CSO/Leadership

 

 

https://sm.asisonline.org/Pages/Mentor-Y-Yo.aspx
Mentor and Me
2017-07-20T04:00:00Z
<p>As security practitioners, learning from our own mistakes can be costly. "All of us are one bad day away from being fired" is how a colleague once summed up our situation. The observation was a realistic reminder that security managers cannot make mistake after mistake and still expect to remain successful in the profession.</p><p>With that in mind, stepping up to lead a security operation can be a frightening experience, especially for the young professional making a debut as a leader. I certainly felt my own anxiety when I took on the role of contract security manager at a large community college in 2008.</p><p>At the time, the media seemed to present a new story every week about a tragedy at a shopping mall, a workplace, a school, or some other public space where lives were lost or forever changed. Each time, I would follow the news, trying to understand exactly what had happened from a security standpoint. Would my own program have fared better, or would it have ended in tragedy and in my dismissal? </p><p>Fortunately for me, I was not alone. I had a mentor who took the time to help me become a seasoned security professional. Through mentoring, a new security manager can experience professional situations and even make decisions that may turn out to be wrong, without suffering the consequences of making mistakes on the job. 
That kind of opportunity is invaluable, because having a safe space in which to fail is crucial for professional growth and skill development.</p><h4>EXPLORE COMPATIBILITY</h4><p>Mentoring is a symbiotic partnership between an expert and a novice in which knowledge and trust are shared equally. But finding a good mentor can be difficult, because it requires finding a "veteran" manager who has both a significant level of experience and a passion for sharing it.</p><p>Professional security organizations, such as ASIS International, are a great place to look when seeking mentors within the industry. The organization that employs a security manager may even have a formal mentoring program. However, it should never be necessary to obtain any formal permission other than your own and that of the expert you want to learn from in order to begin a relationship of this kind.</p><p>In my case, the expert was George, the director of security at the college where I was working as contract security manager. The college hired George about a month before I was hired; in fact, my start date was pushed back slightly so that he could settle in first and have a chance to interview me.</p><p>Before George's arrival, one of the college's vice presidents was in charge of overseeing the security program. But a security study conducted by a contractor led the college to hire a new director of security to develop an independent security department. I was brought in as a contract security manager, on a permanent contract. 
The security company made me an informal offer shortly before George arrived; the offer was contingent on a successful interview with him, which would mean final approval.</p><p>As it turned out, George and I used our initial interview to have a broad and pleasant conversation about a bit of everything, from work ethic to security knowledge. This meeting was very important, because the success of a mentor-mentee relationship depends on the compatibility of the two individuals.</p><p>In general, a potential mentor and mentee should always have an opportunity to meet and decide individually whether they will be able to work together, a concept that formal mentoring programs should consider before pairing their participants. Otherwise, the relationship may be doomed to fail before it even gets off the ground.</p><h4>RESEARCH</h4><p>In choosing the right mentor, the mentee may want to consider a number of variables, including the mentor's level of expertise and willingness to share knowledge, as well as the general alignment of both parties' interests. Online research can verify the mentor's experience, credentials, and achievements; sometimes high-profile failures can be uncovered, too.</p><p>In George's case, his online profile showed that he was a successful university police lieutenant who had transitioned to corporate security, first heading a multisite hospital system before becoming director of security at the community college. He was also a longtime ASIS member and was certified as a <em>Certified Protection Professional</em>© (CPP); in short, a veteran security professional.</p><p>Of course, the process of assessing a mentor's expertise does not have to end once the selection process is complete. 
