Strategic Security

 

 

https://sm.asisonline.org/Pages/Five-Not-So-Easy-Pieces.aspxFive Not-So-Easy PiecesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-08-01T04:00:00Z<p>​Alignment is in. Many cities, municipalities, corporations, and school systems are taking steps to align their physical security systems so that security programs across locations will be fully integrated.</p><p>The benefits of such a move are numerous. Uniformity across systems makes it easier for end users, and converged systems are easier to manage from operation centers. Moreover, having only one system makes maintenance and upgrades easier, and this can help provide long-term stability. </p><p>But achieving alignment is no easy feat. Navigating a physical security installation across several facilities can be a difficult undertaking; often, such a project includes wrangling a mish-mash of individual products to get them to function under one cohesive system. Alternatively, some take the approach of completely redesigning the physical security system so that it reflects current best practice design standards. Both paths can be difficult.  </p><p>In addition, the potential pitfalls of attempting a unification project are numerous. What is the installation environment in each facility? Which key players need to be involved at each facility, and at what level of involvement? What type of network infrastructure must be in place to integrate the systems? </p><p>In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. Thus, one of the most useful attributes a security practitioner can have is experience in project management.</p><p>Although there is no one roadmap for successful project completion, and despite all the caveats, most projects can be broken down into five stages. The main purpose of this article is to walk the reader through these stages, which experts sometimes refer to as "process groups." The five process groups are initiating, planning, executing, monitoring and controlling, and closing. For our purposes, the second process, planning, can be considered the design process, and the third process, executing, can be considered the installation process. </p><p>Although these stages will remain consistent, the role and scope of a project manager's responsibilities will change from project to project. And, there may be many project managers on a single project: one for the design team, one representing the owner, one who serves as an installation project manager in the field, and others. Each will have different responsibilities.   </p><p>Primarily, this article is written from the point of view of the project manager who is outside of the org­anization and is hired by an owner to design and manage a project that will be installed by a third-party contractor, either through a public bid or the solicitation of proposals. Typically, this type of manager would be a consultant who works on a project-by-project basis with different teams and organizations, for the procurement and installation of a multi-facility physical security system.</p><p>However, the concepts and best practice guidance offered here could be applied to almost anyone involved with the management or supervision of physical security projects, whether that person is inside or outside the organization.​</p><h4>Initiating</h4><p>As a project kicks off, the act of project management is often the act of discovery. The project may be ill-defined, just a blurry picture of the needs and goals of the project's owner. But an ill-defined project cannot be effectively managed, so it is often the project manager's task to focus the project with the owner into a clear and actionable roadmap.</p><p>For the project manager, one of the main goals of the initiating process is to get up to speed with the requirements, history, and expectations of the project. This includes understanding who the project stakeholders are and determining the project's requirements, constraints, and assumptions.  </p><p>Physical security projects can be sponsored by a range of departments in an organization, including security, facilities, IT, finance, and general management. But these departments may have different levels of familiarity with physical security systems, so the project manager must gain an understanding of how well the owner's team knows physical security. This understanding should then inform the project manager's general approach, including the process of assembling the design team. </p><p>This understanding can be gained during the meetings that take place during the initiating process. For example, the design or project management teams may be akin to experts—they will design and demonstrate how the systems work and function together and explain design best practices. In another project, the design team may merely be documenting the project for an owner who already has a strong grasp and understanding of physical security best practices and the needs of each facility. </p><p>Another key task of the initiating process is to learn the requirements and goals of the project. What is the general scope? What physical protection systems will be affected? Will this be a replacement project, or will it integrate with existing systems? Is there a deadline for installation completion? If grant money is involved, is there a deadline for spending funds? Each answer is part of the roadmap.</p><p>Once the initially hazy picture has come into focus, the project manager may take the next steps. These include developing a rough estimate of how many days will need to be spent in the field documenting existing conditions and systems, and how many designers should be hired to create design documents. Other decisions involve who will sit on the project stakeholder's team, whether the owner will require manufacturer demonstrations, and what a reasonable cost for the project looks like. </p><p>During this stage, the project manager may discover that the existing team of stakeholders is inadequate. In this case, the project manager should try to ensure that all decision makers are included, and that, if applicable, teams not directly associated with security are also represented, or at a minimum made aware of the project. Other stakeholders, for example, could include facility directors, senior management, service providers, IT teams, and grant funding representatives. If the project is for a municipal, city, or public organization, the owner may prefer to involve law enforcement in the early stages and throughout the process.</p><p>By the end of this first stage, all stakeholders should understand their roles within the project, what will be expected of them, and the type of work that will be performed on their systems or the facilities they manage. Accomplishing this early is important. It is never a good idea to inform an IT director of an IP video surveillance project a week before the network electronics are scheduled to be installed.