Strategic Security

 

 

https://sm.asisonline.org/Pages/How-to-Manage-Your-Team’s-Cognitive-Stress.aspx
Under Pressure: Managing Team Wellness
2019-07-01T04:00:00Z
"How can I keep my overburdened team from cracking up?" The question has increasing relevancy for security managers in the contemporary business world. Continually bombarded with information, these managers also face a growing number of security threats. The collective effect can be serious stress overload. <br><p>Science shows us that stress can have a marked effect on performance. The study of how stress affects human physiology is extensive, and much of this work allows for better ways of understanding behavior. </p><p>Psychologists Robert Yerkes and John Dodson observed the empirical relationship between arousal and performance over 100 years ago. The relationship they identified (coined the Yerkes-Dodson curve) was that stress can create sharpened senses and readiness—both positive effects—but if arousal becomes too intense, a tipping point is reached and performance begins to deteriorate.</p><p>More recently, in 1994 neuroscientist Robert Sapolsky wrote <em>Why Zebras Don't Get Ulcers, </em>an acclaimed contribution to lay understanding of the effects of chronic stress on bodies and brains. Sapolsky explained how chronic stress wreaks havoc on our bodies, increasing vulnerability to metabolic disorders, cardiac disease, and depression. Although a bit of stress can enhance performance, clearly the health effects of chronic stress are bad. </p><p>We should also be aware of how acute stress affects the brain. In 2009, scientist Vicki LeBlanc conducted a literature review of effects of acute stress on performance and its implications for medical professionals. 
“Elevated stress levels,” she found, “can impede performance on tasks that require divided attention, working memory, retrieval of information from memory, and decision making.” Ironically, we often rely on our workers to possess full acuity in these areas during a stressful event. </p><p>What can we do to mitigate the effects of a chronically stressful job on our teams? And how can we adjust our expectations of their cognitive function in stressful times?</p><h4>​Warning: Wide (Cognitive) Load</h4><p>Multitasking is a myth. One may believe he or she is multitasking under the commonly understood definition of simultaneous task achievement. In actuality, this is simply switching back and forth between cognitive tasks at a furious pace. Human brains cannot conduct two conscious tasks simultaneously, however much we love to believe that they can.</p><p>Each time you switch from one task to another, you experience a cognitive lag that may last a quarter of a second or more. That lag time may not seem like a lot, but it adds up. With each switch, your ability to make critical decisions is diminished. This functionality only deteriorates when more tasks are added to your cognitive plate. This is especially problematic when speed and accuracy are at a premium. As cognitive neuroscientist Earl Miller once said, “People can't multitask very well, and when people say they can, they're deluding themselves.” </p><p>So how should a manager proceed? Begin with the acceptance that giving individuals many different types of information to process or different tasks to accomplish in virtually the same time frame will result in more lag time and errors. The situation only gets worse when managers emphasize a list of tasks that must be accomplished without offering a clear order of prioritization or preference. In low-stress times, employees are reasonably likely to manage multiple tasks well. But during a crisis, cognitive capacity decreases with the physiological stress response. 
</p><p>Instead, managers can attack the problem head-on by first educating employees on how multitasking depletes cognitive focus and crisp decision making. Managers can also create blocks of time for team members to focus on specific tasks and types of information, and enable teams to schedule their time in more efficient ways. Moreover, creating visual process maps, decision trees, swim lane diagrams, and checklists can effectively eliminate cognitive load during high-stress incidents that are sure to tax brain power. </p><p>Consider emergency response and continuity plans. Often, these documents are text-heavy and laden with detailed and frequently extraneous information. However, when we understand the pressures on the cognitive brain during a crisis, it makes sense to streamline such instructions as much as possible. Thus, employees should have a clear order of operations, a visual tool for moving through the decision-making process, and differentiated roles so that one person isn’t responsible for multiple simultaneous tasks. </p><p>We used this approach at my workplace at Temple University, with favorable results. We switched out dense continuity plans for quick operational manuals that enable a more seamless continuity of operations, regardless of whatever disruption occurs.</p><p>Overall, the more we can eliminate expectations of multitasking during a crisis, the faster the response will be, and the fewer the errors. </p><h4>The Dangers of Deprivation</h4><p>Sleep is magnificent—and essential—especially in a field like security. So why are sleepiness and burning the candle at both ends the norm in many workplaces, and sometimes even celebrated? </p><p>When employees do not get optimum levels of sleep, it compromises their immune systems, making them more susceptible to illness. Their memories are hampered; it is harder for them to recall appropriate procedures. 
