trabajar juntos, debes comprometerte a la relación completamente.</p><p>Cuando George y yo comenzamos a trabajar juntos, no había una separación real entre nuestros trabajos y el aprendizaje. No separábamos un día de la semana para las actividades de mentoría, con los otros cuatro días ocupados por tareas operacionales o reuniones disciplinarias. En cambio, ocurrió lo contrario: el trabajo tradicional y la mentoría se combinaron en perfecta armonía. Cada actividad se volvió una lección en potencia, y cada interacción una oportunidad para el traspaso de información.</p><p>Ambos nos reuníamos alrededor de dos veces a la semana para discutir las operaciones generales de la fuerza de guardias de seguridad. En esas reuniones, frecuentemente me serían asignadas tareas; lo que sea, desde redactar un borrador de una política sobre un tema en particular hasta desarrollar un plan para la cobertura de un evento especial. Yo volvería a mi oficina para trabajar en el proyecto, y entonces llevaría un borrador funcional a la próxima reunión.</p><p>George sacaría su bolígrafo rojo y, sin remordimientos, hacer correr la tinta por todos mis borradores. Él explicaría los errores cometidos, devolviéndome los documentos para que los corrija y vuelva a entregarlos.</p><p>Tal vez el obsequio más grande que recibí de George fue su paciente y firme rechazo a aceptar trabajo por debajo de los estándares o pobremente investigado. Desde entonces, me di cuenta qué tan tentador puede ser, cuando estamos muy ajetreados, reunir documentos e informes entregados con errores y enviarlos al siguiente destinatario, sólo para seguir de largo. Pero en el final, lo único que éso garantiza es que vas a continuar viendo documentos presentados con errores. Tomarse el tiempo para explicar qué está mal en un documento y devolvérselo al aprendiz para que lo arregle toma paciencia y un deseo por instruir.</p><p>La mentoría no tiene que ser unidimensional o exclusiva. De vez en cuando, yo recurriría al consejo de otros cuando la situación lo requería. Los dueños de la empresa de seguridad para la que trabajaba tenían una extensa experiencia como contratista de seguridad, así que fueron mi fuente primaria cuando necesité experticia específica en esa subárea. No hay una escasez de buenos mentores, así que no hay motivo para limitarte a ti mismo con uno sólo cuando buscas consejos.​</p><h4>TRANSICIÓN</h4><p>A medida que continuamos trabajando juntos, la complejidad de las tareas que me eran asignadas naturalmente creció. Cuanto más aprendía, más era capaz de hacer, y mayor era la cantidad de proyectos en los que me involucraba.</p><p>George y yo escribimos en conjunto artículos y desarrollamos programas de entrenamiento para guardias de seguridad de<em> campus </em>y para gente en transición a la seguridad desde otras industrias. Aprendí que no hay mejor manera de reforzar el conocimiento sobre un tema que enseñarlo. Ésto se vuelve aún más cierto si tus estudiantes son adultos. Cuando sea que creas que te has vuelto conocedor de una materia, intenta pararte en frente de una clase de adultos que creen que también lo son, y afronta sus preguntas.</p><p>Éste es un momento de transición profesional: el aprendiz ya no es un principiante, pero definitivamente aún no es un experto. Avanzar de los conceptos básicos hacia los más avanzados puede ser apasionante y gratificante, y puede presentarse una peligrosa tentación para el aprendiz: creer que la mentoría ha terminado. Por supuesto, alguna vez ese pensamiento me cruzó la cabeza, especialmente durante días difíciles y pesados en la oficina, cuando la última cosa que quería era a George señalando qué había hecho mal.</p><p>Sin embargo, me di cuenta que la relación todavía era muy valiosa para mí como para descontinuarla; pero sí tenía que cambiar. Cuando la mentoría alcanza un estadío avanzado, se debe reemplazar el énfasis por obtener conocimiento específico del trabajo y enfocarse más en el aprendizaje estratégico y el desarrollo de la carrera.</p><p>Las habilidades operacionales, tales como realizar cronogramas, entrevistar candidatos y desarrollar políticas y procedimientos estándar, ya fueron aprendidas. Ahora, tanto el mentor como el aprendiz se pueden enfocar en cultivar habilidades de alto nivel, así como saber predecir dónde y cuándo se puede necesitar una nueva política, y analizar tendencias actuales en prevención del crimen o seguridad de <em>campuses</em>.</p><p>De manera muy similar al liderazgo tradicional, el estilo de la mentoría puede ser alterado y ajustado a lo largo del tiempo, a medida que la relación se profundiza.</p><p>En las últimas etapas de mi mentoría, George me animó a tomar ventaja de cada vez más oportunidades de desarrollo, tales como educación profesional, cursos en línea de la Agencia Federal de Gestión de Emergencias de USA (FEMA), conferencias de los Servicios del Departamento de Justicia Criminal estatal, y muchas otras clases y seminarios de entrenamiento, incluyendo el evento <em>ASIS International Seminar and Exhibits </em>de 2011 en Orlando, Florida.</p><p>El seminario de ASIS fue una experiencia reveladora que permitió a un gerente de seguridad relativamente nuevo como yo explorar la profesión en toda su profundidad. En una semana, descubrí que no importa cuánto haya creído que aprendí durante mis tres años trabajando con George: sólo había tocado la superficie.</p><p>No obstante, mi primer seminario de ASIS sirvió como el perfecto catalizador para que George me presionara a proseguir mi designación como CPP, la cual eventualmente obtuve.</p><p>Dos años después de certificarme, un colega de ASIS me reenvió una nota sobre una oportunidad de trabajo como el administrador de seguridad para la ciudad en la que vivía. Era una oportunidad demasiado buena como para dejarla pasar, y, sorprendentemente, el anuncio buscaba específicamente un CPP con experiencia en gestión de seguridad en instalaciones múltiples.</p><p>Obtuve el trabajo, y me volví el administrador de seguridad para la Ciudad de Newport News, Virginia. George prosiguió a convertirse en el mentor de un gerente de seguridad física que fue contratado antes de que yo me vaya.​</p><h4>EL APRENDIZ SE VUELVE MENTOR</h4><p>George y yo aún nos mantenemos en contacto, poniéndonos al día a través de algún almuerzo ocasional en el que comparamos estrategias en asuntos similares. Cuando avancé a mi nuevo puesto, encontré nuevos mentores con extensa experiencia en el sector público que me ayudaron a navegar los campos minados que existen en los gobiernos locales.</p><p>Me topé con un ritmo de operaciones aún más rápido en este nivel, y hay menos paciencia por compartir conocimiento de nivel de básico porque las expectativas de mí ya se ven reflejadas en las responsabilidades añadidas del nuevo puesto. Sin embargo, la dinámica de mentoría se mantiene igual: yo trabajo para un individuo con un enorme nivel de conocimiento en administración municipal, y sus consejos en esa área de mi trabajo son inestimables.</p><p>Intenté compartir conocimiento con la gente a mi alrededor de una manera muy parecida a la que George lo hizo conmigo: pacientemente animando a quienes me rodean a aprender más sobre la industria y sus funciones dentro de ella. Mi aproximación, sin embargo, ha sido algo diferente a la suya. Mientras George dedicaba una cantidad significativa de tiempo a ser el mentor de una sola persona, yo he intentado influenciar a toda persona con la que entro en contacto.</p><p>Mirando atrás, no hubo ningún momento de película exacto en el que yo pudiera decir “fui enseñado para lograr exactamente ésto”. La mentoría no funciona así, en mi experiencia. Es un proceso gradual que requiere trabajo constante e infinita paciencia de ambas partes.</p><p>También se trata de una asociación que ayuda al desarrollo de ambos individuos, y potencialmente inculca en ellos una apreciación por aprender y enseñar que se mantendría durante todas sus carreras. Este interés nos lleva a continuar avanzando en nuestra industria, buscar nuevos mentores, y tomar el rol de mentores para aquellos que vienen detrás de nosotros; elevando a la profesión entera, un aprendiz a la vez.</p><p>--<br></p><p>Yan Byalik, CPP, es el administrador de seguridad para la Ciudad de Newport News, Virginia. Tiene más de 15 años de experiencia incluyendo seguridad en educación superior, parques temáticos, e infraestructuras críticas. Byalik es el vicepresidente asistente para la región 5A.</p> Review - Business Theft and Fraud: Detection and PreventionGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<strong>Business Theft and Fraud: Detection and Prevention.  CRC Press;; 338 pages; $79.95.</strong></p><p>More than two-thirds of employee theft cases occur in small business operations, and more than half of victimized businesses have fewer than 25 employees. These statistics, from <em>Business Theft and Fraud: Detection and Prevention</em> help explain why even the smallest organizations need to know how to detect and prevent fraud and theft.<br><br>With experience in the military, law enforcement, and the private sector, and degrees in financial management and criminal justice, author James Youngblood, CPP, has the appropriate credentials to write a definitive book on the subject. He understands the differences between the operations of small and large businesses, and he offers techniques to thwart theft in all types of organizations.</p><p>For instance, background investigations for potential employees are important for all organizations Small companies may be hindered from conducting adequate background investigations due to budgetary restrictions, time constraints, and reduced applicant pools. Large organizations have greater monetary resources for background checks, are able to distribute the workload until replacement help is acquired, and usually attract more applicants for various reasons.</p><p>In any case the insider threat is a primary concern of the text. Other timely topics include the protection of brand integrity and brandjacking, the sale of bogus or counterfeit brand name merchandise, cybersecurity, technology-based fraud, data breaches, and ransomware. Encompassing a breadth of information for those concerned with theft and fraud, this book explains such important concepts as how to identify sales underreporting, track sales by shifts, and educate employees to be aware of computer scams. Throughout the work the thread of internal theft and shrinkage is prevalent.</p><p>Some suggestions to enhance the utility and flow of the book include using a linear presentation of information for easier understanding. Chapters of few pages could be consolidated with other relevant chapters, and many sub-topics could be combined. For example, both chapters 4 and 5 deal with financial statements: consolidation of these might be more effective. While some sub-headings are presented as questions, others are statements, possibly creating some confusion. The explanatory endnotes might better be incorporated into the text, while a bibliography would help readers find further resources in some subject areas.</p><p>The overall visual presentation is professional with quality materials and clear typeset. Two appendixes list organized retail crime associations and examples of phishing emails, and there is an extensive index. This book is recommended for security and business management professionals as well as loss prevention practitioners desiring a roadmap for the detection and prevention of business theft and fraud. It could also be used as a primary or supplemental textbook in college courses focusing on internal and external theft and fraud, as well as cyber issues.</p><p><em>Reviewer: Paul D. Barnard, CPP, CISM (Certified Information Security Manager), SFPC (Security Fundamentals Professional Certification) is an adjunct professor in loss prevention and security management programs. He has been a member of ASIS International since 1975</em></p>’-Security-Solutions-Are-Outdated.aspxReport: Most InfoSec Professionals Think Their Companies’ Security Solutions Are OutdatedGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A majority of information security professionals said they believe some of their organizations’ existing security solutions are outdated and inadequate, according to a new report released this week.</p><p><em><a href="" target="_blank">The Need for a New IT Security Architecture: Global Study,</a> </em>sponsored by Citrix and conducted by the Ponemon Institute, is a three-part report that surveyed 4,268 IT and IT security practitioners in 14 countries to find out why security practices and policies need to evolve to deal with threats from disruptive technologies, cybercrime, and compliance.<br></p><p>In response, 69 percent of respondents said their organizations’ security solutions are outdated and inadequate, making them unable to manage emerging risks.