​</p><h4>Design</h4><p>The greatest indicator of a well-executed project is a well-executed design process. The overall objective of this process is to create a complete set of project documents that a third-party contractor or integrator can then use to create a proposal or bid. </p><p>These documents, typically referred to collectively as the project manual, will typically include plan drawings, wiring diagrams, and riser and elevation drawings. They also include specifications explaining the scope, the installation standards, the configurations of various systems, and other pertinent information. Front-end documents in the manual often describe the nature of the project and any general requirements that the bidding contractor must adhere to. </p><p> To create a thorough project manual, it is important for the project manager to assemble a qualified design team. Physical security projects can be derailed by subpar designs that do not consider each facet of each system's requirements. The design team must be able to accurately document the correct configuration requirements among systems; all installation best practices and requirements; the code requirements and testing parameters; and the closeout tasks such as training.</p><p>Once the design team is assembled, the project manager begins the process of creating progressively more detailed designs and reviewing them periodically with the owner. A good guide is to review the design documents at 50 percent completion, 75 percent, 98 percent, and 100 percent. At each review, it should be conveyed to the owner what was refined, changed, omitted, or added from the last review. </p><p>The overall cost and the installation schedule should also be reviewed at those junctures. Most likely, the project will have a specific budget and installation schedule that the design team must adhere to. At each design milestone, the project manager must ensure that the owner understands the budget and schedule. Any major design change should be reviewed with the owner.</p><p>If the project does not have a predetermined budget, the project manager should have a usable estimated cost range after project initiation. At the halfway point, an estimate within a few percentage points of the actual cost should be completed and reviewed with the owner. It is also important the owner understands how any future requests will affect the budget and installation schedule. </p><p>Ideally, the project should leave 10 percent of the total budget in contingency to cover unforeseen costs. For example, for a project with a budget of $1 million, the design team should allocate up to $900,000 and leave $100,000 for contingencies. Aside from this practice, some projects also contain a management contingency designed to cover changes in project scope directed by management. However, this contingency may or may not be shared with the project manager, and it may not be included in the total project budget. </p><p>When it comes time to estimate individual costs, the environment and condition of existing facilities should be kept in mind. Areas likely to add surprise costs to the project should be reviewed. Take ceilings, for example. If the facility has open ceilings, will the low-voltage cabling need to be run in conduit? If so, how much cost will that add? Or, consider data closets. Is there adequate wall space to mount patch panels, switches, and servers? Is there wall space to mount security panels? Other areas that should be reviewed for cost impact include power requirements, configuration fees for integrating systems, and software fees for updating out-of-date systems, among other items.</p><p>Taken together, the overall goal of the planning and design process is to create a project manual that is fair to both the owner's needs for attaining the project goals, as well as the contractor's needs to correctly price the project. </p><p>Many potential headaches that could occur during the installation process can be mitigated by giving the contractor a realistic schedule for procurement and installation of the systems, and by ensuring that the project comes in at or under budget. This is done by informing the owner early and often of the realistic requirements that the scope of the project will require. All cost-saving measures should be considered during the design process when at all possible.</p><p>Throughout the design process, the project manager and design team should constantly ask themselves, "If I were a contractor, would I be able to properly price this project based on the project manual documents without adding change orders in the field?" Many projects are soured by an incomplete project manual that puts the contractor in the disadvantaged position of having to constantly submit change orders to correct their fee. ​</p><h4>Executing</h4><p>If the goals of the planning process were accomplished—including properly and completely documenting the physical security systems, their installation requirements, and all responsibilities required by the installation contractor—then the executing process should run relatively smoothly.</p><p>During the executing process, the contractor who was awarded the project proceeds with installing and testing the systems. Sometimes the project manager and design team stay on to manage the schedule and invoices, review the installation and test results, and generally ensure that that the project is being installed to the quality standards documented in the project manual on behalf of the owner. </p><p>The relationships among designers, consultants, project managers, and contractors should be built on teamwork and based on the shared goal of providing the owner with a well-executed project and physical security system. The best projects are those where a mutual respect and a spirit of genuine collaboration are exhibited by all parties and where the project manager has the best interest of all parties in mind.</p><p> Although, careful initial documentation of exactly what is expected of the installation will help avoid oversights and miscommunications, it is still prudent, and often mandatory, for the project manager to review and approve the work being completed. During this process, the manager's best strategy for ensuring that the project is executed well is to stay vigilant in correcting all possible holdups.