Strategic Security

 

 

How Security Leaders Can Use Their Own Stories
https://sm.asisonline.org/Pages/How-Security-Leaders-Can-Use-Their-Own-Stories-.aspx
2019-08-01T04:00:00Z
<p>A security manager’s personal and professional journey can be the basis for compelling stories that educate, inspire, and make emotional connections.</p><p>Stories wield immense power. They capture emotions and make the listener think. They often motivate us to imitate, or to refrain. They can move people into action.</p><p>For these reasons, stories offer great value for security leaders. Stories based on a leader’s own personal history, experience, and career can trigger emotions in listeners that convince and energize them to make necessary decisions and take important steps. And stories cement one’s legacy; those who have nothing to tell will be forgotten sooner than those who have something to say. But many security leaders and managers can do a better job of using their own stories than they have in the past.</p><p>In job interviews, conversations with recruiters, consultations with supervisors, performance evaluations, and department staff meetings, it is common for employees to discuss their professional experiences and accomplishments in order to demonstrate their abilities and potential. Perhaps the quintessential example of this occurs when you are in a job interview, and the interviewer asks you to describe a situation in which you succeeded in dealing with a problem at work. </p><p>During such situations, conversations do not have to be limited to professional accomplishments. You may also weave in personal stories, such as how you developed certain skills because of personal experiences, or how you discovered your different strengths and abilities, or how a life situation offered you a new and valuable perspective. 
Successful business leaders learn how to apply these personal stories to situations outside the job interview, allowing them to connect with stakeholders and employees and to demonstrate their expertise in a relatable way. These stories often have much to offer as motivational tools and teaching aids. They can even help make security proposals more compelling to board members and C-suite executives.</p><p>Let's have a closer look at this, using the careers and life histories of three security managers as examples.</p><h4>The Inner Compass </h4><p>Paul has been a policeman for several years, and he has always had good instincts in difficult situations. He has what some call the sixth sense or a gut feeling; he immediately notices when something seems wrong.</p><p>One day on patrol, Paul and his colleague were called to a traffic accident in the city center. Upon arrival, the incident seemed to be a conventional one. Both officers took care of their assigned tasks: securing and photographing the site and interviewing all those involved. On the surface, things seemed normal, yet Paul had a gut feeling that something was not right. He called for reinforcements. When they arrived, the vehicles were searched more thoroughly. </p><p>Paul’s instinct was right. </p><p>While checking one vehicle, an officer discovered photos and documents relating to a colleague at the police department. Included were photos of the officer’s family, house, and surroundings—even his dog. There were also notes about his and his wife’s daily routine, and details of the children's weekly activities.</p><p>Eventually, the investigation revealed that the people involved in the accident had been hired by a man who wanted revenge on the colleague’s family, because the officer had helped arrest and convict the suspect’s relative. The people in the accident had been hired to kill the officer’s wife and abduct his children. 
These intended crimes were prevented because Paul trusted his intuition.</p><p>Now, let’s say Paul is interviewing for a security administrator position with a private sector firm. He tells the interviewer the story above, about his sixth sense and how it has helped him foil crimes. To the interviewer, this story may demonstrate that Paul has an intuitive feeling for situations that remain hidden from most managers. This talent could save an entire organization from damage, and it gives the company a competitive advantage. </p><p>Paul gets the job. Early in his tenure, he participates in a meeting about the various personal threats company employees might face and the appropriate defense measures. Here, Paul’s sixth sense story may also be useful. In a compelling way, the story illustrates how situational factors often cannot be seen or known at first, but they should be considered when formulating strategy regarding possible threats and responses. </p><p>This could help convince cautious, critical executives of the seriousness of a comprehensive approach to threats. As a result, a forward-looking, proactive approach might be adopted by leadership to ensure a secure companywide environment. This could strengthen the link connecting business processes with security considerations, which often helps in saving costs and preventing damage.</p><p>Paul’s story also demonstrates how taking responsibility for security can mean paying attention to things that are not always easy to explain. And it is an emotionally powerful reminder of the value of intuitive feelings in vulnerable situations.</p><p>Many former law enforcement officers can take the same approach as Paul when entering the security field. Thanks in large part to their training, education, and professional experiences, most officers are adept at reacting appropriately in tricky situations and know how to protect others from damage.</p><p>Their singular experiences can often be the basis for powerful stories. 
