Cybersecurity
https://sm.asisonline.org/Pages/Avoiding-Breaches.aspx 2018-12-01 Avoiding Breaches (Cybersecurity), by Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)
<p>Three days after detecting a breach of its network that affected almost 50 million accounts, Facebook notified users of the incident and explained how it had acted to stop the breach from spreading.</p>
<p>“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” wrote Facebook Vice President of Product Management Guy Rosen in a post on the social media company’s website.</p>
<p>“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen explained. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”</p>
<p>In response to the breach, which Facebook discovered on September 25, the company fixed the “View As” vulnerability, informed law enforcement, reset the access tokens of affected accounts (a forced logout), and displayed a notification to those users when they logged back in. For a token-theft incident the reset is the step that matters: fixing the bug stops further theft, but tokens already in an attacker’s hands remain valid until the server stops honoring them. Rosen also said Facebook would conduct a full security review of the “View As” function.</p>
<p>“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said in his post. “We also don’t know who’s behind these attacks or where they’re based.”</p>
<p>After further investigation, Facebook determined that 30 million accounts were affected; for half of those accounts, attackers took names and contact information from the profile.</p>
<p>Facebook is not alone in suffering a breach in 2018. In the first 203 days of the year there were 668 publicly disclosed U.S. data breaches; at that rate, more than 1,200 will have been disclosed by the end of the year.</p>
<p>By the SANS Institute’s count there are roughly 18,000 companies in the United States, and nearly 17,000 of them will finish the year without a data breach, according to its recent white paper, <em>Breach Avoidance: It Can Be Done, It Needs to Be Done.</em></p>
<p>“The bottom line is that breaches are not inevitable,” the white paper said. “There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed.”</p>
<p>John Pescatore, director of emerging security trends at SANS and former lead security analyst at Gartner, says he was inspired to write the paper after the NotPetya malware, which posed as ransomware, hit FedEx and Maersk and caused $1 billion in damage between them. Competitors in the same industries, Pescatore says, did not suffer comparable losses because they had prepared for the possibility of a ransomware attack.</p>
<p>Focusing on examples of organizations that took the right steps to prepare is helpful for the industry as a whole, he adds.</p>
<p>“There’s no shortage of coverage in the press when the planes crash or when the breaches happen, but we never get to hear: what are those people doing right to escape these things?” Pescatore says. “In particular, with breach avoidance, how did the people who succeeded in minimizing their damage or totally avoiding damage from these breaches that made the press, what were the common things they were doing?”</p>
<p>To find out, Pescatore spoke with CISOs and security directors around the globe who have avoided data breaches to learn how they do it. His research found that “organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets are less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts.”</p>
<p>The first thing these organizations have in common is that they act before an incident rather than after it. As Pescatore wrote, people and software will always have vulnerabilities, but security teams can reduce the risk those vulnerabilities pose through a handful of practices.</p>
<p>“By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents,” the white paper explained.</p>
<p>That does not mean buying a stack of security products to carry out these actions: there is limited correlation between the amount an organization spends on security and the damage a security incident causes it.</p>
<p>“Simply adding layers of security products increases complexity, requires security staff skills that are hard to find, and often results in more disruption to business operations than to attackers,” Pescatore wrote.</p>
<p>In an interview, he tells <em>Security Management</em> that the real differentiator for organizations that have avoided a breach is that the people they did have were working on the most important things first, “which tended to mean they were ahead of the curve when the attacks actually happened.”</p>
<p>What helps organizations decide which actions to take is a cybersecurity framework that prioritizes protecting the business rather than demonstrating compliance.</p>
<p>“Simply achieving compliance can avoid some level of fines, but it does not assure actual protection of business and customer information, nor has it even been shown to provide any legal cover or liability reduction if incidents do occur,” according to the white paper.</p>
<p>Instead, SANS recommends frameworks that support business protection and risk reduction, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Critical Security Controls, the PCI Data Security Standard’s Prioritized Approach, or the Health Information Trust Alliance (HITRUST) Common Security Framework.</p>
<p>“The use of a cybersecurity framework that prioritizes actions and controls by business risk is key to focusing on what security processes and controls are the most important to avoid incidents that would disrupt business operations or expose customer information,” Pescatore wrote.</p>
<p>Beyond a framework, organizations that avoid breaches also run complete, accurate, and prioritized continuous monitoring of their systems. That requires working with the business side of the organization so that no system falls through the cracks; monitoring can only cover assets the security team knows exist.</p>
<p>“Security professionals need similarly fresh knowledge of business operations mapped to IT assets to ensure that current and accurate risk assessments cover all critical systems,” the white paper explained.</p>
<p>Once continuous monitoring is in place, it is likely to produce a large number of vulnerability alerts. Organizations that avoid breaches decide which alerts to address first by the risk each one poses to the business.</p>
<p>Doing so wins security teams more support across the organization for fixing vulnerabilities, because the impact on the business is made clear.</p>
<p>“When vulnerabilities are mapped first against active threats that exploit those vulnerabilities and then by criticality to business operations, security teams have been able to justify the need to take immediate patching, reconfiguration, or shielding actions,” the white paper explained.</p>
<p>These organizations also use playbooks to handle incidents, much as physical security professionals use playbooks to walk through the response to a fire in the facility or an active shooter.</p>
<p>Playbooks should recommend “mitigation and shielding steps based on asset criticality and threat classification” so that any security analyst can follow the instructions to reduce risk to the organization, the white paper said. They should also be updated regularly as the organization’s IT systems and software change.</p>
<p>Having put these steps in place, breach-avoiding organizations also track their security posture with metrics, to tell the CIO, the CEO, and the board what the current risk landscape looks like and how the security team is positioned to address it.</p>
<p>“The most effective security programs develop processes and methodologies to provide high-level views of risk that are understood by management even though they are derived from data that is used by both security and IT operations for tactical decision making,” according to the white paper.</p>
<p>To do this, SANS recommends tracking three main metrics: time to detect, time to respond, and time to restore; that is, how long an incident runs before it is detected, how long it takes to get from detection to containment, and how long it takes after that to return to normal operations.</p>
<p>“The three ‘time to’ metrics discussed above have proven critical to measuring and increasing the efficiency and effectiveness of a security operations center,” the white paper said. “Higher level metrics and measurements are needed to manage the overall security program, and for effective presentation to the C-suite and the board of directors.”</p>
<p>Effective communication with the board has been a priority for CISOs over the past year, Pescatore explains, because boards want CISOs to bring them strategies for dealing with risks to the business, not just a list of the risks.</p>
<p>“Part of this is for CISOs to think through the business side of it—what possible risks have the biggest impact to the business and what are the strategies for removing those risks,” Pescatore says.</p>
<p>Examples the white paper gives include showing a decline in risk due to faster patching or shielding, improved cybersecurity hygiene, and a sharper focus on avoiding software vulnerabilities.</p>
<p>“Trend analysis of threats, vulnerabilities, and business impact allow CISOs to demonstrate success, as well as document lessons learned from failures, and support justification for the overall strategic cybersecurity approach and any necessary tactical actions,” the white paper said.</p>
<p>Together, these practices help organizations avoid breaches or, when one does occur, respond quickly enough to limit the impact on the business.</p>
<p>“What we always say in security is everybody who succeeds has found a way to mix people, processes, and technology,” Pescatore says. “People, processes, and technology, and being able to prioritize—it’s easy to say those things but to have that focus and the prioritization built in is the difference maker.”</p>
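<p>The forced logout in the Facebook incident above is worth seeing in code, because a password reset alone would not have helped: an access token is a bearer credential, and a stolen one keeps working until the server stops honoring it. The following is an added example, not Facebook's code and not a description of its token system. It models one common design: a random bearer token stored server-side only as a hash, plus a per-user "generation" counter, so that a single counter increment invalidates every outstanding token for that user, including any the attacker holds. The token lifetime, the user names, and the timestamps are assumptions.</p>

```python
"""Bearer access tokens with a per-user "force logout" (revoke-all) switch.

Added example; not Facebook's code and no claim about its internals.
Assumptions: 60-day token lifetime, SHA-256 hashing of tokens at rest,
and user IDs that are plain strings.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user_id: str
    generation: int     # value of the user's counter when the token was issued
    expires_at: float   # Unix time


@dataclass
class TokenService:
    ttl_seconds: int = 60 * 60 * 24 * 60                              # assumed 60-day lifetime
    _generation: Dict[str, int] = field(default_factory=dict)         # user_id -> current counter
    _tokens: Dict[str, TokenRecord] = field(default_factory=dict)     # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored: a leaked token table yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        gen = self._generation.setdefault(user_id, 0)
        self._tokens[self._digest(token)] = TokenRecord(user_id, gen, now + self.ttl_seconds)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user_id, or None if the token is unknown, expired or revoked."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._digest(token))
        if rec is None or now >= rec.expires_at:
            return None
        # Issued before the user's last force logout: dead, even though this
        # particular token was never individually reported as stolen.
        if rec.generation != self._generation.get(rec.user_id, 0):
            return None
        return rec.user_id

    def force_logout(self, user_id: str, now: Optional[float] = None) -> int:
        """Invalidate every token issued to user_id; returns how many were still live."""
        now = time.time() if now is None else now
        gen = self._generation.get(user_id, 0)
        live = sum(1 for r in self._tokens.values()
                   if r.user_id == user_id and r.generation == gen and now < r.expires_at)
        self._generation[user_id] = gen + 1              # one write kills them all
        return live


def demo() -> Dict[str, object]:
    """Theft, forced logout, re-login; returns what each step observed."""
    svc = TokenService()
    t0 = 1_537_833_600.0                                  # constructed: 2018-09-25 00:00 UTC
    stolen = svc.issue("alice", now=t0)                   # attacker copies alice's token via a bug
    before = svc.authenticate(stolen, now=t0 + 60)        # "alice": the theft is invisible
    revoked = svc.force_logout("alice", now=t0 + 90)
    after = svc.authenticate(stolen, now=t0 + 120)        # None: generation mismatch
    fresh = svc.issue("alice", now=t0 + 180)              # alice logs back in
    relogin = svc.authenticate(fresh, now=t0 + 240)       # "alice" again, on a new token
    return {"before": before, "revoked": revoked, "after": after, "relogin": relogin}


if __name__ == "__main__":
    print(demo())
```

<p>The design choice to note is that revocation is per user, not per token: the server does not need to know which token was stolen, which is exactly the situation after a bug like the one described, where the attacker's copies are indistinguishable from the victim's own.</p>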
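<p>The prioritization rule quoted above (active threats first, then business criticality) and the playbook that follows it can be written down as a small triage routine. The example below is added here and is not from SANS or the white paper; the asset names, vulnerability IDs, tiers, playbook actions and deadlines are constructed assumptions. It also covers the "falling through the cracks" case: a finding on an asset missing from the inventory is pushed up the queue rather than dropped. Note that the highest CVSS score in the sample lands last.</p>

```python
"""Risk-first vulnerability triage with playbook lookup.

Added example; not code from SANS or the white paper. It implements the
ordering the paper describes (active threat first, business criticality
second, severity last) over constructed data. Asset names, vulnerability
IDs, tiers and deadlines are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Business criticality tiers (assumed): tier1 = revenue or customer-data systems.
TIER_RANK: Dict[str, int] = {"tier1": 3, "tier2": 2, "tier3": 1}

# Playbook rows keyed by (actively exploited?, tier) -> (action, deadline in hours).
PLAYBOOK: Dict[Tuple[bool, str], Tuple[str, int]] = {
    (True, "tier1"): ("shield now (block/WAF rule), then emergency patch", 24),
    (True, "tier2"): ("patch out of cycle", 72),
    (True, "tier3"): ("patch next cycle; isolate if externally exposed", 168),
    (False, "tier1"): ("patch next cycle", 168),
    (False, "tier2"): ("patch in normal cycle", 720),
    (False, "tier3"): ("patch in normal cycle", 720),
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    exposed: bool  # reachable from the Internet?


def triage(findings: List[Finding],
           inventory: Dict[str, str],
           active_threats: Set[str]) -> List[dict]:
    """Return findings as a work queue, most urgent first, each with its playbook step."""
    queue = []
    for f in findings:
        tier = inventory.get(f.asset)
        gap = tier is None
        if gap:
            # A finding on an asset nobody has classified is the "falling through
            # the cracks" case: treat it as tier1 until an owner says otherwise.
            tier = "tier1"
        active = f.vuln_id in active_threats
        action, deadline = PLAYBOOK[(active, tier)]
        if gap:
            action = "identify owner and criticality; " + action
        queue.append({
            "asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
            "tier": tier, "active_threat": active, "exposed": f.exposed,
            "inventory_gap": gap, "action": action, "deadline_hours": deadline,
        })
    # Sort key mirrors the paper: threat activity, then business criticality,
    # then severity score, with Internet exposure as the final tie-break.
    queue.sort(key=lambda e: (not e["active_threat"], -TIER_RANK[e["tier"]],
                              -e["cvss"], not e["exposed"]))
    for rank, entry in enumerate(queue, start=1):
        entry["rank"] = rank
    return queue


# Constructed sample data (not real assets or vulnerability identifiers).
INVENTORY = {"payments-api": "tier1", "hr-portal": "tier2", "dev-wiki": "tier3"}
ACTIVE_THREATS = {"VULN-B"}          # IDs with exploitation observed in the wild
FINDINGS = [
    Finding("dev-wiki", "VULN-A", 9.8, exposed=True),       # top score, low-value asset
    Finding("payments-api", "VULN-C", 5.3, exposed=False),  # medium score, crown jewel
    Finding("hr-portal", "VULN-B", 7.5, exposed=False),     # actively exploited
    Finding("payments-api", "VULN-B", 7.5, exposed=True),   # actively exploited, crown jewel
    Finding("legacy-box-17", "VULN-A", 9.8, exposed=True),  # asset missing from inventory
]


def sample_queue() -> List[dict]:
    return triage(FINDINGS, INVENTORY, ACTIVE_THREATS)


if __name__ == "__main__":
    for e in sample_queue():
        print(f'{e["rank"]}. {e["asset"]:14} {e["vuln_id"]}  {e["action"]}  '
              f'(within {e["deadline_hours"]}h)')
```

<p>Swapping the sort key for plain CVSS would put the dev-wiki finding first and the actively exploited payments-api finding third, which is the ordering the white paper argues against.</p>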
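<p>To make the three "time to" metrics concrete, here is an added example (not SANS's code) that computes them per quarter from incident records and reports the quarter-over-quarter change that the trend analysis described above needs. The incident records are constructed; the definitions used (start to detection, detection to containment, containment to restoration) and the choice of the median over the mean are this example's assumptions. An incident that is contained but not yet restored counts toward detect and respond but is reported as open rather than skewing the restore figure.</p>

```python
"""The three "time to" metrics per quarter, with quarter-over-quarter trend.

Added example, not from SANS. Definitions assumed here: time to detect =
start to detection, time to respond = detection to containment, time to
restore = containment to restoration; each reported as a per-quarter median
in hours. Incident records are constructed.
"""
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed records (ISO 8601, no zone); None = milestone not yet reached.
INCIDENTS: List[dict] = [
    {"id": "inc-1", "started": "2018-01-10T08:00", "detected": "2018-01-12T08:00",
     "contained": "2018-01-12T20:00", "restored": "2018-01-14T20:00"},
    {"id": "inc-2", "started": "2018-02-01T00:00", "detected": "2018-02-03T12:00",
     "contained": "2018-02-04T00:00", "restored": "2018-02-05T00:00"},
    {"id": "inc-3", "started": "2018-03-15T10:00", "detected": "2018-03-16T10:00",
     "contained": "2018-03-16T16:00", "restored": "2018-03-17T16:00"},
    {"id": "inc-4", "started": "2018-04-02T09:00", "detected": "2018-04-02T21:00",
     "contained": "2018-04-03T01:00", "restored": "2018-04-03T13:00"},
    {"id": "inc-5", "started": "2018-05-20T00:00", "detected": "2018-05-20T18:00",
     "contained": "2018-05-20T22:00", "restored": None},            # still open
    {"id": "inc-6", "started": "2018-06-11T06:00", "detected": "2018-06-11T12:00",
     "contained": "2018-06-11T14:00", "restored": "2018-06-12T02:00"},
]

# (metric name, from-milestone, to-milestone)
PHASES = (("time_to_detect_h", "started", "detected"),
          ("time_to_respond_h", "detected", "contained"),
          ("time_to_restore_h", "contained", "restored"))


def _hours(start: Optional[str], end: Optional[str]) -> Optional[float]:
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"milestones out of order: {start} -> {end}")  # data-quality guard
    return delta.total_seconds() / 3600


def quarter(ts: str) -> str:
    d = datetime.fromisoformat(ts)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def time_to_metrics(incidents: List[dict]) -> Dict[str, dict]:
    """Per-quarter medians of the three metrics, plus incident and open counts."""
    buckets: Dict[str, dict] = {}
    for inc in incidents:
        q = quarter(inc["started"])
        if q not in buckets:
            buckets[q] = {"incidents": 0, "open": 0, **{m: [] for m, _, _ in PHASES}}
        b = buckets[q]
        b["incidents"] += 1
        if inc.get("restored") is None:
            b["open"] += 1
        for metric, start, end in PHASES:
            h = _hours(inc.get(start), inc.get(end))
            if h is not None:                      # skip phases not yet reached
                b[metric].append(h)
    report: Dict[str, dict] = {}
    for q in sorted(buckets):
        b = buckets[q]
        report[q] = {"incidents": b["incidents"], "open": b["open"]}
        for metric, _, _ in PHASES:
            report[q][metric] = median(b[metric]) if b[metric] else None
    return report


def trend(report: Dict[str, dict]) -> List[dict]:
    """Percent change of each metric between consecutive quarters (negative = improving)."""
    quarters = list(report)
    out = []
    for prev, cur in zip(quarters, quarters[1:]):
        for metric, _, _ in PHASES:
            a, b = report[prev][metric], report[cur][metric]
            if a and b is not None:                # skip quarters with no data
                out.append({"from": prev, "to": cur, "metric": metric,
                            "change_pct": round((b - a) / a * 100, 1)})
    return out


if __name__ == "__main__":
    rep = time_to_metrics(INCIDENTS)
    for q, row in rep.items():
        print(q, row)
    for t in trend(rep):
        print(t)
```

<p>With the sample data the median time to detect falls from 48 hours in Q1 to 12 in Q2, time to respond from 12 to 4, and time to restore from 24 to 12; those three percentages, with the open-incident count beside them, are the board-level view the white paper describes, derived from the same timestamps the SOC already keeps.</p>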

 

 


You May Also Like...
https://sm.asisonline.org/Pages/a-manual-private-investigation-techniques-0013117.aspx A Manual of Private Investigation Techniques (Physical Security)
<div class="body"><p><em><strong><span style="color:red;">*****</span> A Manual of Private Investigation Techniques. Edited by William F. Blake. Charles C. Thomas Publishers, Ltd.; ccthomas.com; 326 pages; $39.95; also available as e-book.</strong></em></p><p>The editor of this volume has amassed an impressive number of useful articles for both aspiring and experienced investigators. Although clearly developed for private investigators, its breadth of topics across various types of investigations gives it value for investigators working in the public sector as well.</p><p>The book presents the reader with an array of interesting essays on useful topics such as premises liability, undercover operations, integrity investigations, protecting assets, mortgage fraud, arson investigations, and homicide investigations. Many other investigative topics are explored as well.</p><p>The authors of these articles often explain how the various types of investigations should be conducted. The articles contain worthwhile information that will enable private investigators to educate their clients on potential issues in their businesses that could create vulnerabilities for criminal exploitation. Collectively, the contributing authors adequately spell out the applicable best investigative practices as they survey the various types of investigations.</p><p>In short, this work is a valuable contribution to the field of investigation, especially in the private sector. The editor did a superb job of collecting meaningful articles pertaining to the study of investigation as well as the investigative process.</p><hr /><span style="color:#800000;"><strong>Reviewer: </strong></span>Hugh J. Martin is a retired police chief from Wisconsin. He is a graduate of the FBI National Academy and a member of ASIS.</div>
https://sm.asisonline.org/Pages/Cyber-Trends.aspx Cyber Trends (Cybersecurity)
<p>The security industry changes daily, and it is fair to say that cybersecurity changes even faster as new threats, new attack methods, and new technologies continuously emerge. Cybersecurity professionals need to stay current with the threat landscape to meet the challenges of modern data security. Here we look at some of the major issues these professionals will face over the rest of the year and heading into 2017.</p><p><strong>Brexit. </strong>In a historic decision in June, the United Kingdom voted to leave the European Union (EU), a decision commonly known as Brexit. Approximately 52 percent of voters chose to leave and 48 percent to remain, with majorities in Scotland and Northern Ireland voting to remain.</p><p>While immediate concerns focused on economic upheaval, Brexit will also affect the data-sharing and data-privacy agreements the United Kingdom was party to as a member of the EU and its digital single market.</p><p>One major area of regulation that will need to be worked out is the EU General Data Protection Regulation (GDPR), scheduled to take effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).</p><p>When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework.</p><p>Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, designed to replace the Safe Harbor agreement that the Court of Justice of the European Union had previously ruled invalid. 
The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield—which went into effect earlier this year.</p><p>Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.</p><p>“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”</p><p><strong>Talent shortage</strong>. Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.</p><p>“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”</p><p>And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA). </p><p>This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions. 
</p><p>“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. Also, remediation time following system or data compromises is steadily getting longer.”</p><p>This, in turn, leaves IT security professionals increasingly cornered in a reactive role, identifying compromises and addressing security concerns as they arise instead of proactively mitigating the contributing factors, according to the report.</p><p>To compensate, many information security departments are increasing spending on security tools and technologies and on managed and professional security service providers to augment existing staff.</p><p>However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort was announced by Cisco earlier this year: the company will invest $10 million in a Global Security Scholarship and enhance its security certification portfolio to help close the industry skills gap.</p><p>“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services, in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. We developed this scholarship program to help jump-start the development of new talent.”</p><p>The scholarship is a two-year program designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide the on-the-job readiness needed to meet current and future challenges of network security, according to a press release. 
As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.</p><p>Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.</p><p>Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².</p><p>“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”</p><p>Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”</p><p><strong>Accountability. </strong>The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.</p><p>Research of U.S. 
corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”</p><p>This may be because boards place an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations.</p><p>Twenty-six percent of board members also reported that cyber risk was their highest priority, while other risks, such as financial, legal, regulatory, and competitive risk, were termed “highest priority” by only 16 to 22 percent of surveyed members.</p><p>At the same time, 34 percent of board members indicated that they would warn an executive that reporting needed to improve before firing that executive.</p><p>But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”</p><p>Overall, however, the report shows that boards are engaged and are holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.</p><p>“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. 
Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”</p><p><strong>Encryption. </strong>By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. This year, 2016, was a major milestone for encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced it across the board.</p><p>However, this shift has consequences for corporate security, which cannot always see what is happening on its own network when the traffic is encrypted, and for law enforcement, which loses its ability to gather certain kinds of digital evidence, a problem the FBI calls “Going Dark.”</p><p>“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”</p><p>To that end, the FBI has gone to court against private companies to demand access to encrypted data, as when it obtained a court order directing Apple to help unlock an iPhone 5c used by one of the San Bernardino, California, shooters.</p><p>It has also been encouraging companies to use a form of encryption it terms provider access: the data is encrypted on a smartphone, for example, but the smartphone’s manufacturer holds a key that can decrypt it if the manufacturer is served with a court order to do so.</p><p>This approach has been criticized by technical experts, who point out that the provider’s key is an additional way in: whoever obtains it, lawfully or not, can decrypt every device it covers, so the key itself becomes a high-value target and the scheme is only as strong as the provider’s custody of it.</p><p>“Academically, they are correct,” O’Connell says. “Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”</p><p>For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.</p>
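<p>The provider-access scheme O'Connell describes, and the objection to it, can be demonstrated with envelope encryption. The following is an added example and not Apple's, the FBI's or any vendor's design. Each device holds its own random data key, wrapped once under a key derived from the user's passcode and, when escrow is enabled, once more under a single key the provider keeps for every device. A toy cipher built from SHA-256 in counter mode with an HMAC tag stands in for a real AEAD such as AES-GCM so that the code runs on the standard library alone; the owner names, passcodes and stored data are constructed.</p>

```python
"""Provider-access key escrow modelled as envelope encryption.

Added example; not Apple's, the FBI's, or the article's design. A toy
cipher (SHA-256 counter-mode keystream plus an HMAC-SHA256 tag) stands in
for a real AEAD such as AES-GCM so the file runs on the standard library;
it is for illustration only and should not be reused. Each device encrypts
its data under its own random data key; that key is wrapped once under a
key derived from the user's passcode and, when escrow is on, once more
under a key the provider holds for every device.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate keys for the keystream and the tag, derived from the wrapping key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    for block in range((len(data) + 31) // 32):          # 32-byte keystream blocks
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(enc_key, nonce, ct)


def passcode_key(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)


class Device:
    def __init__(self, owner: str, passcode: str, data: bytes, escrow_key: Optional[bytes]):
        self.owner = owner
        self.salt = os.urandom(16)
        data_key = os.urandom(32)                          # per-device, never leaves the device
        self.ciphertext = seal(data_key, data)
        self.user_wrapped = seal(passcode_key(passcode, self.salt), data_key)
        self.provider_wrapped = seal(escrow_key, data_key) if escrow_key else None  # escrow copy

    def unlock(self, passcode: str) -> bytes:
        return unseal(unseal(passcode_key(passcode, self.salt), self.user_wrapped), self.ciphertext)

    def provider_unlock(self, escrow_key: bytes) -> bytes:
        if self.provider_wrapped is None:
            raise ValueError("no escrow copy on this device")
        return unseal(unseal(escrow_key, self.provider_wrapped), self.ciphertext)


def demo() -> Dict[str, object]:
    escrow_key = os.urandom(32)                            # one key, held by the provider, for the fleet
    fleet = [Device("alice", "2580", b"alice: contacts, photos", escrow_key),
             Device("bob", "horse-battery", b"bob: messages", escrow_key)]
    no_escrow = Device("carol", "zebra", b"carol: notes", None)
    out: Dict[str, object] = {"user_ok": fleet[0].unlock("2580"),
                              "provider_ok": fleet[0].provider_unlock(escrow_key)}
    try:
        fleet[0].unlock("0000")
        out["wrong_passcode"] = "accepted"
    except ValueError:
        out["wrong_passcode"] = "rejected"
    # The failure mode critics point to: whoever obtains the escrow key,
    # lawfully or otherwise, reads every device without any passcode.
    out["leaked_escrow_key_reads"] = [d.provider_unlock(escrow_key) for d in fleet]
    try:
        no_escrow.provider_unlock(escrow_key)
        out["no_escrow_device"] = "readable"
    except ValueError:
        out["no_escrow_device"] = "unreadable without passcode"
    return out


if __name__ == "__main__":
    print(demo())
```

<p>The last two results are the point: with escrow, one key opens the whole fleet and no passcode is involved, so the scheme rests entirely on how well the provider guards that key; without escrow, the provider key opens nothing and each device stands or falls on its own passcode.</p>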
https://sm.asisonline.org/Pages/July-2018-ASIS-News.aspx July 2018 ASIS News
<h4>GSX Promises Vegas Flair</h4><p>World-class networking is a hallmark of the ASIS annual event. In Las Vegas this September, the Society is pulling out all the stops for Global Security Exchange (GSX), formerly the Annual Seminar and Exhibits. From bowling to luncheons to a reception at Drai's Nightclub, GSX offers countless opportunities to forge new connections and cement existing relationships at the industry's premier networking events.</p><p>Kick off the week on Sunday, September 23, by teaming up with friends and colleagues for the ASIS Foundation Golf Tournament at Bali Hai Golf Club, located next to the Las Vegas Strip. Registration includes breakfast, player gifts, and a buffet lunch, with event proceeds benefiting the ASIS Foundation. </p><p>On Sunday evening, the popular Brooklyn Bowl will be transformed into the GSX Opening Night Celebration. Don your bowling shoes and join thousands of peers for a fun-filled night of food, music, and catching up with friends. </p><p>The U.S. Outstanding Security Performance Awards (OSPAs) Luncheon on Monday provides an opportunity to celebrate excellence across the industry—from young professionals to managers to consultants, and more. The deadline to enter for U.S. OSPAs consideration is July 23. Apply at us.theospas.com/enter.</p><p>In addition to opportunities to connect with colleagues in the halls and while perusing the exhibits, the ASIS International Happy Hour on Tuesday on the show floor will celebrate the end of the first day of exhibits. Grab a drink and relive the highlights of the day.</p><p>Close the week in style at the annual President's Reception at Drai's Nightclub. 
At one of Las Vegas's most exclusive venues, guests will be treated to an evening of live entertainment, food and drinks, networking, and a view of the Strip from the 11th story capstone of the Cromwell hotel.</p><p>Register for an All-Access Pass before August 10 and save $100 on your ticket to these events and more. Visit GSX.org/register to sign up.</p><h4>SECOND QUARTER GLOBAL EVENTS</h4><p>Excitement is building towards GSX this September in Las Vegas, as evidenced by the energy at the following events that took place in the second quarter of 2018. </p><p><strong>CSO Summit</strong></p><p>Transparency battles. Global rules in flux. Artificial intelligence. </p><p>Global chief security officers and deputies who attended the 11th Annual CSO Summit April 29 through May 1 at Target Plaza Commons in Minneapolis, Minnesota, grappled with how these and other change drivers will affect the security profession. </p><p>While key conversations and experiences—such as a private security tour of U.S. Bank Stadium—were prevalent, at center stage was a forward-looking agenda aiming to make sure security executives adapt and remain relevant to their organizations. </p><p>Futurist and cybersecurity professional Scott Klososky led off the conference by emphasizing that security leaders are responsible for looking into the future and—before anyone else—understanding how the world, their industry, and their businesses are changing, especially with an eye toward future risk. </p><p>For every cutting-edge technology solution or strategic advantage discussed throughout the event, there was equal and appropriate caution regarding unintended consequences. </p><p>For example, artificial intelligence will help security by enabling analysis of far more data than a human team can review, such as using HR records to identify insider threats, but it has to be implemented properly and with auditability because it can lead to algorithmic bias, that is, it could systematically discriminate against certain groups.</p><p>A common theme across the two days was to define security initiatives in terms of drivers and enablers of business and savings, rather than as sunk costs. Speakers shared examples of strategies they used to calculate the cost savings of implementing new security projects to justify those programs to the C-suite. </p><p>Another common theme was that the path forward for corporate security, and sustainable success in business, requires effective implementation of enterprise security risk management (ESRM), where the organization formally and holistically manages risk. </p><p>This can go hand in hand with a DevSecOps-style approach, in which responsibility for safety and security is shared across the organization rather than held by a central team alone, especially as it becomes more difficult to centralize response to the growing activities and vast data sources generated by modern business processes and systems.</p><p>CSOs and their deputies will have the opportunity to continue exploring the evolution of these change drivers and attend exclusive educational sessions in the CSO track at GSX in September. </p><p><strong>ASIS NYC</strong></p><p>Thousands of security and law enforcement professionals gathered at the Jacob K. Javits Center May 16 and 17 for the ASIS 28th New York City Security Conference and Expo to dive into networking, education, and exhibits at the Northeast's leading security event.</p><p>The event started with a Security Rocks welcome party at the Hard Rock Cafe on Tuesday evening. 
Live entertainment set the scene for fun and networking worthy of the Big Apple.</p><p>Conference education began Wednesday morning with a keynote from JPMorgan Chase Crisis Management Head Scott Morrison, who discussed emerging threats and trends. </p><p>The emerging trends theme continued throughout the day, via a panel discussing the legal and practical applications of drone technologies, a crash course on implementing ESRM to earn security a "seat at the table," and a talk from Facebook Chief Global Security Officer Nick Lovrien, who explored the challenges associated with securing Facebook's open office environment.</p><p>Thursday's education focused on active assailant attacks, with sessions devoted to emergency preparedness and vehicle-involved attacks. At Thursday's Person of the Year Luncheon, the ASIS New York City Chapter honored His Eminence Timothy Cardinal Dolan for his service to the people of New York.</p><p>On both days, a bustling expo floor provided attendees the opportunity to meet with some of the region's foremost solutions providers.</p><p><strong>ASIS Toronto Best Practices</strong></p><p>ASIS Toronto's largest educational event of the year, the 2018 Best Practices Seminar held on April 19, was its largest ever, with a full house of 200 attendees and speakers. It was the 25th annual seminar for the chapter.</p><p>For the first time, the event was held in the Grand Banking Hall of the Dominion Bank building at One King West in downtown Toronto. Attendees enjoyed a jam-packed day of presentations set against the historic ballroom's dramatic backdrop.</p><p>Themed #SecurityEmerging, the seminar featured topical sessions including hyperloop, ESRM, and cannabis. John Minster, physical security manager, TD Bank, discussed video analytics, demonstrating examples of how to apply basic analytics in a variety of real-world applications, with measurable results to the organization. 
The day concluded with a panel of experts who discussed the role of the security professional in dealing with workplace sexual assault. </p><p>The 26th Annual Best Practices Seminar will be held on April 11, 2019. Visit asistoronto.org for details.</p><h4>ESRM: MID-YEAR UPDATE</h4><p>By Tim McCreight, CPP, and Rachelle Loyear.</p><p>The ASIS ESRM Initiative is now at its halfway point for 2018. During the leadership sessions held in Washington, D.C., in January, ASIS made it clear that enterprise security risk management (ESRM) is a priority for the Society today, and into our future. As co-chairs of this important work, we are pleased to share a status report detailing the efforts to infuse ESRM into the Society's programs and services. </p><p>It is with great pride we can say that in the past six months, the ESRM Initiative has accomplished a number of significant achievements. Four value streams were established, each led by a subject matter expert and a representative from the ASIS Board of Directors. </p><p>They focus on Education, Standards and Guidelines, Marketing/Branding, and Maturity Model Tool. We are already seeing the fruits of these groups' labor with the following initiatives well underway:</p><p>•   Education. An ESRM webinar, including definitions and key points, was developed to ensure that all the ESRM presenters at Global Security Exchange (GSX) are "singing from the same songbook." In addition, a draft glossary of terms has been created and an ESRM 101 training will be available by GSX. </p><p>•   Standards and Guidelines. A draft ESRM guideline is on track to be completed by GSX. This document outlines an approach to security program management using risk principles to link an organization's security practice to its mission and goals. 
The working guideline also describes the concept of ESRM, including its four principal elements, as well as additional steps security professionals can take to strengthen an ESRM effort, bring it to maturity, and maintain it over time. </p><p>•   Maturity Model Tool. Requirements for the tool have been established and a request for proposal for a supplier has been disseminated. </p><p>•   Marketing and Branding. An ESRM slide deck was distributed to all chapter and council leaders, and several articles have been written detailing the need for security professionals to apply ESRM within their organizations. </p><p>There is a great deal of rigor and project management going on behind the scenes within the ESRM Initiative, and it shows. The value streams are all on track to deliver their key project updates by GSX, and there will be a number of educational sessions at GSX to showcase some of the deliverables, including a pre-conference program workshop.</p><p>Check the GSX program guide to see all the ESRM sessions for 2018, and feel free to contact us at esrm@asisonline.org if you have questions or would like more information on any of the value streams.</p><p>Tim McCreight, CPP, is ESRM Initiative board sponsor, and Rachelle Loyear is ESRM Initiative program manager.</p><h4>EXECUTIVE PROGRAM</h4><p>Wharton/ASIS Program for Security Executives: Making the Business Case for Security.</p><p>October 21-26.</p><p>Philadelphia, Pennsylvania.</p><p>With so many new threats confronting today's organizations, corporations are challenged by competing security priorities, as well as how to invest their resources wisely. </p><p>How do they best protect their employees and their organizations' networks and data from harm? 
As a security professional, how do you communicate the security story so leaders fully understand the costs, benefits, and risks of not having a comprehensive strategy?</p><p>Designed for senior security leaders, the Wharton/ASIS Program for Security Executives will enhance participants' business acumen and effectiveness in key areas of strategy, negotiation, critical thinking, and managing change. Attendees will gain the leadership and management skills needed to help them work more effectively and communicate the bottom-line impact of security decisions to the C-suite—so security priorities can be moved forward. </p><p>Through interactive lectures, exercises, and case studies, both in the classroom and in smaller work groups, this custom-designed program will enable participants to create effective security strategies in a fast-changing, global environment. Attendees will come away with a strategic toolbox that will help put these business skills into immediate practice, as well as recognition of their own leadership and communication strengths.</p><p>ASIS members save $1,000 (and CSO Center members qualify for an additional discount) on the regular program fee—which includes all meals and accommodations. Visit asisonline.org/wharton to learn more and apply.</p><h4>IT SECURITY COUNCIL SPOTLIGHT</h4><p>"Cybersecurity is like painting a bridge," says ASIS Information Technology Security Council Vice Chair Robert Raffaele, CPP. "As soon as you decide on a practice and implement it, it's time to start over again. 
The technology advances so rapidly that documented best practices can quickly become obsolete."</p><p>The IT Security Council carries the unique burden of sharing its members' world-class information security expertise in forms that won't be outdated by the time they reach their audience.</p><p>Earlier this year, the council published Security on the Internet of Things: An Enterprise Security Risk Management Perspective, a white paper examining risks security professionals need to keep in mind as today's devices become more and more connected.</p><p>Given the nature of IT security, the council emphasizes person-to-person knowledge-sharing—timely advice delivered when it's needed most. This September, the council will sponsor 11 education sessions at GSX. These sessions will cover topics like cyber terrorism, mobile device security, cybersecurity for physical security professionals, emerging technologies, safe cities, and more.</p><p>The council also offers itself as a yearlong resource, connecting security professionals with the appropriate council members and trusted industry experts needed to tackle real-time IT security problems.</p><p>"In security, trust is such a big factor," says 2018 Council Chair Jeff Sieben, CPP. "It's so much easier to rely on a particular process when that process has been vetted by someone you trust. As a council, we're happy to be that bridge between members and the reliable, immediate information they need."</p><p>Sieben says the council's role is to be a consultative body of subject matter experts. </p><p>"This council's greatest asset is members who stay current and are available to talk about current topics," he says. "Our members are plugged into the greater IT security sphere, contributing to ISACA, ISSA, SIA, (ISC)2, and more."</p><p>To consult with the IT Security Council, email council leadership or message a council member on ASIS Connects. The full council roster can be found on the council's community page. 
Search "Information Technology Security Council."</p><h4>ASIS LIFE MEMBERS</h4><p>ASIS congratulates Eduardo Martinez Fulgencio, CPP; Leonard A. Rosen; and H. John Bates, CPP, who were granted lifetime ASIS membership.</p><p>Fulgencio served as an ASIS assistant regional vice president for many years. He also held the positions of chapter newsletter chair, chapter chair, treasurer, and chapter program chair for the Philippines Chapter of ASIS. He has been a member of ASIS for more than two decades.</p><p>Rosen and Bates were automatically honored with the lifetime award for their continuous membership of more than 50 years. ASIS is grateful for their loyalty for more than half a century.</p><h4>MEMBER BOOK REVIEW</h4><p><em>Private Security and the Law, Fifth Edition</em>. By Charles P. Nemeth. CRC Press; crcpress.com; 739 pages; $89.95.</p><p>As the security profession makes strides in education and training, there is a concurrent need for books that light the path. Dr. Charles Nemeth has written such a book: <em>Private Security and the Law</em>. This fifth edition is a big one, both in size and what it has to say. The author has significant experience as both a security practitioner and a scholar. In this book, he nimbly toggles between the two worlds, presenting a viewpoint that is unbiased and comprehensive.</p><p>Nemeth acknowledges the tension between public policing and private security, while showing how the two can work symbiotically. The first chapter presents the historical underpinnings of the profession, giving a rich history of private security protection. </p><p>The next chapters focus on regulation and licensing; the law of arrest, search, and seizure; civil causes of action; criminal culpability and the private security industry; and evidentiary issues. These chapters help the reader understand how complex areas of the law relate to the security profession.  
</p><p>As both an attorney and a professor of security management, I would refer to this book because it presents statutory and common law elements and legal explanations in a straightforward manner, while also presenting case law and helpful study questions. I appreciate the standout inserts that allow readers to update their knowledge, as well as the citations of websites, handy tables, charts, and sample forms sprinkled throughout the book.</p><p>Bringing it all together are Chapter 7, a model for cooperation between public and private law enforcement, and Chapter 8, a compilation of seminal case law. Nemeth has this to say about the roles of public policing and private security: "Factionalism is surely not a fixed state for either side of the policing model. What appears more likely on the horizon is the recognition that these are two armies operating under one flag."</p><p>I highly recommend this book for the classroom, the security practitioner seeking to know more about the law, and the lawyer representing a security provider as a client. This fifth edition is a monumental work, deserving of space in the libraries of students, lawyers, and security professionals.</p><p><em>Reviewer: Lydia R. Wilson, CPP, is an attorney admitted to practice law in Virginia, New York, and Florida. She is a member of the ASIS Information Asset Protection and Pre-Employment Screening Council.</em></p>