A mentee can evaluate the mentor's analyses through independent research. This is a great tool for determining whether the mentor's actions are consistent with national best practices.</p><p>In my case, as I became involved with ASIS and my own professional development progressed, I could see why George made certain decisions and took certain actions.</p><p>For example, I remember creating a revised incident report template for the security department that included a glossary of incident types with definitions. The idea was to make it easier for security guards to choose an incident type to report and to promote more uniform reporting across different facilities and among individual guards. </p><p>I had used the categories of the FBI's Uniform Crime Reporting Program as a basis for establishing the incident types. When George reviewed them, he made a number of edits that combined or renamed categories, adding offenses such as robbery, arson, and non-negligent homicide to the list.</p><p>George had reworked the list of incident types to follow the Clery Act categories, which made more sense because our workplace was an educational institution (the Jeanne Clery Act requires colleges and universities to report information about crimes that occur on or near their facilities). I was already familiar with the act at that point, but until I started researching I had not fully understood why we had changed the names, until I saw that the Clery Act did in fact specify what the incidents had to be called.</p><p>This became a recurring pattern: the more I learned, the deeper I could research; and the more extensive my research, the more findings validated George's expertise. 
But the process of independently evaluating expertise has another benefit: sometimes it can reveal that the knowledge gap between mentor and mentee is too large and cannot be reconciled.</p><p>For example, if a mentee is barely able to use email, that person will need a mentor who uses it daily, not a software developer who wrote the code that makes email work. A knowledge gap that is too wide can lead to a breakdown in communication between the two parties, in which the mentee cannot fully grasp concepts that the mentor considers common sense. It is almost as if they were speaking different languages.</p><p>This does not always have to be the case, of course; some highly accomplished professionals are also talented communicators and teachers who can bridge wide skill gaps. But sometimes the gaps generate so much frustration that both parties give up. In the worst case, this bad experience can keep both from ever trying again to establish a mentoring relationship with a more suitable partner in the future, so that they miss out on the mutual benefits of this kind of relationship.</p><p>If either party feels that the pairing is unsustainable, both should end the relationship cordially and try again with someone else. The industry needs experts and novices to seek each other out and work together, so neither should allow the partnership to deteriorate.</p><p>Independent research can be valuable in another way: as a great educational tool for mentors. 
They can use it to develop exercises that allow mentees to analyze situations on their own and select appropriate actions based on the conditions they face.</p><p>Exercises like these illustrate that mentoring is not simply a matter of leading the mentee by the hand; mentees must be willing and able to act and think for themselves. Practicing these skills in the context of an exercise is an excellent way to learn.</p><p>Finally, the mentor-mentee relationship may not work if the two are considered competitors for the same job. The modern workplace can be territorial, and being mentored by someone who is worried that you may eventually take their job (rather than succeed them if they eventually leave the company voluntarily or retire) will be problematic. Concerns about a job are likely to erode the trust of one or both parties, causing the relationship to fail.</p><p>That said, several of the best mentors are those who are nearing the end of their professional careers, are experts in the niche of the industry in which the mentee wants to excel, and are enthusiastic about passing on their knowledge to promising young professionals.</p><h4>MOVE FORWARD</h4><p>Once you have identified a mentor, firmly believe that the mentor's expertise is genuine, and there is mutual trust and a desire to work together, you must commit to the relationship completely.</p><p>When George and I began working together, there was no real separation between our work and the learning. We did not set aside one day a week for mentoring activities, with the other four days taken up by operational tasks or disciplinary meetings. Instead, the opposite happened: traditional work and mentoring blended in perfect harmony. 
Every activity became a potential lesson, and every interaction an opportunity to pass on information.</p><p>The two of us met about twice a week to discuss the general operations of the security guard force. In those meetings, I would frequently be assigned tasks, anything from drafting a policy on a particular topic to developing a coverage plan for a special event. I would return to my office to work on the project and then bring a working draft to the next meeting.</p><p>George would take out his red pen and, without remorse, let the ink run all over my drafts. He would explain the mistakes I had made and hand the documents back for me to correct and resubmit.</p><p>Perhaps the greatest gift I received from George was his patient and firm refusal to accept substandard or poorly researched work. Since then, I have realized how tempting it can be, when we are very busy, to gather up documents and reports submitted with errors and send them on to the next recipient just to move on. But in the end, the only thing that guarantees is that you will keep seeing documents submitted with errors. Taking the time to explain what is wrong with a document and returning it to the mentee to fix takes patience and a desire to teach.</p><p>Mentoring does not have to be one-dimensional or exclusive. From time to time, I would turn to others for advice when the situation called for it. The owners of the security company I worked for had extensive experience as security contractors, so they were my primary source when I needed specific expertise in that subfield. 