Stories that include astute actions in potentially dangerous situations can be especially impressive and influential to employees, colleagues, and executives who have not had such experiences. And they can also be an opportunity to memorably communicate one's own values—something that is often forgotten in today's dynamic market economy. </p><p>Common values among law enforcement officers often include the importance of protecting people and their environments from potential danger. These values, in turn, are prized by many companies, because they are a prerequisite for fulfilling most business goals. Other common law enforcement values such as respect, discipline, order, honesty, reliability, professionalism, trust, and courage are also held in high regard in the business world. Many see these as values that turn managers into leaders and role models.</p><h4>Project Manager Extraordinaire </h4><p>Maria, 28, is a security manager for a large company. Her company can afford to hire its own security staff to manage corporate security at several locations. To many, hers seems to be a great job, yet she is dissatisfied. She does not find her work to be highly engaging, and she feels that much of her professional potential is going unused. </p><p>As the single mother of a young boy, she learned to take responsibility and deal with difficult situations at an early age. She became a mother soon after her university graduation, and later separated from her husband. </p><p>As it happens, Maria’s security department coordinates not only the standard security services but also the emergency management and crisis management functions. 
Maria is one of the youngest workers on the team, and she has something some of her colleagues do not have—a university degree. However, with her drive and frequent suggestions of new ideas, she sometimes feels some friction from her supervisors and others. While she is unhappy in her current situation, she is also afraid of losing her job. </p><p>Although Maria’s concerns are understandable, she has many of the skills and experiences necessary for future success in the security field. She just needs to know how to use and promote her potential, her valuable life experiences, and the skills she has developed. For her to do this, a change of perspective from her own current point of view would be helpful.</p><p>As a college student, Maria learned how to obtain, analyze, and process copious information through various channels. She also learned to express herself well in writing. She is full of intellectual energy and ideas.</p><p>Outside of the classroom, Maria learned as a young single mother to take responsibility for herself and others at an early age. In this role, she uses her organizational skills and her ability to think in variants and monitor different channels at the same time. When difficulties arise, either due to her son or other personal factors, she must be able to act flexibly and create alternatives as quickly as possible, all while upholding her responsibilities as a mother.</p><p>Maria also wants her professional work to be meaningful, and she wants to play an active role in the development of her company. To gain a role she is proud of and engaged in, Maria should convey her abilities and skills through her own stories. She has what the corporate security world of today and tomorrow needs—servant leadership qualities. She has a talent for understanding the needs of others and is an excellent communicator.</p><p>This skill set, combined with her valuable life experience, could make Maria a superb project manager within her company. 
So, in discussions with executives about this possibility, Maria could use her story to emphasize how her life experiences as a single parent helped her develop her skills for monitoring different developments simultaneously, for thinking on her feet, and for creating alternatives quickly—all crucial abilities for a project manager. </p><p>In addition, Maria could be an excellent candidate to lead an initiative such as an internal think tank or advisory committee on security issues. Maria could take a proactive approach and initiate a discussion with human resources, framing her personal story to emphasize her drive, her constant creation of new ideas, and her university-honed writing and analytical skills. She could be the perfect young leader to assemble a group of the company’s best thinkers who could bring out the untapped potential of the firm. </p><h4>From Lone Leader to Mentor </h4><p>Frank is an old hand when it comes to security services. He currently works as a security director at a university hospital. He is convinced he has achieved a lot in his career, especially when one considers his past.</p><p>His career started as a part-time doorman in a pub. He later moved to a security company, where he carried out many different jobs, such as traffic services, event services, construction site guarding, and public order services. </p><p>Frank worked his way up from a line officer to a department head. Then, his company offered him a position as a contract security director in healthcare. For him, this was a crowning achievement.</p><p>But more and more he thought of all the sacrifices he made for his job. He has worked so many overtime hours, extra shifts, and weekends in recent years that he has hardly seen his own family, including several new grandchildren. </p><p>After two years on the new job, it is clear that the position is different from what he had imagined. In the past, Frank was always able to make a difference in his function as department head. 