<br></p><p>“What is needed, according to 74 percent of respondents, is a new IT security framework to improve their security posture and reduce risk,” the report found. “A new strategy is especially important in order to manage such potential risks from the Internet of Things (IoT).”<br></p><p>The report also found that 83 percent of respondents think their organization is at risk of a security breach because of the complexity of business and IT operations. <br></p><p>“Business and IT complexity are leading to more employees circumventing security policies and sanctioned apps,” wrote Stan Black, CISSP, chief security officer and vice president of Citrix, in a <a href="" target="_blank">blog post.</a> “Bottom line, if it’s too complex, employees will find a way around it in order to do their jobs effectively and according to their own preferences.”<br></p><p>Additional factors that respondents said are putting their organizations at risk include:<br></p><ul><li><p>The growth of data assets (78 percent)<br></p></li><li><p>Integration of third parties into internal networks and applications (76 percent)<br></p></li><li><p>Silos and the lack of collaboration between IT security and lines of business (76 percent)<br></p></li><li><p>Inability to secure access rights (74 percent)<br></p></li><li><p>Inability to integrate disparate technologies (67 percent)<br></p></li><li><p>Lack of funding to support cyber defense (67 percent)<br></p></li></ul><p>To address these concerns, the respondents said their organizations’ new IT security infrastructure should include technology for identity and access management (78 percent), machine learning (77 percent), and configuration and log management (76 percent), among other technologies. <br></p><p>Black agreed with this assessment and wrote that virtualization, containerization, and enterprise mobility management and visibility will be needed to get employees to follow security rules. <br></p><p>“Containerization affords employees anytime, anywhere access on their device of choice while still protecting any apps and data accessed,” he explained. “Virtualization allows for information to be delivered at the pixel level, ensuring it doesn’t leave the data center. Combined, using these can significantly reduce the available attack surface, since information is delivered only via the secure channel and can be revoked or removed at any time.”<br></p><p>Black also suggested companies adopt identity and access management protocols to create trust and grant access based on contextual awareness.<br></p><p>“Without it, your business will be stuck in the dark ages as more new technologies surface in the workplace,” he wrote.<br></p><p>To read all three <em>The Need for a New IT Security Architecture</em> reports, visit <a href="">Citrix’s landing page.</a><br></p><p><br> </p>¡PRESTA-ATENCIÓN!.aspx¡PRESTA ATENCIÓN!GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>¿Cómo pueden los operadores humanos evitar terminar exhaustos en el trabajo, o permanecer alerta tras conducir por extensos lapsos de tiempo? ¿Cómo pueden los guardias de seguridad asegurarse de no perderse una alerta crítica durante un largo turno?</p><p>El programa Factores Humanos y Cognición Aplicada (HFAC en inglés) de la George Mason University, ubicada en Fairfax, Virginia, está realizando pruebas con sujetos sobre la fatiga de vigilancia para averiguar más acerca de cómo y por qué el poder mental se merma, y cómo se lo puede reponer. A los sujetos en el Laboratorio Arch de la institución se les encarga una variedad de tareas para realizar en una gama de escenarios.</p><p>"Constantemente estamos haciendo que la gente haga lleve a cabo varias labores al mismo tiempo," dice la Dra. Carryl Baldwin, quien dirige el programa. "En uno de los supuestos, los sujetos deben realizar cinco tareas simultáneas, intentando alternar su atención entre tres pantallas, de una a la otra."</p><p>Baldwin explica que la fatiga de vigilancia ocurre cuando nuestros cerebros se ven abrumados por la tarea que están realizando. “La teoría principal explicando por qué experimentamos esta reducción de atención es porque nuestros recursos cognitivos se ven agotados," dice. “Y nos preguntamos, ‘Si ése es el caso, ¿cómo restauramos esos recursos?’ Así que empezamos una serie de experimentos, de los cuales muchos siguen en curso, buscando qué podemos hacer para que esa persona pueda retomar el ritmo, intentando paliar esa disminución de desempeño."</p><p>Una hipótesis, señala Baldwin, es que dejar que el intelecto deambule (que también se conoce como conectar a la red predeterminada de la mente) ayuda a restaurar el flujo sanguíneo en la parte del cerebro que se emplea al completar una tarea, la red dorsal de atención. "A esta idea se la llama l<i>a hipótesis de desacople</i>, ya que trata del ciclo de alternar entre dos grandes redes de atención," cuenta. "Tienes que realizar este ciclo constantemente para lograr sostener tu desempeño durante cualquier cantidad de tiempo."</p><p>En un campo como el de la seguridad, Baldwin señala que la falta de incidentes durante cualquier turno puede llevar a una fatiga aumentada, así como con cualquier actividad que tiene poco o ningún estímulo para el cerebro. “¿Cómo puedes mantenerte motivado para mirar pantallas si, turno tras turno, nada sucede?," dice. “Es probable que pierdas las señales, porque es difícil prestar atención cuando raramente obtienes alguna."</p><p>Los investigadores están trabajando en restablecer la efectividad de los sujetos para realizar tareas con una variedad de técnicas. “Una de las cosas que puedes hacer en las investigaciones de vigilancia es insertar falsas alarmas… para despertar a los sujetos," dice Baldwin. “Porque si estás esperando una señal que no va a tomar lugar durante todo el turno de ocho horas, es realmente difícil permanecer comprometido."</p><p>Ofrecer recompensas también puede ayudar a que la gente permanezca enfocada. “Estamos experimentando con retribuir a los sujetos de vez en cuando… principalmente para aumentar los niveles de dopamina, lo que creemos que, a su vez, aumentará su habilidad de mantener la atención en la tarea."</p><p>Baldwin comenta que simplemente estar de buen humor también pareciera promover la efectividad y el estado de alerta. “Hemos intentando reproducir música de un cierto tipo, particularmente con vibras positivas, música lenta que es popular y disfrutable, y a la gente le gusta," dice. “Éso tiende a que los sujetos se relajen y tengan una actitud positiva."</p><h4>Ciberfatiga</h4><p>La fatiga también afecta a aquellos que toman decisiones relacionadas a la seguridad. La mayoría de los usuarios de computadoras en los Estados Unidos de América se sienten “abrumados,” “resignados,” y “sin esperanza” respecto a la seguridad y privacidad de su comportamiento en línea. Ésto los lleva a tomar pobres decisiones de ciberseguridad, según el estudio realizado por el Instituto Nacional de Estándares y Tecnología (NIST) en Octubre de 2016, llamado <em>Fatiga de Seguridad.</em></p><p>Los autores del informe le cuentan a <em>Security Management</em> que ellos no necesariamente buscaban ofrecer conclusiones sobre la fatiga de seguridad en su investigación, sino que deseaban aprender más sobre el comportamiento de seguridad en línea del usuario típico de computadora. “Realmente estábamos tratando de entender las percepciones, creencias y conductas de las personas respecto a la ciberseguridad," dice Mary Theofanos, científica de computación en la Oficina de Datos e Informática del NIST.</p><p>Theofanos, junto al coautor Brian Stanton del Grupo de Visualización y Usabilidad del instituto, entrevistaron a personas oscilando entre las edades de 20 y 69 años de zonas rurales, urbanas y suburbanas de los EUA. Realizaron preguntas tales como: ¿qué haces en línea? ¿Con qué frecuencia cambias tu contraseña? ¿Cómo te sientes respecto a la ciberseguridad?</p><p>“Cuando empezamos a hablar con ellos, se percibía esta sensación avasallante de resignación, pérdida de control, derrotismo, y abstinencia de tomar decisiones," explica Theofanos. “Cuando realmente empezamos a buscarlas, nos dimos cuenta que éstas son las características de la fatiga de seguridad”.</p><p>Las siguientes son algunas señales de fatiga de ciberseguridad observadas por los investigadores:</p><p>• Evitar tomar acciones innecesarias</p><p>• Elegir la opción más fácil disponible</p><p>• Tomar decisiones conducidas por motivaciones inmediatas</p><p>• Comportarse impulsivamente</p><p>• Resignarse y sentir una pérdida de control</p><p>Stanton, de profesión psicólogo, comenta que los usuarios están cansados de que constantemente se les pida cambiar sus contraseñas, actualizar sus sistemas, y participar de otras buenas prácticas básicas de ciberseguridad e higiene.</p><p>“Cuando sobrepasas un cierto umbral, ya no tienes ninguna capacidad para ocuparte de las cosas, y éso es lo que estamos observando en el terreno de la seguridad," explica. “Esta gente ya no tenía la capacidad para tomar más decisiones sobre seguridad.”</p><p>Sentirse abrumado lleva a los usuarios a tomar decisiones pobres, así como no cambiar sus contraseñas o actualizar sus equipos, o fallar en la protección de su información personal, abriéndole la posibilidad a los ciberataques o al robo de datos.</p><p>El reforzamiento positivo, uno de los métodos clásicos para contrarrestar la fatiga de vigilancia, no necesariamente está disponible en el mundo virtual. “Es difícil obtener una recompensa en el ciberespacio porque no hay una relación directa de causa y efecto”, dice Theofanos. Por ejemplo, si los usuarios cambian su contraseña cada treinta días pero sus sistemas se ven infiltrados de todos modos, sentirán que sus prácticas de seguridad no los protegieron y que, por lo tanto, no vale la pena realizarlas.</p><p>“En ciberseguridad no te dan ninguna devolución si haces todo bien,” agrega Stanton.</p><p>Aquellos entrevistados también creían que, para empezar, los hackers nunca tendrían a su información en la mira, porque consideraban que no poseían nada de valor. Declararon que alguien más debería proteger sus datos, como el banco que emite sus tarjetas de crédito o sus empleadores.</p><p>Para combatir la problemática de la fatiga de seguridad, la investigación sugirió que las compañías tomen algunas medidas para asegurarse de que los usuarios no se sientan agobiados:</p><p>• Limitar el número de decisiones de seguridad que los usuarios deben tomar</p><p>• Hacer que tomar la decisión correcta de seguridad sea simple para los usuarios</p><p>• Diseñar buscando una constancia en la toma de decisiones cuando sea posible</p><p>Theofanos señala que los usuarios están al tanto de las ciberamenazas existentes, y muchos habían mencionado intrusiones de alto perfil que llegaron a las noticias. Aun así, ella indica que la buena ciberseguridad tiene que volverse un hábito, y la concientización no es suficiente. “No pueden reposar sobre un grupo de hábitos, porque todavía no los han desarrollado. Es el clásico concepto de practicar y practicar,"​ dice. “Es un paso mayor que sólo obtener educación y concientización generales."</p> Course for Corporate SuccessGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Conventional wisdom suggests that businesses have a natural life cycle wherein new solutions, evolving markets, and misguided management play a significant role in the probable failure of the company. According to this model, every firm—from family businesses to the largest multinationals—falls into decline. Even those businesses that come back after one downturn may not prevail in the next one. These organizations are replaced by new companies that are born to meet evolving market needs, new technology voids, or changing business environments, and the cycle repeats. But some notable companies—IBM and Apple, for example—have overcome periods of decline and have emerged with a new focus, strong core values, and a powerful new leadership position. </p><p>There are many possible paths to this success, but for a large technology company, regaining its leadership position after a major decline requires several critical ingredients, including: </p><ol><li>A clear target-market focus with in-depth understanding of the customer</li><li>A strong, complete offering that cannot be easily duplicated</li><li>A clear market position and message</li><li>Strong organizational alignment with outstanding team commitment</li><li>A financial foundation that will support the necessary actions<br> </li></ol><p>While these elements may seem obvious to any start-up entrepreneur, they may be harder for an established, enterprise-level company to achieve. Here's a look at how these five key initiatives can be applied.