There is no shortage of good mentors, so there is no reason to limit yourself to just one when you seek advice.</p><h4>TRANSITION</h4><p>As we continued working together, the complexity of the tasks assigned to me naturally grew. The more I learned, the more I was able to do, and the greater the number of projects I became involved in.</p><p>George and I coauthored articles and developed training programs for campus security guards and for people transitioning into security from other industries. I learned that there is no better way to reinforce knowledge of a subject than to teach it. This is even more true if your students are adults. Whenever you think you have become knowledgeable about a subject, try standing in front of a class of adults who believe they are too, and face their questions.</p><p>This is a moment of professional transition: the mentee is no longer a beginner but is definitely not yet an expert. Moving from basic concepts to more advanced ones can be exciting and rewarding, and a dangerous temptation can arise for the mentee: believing that the mentoring is over. Of course, that thought crossed my mind at times, especially during hard, heavy days at the office, when the last thing I wanted was George pointing out what I had done wrong.</p><p>However, I realized that the relationship was still too valuable to me to discontinue; but it did have to change. When mentoring reaches an advanced stage, the emphasis on obtaining job-specific knowledge should be replaced with a greater focus on strategic learning and career development.</p><p>The operational skills, such as scheduling, interviewing candidates, and developing standard policies and procedures, have already been learned. 
Now both mentor and mentee can focus on cultivating high-level skills, such as knowing how to predict where and when a new policy may be needed, and analyzing current trends in crime prevention or campus security.</p><p>Much like traditional leadership, the style of mentoring can be altered and adjusted over time as the relationship deepens.</p><p>In the later stages of my mentorship, George encouraged me to take advantage of more and more development opportunities, such as professional education, online courses from the U.S. Federal Emergency Management Agency (FEMA), conferences of the state Department of Criminal Justice Services, and many other training classes and seminars, including the 2011 <em>ASIS International Seminar and Exhibits </em>in Orlando, Florida.</p><p>The ASIS seminar was an eye-opening experience that allowed a relatively new security manager like me to explore the profession in all its depth. In one week, I discovered that no matter how much I thought I had learned during my three years working with George, I had only scratched the surface.</p><p>Nevertheless, my first ASIS seminar served as the perfect catalyst for George to push me to pursue my CPP designation, which I eventually earned.</p><p>Two years after I became certified, an ASIS colleague forwarded me a notice about a job opportunity as the security administrator for the city where I lived. It was too good an opportunity to pass up, and, surprisingly, the posting specifically sought a CPP with experience managing security across multiple facilities.</p><p>I got the job and became the security administrator for the City of Newport News, Virginia. 
George went on to become the mentor of a physical security manager who was hired before I left.</p><h4>THE MENTEE BECOMES THE MENTOR</h4><p>George and I still keep in touch, catching up over an occasional lunch at which we compare strategies on similar issues. When I moved into my new position, I found new mentors with extensive public-sector experience who helped me navigate the minefields that exist in local government.</p><p>I encountered an even faster pace of operations at this level, and there is less patience for sharing basic-level knowledge because the expectations of me are already reflected in the added responsibilities of the new position. However, the mentoring dynamic remains the same: I work for an individual with an enormous level of knowledge in municipal administration, and that person's advice in that area of my work is invaluable.</p><p>I tried to share knowledge with the people around me in much the same way George did with me: patiently encouraging those around me to learn more about the industry and their roles within it. My approach, however, has been somewhat different from his. While George devoted a significant amount of time to mentoring a single person, I have tried to influence every person I come into contact with.</p><p>Looking back, there was no exact movie moment when I could say "I was taught to accomplish exactly this." Mentoring does not work that way, in my experience. It is a gradual process that requires constant work and infinite patience from both parties.</p><p>It is also a partnership that helps both individuals develop, and potentially instills in them an appreciation for learning and teaching that will last throughout their careers. 