</p><p>If the overall budget fails to capture all installation costs, change orders can occur during the installation process, after the project has been awarded to a contractor. A change order is a claim to a change in scope that usually comes with an associated cost. It is used by the contractor to seek fees for the change. Change orders can be owner directed or project directed, and they can be legitimate or illegitimate. </p><p>Here's an example of a legitimate, owner-directed change order. After a project manual went out to bid and the project was awarded to a contractor, the owner requested to add access control hardware to a door. This hardware was not included in the design, so the contractor was not allowed to give a cost associated with it. Seeking a fee to now include that door in the installation was a legitimate change order. </p><p>Here's an example of a legitimate project-directed change order. The contractor discovered that 100 feet of conduit was needed to mount a video surveillance camera in an open-ceiling mechanical space. The project manual did not clearly document that the contractor would need conduit at this location, so the contractor sought to submit a change order for the cost of procuring and installing the conduit.</p><p>Illegitimate change orders occur when a contractor seeks fees for a task or product that was clearly documented in the project manual and, therefore, should have been included in the proposal or bid. It should be noted that legitimate or illegitimate status will not determine if the change order will be accepted by the project. Change order acceptance or rejection is determined by the project manager, owner, and other applicable stakeholders.</p><p>One benchmark of success for the project is the number and scope of change orders. In other words, how close was the executed project to the agreed upon budget and original design?​</p><h4>Monitoring and Controlling</h4><p>If the project manager's responsibility is to review and sign off on the installation, it is best to do so early and often. The goal is to correct minor issues before they grow into major issues. </p><p>For example, let's assume a contractor completes a 200-door access control project across 20 different facilities, but does not properly secure the cabling above the ceiling grid as designed. The longer the project manager waits to get on site and review the work, the more difficult it will be to fix this mistake. If the cabling contractor is a subcontractor of the prime contractor and is finished with the scope of work, by the time the project manager is on site to review the work, it may be impossible to correct these mistakes.</p><p>The project manager should be on site to review, at a minimum, the first few devices that are installed to ensure that the installation is clean and to specification. Indeed, many contractors prefer this method of installation kickoff because it will ensure that the installation is on the right track. </p><p>Common installation mistakes found on physical security projects can include sloppy or exposed cabling to devices; installation of sensors, cameras, and other devices that are not plumb or properly secured; low-voltage cabling strung across the ceiling grid and not on cabling support; failure to firestop applicable penetrations; and poor cable management and cable terminations in the data closets and control panels, among other things.</p><p>All site visits, communications between owner and contractor, issuances of work that need to be fixed, and approvals of work done correctly should always be formally documented and distributed to the entire team in field reports and punch lists. In turn, the contractor must document any corrections or installation requirements that are completed. </p><p>Requests for information from the field, product submittals, invoice submittals, and general project housekeeping should be reviewed and answered by the project manager in a timely matter to ensure that the project is not delayed due to lack of direction for the contractor or owner.  </p><p>Sometimes, the biggest roadblocks to completing a project on schedule are the tasks that must be completed by the owner. It is important that the project manager also manage this side of the project. He or she should inform the owner early and often when tasks will be due and should sometimes advise them on how they can be best completed. These tasks may include providing IP addresses for cameras, printing and issuing badges for new access control systems in time for system cutovers, providing configuration on network electronics if required, and configuring and relaying information related to VLANs, among other things. </p><p>Often, contractors are only allowed to invoice for work completed or for devices that were purchased and delivered to the facility. If the project manager is tasked with reviewing invoices, it should be easy to approve or reject fees based on work completed because the project manager has periodically seen and reviewed the work in person.</p><p>Most projects will require that the project hold a retainer against the contractor's fee until the project is 100 percent complete. This retainer is held until the end of the project, after all the installation and miscellaneous responsibilities of the contractor have been met. Each project may have specific requirements in terms of payment and proof of work for payment that should be reviewed and adhered to by all parties.  ​</p><h4>Closing</h4><p>The closing process can be initiated when 10 percent of the project is left to complete. Common tasks to be completed during the closeout process include administering training, delivering operation and maintenance manuals, final testing of systems, reviewing the system test results, reviewing cabling test results, and handing over the systems to the owner. </p><p>It is a good idea to start closeout tasks when the project is around 75 percent complete. However, getting the owner and relevant stakeholders together for training and close-out meetings can be a difficult task depending on their schedules. If the project is being completed in a school district, for example, training may need to wait for a professional development day, so it is best to book training as soon as the trainer is available. </p><p>Depending on the owner's level of expertise, it may also be beneficial to include additional training in the project manual two to six months after the project is handed over to the owner. This will allow the owner to schedule refresher training if desired. </p><p>Once the project manager and design team accept the final installation; all closeout deliverables are finalized; and all final fees, contingencies, and invoices are paid; the project is handed over to the owner and the project is considered complete. </p><p>Successful project completion requires improvisation, teamwork, thoroughness, and foresight. All are skills that are developed over time and through hands-on experience on projects of different sizes and types. The best project managers are those who learn from their mistakes, document their lessons learned, and share those insights with the project management and security management communities.  </p><p><em><strong>Nicholas D'Agostino, </strong>PSP, PMP, is a senior manager of system design for D'Agostino & Associates, a technology consulting firm. He has spearheaded multiple city-wide physical security upgrade projects throughout the Northeast. He can be reached at [email protected] D'Agostino is a member of ASIS International.</em></p>