As an old hand, his opinion was valued and sought after. He could always communicate with others.</p><p>Now, he is no longer on the road as a department head, but as a lone fighter on loan in a new environment. The nurses, doctors, technicians, and academics who presently shape his environment harbor very different attitudes towards safety and security than Frank was used to. He feels isolated among many people who do not seem to understand any of his contributions, despite his wealth of experience. His proposals and efforts to improve security are largely met with disinterest. </p><p>He often thinks about quitting his job, but that seems impractical. He simply doesn't know how to make himself heard at the highest management level. He sometimes wonders: is his experience worth anything these days?</p><p>The answer is that Frank can demonstrate the great value of his professional and life experiences by using his story to shift him back into a role he is better suited for and one he would prefer. </p><p> For example, Frank should view his career from pub security employee to department head to security director as a grand journey that featured an almost infinite number of learning experiences. These experiences could be turned into teachable moments and lessons for younger employees, highlighting how he is well-suited to be a mentor for the next generation of security leaders.</p><p>However, he needs to make a few adjustments. In his current role, he must better understand the language of the industry and healthcare professionals. He can make simple amendments to ensure his stories apply to other professional and leadership functions in the healthcare field, which will help his colleagues connect with Frank, his ideas, and security programs.</p><p>Small stories in a meeting, at a business lunch, or during a proposal to management are not only informative, but they help make an invaluable emotional connection. 
He could, for example, tell new managers how he tackled the challenges of going from specialist to manager, while always remaining connected with the team. His open and honest storytelling manner radiates transparency, and this helps build trust. Employees would likely appreciate how he is passing on important information that will help them thrive in the organization.</p><p>Moreover, these stories could spur personal conversations and opportunities for Frank to learn more about the well-being of his employees. He can demonstrate that he is actively and honestly interested in their concerns, aspirations, and dreams. </p><p>Many younger security specialists and managers want a mentor at their side to help with career path challenges. This is a great opportunity for Frank to profitably share his own life experience with others. In this way, Frank can pass down hard-earned wisdom on the larger career questions that security professionals face. Offering such valuable mentorship may also increase Frank’s weight in the organization.</p><h4>The Essence of Leadership</h4><p>Everyone has a story to tell. Some may feel their lives, both professional and personal, seem almost too ordinary to be the basis of an interesting story. But that is not true. Those who feel that way should realize the unique value that their own experiences have.</p><p>If security managers disregard the importance of emotional connections, others will feel this lack. But if managers bring their own emotions into play and engage the emotions of others—in a positive way—they increase their chances of capturing the true attention of others.</p><p>To use their own stories, managers must have a clear vision of themselves. If leaders know what they stand for and understand their journey, they can provide true self-awareness and presence to their leadership. This authenticity is key for making emotional connections.</p><p>The other key factors in making connections are being honest and open. 
Through storytelling, a manager can demonstrate that he or she has experienced challenges, danger, pain, confusion, humor, and failure, as well as success. These human experiences may connect the leader with others who have been through similar situations, despite differences in background. Those shared incidents and connections can build trust. </p><p>Stories manage to create interest, similarities, and emotional connection in the easiest way. Everyone has something to share. Tell your story and listen attentively to the stories of others, because their stories may hold something of value for you.  </p><p><em>Anton Doerig, CSM (Certified Security Manager from Steinbeis University Berlin), is a former security specialist and instructor for the Swiss Military Police. He has held top security management positions in several companies. Doerig is an internationally recognized expert, speaker, and author on leadership, management, and security, and is an executive coach and consultant. He is a former board member of the ASIS International Chapter in Switzerland.</em></p>

 

 


 You May Also Like...

 

 

Top Five Challenges for Managing Cybersecurity Risk
https://sm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspx
<p>Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM) and are supported by real-time risk profiling technology plus digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:  </p><p><strong>1. Fighting fraud. </strong>Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications. Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing. </p><p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information enables organizations to realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. It also provides insights around personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p><p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. 
Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. One example is cloud-based secure issuance, in which the use of digital certificates creates a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area that is seeing huge adoption in critical industries like utilities, oil and gas, chemicals, pharmaceuticals, transportation, and more, where it allows organizations to collect and correlate physical, IT, and operational events from IoT devices. This multidimensional information can provide indicators of compromise that are otherwise hard to detect with traditional means.</p><p><strong>4. Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across an entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.  </p><p><strong>5. Minimizing risks associated with GDPR compliance. </strong>PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes of ensuring and documenting that all requirements are being met and data breach notification guidelines are being correctly implemented. 
It centralizes and applies policy- and rules-based automation for all compliance processes, from identity enrollment through auditing. It also ensures no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.  </p><p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p>
Less is More: A KISS Approach to ESRM
https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspx
<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf">2010 CSO Roundtable paper on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. 
If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="https://www.iso.org/standard/44651.html">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. 
Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. 
</p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="https://riskademy.co/twelve-core-elements-for-risk-management/" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="https://riskademy.co/what-do-you-mean-by-risk/" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="https://riskademy.co/wdymb-risk-perception-and-risk-communication/" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. 
</p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. 
That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. 
Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right. As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. Taking a KISS approach will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. 
Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="https://riskademy.co/integrating-a-risk-management-system-into-your-organization/" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="https://riskademy.co/" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.</em></p>
https://sm.asisonline.org/Pages/ASIS-Awards-School-Security-Grant-and-More-ASIS-News.aspx
ASIS Awards School Security Grant & More ASIS News
<p>This month, the Dallas Independent School District opens the doors to its newest transformational school, which is designed specifically for high school students interested in architecture, urban planning, environmental science, and community development. CityLab High School will offer students the opportunity to leverage the city of Dallas as their own hands-on laboratory.</p><p>But this cutting-edge “best-fit-school” concept, part of the city's public school choice program, comes with a daunting challenge: ensuring a safe and secure environment in an urban city center, and doing so on a limited budget.</p><p>That’s where the School Security Grant Competition, started by ASIS International and the ASIS Foundation in 2003, plays a critical role. This year, in conjunction with the ASIS International 63rd Annual Seminar and Exhibits, ASIS is awarding CityLab High School a $22,000 grant to pay for upgrades to the school’s camera system, access control system, and classroom intercoms. Axis Communications is making an in-kind donation of cameras and other equipment.</p><p>ASIS 2017 Host Committee Chairman Martin Cramer, CPP, worked closely with the Dallas Independent School District Police Department to get the word out about the grant and to identify the school with the greatest need.</p><p>“CityLab really stood out,” said Cramer. “Parents had voiced concerns about the school’s proximity to downtown Dallas, a busy interstate highway, and a homeless shelter. But with most of the school’s budget going to new construction, renovations, and asbestos removal for the 1950s building, there was little more the school could afford to improve security. 
These funds will go a long way to provide students and staff a safe and secure learning environment.”</p><p>The school identified a number of needed security upgrades, including network improvements, new security cameras, access control devices, and classroom intercoms covering all five floors of the building. </p><p>“In a large urban school district with limited funds, the responsibility of campus safety falls within the school’s budget,” wrote CityLab High School Principal Tammy Underwood, in her grant competition application. “This grant is an amazing opportunity for CityLab students and staff to be in a safe environment so that they can focus on their highest educational goals.”</p><p>The School Security Grant Competition is just one of the many ways ASIS International pursues its mission to advance security management best practices and give back to the community hosting the Annual Seminar and Exhibits. </p><p>“Without a doubt, school safety contributes to academic success, and promotes innovation, inquiry, and risk taking in high-poverty, high-performing schools,” wrote Underwood. “Students who feel safe are more attentive and efficient in the classroom, and they also have fewer symptoms of depression. I want parents, students, staff, and visitors to be comfortable and confident coming to our building.”​</p><h4>A World of Opportunity at the ASIS 2017 Career Center </h4><p>As the premier education and technology event for security professionals worldwide, ASIS 2017 promises unparalleled networking and career development options. </p><p>Now in its sixth year, the Career Center will continue to offer unprecedented professional value. 