</p><p><strong>1. Clear Target Market<br></strong>A statement of mission, vision, and values can help an organization create a roadmap of where it wants to go and how it will get there. A basic underlying tenet of the statement is that the organization, regardless of its nature (i.e., school, auto dealership, technology company, etc.) will provide a high-quality product or solution that the market needs. Organizations must also identify the right way to communicate to the defined market that their product or service has value and is the best choice. They must support that communication with a solid foundation in marketing, sales, and infrastructure. It's a broad "pull" rather than "push" approach that benefits not only the organization but the market as well. </p><p><strong>2. Strong, Complete Offering<br></strong>Businesses that have grown and prospered offer a strong, quality product line designed specifically for the defined market. Maintaining that portfolio is an ongoing process that requires both a commitment and a product roadmap that will position the organization not only as a product leader but also as a technology leader. </p><p>Crystal balls aside, listening and responding to a changing industry is necessary to ensure that the portfolio offers solutions as well as products. Offerings today must feature greater intelligence and performance capabilities that will make a difference to the industry. In the physical security market, for instance, some of these solutions include products with increased connectivity, cybersecurity features, and an understanding of the Internet of Things (IoT). The offerings should be positioned to work in combination with the expertise of select technology partners to deliver an integrated system that solves customer problems through meaningful innovation. </p><p><strong>3. Clear Market Message<br></strong>Successful companies have an aggressive integrated marketing program that combines the best of traditional marketing with new social media and digital techniques to get their message to the market. These companies have implemented and will continue to refine consistent and aggressive public relations, new print and digital advertising campaigns, and advanced inbound marketing. This is all in addition to updated websites that include significant support tools and search engine optimization. <strong> </strong><strong> </strong><strong><br></strong></p><p><strong>4. Organizational Alignment<br></strong>The successful business operation must fit the needs of the market as it exists today. Many companies start the restructuring with the sales organization to create a closer, more-direct line to the reseller and customer. This approach serves customers by ensuring more direct contact, feedback, and intervention. By listening carefully, understanding what the market needs, and giving value, the company, in return, will receive value.  </p><p>Along with a restructured sales organization, an updated marketing organization can better engage in highly strategic and integrated marketing efforts that are designed to reshape the company's image and drive new business opportunities. Populating the department with internal and external teams of experienced industry professionals who have proficiency in both traditional and digital marketing further helps in achieving company goals. </p><p>Finally, in any technology-based organization, the restructuring of the engineering organization is critical to meet the continual challenge of developing and delivering mainstream solutions with meaningful innovation. Ultimately, it is the close collaboration and alignment of these three primary functions—sales, marketing, and engineering—that will eventually drive the organization towards its new goals.<strong> </strong></p><p><strong>5. Firm Financial Foundation<br></strong>Although a company may have been profitable throughout its history, change is costly. Strong financial backing allows an organization to move forward with its redevelopment in a manner that better ensures success. As an example, the capability of sustained restructure has been a key component in the success of Pelco's reinvention. </p><p>Even when these five critical elements are implemented, success is still not a sure thing. Economic uncertainty, fast-moving markets, and competition from nontraditional sources can take a toll. Companies with entrenched or outdated business models are particularly susceptible to business failure. As it becomes harder to hit performance targets, virtually all organizations need to consider some type of strategic restructuring if they want to avoid the end-of-life paradigm. </p><p>If this sounds radical, it's likely due to the negative connotations associated with restructuring. For many, restructuring conjures up images of court-supervised negotiations with different classes of creditors trying to reach consensus. But when viewed more broadly, restructuring represents an opportunity for companies to examine their operating models with the ultimate goal of optimizing their business for the long term. Companies that follow this process can remain a dominant force for many years to come.​</p><p><em>Sharad Shekhar is CEO of Pelco by Schneider Electric.</em>​​<br></p> Of InfoSec Professionals Paints A Dark Picture Of Cyber DefensesGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A majority of information security professionals believe that U.S. critical infrastructure will be breached by a cyberattack sometime in the next two years, according to a new survey by Black Hat. </p><p>“Most also believe that their own enterprises will be breached in the next 12 months,” the survey said. “And most believe that the defenders of those infrastructures are not ready to respond.”<br></p><p>The survey,<em><a href=""> 2017 Black Hat Attendee Survey,</a></em> polled 580 top-level cybersecurity professionals that have attended the Black Hat USA conference during the last two years. <br></p><p>“The survey results offer a dark picture of tomorrow’s cyber defenses, which are being increasingly tested by sophisticated hacking and social engineering exploits, including ransomware worms such as WannaCry and nation state​ sponsored hacks such as those emanating from Russia and North Korea,” the survey said. <br></p><p>For instance, while 60 percent of respondents said they believe a successful cyberattack on U.S. critical infrastructure will occur before 2020, just 26 percent of respondents said they are confident the U.S. government and defense forces are equipped and trained to respond appropriately.<br></p><p>“In essence, the survey is a warning from the industry’s most experienced and responsible IT security professionals that successful cyberattacks on essential infrastructure and business could be imminent, but defenders do not have the resources and training they need to efficiently respond.”<br></p><p>Respondents also said they believe that state-sponsored hacking, such as from Russia and China, has made U.S. enterprise data less secure. And only 26 percent of survey participants said they thought the Trump administration would have a positive impact on cybersecurity policy, regulation, and law enforcement.<br></p><p>Survey respondents were also not optimistic about the state of corporate cybersecurity with almost two-thirds predicting that their own organizations will have to respond to a major security breach in the next year. <br></p><p>“Sixty-nine percent say they don’t have enough staff to meet the threat; 58 percent believe they don’t have adequate budgets,” according to the survey. <br></p><p>And while ransomware remains a major threat that information security professionals are concerned about, the top worry for most respondents two years from now is Internet of Things (IoT) security.<br></p><p>“Digital attacks on non-computer systems—the Internet of Things—currently ranks 10th among security professionals’ chief worries; but when asked what they believe they will be most concerned about two years from now, IoT security ranks first on the list at 34 percent,” the survey said. “These concerns appear to be well-founded, as security researchers continue to prove vulnerabilities in non-computer systems such as automobiles and medical devices.”<br></p><p><br></p> Takes a NetworkGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​After more than four years of investigation, a global investigations team of 57 agents commenced an operation to take an international criminal infrastructure platform known as Avalanche offline at the end of November 2016. </p><p>Launched in 2009, the Avalanche network was used to facilitate malware, phishing, and spam activities. Criminals used the network to send more than 1 million emails with damaging attachments or links each week to victims in 189 different countries, according to Europol.</p><p>“The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns,” a Europol press release said. “It has caused an estimated €6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.”</p><p>German authorities began investigating the Avalanche network in 2012 after ransomware spread by the network infected several computer systems, and millions of private and business computer systems were injected with malware that allowed criminals using the network to obtain bank and email passwords.</p><p> “With this information, the criminals were able to perform bank transfers from the victims’ accounts,” Europol said. “The proceeds were then redirected to the criminals through a similar double fast flux infrastructure (an evasion technique used by botnets), which was specifically created to secure the proceeds of the criminal activity.”<img src="/ASIS%20SM%20Callout%20Images/0717%20Feature%204%20Stats.png" class="ms-rtePosition-2" alt="" style="margin:5px;" /></p><p>German authorities investigating the network found that Avalanche was using as many as 500,000 infected computers worldwide. After analyzing 130 terabytes of data, they were able to identify Avalanche’s server structure. Working with the U.S. Attorney’s Office for the Western District of Pennsylvania, the U.S. Department of Justice, the FBI, Europol, Eurojust, the Verden Public Prosecutor’s Office, and the Lüneburg Police arrested five individuals, conducted 37 searches, seized 39 servers, and took 221 additional servers offline via abuse notifications.</p><p>“Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders,” said Julian King, European Union commissioner for the Security Union, in a statement. “Cybersecurity and law enforcement authorities need to work hand-in-hand with the private sector to tackle continuously evolving criminal methods.”</p><p>International law enforcement cooperation on investigations has always been important, but it has become critical as more crimes are taking place in cyberspace—beyond national borders.</p><p>“Criminals have figured out that borders mean absolutely zero, yet for countries and law enforcement agencies, sovereignty is important—our authorities generally remain within our borders,” says Richard Downing, U.S. Department of Justice (DOJ) Criminal Division acting assistant attorney general.</p><p>And that leads to complications when victims of a crime are in one country, the offender is in another country, and evidence of the crime is in yet another country. </p><p>“Of course, nowadays, it’s more likely to be that you have victims in 20 countries, offenders in 20 countries, and the evidence in 20 other countries,” Downing adds. “Criminals understand this problem for us, and they exploit it.”</p><p>To find out how law enforcement is addressing this problem, Downing led a panel discussion with law enforcement officials at the 2017 RSA Conference in San Francisco to share how agencies are working together to combat cybercrime. </p><h4>Information Sharing</h4><p>Law enforcement agencies use various avenues to legally share information with other nations, including treaties, conventions, and investigative teams.</p><p>One type of agreement is called a Mutual Legal Assistance Treaty (MLAT), which allows law enforcement to exchange evidence and information in criminal cases and related matters. In the United States, MLATs are negotiated by the U.S. Department of State in cooperation with the DOJ to help facilitate cooperation during investigations. The United States has MLATs with the European Union, as well as with numerous other nations around the world.</p><p>These treaties are often referred to as an “18th century tool for a 21st century law enforcement,” says John Lynch, DOJ Criminal Division Computer Crime and Intellectual Property section chief. “But over the last 30 years, we’ve innovated in the sense that we’ve gone from this very slow court process to mutual legal assistance treaties.”