Sleep-deprived people also have an impaired ability to react to insulin; they are hungrier and at higher risk of chronic disease. </p><p>In a 2012 clinical study conducted in South Korea, researchers validated the profoundly negative effects of sleep deprivation on executive function and attention. The study also found a link between sleep deprivation and increases in stress hormones, blood glucose, and inflammation. Conversely, while there are legitimate claims that oversleep can make us sluggish, very few employees are devoting that much time to sleep to reach those extreme levels. </p><p>To support the right balance, managers can emphasize that an appropriate amount of sleep will make team members sharper, less irritable, and more effective. Whether they present it in terms of tactical acuity, operational effectiveness, work–life balance, or self-care, managers should do what they can to make sure team members aren't showing up to work exhausted and compromised. One key way to do this is to consistently support an organizational culture that encourages rest. </p><p>For example, a young first responder recently remarked to me that to get a task done she would just stay up all night until it was complete. I countered that losing sleep was, in fact, the worst of all of her options, because she needed to be cognitively sharp and ready the next morning. As an alternative, we enlisted the help of other colleagues outside of our unit to ensure that all the necessary work was completed that afternoon. </p><p>If managers are clear in their message about the harmful limitations of deficient sleep, they will set an expectation that optimum performance requires sufficient rest, and team members will begin to internalize and prioritize that view.</p><h4>​Duty of Team Care </h4><p>Some teams are in a constant state of overwork and intense activity. A colleague recently told me that her team is subject to relentless and unmitigated pressure and high-stress assignments. 
This has created a revolving-door-like turnover, as staff seek employment elsewhere that will provide a more balanced workflow.</p><p>Savvy managers understand that they may need to protect their teams by providing opportunities to wind down operations a bit after periods of intense activity. Some give team members an opportunity to work on projects they enjoy, without brutal deadlines. This helps team members regain a sense of work balance before a new high-intensity period arrives.</p><p>I recently faced a related dilemma in my current role. We undertook an unexpected response to an infectious disease outbreak at our institution that required full-team activation and high-intensity performance. To get the job done, team members had to stay late and report early, and the multiple-day mass vaccination clinic operation required steady alertness and continuous activity.</p><p>It was an exhausting operation for the team. And when it ended, there was little opportunity for pulling back; the team had to keep up a high tempo in preparation for a planned functional exercise in two weeks’ time. </p><p>I asked my team to maintain intensity for these two weeks so we could have a successful exercise operation with the promise of a pulling-back period and team-focused rejuvenation afterward. I drove home this promise in a team meeting by planning a group lunch outing, as well as some easy activities, for the weeks immediately following the exercise operation. I made it clear that this would enable everyone to refresh, pull back a little bit, and become more mentally ready for the next period of intensity. Knowing this break waited for them in the near future helped everyone stretch their performance for a few more weeks. </p><p>Some teams are so understaffed that the members feel they will never have the bandwidth for this type of recalibration. Successful leaders ensure that their teams are protected from overwork; it is part of the duty of care of any manager. 
Sometimes, that requires tough conversations between the manager and his or her supervising executive. If a manager does not protect his or her team members, they will leave the operation. Or worse, they will end up burned out. </p><h4>​Creative Rejuvenation </h4><p>When Nassim Taleb wrote <em>The Black Swan</em> in 2007, he illustrated that many of the worst events that occur are improbable and unpredictable. Black swan events, in his telling, included situations such as the terrorist attacks of 11 September 2001, and the financial crisis of 2008. This raises a question: how do we prepare for unexpected—and even unimagined—possibilities? </p><p>Cognitive research on performance and stress has found that the degrading effects of high levels of stress are particularly acute when situations are novel, unpredictable, or not controllable by the individual. Thus, practicing for rare and improbable scenarios may be a way to increase comfort with the unfamiliar, to remain open to the possibility of improbable events, and to even provide rare opportunities for innovative problem solving. Not only is this a way of partially inoculating the team against the negative impact of novel circumstances, but it also provides an avenue for fresh approaches and different perspectives on potential hazards. </p><p>The ideal option, then, may be to exercise creatively and often, with simulations of various imaginative black swan events. Some might say that exercising unexpected scenarios may decrease the team’s sense of realism. In my view, the bigger hazard is the repeated practice of running through the same typical scenarios, which makes exercising seem stale and rote. Innovation occurs when curiosity is encouraged and nothing is off the table. Creativity is rejuvenating, and it leads to the identification of new problems and new solutions. 