This interest leads us to keep advancing in our industry, to seek new mentors, and to take on the role of mentor for those who come after us, elevating the entire profession one mentee at a time.</p><p>--<br></p><p>Yan Byalik, CPP, is the security administrator for the City of Newport News, Virginia. He has more than 15 years of experience, including security in higher education, theme parks, and critical infrastructure. Byalik is the assistant vice president for Region 5A.</p>


 You May Also Like...

 

 

https://sm.asisonline.org/Pages/The-Voice-of-Experience.aspx
The Voice of Experience
<p>Two accomplished CSOs, both of whom have been successful in forging strong relationships with other C-suite executives, agree on a key principle behind building executive allies: be present when the organization is holding high-level strategy or finance meetings.</p><p>"Gaining access to major strategic meetings and sessions is a must, even if the CSO does not have a speaking role," says Martin Barye-Garcia, a veteran security executive and former U.S. Drug Enforcement Border Patrol Agent who has worked for Lockheed Martin, Boeing, and the U.S. State Department. He is currently Latin American security director for Mars, Inc.</p><p>Clint Hilbert, who has been a security executive for companies such as General Electric and Pacific Gas & Electric, and is now global CSO of Betafence, has found that company financial reviews, which give security executives the opportunity to participate in the major business decisions under discussion, are an excellent setting for connecting with C-suite executives.</p><p>"In the security profession, many of us tend to shy away from number-crunching, and we often struggle with ways to place a value on the services we provide to the company," Hilbert says. "So, on the road to reaching an executive level in security, it's crucial to hone a whole new set of skills on business processes and gain a deep understanding of how profit and loss is managed."</p><p>Barye-Garcia concurs. "Understanding business strategy, and anticipating the security needs of specific initiatives and overarching goals, is another must," he says. </p><p>However, high-level meeting attendance, while crucial, is often not sufficient to build and strengthen executive relationships, he adds. Contact needs to be routine. 
</p><p>"Even when the CSO is not a member of the executive leadership team, the CSO should maintain a daily rapport with them," he says. "It is during that daily interaction where the CSO will find opportunities to show value."</p><p>Furthermore, Hilbert says the organization itself should work toward building a culture in which a "relationship-building environment" can flourish. "Teamwork is often considered the conduit that hosts a relationship building environment, but trust is the seed from which a relationship grows," he says. </p><p>What facilitates trust, he adds, is having leaders come together to work toward organizationwide goals.</p><p>"I've learned that when leaders work together on clearly stated common goals and talk often, silos seem to disappear," he explains. "For instance, if as a company unit, improving your bottom line and becoming more productive are common goals, and you regularly participate in achieving measurable targets in a framework of defined roles and responsibilities, then relationships tend to come naturally as you begin to trust one another." </p><p>What can work against this is a lack of information, with vagueness clouding what is expected. "When the playing field is not fully understood or rules not clearly defined, then meaningful participation and contribution become more difficult to achieve," he says. "It is up to you to modify the environment to one that promotes relationship building."</p><p>Of course, all of this takes considerable initiative on the part of the CSO. For example, Barye-Garcia counsels CSOs to learn as much as they can about different division operations and the leaders of those divisions. "The CSO must have a deep understanding of each functional area within the executive leadership team, and also the personalities involved," he says. 