 

 

https://sm.asisonline.org/Pages/Starting-From-Scratch.aspx2019-05-01T04:00:00ZStarting From Scratch
https://sm.asisonline.org/Pages/How-to-Bridge-the-Gap.aspx2019-04-01T04:00:00ZHow to Bridge the Gap
https://sm.asisonline.org/Pages/Book-Review-Corporate-Security.aspx2019-02-01T05:00:00ZBook Review: Corporate Security

 

 

https://sm.asisonline.org/Pages/Security-and-the-Gig-Economy.aspx2019-05-01T04:00:00ZQ&A: Security and the Gig Economy
https://sm.asisonline.org/Pages/Getting-to-Know-Jaime-P-Owens-CPP.aspx2019-05-01T04:00:00ZGetting to Know: Jaime P. Owens, CPP
https://sm.asisonline.org/Pages/Certification-Profile-Myron-Love-CPP-PCI-PSP.aspx2019-05-01T04:00:00ZCertification Profile: Myron Love, CPP, PCI, PSP

 

 

https://sm.asisonline.org/Pages/March-2019-Legal-Report.aspx2019-03-01T05:00:00ZMarch 2019 Legal Report
https://sm.asisonline.org/Pages/Seek-Joy.aspx2019-01-01T05:00:00ZSeek Joy
https://sm.asisonline.org/Pages/Preserving-Precious-Property.aspx2018-07-01T04:00:00ZPreserving Precious Property

 

 

https://sm.asisonline.org/Pages/Safety-and-Security.aspx2019-03-01T05:00:00ZSafety and Security: Building Relationships For Effective Management
https://sm.asisonline.org/Pages/March-2019-SM-Online.aspx2019-03-01T05:00:00ZMarch 2019 SM Online
https://sm.asisonline.org/Pages/Book-Review-Disaster-Science.aspx2019-02-01T05:00:00ZBook Review: Disaster Science

 

 

https://sm.asisonline.org/Pages/May-2019-Legal-Report.aspx2019-05-01T04:00:00ZMay 2019 Legal Report
https://sm.asisonline.org/Pages/French-Regulator-Issues-First-Major-GDPR-Violation-Fine.aspx2019-05-01T04:00:00ZFrench Regulator Issues First Major GDPR Violation Fine
https://sm.asisonline.org/Pages/March-2019-Legal-Report.aspx2019-03-01T05:00:00ZMarch 2019 Legal Report