In that way, creativity can be the “secret sauce” to successful teams.</p><p>A second benefit of preparing for black swan events is that it builds team resilience. Taleb’s adjectival term for resilience is “anti-fragile,” or the quality of being able to adapt to the sometimes catastrophic curveballs that life throws your way. Being resilient means being easily able to adapt to change, a critical attribute for any team. </p><p>In 2011, Japan experienced an earthquake, a tsunami, and a nuclear reactor meltdown in quick succession. No one had predicted this devastating cascade. In that case, like any black swan event, success of recovery depended upon the resilience and agility of the people managing the event to adapt, be flexible, and swiftly move to a new normal. It is those people who we need to prepare. </p><h4>​Be a Vacation Votary</h4><p>Employers seek out a laundry list of desired traits and talents when hiring employees. But in return, employers need to consider what they are obligated to provide their workers. Employers need to integrate companywide strategies to protect employees from undue cognitive stress and enable workers to reach peak performance. The latter has a parallel benefit: achieving peak employee performance helps the organization outshine its competition.</p><p>Operational psychology has told us from its inception that if you understand the machinations of the human brain, you can capitalize on its strengths and mitigate its weaknesses. Thus, employers may use findings from clinical, psychological, sociological, and cognitive science to help maximize the team’s tactical and operational value. Employers owe these healthful and reenergizing practices to their employees, and they ultimately bring value to the organization’s mission at the same time.</p><p>These science-supported practices are especially important in the contemporary workplace. 
In some organizations, the sheer volume of workload placed on workers makes taking a full week or two off nearly impossible. In fact, some employees say they don’t go on vacation because the workload upon return is simply too stressful. Others don’t go because they believe no one else is trained in their specific tasks. Some employees are even punished—in subtle and not-so-subtle ways—if they take vacation. For instance, in the minds of their supervisors, these employees might be branded as insufficiently dedicated, and this judgment can influence overall performance evaluations and promotion opportunities.</p><p>According to a recent study cited in the Harvard Business Review, 52 percent of U.S. workers left some vacation time unused. Forty percent of male workers and 46 percent of female workers said that just thinking about the piled-up work awaiting them upon return was a major reason why they had not used up their vacation days.</p><p>Like sleep, vacations are essential for workers, especially ones in higher-stress security positions. Getting away from sources of anxiety and stress, as vacations allow, has many positive benefits. It’s up to managers to ensure their organizational culture is pro-vacation. Sometimes, this is trickier than it sounds. </p><p>In a 2018 study, <em>Project Time Off,</em> researcher Katie Denis points out that many workers don’t hear about vacation time from their employers, nor are they encouraged to use it. This silence, in and of itself, can create trepidation about taking time off.</p><p>How can managers encourage employees to use vacation time? First, they should model good behavior by making sure that they take vacation time themselves. Adequate personnel who can fill in for the vacationing manager in all but the most extreme cases should be in place, as should supportive procedures for fill-ins. </p><p>Second, managers should educate teams about the researched benefits of time off. 
Regular vacations can be a key source of positive thinking, and in a 2010 study, the American Psychological Association (APA) found that when the brain thinks positively, productivity improves by 31 percent, sales by 37 percent, and creativity and revenues explode.</p><p>However, a more recent APA study in 2018 left us with a cautionary note: employers cannot expect the occasional vacation to solve all stress issues. The benefits of vacation are only meaningful when they are one component in a broader culture of ongoing stress management. </p><h4>Don’t Be Blind to Science</h4><p>Research shows that there are limitations to our brain's cognitive capacity, and teams deserve managers who are able to put this knowledge into practice. </p><p>Nonetheless, some organizational cultures still work against that knowledge. Vacation shaming, mandated multitasking under pressure, rewards for workers who work the most extreme hours, and other such management practices found in these cultures are counterproductive and shortsighted, and they increase the risk of burnout. </p><p>Instead, security managers should make the effort to follow the science and ensure that their management practices are consistent with what we know about the brain and body. As part of their duty of care for employees, security leaders should integrate department or companywide strategies to encourage self-care, increase wellness, and encourage breaks. It's the manager’s job to help enable employees to thrive, rather than increase their risk of cracking under the burden.  </p><p><em>Sarah J. Powell is director of emergency management at Temple University, where her work includes critical incident management, risk assessment, strategy, operations coordination, and training and exercises. She has also served as a consultant and educator in the areas of business continuity, public health, and disaster mental health response.</em></p>

 

 


 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspx
Top Five Challenges for Managing Cybersecurity Risk
<p>Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM) and are supported by real-time risk profiling technology plus digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:  </p><p><strong>1. Fighting fraud. </strong>Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications. Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing. </p><p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information enables organizations to realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. It also provides insights around personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p><p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. 
Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. One example is cloud-based secure issuance, in which the use of digital certificates creates a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area that is seeing huge adoption in critical industries like utilities, oil and gas, chemicals, pharmaceuticals, transportation, and more, being able to collect and correlate physical, IT, and operational events from IoT devices. This multidimensional information can provide indicators of compromise that are otherwise hard to detect with traditional means.</p><p><strong>4. Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across an entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.  </p><p><strong>5. Minimizing risks associated with GDPR compliance. </strong>PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes of ensuring and documenting that all requirements are being met and data breach notification guidelines are being correctly implemented. 
It centralizes and applies policy- and rules-based automation for all compliance processes, from identity enrollment through auditing. It also ensures no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.  </p><p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p>
https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspx
Less is More: A KISS Approach to ESRM
<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf">2010 CSO Roundtable paper on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. 
If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="https://www.iso.org/standard/44651.html">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. 
Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. 
</p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="https://riskademy.co/twelve-core-elements-for-risk-management/" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="https://riskademy.co/what-do-you-mean-by-risk/" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="https://riskademy.co/wdymb-risk-perception-and-risk-communication/" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. 
</p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. 
That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. 
Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right. As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. Taking a KISS approach instead will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. 
Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="https://riskademy.co/integrating-a-risk-management-system-into-your-organization/" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="https://riskademy.co/" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.</em></p>
https://sm.asisonline.org/Pages/ASIS-Awards-School-Security-Grant-and-More-ASIS-News.aspx
ASIS Awards School Security Grant & More ASIS News
<p>This month, the Dallas Independent School District opens the doors to its newest transformational school, which is designed specifically for high school students interested in architecture, urban planning, environmental science, and community development. CityLab High School will offer students the opportunity to leverage the city of Dallas as their own hands-on laboratory.</p><p>But this cutting-edge “best-fit-school” concept, part of the city's public school choice program, comes with a daunting challenge: ensuring a safe and secure environment in an urban city center, and doing so on a limited budget.</p><p>That’s where the School Security Grant Competition, started by ASIS International and the ASIS Foundation in 2003, plays a critical role. This year, in conjunction with the ASIS International 63rd Annual Seminar and Exhibits, ASIS is awarding CityLab High School a $22,000 grant to pay for upgrades to the school’s camera system, access control system, and classroom intercoms. Axis Communications is making an in-kind donation of cameras and other equipment.</p><p>ASIS 2017 Host Committee Chairman Martin Cramer, CPP, worked closely with the Dallas Independent School District Police Department to get the word out about the grant and to identify the school with the greatest need.</p><p>“CityLab really stood out,” said Cramer. “Parents had voiced concerns about the school’s proximity to downtown Dallas, a busy interstate highway, and a homeless shelter. But with most of the school’s budget going to new construction, renovations, and asbestos removal for the 1950s building, there was little more the school could afford to improve security. 
These funds will go a long way to provide students and staff a safe and secure learning environment.”</p><p>The school identified a number of needed security upgrades, including network improvements, new security cameras, access control devices, and classroom intercoms covering all five floors of the building. </p><p>“In a large urban school district with limited funds, the responsibility of campus safety falls within the school’s budget,” wrote CityLab High School Principal Tammy Underwood, in her grant competition application. “This grant is an amazing opportunity for CityLab students and staff to be in a safe environment so that they can focus on their highest educational goals.”</p><p>The School Security Grant Competition is just one of the many ways ASIS International pursues its mission to advance security management best practices and give back to the community hosting the Annual Seminar and Exhibits. </p><p>“Without a doubt, school safety contributes to academic success, and promotes innovation, inquiry, and risk taking in high-poverty, high-performing schools,” wrote Underwood. “Students who feel safe are more attentive and efficient in the classroom, and they also have fewer symptoms of depression. I want parents, students, staff, and visitors to be comfortable and confident coming to our building.”​</p><h4>A World of Opportunity at the ASIS 2017 Career Center </h4><p>As the premier education and technology event for security professionals worldwide, ASIS 2017 promises unparalleled networking and career development options. </p><p>Now in its sixth year, the Career Center will continue to offer unprecedented professional value. 