"Finding those particular interests that leaders seek to advance, and those that they consider part of their legacy to the enterprise, will enable the CSO to be timely and pertinent when engaging them," he adds. </p><p>For CSOs willing to take the initiative, Barye-Garcia and Hilbert offer some tips on moving forward on a strategic plan to build executive allies:  </p><ul><li>Reach out to key executives, including those who manage and drive the company's core business processes.</li><li>Participate in executive staff meetings that are held routinely. Getting invited to these meetings might require a bit of finesse, but it is worth the effort. Attendance will give you some exposure in a valid forum, and the opportunity to be noticed.</li><li>Once noticed, be cautious about sharing your opinions until you are familiar with C-suite members, including their concerns, business challenges, and social and professional behaviors.</li><li>Be prepared to bring solutions to the table rather than problems. Develop your credibility by offering cost-effective and synergistic security solutions that not only avoid risk but add value to the organization. In this manner, seek to become one of the "go-to" people in the organization when issues need to be addressed.</li><li>Avoid being an alarmist because this will do nothing to better your image.</li></ul>
https://sm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspx
On-Site and Cloud Access Control Systems
<p>Back in the 1970s, electronic access control systems were rudimentary by today’s standards. Those early systems consisted primarily of simple keypads for inputting PIN (personal identification number) codes, or ID cards and readers using magnetic stripe or Wiegand technology to grant or deny access while also maintaining a record of user access. There were few choices when it came to options, integration, and vendors.</p><p>Fast forward to today: now access control systems are frequently the main control platform in a physical security system. These evolved systems allow authorized staff to move freely while keeping a facility or an area secure—and they do much more. Network connectivity allows integration with security subsystems, as well as with business and operational systems such as retail and HR functions. Open architecture designs allow for compatibility with multiple technologies. Smartphones are becoming a mainstream tool in access control systems, and they can sometimes be used in place of an access card. </p><p>Even the most basic access control solution provides some level of tracking, auditing, and reporting. The combination of advanced functionality, flexible features, and integration with other systems allows current systems to provide in-depth information that far exceeds the capabilities of earlier systems.</p><p>Considering these many sophisticated features and functions can be a challenge for the end user, who must not only select an access control system but also determine how and where it will be managed and which solution best meets the organization’s financial and operational needs. Because physical security is vital to the protection of people, premises, and assets, it’s a decision that requires understanding of the technology and the applications. 
Following are a few examples of the options available for managing an access control system and where they are best suited.</p><h4>Credential Type</h4><p>In addition to incorporating biometrics and other advanced access credentials, today’s solutions can support PIN pads, magnetic stripe and/or Wiegand cards, proximity readers, and other technologies that organizations already use. This provides customers with the flexibility to select the credential type that best suits their needs. </p><p>For example, magnetic stripe and Wiegand access cards offer the convenience of embedding user-specific information in addition to access privileges. Because they incorporate embedded wires as opposed to magnetic material and can be used with contactless sensors, Wiegand technologies are less susceptible to extreme temperatures and other hostile environments. Cards used in systems that require contact with readers suffer from wear and tear and therefore must be replaced on a regular basis.</p><p>Proximity readers offer tremendous ease of use and the ability to quickly deactivate lost cards and issue new credentials. Because no contact is required between card and reader, credentials don’t suffer from the wear and tear common with magnetic stripe and Wiegand systems. </p><p>PIN pads are often employed for single-door applications, and their lower cost makes them attractive to organizations with limited budgets. They are extremely easy to use but also less secure, because users can easily share their codes with others.</p><p>In addition to cost, security level, and system size, organizations must also consider each technology’s ability to work with a range of access control software, as well as the ability to deploy and manage the solution using any or all of the below models.</p><h4>User-Managed on Site</h4><p>In this scenario, the customer purchases or leases equipment from an authorized reseller/integrator, who installs the system and provides training. 