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspxTop Five Challenges for Managing Cybersecurity Risk<p>​Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM) and are supported by real-time risk profiling technology plus digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:  </p><p><strong>1. Fighting fraud. </strong>Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications. Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing. </p><p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information enables organizations to realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. It also provides insights around personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p><p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. One example is cloud-based secure issuance, in which the use of digital certificates creates a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area that is seeing huge adoption in critical industries like utilities, oil and gas, chemicals, pharmaceuticals, transportation, and more, being able to collect and correlate physical, IT, and operational events from IoT devices. This multidimensional information can provide indicators of compromise that are otherwise hard to detect with traditional means.</p><p><strong>4. Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across an entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.  </p><p><strong>5. Minimizing risks associated with GDPR compliance. </strong>PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes of ensuring and documenting that all requirements are being met and data breach notification guidelines are being correctly implemented. It centralizes and applies policy- and rules-based automation for all compliance processes, from identity enrollment through auditing. It also ensures no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.  </p><p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p><p><br></p>GP0|#69b4a912-eafa-43d2-b6a4-8aed47f69245;L0|#069b4a912-eafa-43d2-b6a4-8aed47f69245|Security Technology;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspxLess is More: A KISS Approach to ESRM<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf">2010 CSO R​​oundtable paper<sup> </sup>on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="https://www.iso.org/standard/44651.html">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. </p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="https://riskademy.co/twelve-core-elements-for-risk-management/" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="https://riskademy.co/what-do-you-mean-by-risk/" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="https://riskademy.co/wdymb-risk-perception-and-risk-communication/" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. </p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right.  As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. However, taking a KISS approach will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="https://riskademy.co/integrating-a-risk-management-system-into-your-organization/" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>​Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="https://riskademy.co/" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/ASIS-Awards-School-Security-Grant-and-More-ASIS-News.aspxASIS Awards School Security Grant & More ASIS News<p>This month, the Dallas Independent School District opens the doors to its newest transformational school, which is designed specifically for high school students interested in architecture, urban planning, environmental science, and community development. CityLab High School will offer students the opportunity to leverage the city of Dallas as their own hands-on laboratory.</p><p>But this cutting-edge “best-fit-school” concept, part of the city's public school choice program, comes with a daunting challenge: ensuring a safe and secure environment in an urban city center, and doing so on a limited budget.</p><p>That’s where the School Security Grant Competition, started by ASIS International and the ASIS Foundation in 2003, plays a critical role. This year, in conjunction with the ASIS International 63rd Annual Seminar and Exhibits, ASIS is awarding CityLab High School a $22,000 grant to pay for upgrades to the school’s camera system, access control system, and classroom intercoms. Axis Communications is making an in-kind donation of cameras and other equipment.</p><p>ASIS 2017 Host Committee Chairman Martin Cramer, CPP, worked closely with the Dallas Independent School District Police Department to get the word out about the grant and to identify the school with the greatest need.</p><p>“CityLab really stood out,” said Cramer. “Parents had voiced concerns about the school’s proximity to downtown Dallas, a busy interstate highway, and a homeless shelter. But with most of the school’s budget going to new construction, renovations, and asbestos removal for the 1950s building, there was little more the school could afford to improve security. These funds will go a long way to provide students and staff a safe and secure learning environment.”</p><p>The school identified a number of needed security upgrades, including network improvements, new security cameras, access control devices, and classroom intercoms covering all five floors of the building. </p><p>“In a large urban school district with limited funds, the responsibility of campus safety falls within the school’s budget,” wrote CityLab High School Principal Tammy Underwood, in her grant competition application. “This grant is an amazing opportunity for CityLab students and staff to be in a safe environment so that they can focus on their highest educational goals.”