</p><p>And building off those MLATs is the Convention on Cybercrime, which was completed in 2001 and went into effect in 2004. Sometimes referred to as the Budapest Convention on Cybercrime, it was the first international treaty that sought to address Internet and computer crime by harmonizing national laws, enhancing investigative techniques, and increasing international cooperation.</p><p>The Council of Europe drafted the original convention, but Canada, Japan, South Africa, and the United States also played a role in its creation. Since going into effect in 2004, 52 nations have ratified the convention. Russia, Brazil, and India are among the nations that have not joined.</p><p>The convention “provided innovation in that it recognized that cooperation had to occur quickly, and so it recognized an [evidence] preservation scheme,” Lynch adds. </p><p>This preservation scheme was implemented via the Group of Eight (G8)—France, Germany, Italy, the United Kingdom, Japan, the United States, Canada, and Russia—through the 24/7 Network made up of prosecutors and police officers who work to quickly preserve evidence for cybercrime investigations. </p><p>For instance, they often make requests to Internet service providers to freeze data so it can be obtained for an investigation. The government authorities then use existing MLATs to obtain the data and begin their investigation.</p><p>And as cybercrime has evolved and increased during the past decade, countries have started using joint investigative teams—what Lynch calls a hybrid of MLATs and police-to-police cooperation. </p><p>These teams “usually consist of some sort of agreement to essentially conduct an investigation together, and then establish rules of the road for how information is going to be exchanged and how it’s going to be treated by each of the departments,” he says. “Europe, in particular, has taken the lead be­cause of the need for close cooperation among those countries.”</p><p>This type of process is key for cybercrime investigations, Lynch says, because the most efficient way to tackle the threat is by running a joint investigation where police-to-police cooperation, real-time sharing, and MLATs combine to authenticate evidence as it’s recovered.</p><p>An example of this is the takedown of the Avalanche network. Steve Wilson, head of business for the European Cybercrime Centre (EC3), was involved in the investigation into Avalanche and said it worked because it used the joint investigative team method.</p><p>“We brought together large groups of investigative officers from across the world, all under one roof so they could share evidence and problems, and get things done together,” Wilson says. The EC3 brought together 57 officers—40 on day shift and 17 on night shift—as well as industry partners to help locate Avalanche’s server structure and identify those involved. </p><p>“We were dealing with probably one of the most complex cybercrime gangs we had ever seen,” Wilson says, adding that Avalanche had infiltrated 880,000 devices and 200 servers around the globe—37 of which were eventually seized by law enforcement.</p><p>Coordinating the investigation into Avalanche was a “huge challenge for us,” Wilson says, and it required using the MLATs Europe had with the DOJ and other nations to conduct the investigation, share information, and ultimately decide on how to prosecute the individuals involved.</p><p>“We arrested five key individuals who were running this network; and if any of you have an idea that cybercrime is committed by…teenagers behind computers, when we searched the house of one of the main individuals involved in this, he began shooting at the police with an AK-47,” Wilson says. “Cybercrime is now every bit as bad as serious organized crime. And investigating these international networks actually takes a network, so that’s how we’re starting to tackle this.”​</p><h4>Prioritizing Cases</h4><p>Another issue facing law enforcement investigating cybercrime is coordination among different agencies on what crimes are being investigated—so agencies aren’t stepping on each other’s toes or potentially tipping criminals off.</p><p>One way the FBI is staying abreast and informed about other investigations is by communicating regularly with Europol, and within the Bureau itself, about what cases are being worked on, says Steven Kelly, FBI International Cyber Crime Coordination Cell (IC4) unit chief.</p><p>“The best way we can help is when we’re getting investigators together, we’re getting requests for information from them, and then we’re seeing what it is that folks are asking about, we’re reporting on that, and helping enrich that feedback,” he explains. “That helps us to know what people are working on and interested in.”</p><p>The IC4 has also tried to prioritize cases to ensure that it’s focusing on the top-level schemes and actors. “Because there’s so much crime, if we take an uncoordinated approach—a country and agency are working on this, and we’re working on that—and all these investigations are taking two, three, four, or five years, we’re never going to have an impact on the crime problem,” Kelly says. </p><p>To prioritize cases, IC4 works with Europol and Interpol to develop a project plan for cases and initiatives it wants to prioritize for the next year. It then reviews and refreshes that plan every six months, most recently in April 2017.</p><p>“That’s a very useful process for getting on the same page and deciding what’s the important thing you want to focus on so we can actually focus on it and drive progress,” Kelly adds. </p><p>The FBI also depends heavily on the private sector to help inform the Bureau about what it should be investigating. </p><p>One initiative that keeps this dialogue open is the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, Pennsylvania. The NCFTA is a nonprofit founded in 2002 that focuses on identifying, mitigating, and neutralizing cybercrime threats around the globe. </p><p>“The NCFTA operates by conducting real time information sharing and analysis with subject matter experts in the public, private, and academic sectors,” according to its website. “Through these partnerships, the NCFTA proactively identifies cyber threats in order to help partners take preventative measures to mitigate those threats.”</p><p>To do this, the NCFTA provides forums for partners, staff who spec­ialize in their respective initiatives, meetings and events for targeted cyber initiatives, intelligence feeds, monthly initiative calls on trends, and assessments and reports based on NCFTA intelligence.</p><p>The NCFTA is a “great platform for banks and tech firms to come together and share information, and help tip law enforcement off as to what’s important,” Kelly adds. “And if we have questions on our investigation, we can ask them.”</p><p>This model has been so effective, Kelly says, that the NCFTA is expanding its offices into two new locations: one in Newark, New Jersey, to focus on the financial sector; and one in Los Angeles, California, to focus on the technology and entertainment industries.</p><p>EC3 is also getting involved in the NCFTA after Wilson signed a memorandum of understanding with the center while at the RSA Conference in February. EC3 is making this move, Wilson says, because it mirrors similar efforts to partner with the private sector in Europe.</p><p>“We’ve got advisory groups from industry, Internet service providers, and the security industry and financial services,” he says. “We meet three times a year in relation to the problems they see…and very much in the last year we’ve recognized that law enforcement has been guilty of telling industry what they should be reporting and what they should do.”</p><p>In an effort to change that, EC3 has tried to be more open and encourage industry to bring its top two or three main problems to see how they overlap with law enforcement. “It’s really surprising how many common problems we have,” Wilson says.</p><p>Since adopting this approach, EC3 has introduced a European threat assessment that allows law enforcement to focus on the key priorities for the industry in each European country. It’s also helped foster better relationships with the private sector, which Wilson says Europol depends on for the assistance.</p><p>“We will never have staff at the top level that industry has,” Wilson explains. “We depend on that assistance, and what I’m seeing increasingly is the willingness of industry to work with us pro bono to do something—to put something good back into it.”</p><p>This dynamic is similar in the United States, according to Lynch, who says that the DOJ has found it can cooperate with the private sector to accomplish things neither law enforcement nor industry could do on its own, either due to lack of authority or expertise in an area of cyber.</p><p>“We have figured out ways so that we’re sitting together, we’re sharing information using established protocols, and can effectively take down a botnet or a criminal organization while respecting privacy and adhering to the national laws and the constitution of the United States,” Lynch says.​</p><h4>New Challenges</h4><p>While law enforcement and industry have been cooperating in some areas, a new challenge stemming from a court case involving Microsoft might prohibit future collaboration.</p><p>The case (Microsoft v. United States, U.S. Court of Appeals for the Second Circuit, No. 14-2985, 2017) was brought when Microsoft challenged a search warrant issued by a court in New York City for information that was in Microsoft’s possession but stored in a data center in Ireland.</p><p>Microsoft acknowledged that it could access the information from inside the United States, but said that because the information was stored outside of the country, the U.S. Electronic Communications Privacy Act and the U.S. Stored Communications Act did not require it to provide the information to law enforcement.</p><p>Instead, Microsoft argued, the U.S. government should use its MLAT with the Irish government to request the information.</p><p>The DOJ sued Microsoft, and a U.S. district court sided with the government. Microsoft appealed the decision, however, and the U.S. appeals court agreed with Microsoft in a ruling issued in July 2016. </p><p>The U.S. Second Circuit Court of Appeals explained that the Stored Communications Act “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.”</p><p>Lynch says that the DOJ is still weighing its options about whether to appeal the Second Circuit’s ruling, but in the meantime the decision will have some effect on the U.S. government’s ability to get access to information for investigations.</p><p>“On the one hand, not everyone stores their data the same way Microsoft does,” Lynch explains. “For example, Google stores its information all over the world—it sometimes splits it up and puts it into databases so it doesn’t even assemble the data until there’s a request. And in those cases, Google has made the choice that the information is only available in the United States.”</p><p>Google’s approach has also caused problems for international law enforcement wanting access to information the company has in its servers. </p><p>“Because for information located outside the United States, there’s essentially no law that can reach the data—the United States can’t reach it because of the Microsoft decision,” Lynch adds. “Foreign law enforcement can’t reach it because there’s no one in that country who has authority to access the data.”</p><p>The DOJ has also challenged Google’s position, and a district court in Philadelphia sided with the government requiring Google to turn over data to law enforcement, but the matter is far from settled.</p><p>“There’s going to be ongoing litigation in this area, and it continues to be a very difficult issue for law enforcement,” according to Lynch “We’re trying to grapple with it, because it is a problem when we can’t get the data under any regime. It can stymie an investigation altogether.”</p><p>Another major challenge for law enforcement is the perception that there are no consequences to committing cybercrime—few people appear to be charged, arrested, and then convicted of cybercrimes. This is a problem because “we’re not going to develop and build a deterrence model for cybercrime if we can’t get our hands on these people,” Kelly says. </p><p>As of February 2017, there were 123 individuals who had been charged with U.S. cybercrimes but have not been arrested, Kelly says. </p><p>“It’s a lot of people who have not been brought to justice because they are all over the world,” he explains. “They are in places we can’t get them—maybe there’s not an extradition treaty, and that’s a problem. If we’re spending a couple of years to make a case, bring it to a grand jury, get it charged, and then we can’t get the guy or gal, then that’s a problem. We’re not going to deter cybercrime if people continue to act with impunity and in safe havens.”