A service contract may be included in the sale or lease. The customer is responsible for all programming activity on the dedicated PC, including data entry and updating for names, scheduling, reports, backup, and software updates. Depending on the system, badging may also be included. Other than the installation and training and any service agreement, the reseller/integrator has no additional responsibility.</p><p>Systems managed by the user on site are ideal for small to medium-sized businesses, local government offices, sporting facilities, and the like, where one or two individuals are tasked with maintaining the database, software upgrades, and infrastructure maintenance.  </p><h4>User-Managed Cloud </h4><p>Like the on-site user-managed scenario, this version starts with equipment that is purchased or leased from an authorized reseller/integrator, who installs the hardware and provides training. The difference is that the software is in the cloud and is managed, along with the supporting infrastructure, by the integrator or service provider. All backup, software upgrades, system monitoring, programming, scheduled door locking and unlocking, and other vital access control actions are performed remotely by professional monitoring providers. The user may manage only the simple functions of entering, deleting, and modifying names, and possibly badging via a Web portal.</p><p>User-managed cloud systems work well for sites with few or no IT staff—such as franchise locations or property management sites. Each location can handle the day-to-day functions of database maintenance and scheduling via a Web portal, but reports, applying patches and updates, backup, and other group functions are handled in the cloud by the integrator. One useful advantage of this scenario is that the browser application can be accessed at any time and from any device by the user. 
</p><h4>Remotely Managed Cloud</h4><p>The user has little or no access to the head-end software in this scenario, and all activity is performed by the service provider. Sometimes known as ACaaS (Access Control as a Service), this service is popular with enterprise-level organizations. Hardware can be new or legacy, owned or leased. When modifications are required, the service provider makes the changes. Reports can be run and sent to the end user on a scheduled or as-requested basis. Credentialing is also handled by the service provider.</p><p>Access control systems for several organizations may be hosted in the cloud by the service provider, and the security of the data is ensured with AES encryption. Multilayered filtering and partitioning allow end users to access only their own information (cardholders, access groups, hardware, etc.), while the service provider has full access to all customers’ data.</p><p>By working with a knowledgeable technology partner, such as an integrator or vendor, users will find the help they need to identify which of these solutions best meets their needs. Expertise and experience can help the end user make better and more confident decisions about an access control installation.</p><p><em>Robert Laughlin is president at Galaxy Control Systems. </em></p>
https://sm.asisonline.org/Pages/In-Search-of-Security-Metrics.aspx
In Search of Security Metrics
<p>At a major insurance company headquartered in the Midwestern United States, the assistant vice president for corporate security has used an environmental risk metric for the past 12 years to help the company decide where to place office facilities around the country. The company owns or leases hundreds of facilities across the United States. Corporate security regularly collects a suite of data, assigns weights to various factors, and develops a numeric score that places each facility into a low, medium, or high category of risk. For each risk category, written policy specifies a cluster of security measures that should be in place at the site. Exceptions can be granted, but the systematic approach results in uniformity and in efficiency in decision-making and security systems contracting. Most importantly, the metrics-based approach helps senior management understand the level of risk in site selection and make informed decisions on risk management. In addition, over time, the metrics have steered the corporation toward having a smaller percentage of its locations in high-risk sites.</p><p>This example illustrates how security professionals can use metrics to determine what works, measure the value of security operations, and demonstrate security's alignment with its organization's objectives. To help security managers use metrics more effectively, the ASIS Foundation funded research to create tools for discovering, developing, assessing, improving, and presenting security metrics. By using the tools, security professionals may be better positioned to manage their operations, measure their effectiveness, and communicate with senior management. </p><p>Metrics are measurements or other objective indicators collected over time to guide decision-making. The term is sometimes used interchangeably with measurements, analytics, and performance measures. 