Free to all attendees, the Career Center offers résumé reviews, career coaching, networking opportunities with employers and peers, and access to career development tools and job postings—plus free professional headshots in the Headshot Studio.</p><p>The excitement starts on Tuesday, September 26, with a Coffee and Careers Networking Event sponsored by the Young Professionals Council, a perfect place for great networking. Attendees currently seeking jobs in the security field will want to return later for an interactive panel session, “What Security Employers Look For and What Makes Candidates Stand Out,” where senior security executives and hiring managers will share what elements in an applicant’s history impress employers, describe what they look for in interviews, and provide advice on how to stand out from the crowd. </p><p>The day culminates with a session for ambitious professionals who have set their eyes on the top and are looking for an answer to the question, “How do you become a CSO?” This is their opportunity to hear straight from senior executives how they reached the top, lessons learned along the way, and how attendees can benefit from their experiences. </p><p>On Wednesday, the Career Center will hold another Coffee and Careers Networking Event for those looking to transition into the security field to help them create new professional connections, foster ones already made, and take part in engaging discussions on career development. Afterwards, attendees will have a chance to further build on those discussions when they take part in the “Career Development in Security” session, which will offer young security professionals the tools and best practices they need to grow their security careers.</p><p>The Career Center wraps up with a bang on Thursday with two of its most impactful sessions. 
The first, “Mentoring: Guiding Tomorrow’s Leaders” will provide the next generation of security industry leaders with another avenue to hone their skills to achieve their career goals, whether it’s to embark on a new challenge or advance within their organization. Panelists will examine the importance of mentoring, as well as what to look for in a mentor, key factors in building an effective relationship, and the qualities of a successful mentee. </p><p>Attendees will continue examining the future of security with a convergence panel that will explore the ever-changing relationship between information technology and physical security. As threats around the globe become increasingly sophisticated, it is vital that security professionals in every focus area can collaborate and identify comprehensive solutions for the risks facing citizens, industry, and governments around the world.</p><p>Career Coaching and résumé reviews will take place during exhibit hours. Stop by to book an appointment. </p><p>“ASIS has been instrumental to my professional development and as cochair of the Young Professionals Council, it has been particularly rewarding to help shape the high-caliber programming. From CSO perspectives to employer hiring needs to mentorship best practices and leadership skills, ASIS 2017 will provide security professionals at every stage of their careers with the tools they need to succeed in today’s job environment,” says Angela Osborne, PCI, regional director for Guidepost Solutions. 
“I encourage security professionals across every sector to take advantage of the breadth of career-enhancing education, advice, and professional development that will be available.”</p><p>Whether attendees are new to the security field and looking for those first valuable connections, or seasoned veterans of the industry seeking to further their existing careers, the Career Center offers a world of opportunity ready to be explored.</p><h4>International Buyer Program Helps Expand ASIS 2017’s Global Footprint</h4><p>Attendees and exhibitors at ASIS 2017 will have the chance to expand the scope of their business opportunities to a global level. Thanks to the U.S. Department of Commerce International Buyer Program (IBP), a joint government-industry effort, hundreds of global buyers from multiple delegations will attend ASIS 2017 for business-to-business matchmaking with exhibitors and attendees. The buyers represent security professionals from around the world.  </p><p>“The International Buyer Program provides an excellent opportunity for security professionals globally to benefit from the collective wisdom of the 22,000 attendees and exhibitors at ASIS 2017,” says Godfried Hendriks, CPP, managing consultant at GOING Consultancy BV and secretary of the ASIS International Board of Directors. “In today’s threat environment, security professionals need a global community of peers they can turn to year-round for support, best practices, and information sharing. ASIS 2017 will help facilitate these relationships.” </p><p>Every year, the IBP generates approximately $1 billion in new business for U.S. companies, primarily through increased international attendance at participating U.S. trade shows. </p><p>ASIS 2017’s participation in the IBP provides attendees with access to a broad array of security professionals, qualified international buyers, representatives, and distributors. It also increases the chances of finding the right international business partner. 