</p><p>The School Security Grant Competition is just one of the many ways ASIS International pursues its mission to advance security management best practices and give back to the community hosting the Annual Seminar and Exhibits. </p><p>“Without a doubt, school safety contributes to academic success, and promotes innovation, inquiry, and risk taking in high-poverty, high-performing schools,” wrote Underwood. “Students who feel safe are more attentive and efficient in the classroom, and they also have fewer symptoms of depression. I want parents, students, staff, and visitors to be comfortable and confident coming to our building.”​</p><h4>A World of Opportunity at the ASIS 2017 Career Center </h4><p>As the premier education and technology event for security professionals worldwide, ASIS 2017 promises unparalleled networking and career development options. </p><p>Now in its sixth year, the Career Center will continue to offer unprecedented professional value. Free to all attendees, the Career Center offers résumé reviews, career coaching, networking opportunities with employers and peers, and access to career development tools and job postings—plus free professional headshots in the Headshot Studio.</p><p>The excitement starts on Tuesday, September 26, with a Coffee and Careers Networking Event sponsored by the Young Professionals Council, a perfect place for great networking. Attendees currently seeking jobs in the security field will want to return later for an interactive panel session, “What Security Employers Look For and What Makes Candidates Stand Out,” where senior security executives and hiring managers will share what elements in an applicant’s history impress employers, describe what they look for in interviews, and provide advice on how to stand out from the crowd. </p><p>The day culminates with a session for ambitious professionals who have set their eyes on the top and are looking for an answer to the question, “How do you become a CSO?” This is their opportunity to hear straight from senior executives how they reached the top, lessons learned along the way, and how attendees can benefit from their experiences. </p><p>On Wednesday, the Career Center will hold another Coffee and Careers Networking Event for those looking to transition into the security field to help them create new professional connections, foster ones already made, and take part in engaging discussions on career development. Afterwards, attendees will have a chance to further build on those discussions when they take part in the “Career Development in Security” session, which will offer young security professionals the tools and best practices they need to grow their security careers.</p><p>The Career Center wraps up with a bang on Thursday with two of its most impactful sessions. The first, “Mentoring: Guiding Tomorrow’s Leaders” will provide the next generation of security industry leaders with another avenue to hone their skills to achieve their career goals, whether it’s to embark on a new challenge or advance within their organization. Panelists will examine the importance of mentoring, as well as what to look for in a mentor, key factors in building an effective relationship, and the qualities of a successful mentee. </p><p>Attendees will continue examining the future of security with a convergence panel that will explore the ever-changing relationship between information technology and physical security. As threats around the globe become increasingly sophisticated, it is vital that security professionals in every focus area can collaborate and identify comprehensive solutions for the risks facing citizens, industry, and governments around the world.</p><p>Career Coaching and résumé reviews will take place during exhibit hours. Stop by to book an appointment. </p><p>“ASIS has been instrumental to my professional development and as cochair of the Young Professionals Council, it has been particularly rewarding to help shape the high-caliber programming. From CSO perspectives to employer hiring needs to mentorship best practices and leadership skills, ASIS 2017 will provide security professionals at every stage of their careers with the tools they need to succeed in today’s job environment,” says Angela Osborne, PCI, regional director for Guidepost Solutions. “I encourage security professionals across every sector to take advantage of the breadth of career-enhancing education, advice, and professional development that will be available.”</p><p>Whether attendees are new to the security field and looking for those first valuable connections, or seasoned veterans of the industry seeking to further their existing careers, the Career Center offers a world of opportunity ready to be explored.</p><h4>International Buyer Program Helps Expand ASIS 2017’s Global Footprint</h4><p>Attendees and exhibitors at ASIS 2017 will have the chance to expand the scope of their business opportunities to a global level. Thanks to the U.S. Department of Commerce International Buyer Program (IBP), a joint government-industry effort, hundreds of global buyers from multiple delegations will attend ASIS 2017 for business-to-business matchmaking with exhibitors and attendees. The buyers represent security professionals from around the world.  </p><p>“The International Buyer Program provides an excellent opportunity for security professionals globally to benefit from the collective wisdom of the 22,000 attendees and exhibitors at ASIS 2017,” says Godfried Hendriks, CPP, managing consultant at GOING Consultancy BV and secretary of the ASIS International Board of Directors. “In today’s threat environment, security professionals need a global community of peers they can turn to year-round for support, best practices, and information sharing. ASIS 2017 will help facilitate these relationships.” </p><p>Every year, the IBP generates approximately $1 billion in new business for U.S. companies, primarily through increased international attendance at participating U.S. trade shows. </p><p>ASIS 2017’s participation in the IBP provides attendees with access to a broad array of security professionals, qualified international buyers, representatives, and distributors. It also increases the chances of finding the right international business partner. Not only will attendees meet more global buyers, representatives, and distributors, but exhibitors’ products and services can be listed in the Export Interest Directory and distributed to all international visitors for additional awareness.