With metrics, security managers can speak to senior leaders in familiar business language, offering measurable results that correlate with investment. Without compelling metrics, security managers and their budgets rely largely on the intuition of company leadership. </p><p>Two years ago, the ASIS Foundation implemented a new structure for assessing and overseeing security research. The first test of that structure was a proposal for research on security metrics, says Linda F. Florence, Ph.D, CPP, president, ASIS Foundation Board of Trustees. "The ASIS International Defense and Intelligence Council had a special interest in the topic, having made several presentations on metrics at the ASIS Annual Seminar and Exhibits. The council formed a vision of what the security field needed, found researchers who could perform the work, and helped the researchers develop a proposal for ASIS Foundation funding."</p><p>The Foundation Research Council approved the proposal, and the Foundation sought and received funding from the ASIS Board of Directors. The result was the ASIS Foundation Metrics Research Project. The Foundation awarded a grant to Global Skills X-Change (GSX) and Ohlhausen Research to undertake the project. GSX specializes in applying validation, measurement, and standards development techniques to produce business tools. Ohlhausen Research, Inc., conducts research in security, criminal justice, and technology.</p><h4>Depth Perception<br><br></h4><p>The project's research team consisted of the author as principal investigator; subject matter expert and former Director of Information Protection for the U.S. 
Air Force Daniel McGarvey; Senior Analyst Megan Poore; and Technical Advisor Lance Anderson, Ph.D.</p><p>Throughout the research, which began in 2013, the ASIS Defense and Intelligence Council ensured that the security practitioner's point of view was represented by serving on the project's advisory board and expert panel.</p><p>The researchers gained insights into security metrics through a systematic review of the literature, an online survey of ASIS members, and lengthy follow-up interviews by phone. In addition, the research team was guided by an advisory board and an expert panel composed of security professionals with experience in the use of metrics. The project was completed in the spring of 2014.</p><p>The research found many books, articles, and reports discussing reasons to use metrics, characteristics of existing metrics, and methods for communicating metrics. Among the most valuable resources on security metrics were George Campbell's <em>Measures and Metrics in Corporate Security: Communicating Business Value</em> and Mary Lynn Garcia's <em>The Design and Evaluation of Physical Protection Systems</em>, as well as numerous articles in both <em>Harvard Business Review</em> and <em>MIT Sloan Management Review</em>—the latter on business metrics generally.</p><p>This noted, most sources that examine security metrics operate at a conceptual level only. The literature has few specific strategies for developing or evaluating security metrics. Likewise, descriptions of empirically sound security metrics with statistical justification and evidence are scarce. </p><p>To uncover specific uses of security metrics and to gain an understanding of the different ways in which security professionals may be using metrics, the research team invited more than 3,000 ASIS members to participate in an online survey. 
The survey's 20 questions asked about metrics collection, comparison to external benchmarks, return on investment, sharing and presentation of metrics, and alignment with organizational risks and objectives. The survey also examined the particulars of metrics usage among respondents.</p><p>The 297 respondents demonstrated a high degree of interest in metrics. Of the respondents who said they are not using security metrics, 78 percent said they would use metrics if they knew more about how to create and use them effectively. More than half of all respondents asked for more information from ASIS regarding metrics.</p><p>Respondents provided the research team with a detailed view of the many ways that security professionals are using metrics today, including focusing on topics, reporting data, sharing with the C-suite, aligning with organizational risk, and using a dashboard tool.</p><p><strong>Metrics topics.</strong> Respondents were asked which aspects of the security program they measure. The top five categories were security incidents, criminal incidents and investigations, cost against budget, security training and education, and guarding performance, which includes turnover and inspections. </p><p><strong>Reporting.</strong> Eighty percent of respondents who use metrics provide their metric findings to persons outside the security department. Recipients of the information include senior management (79 percent of those who share metrics outside the security department), managers of other departments (59 percent), supervisors (51 percent), and people who report to the security department (47 percent). Those who share metrics provide the information quarterly (43 percent), monthly (40 percent), or annually (17 percent).</p><p><strong>Sharing.</strong> Respondents who share metrics with C-suite personnel were asked which elements they share. 