</p><p>A recent example of this was the DOJ’s charges against two Russian spies and two criminal hackers in connection with the 2014 Yahoo data breach. One of the hackers, Karim Akehmet Tokbergenov, 22, was a Canadian national and was arrested. The other three individuals—Dmitry Aleksandrovich Dokucahaev, Igor Anatolyevich Suschin, and Alexsey Alexseyevich Belan—remain at large because Russia does not have an extradition agreement with the United States.</p><p>To address this problem, the FBI is looking at how it keeps track of cases where an individual has been charged with a cybercrime but has not been arrested. If it’s a priority apprehension, such as for a major crime, then the FBI will look at its options to possibly arrest the individuals while they are on vacation or traveling to a country that does have an extradition treaty with the United States.</p><p>And while Russia doesn’t have an extradition treaty with the United States and often refuses to extradite its own nationals, it has been known to cooperate with law enforcement for certain types of crimes, such as child exploitation charges.</p><p>“This is the one area where countries drop their individual stances,” Wilson says. “Police forces drop their egos and agree that the only thing to do is work together. I’ve seen some countries we’ve spoken about here who will not cooperate on extradition, but they will take immediate action against people who are passing out child pornography.”</p><p>Wilson says that law enforcement should use cases and moments of collaboration like this to open a dialogue about how they can work together to extradite individuals facing cybercrime charges.</p><p>“We need to keep these channels open to see if these countries will take on some of these investigations, because if we can’t have these people—if there’s no consequence to commit cybercrime—they’ll just continue to commit time and time again,” Wilson adds.</p><p>And for cases where dialogue isn’t effective, Wilson says that the European Union is looking at the possibility of using diplomatic responses and sanctions to pressure nations into cooperating. </p><p>The EU already has an agreement that if there is a terrorist attack on a member state, all of the members will stand together in response—whether it’s issuing a statement of condemnation or taking military action.</p><p>“There’s a process coming underway right now in the EU to look at the practicalities of this in relation to cyber—to actually put a consequence back to a country that either condones or actively decides to push people to commit this type of crime,” Wilson says. </p><p>The United States has taken a similar approach. Former President Barack Obama issued an executive order that allows the president to place sanctions on a nation and other actors in response to cyberattacks. </p><p>“At the end of last year, we actually implemented [the order] against a couple of actors who had been charged in the United States with ransomware schemes, botnets, and involvement in some major data breaches,” Lynch says. </p> on the FlyGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Long before Jack Hanagriff was tasked with creating a temporary camera deployment for Super Bowl LIVE, he called on Keith Drummond, senior director of sales for IDIS America, for help supplementing the city’s camera infrastructure. Drummond traveled to Houston for the NCAA Men’s Final Four tournament in April 2016 to better understand the city’s needs, and found that Houston was dealing with a common problem: it needed temporary coverage of the event area but didn’t have time to deploy a whole surveillance system.</p><p>“They have an existing video surveillance system with hundreds of cameras, but when they have these special events they don’t always have cameras where they need them,” Drummond explains. “And IP-based video surveillance is just inherently very difficult to employ and very time consuming.”</p><p>Although the Final Four was at a known location, Drummond said last-minute changes could leave officers scrambling: bad weather could force an outdoor event to relocate, or companies or celebrities might decide to throw their own side events at the last minute. “These celebrities will decide they want 10,000 people in an outdoor gathering for their party, and the city finds out last minute and now needs cameras where they don’t have them,” Drummond explains. </p><p>After visiting Houston and talking with Hanagriff about the city’s needs, IDIS and integrator Edge360 created a rapidly redeployable solution to be used during Houston’s 2016 Freedom Over Texas Fourth of July event. The solution they created could be deployed in under four hours by untrained personnel—setup only requires a place to hang the camera and a power source, Drummond notes. </p><p>John Rezzonico, CEO of Edge360, says that his military background taught him the importance of being able to adapt in the field, and he applied that logic to surveillance systems. “We came up with a solution that allows police officers to deploy cameras wherever they want, and if something changes they can quickly grab them, power them down, move them, stand them back up, and they come back up online,” Rezzonico explains. “The goal of the project is freedom of movement of the camera sensors, so that way they augment and support existing infrastructure of security that’s already in place.”</p><p>Rezzonico noted that the biggest challenge was overcoming bandwidth saturation to send the video feeds to command centers or mobile devices. “If everyone is using their cell phones at the same time, bandwidth goes away and everyone relying on it for public safety loses the video feed,” he explains. “Houston wanted a wireless solution that could augment their fixed security that was mobile and easy to deploy but could also utilize whatever bandwidth was available. Our solution didn’t just include cellular, it included WiFi and point-to-point transmission. It was all built in.”</p><p>The Freedom Over Texas event took place at Discovery Green, a 12-acre park, and 50,000 people were expected to attend. The park already had some broad camera coverage, but Drummond explains that there were a few areas where more specific views were needed. Four pan-tilt-zoom cameras were installed to focus on high-volume areas such as the stage. IDIS had to address the unique environment, taking the event itself into account. Because the fireworks show was going to be the centerpiece of the event—making the camera image go from nighttime to broad daylight with each explosion—cameras that could handle the fluctuation were required. </p><p>Video feeds were sent to the city’s main command center where they could be viewed side-by-side with the city’s existing camera feeds, but unlike the existing cameras the redeployable cameras could be viewed on mobile devices at satellite command centers and in the field. Since the main goal of the solution was to create a rapidly redeployable surveillance system, Drummond says IDIS and Edge360 tried to be as hands-off as possible during the deployment.</p><p>“We set ourselves up for failure—the concept is that they need to be deployed quickly by untrained personnel, in some cases the utility guy who had never seen them,” Drummond says. “We were obviously available if needed, but we didn’t give them any training and let them do things how they wanted.” The deployment went as expected, and there was no connectivity trouble.</p><p>During the Freedom Over Texas event, the cameras were able to use the cell network almost exclusively, but experienced occasional blips in the service. During those moments, video continued to be recorded on the camera’s SIM card, and that footage was transmitted back to the control center once the live feed was active again. </p><p>“Frankly, most of the time it’s the recorded video that’s most important, not the live video,” Drummond explains. “They are watching those cameras in real time, but most of the time there’s no action to be taken. But if an event does take place during an outage, you didn’t record it for evidence purposes. The smart failover technology changes that.”</p><p>“It’s key for cities to be able to share this system,” Rezzonico notes. “If a municipality buys it, they can send it to another one that needs it for easy deployment.” ​</p>’s-Game-Day-Solutions.aspxHouston’s Game Day SolutionsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The city of Houston, Texas, was in a football frenzy during the days leading up to the 2017 Super Bowl showdown between the New England Patriots and Atlanta Falcons at Houston’s NRG Stadium. A nine-day fan festival, pop-up clubs hosting acts such as Bruno Mars and Taylor Swift, National Football League (NFL) and ESPN activities, and other events were scattered throughout the sprawling metropolis, home to 2.2 million people. </p><p>Just four months before a million visitors converged on Houston for the festivities, Jack Hanagriff, the infrastructure protection coordinator for Houston’s Office of Public Safety and Homeland Security, was tasked with expanding the city’s surveillance program and implementing a solution that would support emergency communications while overcoming the expected strain on the mobile network. </p><p>“Although our system is robust and can handle things normally, when you get a national event coming in, our cell service gets interfered with and then our cameras get hindered by blockages,” Hanagriff explains. Especially tricky was Super Bowl LIVE, the nine-day fan festival held in Discovery Green, a 12-acre urban park, and in five surrounding parking lots. The area is also home to the George R. Brown Convention Center and several hotels, high-rise condominiums, and businesses—all of which contribute to high usage of wireless and mobile networks, even when no events are taking place. </p><p>Hanagriff had to figure out how to deploy additional cameras to Discovery Green and other high-traffic areas such as team hotels, pop-up clubs, and the Galleria shopping center, while addressing the network strain that was sure to hinder communication and video feeds during the events. </p><p>“In public safety, we’re using other sources of technology beyond the actual emergency radio communications—such as cell phones and field reporting devices and cameras—and it works fine,” Hanagriff explains. “But when you start coming in with a mass of people and commercial carriers putting in their infrastructure and tents, the ecosystem of the venue changes so that our existing permanent solution is not adequate because it may get blocked.”</p><p>Hanagriff pulled together a robust team for the task, including vendors, wireless providers, and federal, state, and local players. Axis Communications donated 40 cameras to the cause, Vidsys provided information management middleware, and Siklu’s radios were used to transmit some of the video surveillance. Wireless carrier Verizon had already been working for months to beef up its network capacity in the city, and Hanagriff said it agreed to allow the city to connect its cameras to the fiber network it was laying.​</p><h4>The Buildout</h4><p>While NRG Stadium and the Galleria already had robust camera networks established, the city had to prepare Discovery Green and its surrounding parking lots for Super Bowl LIVE, where more than 150,000 people were expected to attend each day.</p><p>“We were confident we would get some coverage, but when I saw the footprint of the event…Discovery Green is one thing, but those five additional parking lots? That’s a lot of coverage,” Hanagriff says. “We knew we needed some really big players.”</p><p>In the weeks leading up to the kickoff of Super Bowl LIVE, workers spent 480 hours deploying the solution. Several cameras were installed on permanent structures surrounding Discovery Green, but most of the installation occurred in sync with the construction of the Super Bowl LIVE infrastructure. </p><p>“As they built the gates and kiosks and stages, we attached the cameras to those structures,” Hanagriff explains. “But even while they were building, they kept moving things, so we kept having to move the cameras. We had to put flyover cables where they didn’t exist—we were literally dropping 3,000-pound flagpoles to attach cables to and run them across the street.”</p><p>Fixed cameras were installed at all entry and exit areas, and pan-tilt-zoom cameras were used at every gate to observe the outer perimeter of the festival’s footprint. VIP and high-density areas were also a high priority—Discovery Green’s main stage was expected to draw at least 20,000 people for its major events, such as nightly light shows and a concert by Solange Knowles. Hanagriff said the city worked with intelligence officials to set up cameras in areas where potential threats could be carried out. Cameras were also outfitted with audio sensors that could detect and triangulate gunshots, as well as a sensor that detects an elevated anger response in human speech that often occurs before an argument.