Not only will attendees meet more global buyers, representatives, and distributors, but exhibitors’ products and services can be listed in the Export Interest Directory and distributed to all international visitors for additional awareness.</p><p>Once a potential partner is identified, attendees have complimentary use of the on-site International Trade Center, where companies can meet privately with prospective international buyers, prospective sales representatives, and other business partners.</p><p>To assist in facilitating conversations, international trade specialists will be available on-site in the International Trade Center to provide matching assistance and expert trade counseling to global delegates and U.S. exhibitors.</p><p>Don’t miss out on the chance to expand your global footprint. Stop by the International Trade Center on the expo floor to learn more. ​</p><h4>All the Hub-Bub</h4><p>ASIS 2017 promises a show floor filled with fantastic networking opportunities, groundbreaking security products and service solutions from industry-leading exhibitors, and second-to-none education opportunities. At the center of it all is the ASIS Hub, an enormous 1,600-square-foot presence on the show floor that is serving as the place for all things ASIS International. </p><p>The Hub is the primary location for meeting with ASIS staff and learning more about becoming a member, obtaining one of the three board certifications, and getting involved in one of the professional interest councils. It’s also the place to unwind and recharge—literally—in the lounge with several charging stations.</p><p>The Hub will function as the go-to space for everything related to ASIS councils, with council members standing by to answer questions and offer expertise. The 34 ASIS councils explore focus areas like Crime Prevention and Loss Prevention, Healthcare Security, Information Technology Security, Investigations, Physical Security, and much more. 
There is a council for security professionals in nearly every discipline and industry sector.</p><p>The staging point for multiple Fireside Chats, the Hub will provide attendees an opportunity to interact in small groups with speakers after select education sessions. Members can visit the Hub for updates on the certification programs and exhibitor press conferences. And this year, the prize booth is located inside the Hub, where, twice a day, lucky attendees will walk away with exciting prizes.</p><p>Members of ASIS International are part of the largest community of security professionals worldwide, all with the shared goal of advancing global security. Engaged in their local communities year-round, members are dedicated to the security mission and making all communities safer places to live. Additionally, ASIS certifications are recognized worldwide as the gold standard of excellence in security management. Offering Certified Protection Professional® (CPP), Professional Certified Investigator® (PCI), and Physical Security Professional® (PSP) accreditations that are transferable across all industry sectors and geographic borders, ASIS certifications are valuable investments in advancing a security career. </p><p>Those who stop by the Hub can gain insights and tools needed to further their careers, get more involved in the Society, and learn about the unmatched benefits of membership in ASIS International. ​</p><h4>LIFETIME CERTIFICATION</h4><p>Congratulations to the following members who have been named Lifetime Certificants.</p><p>• Thomas M. Prochaska, CPP</p><p>• W. David Rabern, CPP</p><p>• David O. Best, CPP</p><p>• Walter F. Bodner, CPP</p><p>• James M. Gill, CPP</p><p>• Peter Urbach, CPP, PCI, PSP</p><p>• Richard G. Steele, CPP</p><p>• Samuel E. 
Manto, CPP​</p><h4>LIFE MEMBER </h4><p>The ASIS Board of Directors has granted life membership to Bob Battani, CPP.</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Key to Keys: 5 Steps to Developing an Effective Access Control System</em>. By Randy Neely. CreateSpace Publishing; available from Amazon.com; 118 pages; $15.95.</p><p>While this book could more aptly be titled <em>Keys: A Memoir</em>, author Randy Neely does a sound job of highlighting a widespread challenge that everyone in the security business has experienced at one time or another—the effective control and accountability of key and access systems.</p><p>Neely employs first-person narrative to recount his professional history and how he invented key and access control systems, relying too much on personal description for a professional publication. </p><p>Nonetheless, the author does a superb job of bringing to life the adage that necessity is the mother of invention. After experiencing a series of expensive lost key episodes, he created a system to more effectively manage keys. Valuable first-hand stories help round out the problem-impact-solution triad. </p><p>Neely chronicles the financial and legal impacts that inadequate controls can bring. For example, a single set of lost master keys cost a university nearly $350,000. The impact doesn’t end with the bottom line, but it can also adversely affect legal documents and court cases, as well as an organization’s reputation.</p><p><em>The Key to Keys </em>has some instructive value to students of security management, but it goes too far in promoting the author’s products. Further, some of the photos, tables, and figures lack defining labels or captions, are presented out of focus, or do not adequately line up.  
</p><p>The most valuable lesson from this book is that motivation and initiative can inspire an earnest practitioner to not only safeguard people and property, but also to take that next step and invent new and effective ways to help improve security practices.</p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force chief master sergeant. He is a doctoral candidate in organizational management and a member of ASIS. </em></p>