</p><p>Once a potential partner is identified, attendees have complimentary use of the on-site International Trade Center, where companies can meet privately with prospective international buyers, prospective sales representatives, and other business partners.</p><p>To assist in facilitating conversations, international trade specialists will be available on-site in the International Trade Center to provide matching assistance and expert trade counseling to global delegates and U.S. exhibitors.</p><p>Don’t miss out on the chance to expand your global footprint. Stop by the International Trade Center on the expo floor to learn more. ​</p><h4>All the Hub-Bub</h4><p>ASIS 2017 promises a show floor filled with fantastic networking opportunities, groundbreaking security products and service solutions from industry-leading exhibitors, and second-to-none education opportunities. At the center of it all is the ASIS Hub, an enormous 1,600-square-foot presence on the show floor that is serving as the place for all things ASIS International. </p><p>The Hub is the primary location for meeting with ASIS staff and learning more about becoming a member, obtaining one of the three board certifications, and getting involved in one of the professional interest councils. It’s also the place to unwind and recharge—literally—in the lounge with several charging stations.</p><p>The Hub will function as the go-to space for everything related to ASIS councils, with council members standing by to answer questions and offer expertise. The 34 ASIS councils explore focus areas like Crime Prevention and Loss Prevention, Healthcare Security, Information Technology Security, Investigations, Physical Security, and much more. There is a council for security professionals in nearly every discipline and industry sector.</p><p>The staging point for multiple Fireside Chats, the Hub will provide attendees an opportunity to interact in small groups with speakers after select education sessions. Members can visit the Hub for updates on the certification programs and exhibitor press conferences. And this year, the prize booth is located inside the Hub, where, twice a day, lucky attendees will walk away with exciting prizes.</p><p>Members of ASIS International are part of the largest community of security professionals worldwide, all with the shared goal of advancing global security. Engaged in their local communities year-round, members are dedicated to the security mission and making all communities safer places to live. Additionally, ASIS certifications are recognized worldwide as the gold standard of excellence in security management. Offering Certified Protection Professional® (CPP), Professional Certified Investigator® (PCI), and Physical Security Professional® (PSP) accreditations that are transferable across all industry sectors and geographic borders, ASIS certifications are valuable investments in advancing a security career. </p><p>Those who stop by the Hub can gain insights and tools needed to further their careers, get more involved in the Society, and learn about the unmatched benefits of membership in ASIS International. ​</p><h4>LIFETIME CERTIFICATION</h4><p>Congratulations to the following members who have been named Lifetime Certificants.</p><p>• Thomas M. Prochaska, CPP</p><p>• W. David Rabern, CPP</p><p>• David O. Best, CPP</p><p>• Walter F. Bodner, CPP</p><p>• James M. Gill, CPP</p><p>• Peter Urbach, CPP, PCI, PSP</p><p>• Richard G. Steele, CPP</p><p>• Samuel E. Manto, CPP​</p><h4>LIFE MEMBER </h4><p>The ASIS Board of Directors has granted life membership to Bob Battani, CPP.</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Key to Keys: 5 Steps to Developing an Effective Access Control System</em>. By Randy Neely. CreateSpace Publishing; available from Amazon.com; 118 pages; $15.95.</p><p>While this book could more aptly be titled <em>Keys: A Memoir</em>, author Randy Neely does a sound job of highlighting a widespread challenge that everyone in the security business has experienced at one time or another—the effective control and accountability of key and access systems.</p><p>Neely employs first-person narrative to recount his professional history and how he invented key and access control systems, relying too much on personal description for a professional publication. </p><p>Nonetheless, the author does a superb job of bringing to life the adage that necessity is the mother of invention. After experiencing a series of expensive lost key episodes, he created a system to more effectively manage keys. Valuable first-hand stories help round out the problem-impact-solution triad. </p><p>Neely chronicles the financial and legal impacts that inadequate controls can bring. For example, a single set of lost master keys cost a university nearly $350,000. The impact doesn’t end with the bottom line, but it can also adversely affect legal documents and court cases, as well as an organization’s reputation.</p><p><em>The Key to Keys </em>has some instructive value to students of security management, but it goes too far in promoting the author’s products. Further, some of the photos, tables, and figures lack defining labels or captions, are presented out of focus, or do not adequately line up.  </p><p>The most valuable lesson from this book is that motivation and initiative can inspire an earnest practitioner to not only safeguard people and property, but also to take that next step and invent new and effective ways to help improve security practices.</p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force chief master sergeant. He is a doctoral candidate in organizational management and a member of ASIS. ​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465