</p><p>The 40 Axis cameras, as well as 26 of the city’s existing cameras, were brought together under one dashboard through Vidsys middleware and were connected with fiber because of Verizon’s infrastructure buildout. Additionally, the 40 new cameras streamed to the Verizon cloud, allowing for mobile access and redundancy. “If we lost our main system, we could still run the temporary system off the cloud,” Hanagriff explains. “The cloud gave us versatility to bring in mobile applications and partners that did not have access to our existing system.”</p><p>Hanagriff wanted to deploy a camera on top of a hotel a block from the Super Bowl LIVE footprint for an all-encompassing view of the festival, but ran into connectivity problems. The fiber did not extend to the hotel, and radio frequencies completely saturated the area, making a wireless network solution impossible. The city ended up working with Siklu to install a millimeter wave radio that used narrow beam technology to transmit the video feed on an unoccupied spectrum. </p><p>“There was so much radio frequency you could walk on air,” Hanagriff says. “The Siklu radio beamed right through all of it.” </p><p>Security officials set up an emergency operations center in the convention center next to Discovery Green, where the camera feeds—including setups at NRG Stadium and the Galleria—were consolidated. Although many of the existing cameras were part of a closed network, the temporary cameras could be accessed via mobile devices from the cloud, which was crucial in integrating new partners into security operations. Hanagriff described the operations center as a huge room with dozens of partners: event coordinators, Houston officials and first responders, the Harris County Sheriff’s Department, the Texas Public Safety and Transportation Departments, the FBI, and other federal agency representatives. </p><p>Whether they were at the center itself or out in the city, officials could access the camera feeds via mobile devices. The Harris County Sheriff’s Department set up a mobile command post at the Galleria, where more activities and protests were taking place. It was able to use the mobile application to review the Galleria’s camera feeds and correspond with the main command post, Hanagriff says. And during the Super Bowl game itself, several groups were able to access the city’s cameras at NRG Stadium, including NFL security directors and another mobile command post closer to the event.  ​</p><h4>Emergency Operations</h4><p>While Hanagriff’s role was coordinating the technology infrastructure ahead of the festivities, Patrick Hagan, technical specialist and engineer operator for the Houston Fire Department, saw firsthand how the camera setup helped emergency operations in such an unpredictable environment.</p><p>During Super Bowl LIVE, members of Houston’s police and fire departments were dispatched via portable devices that operate on Band 14, a broadband spectrum reserved for first responders. The devices can run active GPS for an entire 16-hour shift, serve as trackers for the officers, and share information, location, and images from the field to command center or vice versa. </p><p>“Because of the nature of the footprint, Super Bowl LIVE was closed off with a hard barrier, so we had to have teams inside that didn’t have vehicle apparatus,” Hagan explains. “Because of that they were on foot or on bike, so we dispatched them via GPS, which was new to us.” </p><p>A few weeks before the Super Bowl events, first responders tested out the devices to communicate via Band 14 during the Houston Marathon. “We gave the GPS a run for its money—we tried to max out the system, wanted to see what it would do under a lot of traffic, and never got any failure points,” Hagan says. But that wasn’t the case for Super Bowl LIVE.</p><p>Due to the massive amount of radio frequency traffic in Discovery Green, which Hagan agreed was the most he had ever experienced, the officers’ GPS signals experienced reflectivity and weren’t totally precise.</p><p>“Our GPS wasn’t quite true,” Hagan says. “It was off in some cases by 150 yards, which when you’re in a sea of people, is a few thousand people. We had to work around that.”</p><p>Hagan and others in the emergency operations center were able to coordinate with officers in the field by using the video feeds and verbal commands to guide them to called-in emergencies.</p><p>“We’d leverage those video systems to give our bike teams a better location,” Hagan explains. “We could see the officer’s blue dot with the tracking system and I’d compare it to the map of where I knew the patient was by looking at a video feed. Then I could verbally walk them there via radio and cellular communication. I can’t just say that the patient is over by the food truck when there are 80 food trucks.”</p><p>Using GPS and video feeds for dispatching was a first for the Houston Fire Department. “We don’t show up when things work. We show up when things break,” Hagan notes. “It’s a very fine line that we walk between using cutting-edge technology versus tried and true methods that are much lower tech. We have to utilize the technology to our advantage when we can, but when it fails we need to have contingency for that, and still be practiced in that contingency.”</p><p>Hagan made sure that contingency plans were in place during the Super Bowl, explaining that officials were prepared to resort to voice and radio dispatching if the GPS or video feeds failed. The dual capability of the video feeds allowed even the giant command post to be completely mobile, he notes. </p><p>“Everything in the command post was done on a laptop and broadcast on these giant screens, so at a moment’s notice we could drop and run and take all that with us and still have all our capabilities,” Hagan says. “We could still share data…still communicate—that’s the point of the redundancy. We had the hard connection but we wanted to be able to see all of our video streams and everything on mobile if we had to.”​</p><h4>Technology Forward</h4><p>After nine days of fans, football, and a Patriots win in overtime, Hanagriff and Hagan agree that the technology-forward security approach was a success. And while the pop-up clubs have been deconstructed and Discovery Green has reverted back to an urban oasis, the technology used remains in the city. Verizon’s citywide enhancements will continue to benefit Houstonians, city businesses and public officials will continue to strengthen their partnerships, and ​the 40 cameras Axis provided will be part of what Hanagriff calls a technology playground.</p><p>The cameras will be redeployed in high-traffic areas such as Discovery Green and the Galleria, and businesses, first responders, and industry partners will test ways to further integrate security technology into Houston. Hanagriff plans on forming a partnership with everyone invested in the project to determine the direction and scope of the testing.</p><p>“We all get exposure to all these different technologies, and there are benefits for everybody, and it’s all done by in-kind services,” Hanagriff says. “Everybody gets a big bang with no buck.” </p><p>Public safety officials will be able to learn more about video analytics and other cutting-edge technology without disrupting their current camera system, industry partners who provide the equipment and software will be able to conduct research and development and receive direct feedback from subject matter experts, and private businesses that allow the city to put equipment on their buildings will have access to systems that are normally out of reach. </p><p>“Most business partners are usually on the inside looking out, and this system gives them the ability to be on the outside looking in on their property,” Hanagriff notes. </p><p>Hagan says that in the past the fire department has only had access to the city’s camera feeds and has been unable to manipulate them. Being able to take full advantage of the cameras’ capabilities during the Super Bowl events showed how helpful they could be during dispatch, and he hopes the fire department can continue to access the city’s camera infrastructure more fully. </p><p>“We have a lot of the same goals and a lot of people doing the same exact job,” Hagan notes. “If we as a city can get three or four people who can perform that function and share that information with each department in real time, that would make sense. If someone calls into this joint operation and says, ‘I need eyes here, do you see anything?’ those people can give immediate feedback to any department. That’s the plan.”   ​</p> ForensicsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Scientifically sound forensic evidence is one of the cornerstones of the U.S. legal system. But recent research by a presidential advisory committee has questioned the soundness of some evidential techniques. This is only the latest critique of the practices of forensic science, which has faced a call for reform from some quarters.    </p><p>The most recent research has its roots in another report, which was issued in 2009 by the National Research Council on the state of the forensic sciences. That report, conducted at the behest of the U.S. Congress, was highly critical; among many other things, it found that strong protocols and standards for reporting on and analyzing evidence were lacking. </p><p>In response, various initiatives were undertaken by different U.S. government agencies, and the National Commission on Forensic Science, aimed at raising forensic standards, was formed. Additionally, in 2015, the Obama administration asked the President’s Council of Advisors on Science and Technology (PCAST) to investigate additional scientific steps that could help ensure the validity of forensic evidence used for legal matters. PCAST is a presidentially appointed advisory group of scientists and engineers.</p><p>As requested, PCAST produced a report, Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods, issued several months ago. </p><p>The report found two existing knowledge gaps. The first gap was the need for more clarity regarding the scientific standards upholding valid forensic methods. The second gap was the need for specific forensic methods to be evaluated, to better prove their validity.</p><p>To help close these gaps, the report examined seven forensic “feature-comparison” methods, which are used to determine whether an evidence sample is associated with a potential source sample, such as from a suspect. </p><p>The seven methods evaluated were for DNA analysis of single-source and simple-mixture samples, DNA analysis of complex-mixture samples, bite marks, latent fingerprints, firearms identifications, footwear analysis, and hair analysis. </p><p>Based on their analysis, PCAST recommended that judges should not admit into evidence four of the methods: bite marks, firearms identifications, footwear analysis, and hair analysis. </p><p>PCAST also suggested that judges be cautious when admitting DNA from complex-mixture samples, and it recommended that juries be advised that fingerprint examinations have a high error rate.</p><p>Several months after the release of the PCAST report, another significant development occurred: the U.S. Department of Justice announced that it was disbanding the National Commission on Forensic Science. Some experts now say that the absence of research and guidance from the commission could make the future task of challenging questionable scientific evidence in court even harder.</p><p>“Even if defense attorneys jump up and down and complain about [questionable evidence], they won’t have the power of a national commission to back them up,” Erin Murphy, a professor at New York University School of Law, told the Associated Press in April. “The status quo right now is to admit it all. The status quo is where things are likely to stay.”  ​ ​</p> 2017 Industry NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​Video Update for the Council</h4><p>The Council of Europe is an international organization that was created to promote democracy and protect human rights and the rule of law in Europe. Located in Strasbourg, France, the organization focuses on issues such as child protection, online hate speech, minority rights, corruption, and judicial reform.