Free to all attendees, the Career Center offers résumé reviews, career coaching, networking opportunities with employers and peers, and access to career development tools and job postings—plus free professional headshots in the Headshot Studio.</p><p>The excitement starts on Tuesday, September 26, with a Coffee and Careers Networking Event sponsored by the Young Professionals Council, a perfect place for great networking. Attendees currently seeking jobs in the security field will want to return later for an interactive panel session, “What Security Employers Look For and What Makes Candidates Stand Out,” where senior security executives and hiring managers will share what elements in an applicant’s history impress employers, describe what they look for in interviews, and provide advice on how to stand out from the crowd. </p><p>The day culminates with a session for ambitious professionals who have set their eyes on the top and are looking for an answer to the question, “How do you become a CSO?” This is their opportunity to hear straight from senior executives how they reached the top, lessons learned along the way, and how attendees can benefit from their experiences. </p><p>On Wednesday, the Career Center will hold another Coffee and Careers Networking Event for those looking to transition into the security field to help them create new professional connections, foster ones already made, and take part in engaging discussions on career development. Afterwards, attendees will have a chance to further build on those discussions when they take part in the “Career Development in Security” session, which will offer young security professionals the tools and best practices they need to grow their security careers.</p><p>The Career Center wraps up with a bang on Thursday with two of its most impactful sessions. 
The first, “Mentoring: Guiding Tomorrow’s Leaders” will provide the next generation of security industry leaders with another avenue to hone their skills to achieve their career goals, whether it’s to embark on a new challenge or advance within their organization. Panelists will examine the importance of mentoring, as well as what to look for in a mentor, key factors in building an effective relationship, and the qualities of a successful mentee. </p><p>Attendees will continue examining the future of security with a convergence panel that will explore the ever-changing relationship between information technology and physical security. As threats around the globe become increasingly sophisticated, it is vital that security professionals in every focus area can collaborate and identify comprehensive solutions for the risks facing citizens, industry, and governments around the world.</p><p>Career Coaching and résumé reviews will take place during exhibit hours. Stop by to book an appointment. </p><p>“ASIS has been instrumental to my professional development and as cochair of the Young Professionals Council, it has been particularly rewarding to help shape the high-caliber programming. From CSO perspectives to employer hiring needs to mentorship best practices and leadership skills, ASIS 2017 will provide security professionals at every stage of their careers with the tools they need to succeed in today’s job environment,” says Angela Osborne, PCI, regional director for Guidepost Solutions. 
“I encourage security professionals across every sector to take advantage of the breadth of career-enhancing education, advice, and professional development that will be available.”</p><p>Whether attendees are new to the security field and looking for those first valuable connections, or seasoned veterans of the industry seeking to further their existing careers, the Career Center offers a world of opportunity ready to be explored.</p><h4>International Buyer Program Helps Expand ASIS 2017’s Global Footprint</h4><p>Attendees and exhibitors at ASIS 2017 will have the chance to expand the scope of their business opportunities to a global level. Thanks to the U.S. Department of Commerce International Buyer Program (IBP), a joint government-industry effort, hundreds of global buyers from multiple delegations will attend ASIS 2017 for business-to-business matchmaking with exhibitors and attendees. The buyers represent security professionals from around the world.  </p><p>“The International Buyer Program provides an excellent opportunity for security professionals globally to benefit from the collective wisdom of the 22,000 attendees and exhibitors at ASIS 2017,” says Godfried Hendriks, CPP, managing consultant at GOING Consultancy BV and secretary of the ASIS International Board of Directors. “In today’s threat environment, security professionals need a global community of peers they can turn to year-round for support, best practices, and information sharing. ASIS 2017 will help facilitate these relationships.” </p><p>Every year, the IBP generates approximately $1 billion in new business for U.S. companies, primarily through increased international attendance at participating U.S. trade shows. </p><p>ASIS 2017’s participation in the IBP provides attendees with access to a broad array of security professionals, qualified international buyers, representatives, and distributors. It also increases the chances of finding the right international business partner. 