</p><p>The headquarters campus has five distinctive buildings, including the Agora (pictured here). The video surveillance systems throughout the campus needed updating, and security managers called on Securitas and ENGIE Ineo to design and implement a new system. ENGIE Ineo partnered with Milestone Systems for video management software and Axis for network cameras. The team replaced the analog system with a full network video surveillance solution that delivers better performance, ease of access to video assets, and flexibility in tailoring how different locations are secured. The work was done with a minimum of disruption and completed early in 2017.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>Hyatt Guns of Charlotte, North Carolina, deployed 3xLOGIC thermal cameras to increase security for the store. Sonitrol Carolinas installed the cameras and now oversees the video monitoring.</p><p>AMAG Technology and CodeLynx integrated AMAG’s Symmetry Access Control software and CodeLynx’s ARIES Mixed Reality platform.</p><p>Amika Mobile announced that the Amika Mobility Server platform for critical communications is now integrated with the Guardian Indoor Active Shooter Detection System from Shooter Detection Systems.</p><p>Point Blank Enterprises will distribute ARMORVENT systems to the U.S. commercial and law enforcement markets.</p><p>ASSA ABLOY announced the integration of its Aperio wireless lock technology with ProdataKey’s pdk io cloud managed access control solution. </p><p>V5 Systems is partnering with Axis Communications to create a self-powered solution to protect people outdoors.</p><p>Bosch Security Systems and Sony Corporation are partnering in sales, marketing, and technical collaboration for video security solutions.</p><p>Brivo and Mercury Security integrated the Authentic Mercury open platform into Brivo’s flagship OnAir access control system.</p><p>CBC AMERICAS Corp. announced a strategic business alliance with CrucialTrak to introduce CrucialTrak’s range of products to Japan, Australia, North America, and Latin America.</p><p>Centerra Group, LLC, was selected as the protective services contractor at URENCO USA’s site in New Mexico. </p><p>Checkpoint Systems is implementing electronic article surveillance systems at approximately 2,800 Dollar General retail locations. </p><p>Delta Scientific provided temporary vehicle barriers to restrict vehicle access to Bourbon Street in New Orleans during Mardi Gras.</p><p>Flexera Software is working with the Financial Services Information Sharing and Analysis Center to offer verified software vulnerability intelligence alerts to critical sector entities worldwide.</p><p>Genetec integrated gunshot detection technology from ShotSpotter in its Security Center.</p><p>Huawei is collaborating with Honeywell to create smart building offerings and make them sustainable, secure, and energy efficient.</p><p>HySecurity commercial, industrial, and antiterrorist automated gate systems are now available to PSA Security Network integrators.</p><p>Ergos Group and IndigoVision worked together to improve surveillance at the stadium of the Santos </p><p>Futebol Clube in Santos, Brazil.</p><p>Netsurion was named a Fortinet MSSP Platinum Partner.</p><p>Free2Move, a mobility app for car-sharing providers, including companies such as Car2Go, Flinkster, Multicity, Zipcar, and DriveNow, selected Jumio Netverify Trusted Identity as a service to verify customers’ driver’s licenses.</p><p>Kentec gas extinguishing fire safety panels are helping protect Specsavers’ new West Midland manufacturing and distribution center. The new fire safety system was designed and installed by Leader Systems LLP. </p><p>Lenel and Everbridge, Inc., announced an alliance to interface their leading solutions for comprehensive security management and critical communications.</p><p>March Networks announced a strategic partnership with Oncam for its banking, retail, and transportation solutions.</p><p>Mount Airey Group, Inc., is partnering with Acuant to launch a comprehensive authentication solution for border control and to minimize the acceptance of fraudulent passports.</p><p>Henry County Hospital in Ohio is using the Netwrix Auditor from Netwrix Corporation.</p><p>A collaboration between nuPSYS and Bosch Video Management System integrates the nuPSYS 3D-mapping solution to allow assets, sensors, alarms, and critical points to be plotted onto a 3D mapping surface.</p><p>Park Assist was awarded the Parking Guidance System contract for the University of Texas at Dallas in its new garage.</p><p>Deutsche Telekom entered a strategic partnership with Radiflow to collaborate in securing industrial networks. </p><p>Raytec LED lighting improved security at a multisite installation for the National Bank of Romania. </p><p>SALTO Systems hired Warren Associates to sell SALTO’s security products in northern California, northern Nevada, Utah, Colorado, Montana, New Mexico, Wyoming, and Idaho. Bassett Sales Corporation will represent SALTO in the Southwest United States and Hawaii.</p><p>Semafone is partnering with Australian compliance specialist SecureCo to protect customer payment data.</p><p>Sharp Robotics Business Development appointed U.S. Security Associates as an authorized guard services reseller of the Sharp INTELLOS Automated Unmanned Ground Vehicle.</p><p>Suprema announced that its SFU-S20 fingerprint modules are integrated in BioWolf LE rugged tablet PCs from BioRugged.</p><p>London development New Ludgate chose Tyco Security Products C·CURE 9000 Security and Event Management system to unite building management, access control, and video surveillance systems.</p><p>Vanderbilt integrated its award-winning Lite Blue and Bright Blue access control solutions with Allegion’s Schlage NDE series wireless locks with Engage technology.</p><p>An official partnership agreement was signed by SMR Links Consultants and VSTEP, making SMR Links the exclusive partner of the NAUTIS maritime simulators and RescueSim Incident Command Simulator in the United Arab Emirates region.​</p><h4>GOVERNMENT CONTRACTS</h4><p>American Public University was selected by the U.S. Transportation Security Administration Institute of Higher Education to provide academic programs to up to 20,000 TSA employees at 147 airports nationwide.</p><p>Fredericton Police Force in Canada is testing Axon body cameras.</p><p>The U.S. Department of Commerce and First Responder Network Authority selected AT&T to build the first nationwide wireless broadband network dedicated to America’s first responders. </p><p>BioTrackTHC partnered with the Hawaii Department of Health to deploy a live seed-to-sale cannabis traceability system in a FedRAMP authorized environment. </p><p>Bittium received a purchase order from the Finnish Defence Forces for Bittium Tactical Wireless IP Network system products.</p><p>Edesix is the body-worn camera provider of choice for Her Majesty’s Prison Service throughout the United Kingdom.</p><p>Central Lake Armor Express, Inc., was awarded a new contract with the San Francisco Police Department and San Francisco Sheriff’s Department to provide its Vortex ballistic vest.</p><p>Police in the Canton of Graubünden, Switzerland, where the World Economic Forum was held, employed a drone defense system from Dedrone to monitor critical airspace above the area.</p><p>Boise Airport updated its security infrastructure with Genetec Security Center to manage cameras, access control points, and video analytics software.</p><p>The City of Deagu, South Korea, is using Hikvision cameras in an integrated atmospheric information system.</p><p>J & S Franklin Ltd. delivered DefenCell MAC geotextile lined metal gabions to the Tunisian authorities for deployment on the Tunisian-Libyan border.</p><p>Milestone Systems open platform IP video management software was installed at JFK International Airport. </p><p>Mutualink and Rave Mobile Safety announced a technology deployment in Warwick, Rhode Island, public schools as an effort to help save lives through enhanced collaboration with the local police, fire departments, and hospitals. </p><p>Colquitt County Jail in Georgia worked with local systems integrator Ace Technologies to deploy a new video system from Pelco by Schneider Electric. </p><p>Safran Identity and Security supplied a facial recognition solution to the National Police of The Netherlands.</p><p>SRC was awarded a U.S. Army contract to deliver, integrate, and sustain 15 counter-UAS systems. </p><p>SuperCom announced that its M2M division was selected by the Czech Republic Ministry of Justice to deploy its PureSecurity Electronic Monitoring Suite.</p><p>Total Recall Corporation will work with the City of Chattanooga and the Chattanooga Police Department to provide a citywide safety solution that includes CrimeEye-RD-2 rapid deployment portable video systems.</p><p>Vialseg combined forces with Vivotek’s local distributor Selnet and LPR software partner Neural Labs to provide red light enforcement systems for Argentinian cities.</p><p>Zenitel is providing IP-based security systems for Oslo Schools.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>ByteGrid achieved the SOC2+ HITRUST designation, to go along with its EHNAC accreditation.</p><p>The office of the Ohio Secretary of State certified that Verity voting from Hart InterCivic meets all state requirements to ensure fair and accurate elections.</p><p>IBM announced that its scientists have been granted a patent around a machine learning system that can dynamically shift control of an autonomous vehicle between a human driver and a vehicle control processor in the event of a potential emergency.</p><p>Intelligent Protection International Limited was granted Conseil National des Activités Privées de Sécurité status and is licensed for Close Protection activities in France. </p><p>Frost & Sullivan recognized Karamba Security with the 2017 North American New Product Innovation Award for the Automotive Industry.</p><p>Milestone Systems was named one of the 100 Best Companies to Work for in Oregon by Oregon Business Magazine.</p><p>PinPoint Initiative from PinPoint won a Platinum Govie award from Security Today in the category of User Authentication/Identification/Credentialing and Management.</p><p>Secure I.T. Environments Ltd. achieved new quality management standards for design, construction, and management of data centers. The new accreditations are SOHSAS 18001:2007 (ISO 45001), ISO 14001:2015, and BN ES ISO 9001:2015.</p><p>Sielox LLC recognized MCM Integrated Systems of Van Nuys, California, as its National Business Partner of the Year.</p><p>Snap Surveillance achieved the status of Milestone Certified Solution with its integration to XProtect Corporate IP video management software. </p><p>Sword & Shield Enterprise Security was named to the Cybersecurity 500, a global compilation of leading cybersecurity solutions and service companies.</p><p>Tosibox won the Industrial and Security Category Awards at the IOT/M2M Innovation World Cup.</p><p>Tyco Security Products announced that its Innometriks Cheetah high assurance physical access reader achieved UL 294 certification, and the complete Innometriks Infinitas FICAM solution is now listed on the U.S. General Services Administration Approved Product List.</p><p>Vinson Guard Service, Inc., and company president Christine Vinson were honored with the James J. Coleman, Sr., Corporate Partner Award at the Annual Crimestoppers of Greater New Orleans Awards Luncheon. </p><p>Virtual StrongBox, Inc., was named a finalist for a Blue Diamond Award, which recognizes the best technology in the greater Charlotte area.​</p><h4>ANNOUNCEMENTS</h4><p>ASSA ABLOY completed an additional seven Environmental Product Declarations, third-party reports that document the ways in which a product affects the environment.</p><p>Blancco Technology Group opened a new office in Beijing, China. </p><p>The Community Security Service is launching a new app, the Jewish Security Application, allowing individuals to report suspicious activity and document anti-Semitic incidents quickly and accurately from their smartphones.</p><p>Constellis entered into a definitive agreement to acquire Centerra Group, LLC, and its subsidiaries.</p><p>DNA Labs International relocated to a larger laboratory near its current facility in Deerfield Beach, Florida.</p><p>A new shipping facility for eDist Security in Dallas offers more space.</p><p>Intelligent Protection International Limited opened an office in Paris on the Champs-Elysées.</p><p>MorphoTrak will donate access to MorphoCloud to West Virginia University. The donation will support research and education in biometrics and forensics.</p><p>The National Association of Police Equipment Distributors is welcoming online distributors and retailers within the law enforcement, public safety, and military markets to its general membership.</p><p>NEC Corporation and Infosec Corporation established Infosec America, Inc., as a security operations center in Santa Clara, California.</p><p>Pelco by Schneider Electric launched a new informational website for the security industry:</p><p>Red Hawk Fire & Security acquired  two companies: Alarm Tech Solutions of the Washington, D.C., metropolitan area and Integrated Systems of Florida.</p><p>RiskIQ revealed that its intelligence and external threat investigation system was used by the Citizen Lab in the discovery of commercial spyware that targeted the mobile phone data of United Arab Emirates human rights activists.</p><p>The Security Industry Association established the SIA International Relations Committee to engage with international trade officials, to facilitate education for SIA members on topics related to trade/export programs, and to collaborate with global security trade associations.</p><p>SecurityScorecard launched the Risk Ratings Alliance Program aimed at developing strategic partnerships to help the world’s companies become more secure through collaboration and trust. </p><p>Security Innovation’s security division, OnBoard Security, is placing all of its NTRUEncrypt patents in the public domain, so that they may be freely used under the Creative Commons CC0 1.0 Universal License.</p><p>The Smart Card Alliance is changing its name to the Secure Technology Alliance.</p><p>Tyco Security Products launched a new partner portal to enhance the third-party integration process with its brands.</p><p>Unisys Corporation plans to launch the Unisys Artificial Intelligence Center of Excellence, allowing users to gain free access to online tools to help them develop capabilities in advanced data analytics.</p><p>ViSTA Networking Solutions announced that its network video recorder configuration tool is now available for download. ​</p> MeasuresGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​When it comes to preventing radicalization in at-risk communities, counterterrorism and countering violent extremism (CVE) programs often go hand-in-hand. While counterterrorism focuses on collecting evidence and making arrests before an event has occurred, CVE attempts to prevent radicalization from occurring in the first place through community engagement and counseling. Many countries have implemented CVE programs to various degrees, including the United States, which began its CVE efforts in 2011. Supported by the Obama administration and viewed as a way to create ties with marginalized communities, the U.S. CVE program strives to address causes of radicalization.</p><p>Over the past six years, the U.S. CVE program has faced its share of challenges, including confusion over strategy and implementation of its objectives, shifting threats, and criticisms that it stigmatizes American Muslims. In January 2016, a new CVE task force was formed to further coordinate government efforts, and U.S. Department of Homeland Security (DHS) and U.S. Department of Justice (DOJ) leaders once again emphasized the importance of CVE in preventing terror attacks. Former DHS Secretary Jeh Johnson told Security Management last year that building bridges with Muslim communities was imperative to deradicalization efforts.</p><p><img src="/ASIS%20SM%20Callout%20Images/0717%20NS%20Chart%202.png" class="ms-rtePosition-1" alt="" style="margin:5px;" />However, a new U.S. Government Accountability Office (GAO) report finds that the program’s leaders have no way to assess whether CVE measures are effective. “[GAO] was not able to determine if the United States is better off today than it was in 2011 as a result of these tasks,” the report notes. “This is because no cohesive strategy with measurable outcomes has been established to guide the multi-agency CVE effort.”</p><p>Paired with the uncertainty of the program’s effectiveness is the Trump administration’s approach to terrorism. U.S. President Donald Trump plans to shift the CVE program’s efforts to focus primarily on Islamist extremism, going so far as to switch the program’s name from “Countering Violent Extremism” to “Countering Islamic Extremism,” Reuters reports. </p><p>At least four of the community organizations former U.S. President Barack Obama awarded CVE grants to have turned down the awards because of the anticipated policy shift. One Michigan-based group declined a $500,000 grant it was offered “given the current political climate and cause for concern,” according to an email to Reuters from a representative of the organization.</p><p>The shift in policy contradicts GAO findings: of the 85 violent extremist incidents that have resulted in death since 9/11, 73 percent were carried out by right-wing violent extremist groups, while radical Islamist violent extremists were responsible for 27 percent. Diana Maurer, GAO’s director of homeland security and justice issues, tells Security Management that the statistics should frame conversations about the future of the program.</p><p>A recent Brennan Center report on CVE is more critical of the program due to its Muslim profiling and disproven methods, and states that these flaws will only be exacerbated by an administration that is “overtly hostile towards Muslims.”  </p><p>“Regardless of whether CVE is called ‘Countering Radical Islam’ or not, the programs initiated under this rubric by the Obama administration—while couched in neutral terms—have, in practice, focused almost exclusively on American Muslim communities,” the Brennan Center report states. “This is despite the fact that empirical data shows that violence from far-right movements results in at least as many fatalities in the U.S. as attacks inspired by al Qaeda or the Islamic State.”</p><p>Maurer says that while terrorism isn’t anything new, the threats are constantly evolving, requiring a robust counterterrorism program supplemented with an effort to combat violent extremism. “It’s important for agencies to take some actions to work with state and local officials to help prevent people from going down the path of terrorism in the first place,” she says.</p><p>At the start of the CVE program, 44 tasks to address radicalization on a domestic front were outlined, but efforts to implement them “were scattered across a number of components and lacked specific goals and tangible measures of success,” according to the GAO report, Countering Violent Extremism: Actions Needed to Define Strategy and Assess Progress of Federal Efforts, authored by Maurer. As of December 2016, almost half of the tasks were implemented. Yet to be implemented are a few of the most controversial goals, including FBI involvement in the program and prison outreach.</p><p>Throughout the program’s six years, the American Civil Liberties Union has lambasted CVE for focusing on monitoring at-risk individuals and communities instead of merely supporting them. Maurer acknowledges that this is still a problem with the program on a fundamental level.</p><p>“On the one hand, there’s a First Amendment in this country, which means people can express views on a wide variety of things, and those are constitutional rights that need to be protected and respected,” she explains. “At the same time, from a policy and political perspective, there’s a desire to try to figure out a better way to get advanced warning signs—that we should have known that someone was going to take action or commit a violent act because we should have been monitoring Facebook or Twitter.”</p><p>DHS has been meeting with the social media industry and officials to discuss how to address violent extremism online, but community outreach in the digital environment is a task that continues to need attention, according to the report. DHS is also having trouble developing countermessaging tactics. Although they have been working with the Los Angeles Police Department and YouTube to develop campaigns against violent extremism, officials want more access to former violent extremists to learn how to directly challenge radical narratives. Maurer notes that speaking with former terrorists is fraught with legal complications. </p><p>The report also points out that agencies have not yet taken action on implementing CVE in federal prisons, which Maurer says surprised her. “Even beyond CVE, we’re talking about gangs, and that is a well-known issue within the prison environment,” she notes. “There are all kinds of ways the federal prison system tries to mitigate or reduce the impact of gang activity and affiliations within the federal prison system, so why haven’t they done more on the issue of radicalization?”</p><p>One controversial aspect of CVE that has plagued it since its inception is that the outreach efforts are coming from the same agencies that investigate terrorist activity. Johnson and the Obama administration were vocal about using the program to build bridges, especially with Muslim communities that had been stigmatized by the government in the past. But Maurer explains that the role of some government agencies in CVE is a gray area.</p><p>“Obviously, the FBI knows quite a bit about pathways to terrorism and potential profiles and ways people become radicalized in all different forms,” she notes. “That could be an important part of having meaningful CVE activities. But at the same time, the FBI’s primary role is to investigate and arrest and get people ready for prosecution. That’s further downstream. Finding the right role specifically for the FBI is one of the main challenges to CVE.”</p><p>While financial support from the government may be critical to CVE efforts—DHS designated $50 million to addressing emergent threats in 2016 alone—other countries have developed similar programs with experts not directly affiliated with the government. </p><p>A task force of 100 counterterrorism experts is examining radicalization in prisons in England and Wales and will help train personnel on how to prevent extremism among prisoners. After a study showed that prisons in England are filled with more than 1,000 prisoners identified as extremist or vulnerable to extremism, the effort was accelerated. And organizations such as the Global Center on Cooperative Security encourage more holistic approaches to deradicalization, including using women to prevent violent extremism and rehabilitating juvenile violent extremist offenders.</p><p>“It’s a delicate dance,” Maurer acknowledges. “I know other countries have done more on this than we have in the United States, but they have very different systems.”</p><p>GAO was able to identify the challenges the U.S. CVE program faces based on the status of the 44 outlined tasks, but was unable to determine whether the efforts have made the United States safer, the report explains. </p><p>“We recognize it’s not like sticking a thermometer in someone’s mouth and taking their temperature,” says Maurer. “We know it’s challenging trying to develop these kinds of measures, but it’s something the White House tasked the agencies to do, and they didn’t do it.”</p><p> This isn’t the first time GAO has brought up CVE’s lack of evaluation measures. After a July 2015 report found that there was no cohesive strategy to implement program recommendations, a new CVE task force updated the program’s strategic implementation plan to coordinate federal efforts. </p><p>However, the lack of measurable outcomes makes the success of the program uncertain.</p><p>“Absent a cohesive strategy with defined measurable outcomes, CVE partner agencies have been left to develop and take their own individual actions without a clear understanding of whether and to what extent their actions will reduce violent extremism in the United States,” the report finds.</p><p>Maurer says the lack of measurable progress is disappointing and makes it difficult to understand the strengths and weaknesses of the current CVE program, as well as what its future will be. She says she hopes the Trump administration will take current research on the threat picture to inform decisions on how to proceed. “There are a variety of domestic terrorist threats facing this country, and the government should take into consideration those threats, the risk environment, and the current state of research, as well as the current capabilities of the various federal agencies and their state and local partners, to combat violent extremism.” </p><p>The Brennan Center report notes that “it is unlikely that either new or existing CVE programs will carry tangible security benefits” and while a shift by the new administration to target Muslim extremists would damage critical relationships, it may also provide an opportunity to rethink the government’s approach to CVE.</p><p>“Even if the federal government pulls back from its active sponsorship of CVE or renames it to make clear that the target is ‘radical Islam,’ the infrastructure for these programs has already been developed at the local level,” the Brennan Center report notes. “It is therefore critical that government agencies, particularly at the state and local levels…dismantle, or at the very least substantially reconfigure, their CVE programs.” ​</p>