Not only will attendees meet more global buyers, representatives, and distributors, but exhibitors’ products and services can be listed in the Export Interest Directory and distributed to all international visitors for additional awareness.</p><p>Once a potential partner is identified, attendees have complimentary use of the on-site International Trade Center, where companies can meet privately with prospective international buyers, prospective sales representatives, and other business partners.</p><p>To assist in facilitating conversations, international trade specialists will be available on-site in the International Trade Center to provide matching assistance and expert trade counseling to global delegates and U.S. exhibitors.</p><p>Don’t miss out on the chance to expand your global footprint. Stop by the International Trade Center on the expo floor to learn more. ​</p><h4>All the Hub-Bub</h4><p>ASIS 2017 promises a show floor filled with fantastic networking opportunities, groundbreaking security products and service solutions from industry-leading exhibitors, and second-to-none education opportunities. At the center of it all is the ASIS Hub, an enormous 1,600-square-foot presence on the show floor that is serving as the place for all things ASIS International. </p><p>The Hub is the primary location for meeting with ASIS staff and learning more about becoming a member, obtaining one of the three board certifications, and getting involved in one of the professional interest councils. It’s also the place to unwind and recharge—literally—in the lounge with several charging stations.</p><p>The Hub will function as the go-to space for everything related to ASIS councils, with council members standing by to answer questions and offer expertise. The 34 ASIS councils explore focus areas like Crime Prevention and Loss Prevention, Healthcare Security, Information Technology Security, Investigations, Physical Security, and much more. 
There is a council for security professionals in nearly every discipline and industry sector.</p><p>The staging point for multiple Fireside Chats, the Hub will provide attendees an opportunity to interact in small groups with speakers after select education sessions. Members can visit the Hub for updates on the certification programs and exhibitor press conferences. And this year, the prize booth is located inside the Hub, where, twice a day, lucky attendees will walk away with exciting prizes.</p><p>Members of ASIS International are part of the largest community of security professionals worldwide, all with the shared goal of advancing global security. Engaged in their local communities year-round, members are dedicated to the security mission and making all communities safer places to live. Additionally, ASIS certifications are recognized worldwide as the gold standard of excellence in security management. Offering Certified Protection Professional® (CPP), Professional Certified Investigator® (PCI), and Physical Security Professional® (PSP) accreditations that are transferable across all industry sectors and geographic borders, ASIS certifications are valuable investments in advancing a security career. </p><p>Those who stop by the Hub can gain insights and tools needed to further their careers, get more involved in the Society, and learn about the unmatched benefits of membership in ASIS International. ​</p><h4>LIFETIME CERTIFICATION</h4><p>Congratulations to the following members who have been named Lifetime Certificants.</p><p>• Thomas M. Prochaska, CPP</p><p>• W. David Rabern, CPP</p><p>• David O. Best, CPP</p><p>• Walter F. Bodner, CPP</p><p>• James M. Gill, CPP</p><p>• Peter Urbach, CPP, PCI, PSP</p><p>• Richard G. Steele, CPP</p><p>• Samuel E. 
Manto, CPP​</p><h4>LIFE MEMBER </h4><p>The ASIS Board of Directors has granted life membership to Bob Battani, CPP.</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Key to Keys: 5 Steps to Developing an Effective Access Control System</em>. By Randy Neely. CreateSpace Publishing; available from Amazon.com; 118 pages; $15.95.</p><p>While this book could more aptly be titled <em>Keys: A Memoir</em>, author Randy Neely does a sound job of highlighting a widespread challenge that everyone in the security business has experienced at one time or another—the effective control and accountability of key and access systems.</p><p>Neely employs first-person narrative to recount his professional history and how he invented key and access control systems, relying too much on personal description for a professional publication. </p><p>Nonetheless, the author does a superb job of bringing to life the adage that necessity is the mother of invention. After experiencing a series of expensive lost key episodes, he created a system to more effectively manage keys. Valuable first-hand stories help round out the problem-impact-solution triad. </p><p>Neely chronicles the financial and legal impacts that inadequate controls can bring. For example, a single set of lost master keys cost a university nearly $350,000. The impact doesn’t end with the bottom line, but it can also adversely affect legal documents and court cases, as well as an organization’s reputation.</p><p><em>The Key to Keys </em>has some instructive value to students of security management, but it goes too far in promoting the author’s products. Further, some of the photos, tables, and figures lack defining labels or captions, are presented out of focus, or do not adequately line up.  
</p><p>The most valuable lesson from this book is that motivation and initiative can inspire an earnest practitioner to not only safeguard people and property, but also to take that next step and invent new and effective ways to help improve security practices.</p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force chief master sergeant. He is a doctoral candidate in organizational management and a member of ASIS. </em></p>