The top choices were security incidents (80 percent), cost against budget (62 percent), criminal incidents and investigations (57 percent), regulatory compliance (44 percent), and risk analysis process (40 percent).</p><p><strong>Alignment.</strong> Eighty percent of respondents who use metrics said that their metrics are tied to, aligned with, or part of the larger organizational risk process or organizational objectives. For example, some metrics protect the company's most important product line; other metrics may support business continuity, compliance, risk management, or client satisfaction. One respondent explained that top management sets broad goals and writes plans while security metrics demonstrate how effective those plans are.</p><p><strong>Dashboard tool.</strong> Forty-four percent of respondents who use metrics perform their data collection, review, or sharing via a security management dashboard tool.</p><p>This research makes it possible to clearly define security's role and contribution to the organization at the tactical, organizational, and strategic levels. The report provides a working metrics tool that can help practitioners use metrics in the most effective manner. </p><h4>In the Tool Belt<br><br></h4><p>GSX and Ohlhausen Research studied the current uses of security metrics and created several resources for practitioners. The Security Metrics Evaluation Tool (Security MET) helps security professionals develop, evaluate, and improve security metrics. A library of metric descriptions, each evaluated according to the Security MET criteria, provides valuable resources. 
Guidelines for using metrics can help security professionals inform and persuade senior management.</p><p>The tools, especially the Security MET, are designed to help security managers assess and refine metrics that they are using or considering, based on an intimate knowledge of conditions at their organization, in a manner guided by scientific assessment methods. 
</p><p><strong>Security MET.</strong> The Security MET is meant to aid and empower the security manager, not to dictate any particular security decision. By providing a standard for scientific measurement, it offers guidance for improving the inputs that go into the security professional's own decision-making process.</p><p>The Security MET is a written instrument that security managers can use to assess the quality of specific security metrics. Users can determine whether an existing or proposed metric possesses scientific validity, organizational relevance (such as clear alignment with corporate risks or goals), return on investment, and practicality.</p><p>The tool was developed through a comprehensive, iterative process that involved synthesizing scientific literature, reviewing security industry standards, and obtaining input from metrics experts on the project's advisory board and expert panel. Many of the criteria come from the field of psychometrics, which is concerned with the measurement of mental traits, abilities, and processes. The psychometric literature addresses the measurement of complex human behaviors, including sources of error inherent in social and organizational situations. In addition, through its connection with legal guidelines and case law, psychometric theory provides ways to address complicated legal issues related to fairness and human error.</p><p>The tool presents nine criteria for evaluating a security metric. The criteria fall into three groups: technical, operational, and strategic.</p><p><em>Technical.</em> The technical criteria include reliability, validity, and generalizability. Reliability means the degree to which the metric yields consistent scores that are unaffected by sources of measurement error. Validity refers to the degree to which evidence based on theory or quantitative research supports drawing conclusions from the metric. 
Generalizability means the degree to which conclusions drawn from the metric are consistent and applicable across different settings, organizations, timeframes, or circumstances.</p><p><em>Operational.</em> Operational criteria include the monetary and nonmonetary costs associated with metric development and administration, as well as timeliness and the extent to which metric data can be manipulated, coached, guessed, or faked by staff.</p><p><em>Strategic.</em> Strategic criteria include return on investment, organizational relevance, and communication. Return on investment is the extent to which a metric can be used to demonstrate cost savings or loss prevention in relation to relevant security spending. Organizational relevance is the extent to which the metric is linked to organizational risk management or a strategic mission, objective, goal, asset, threat, or vulnerability relevant to the organization—in other words, linked to the factors that matter the most to senior management. Communication refers to the extent to which the metric, metric results, and metric value can be communicated easily, succinctly, and quickly to key stakeholders, especially senior management.</p><p>A score sheet is presented at the end of the Security MET. The instrument is easy to score and imposes little to no time burden on staff. Lower scores on particular criteria show where a metric has room for improvement. </p><p>Here's an example of how the Security MET can be used to evaluate a real-life metric. At a major financial services firm, employees were being robbed of their mobile phones on the sidewalks all around the office as they came to work, when they went outside for lunch, or when they left to go home. The firm identified hot spots and times for phone theft and applied extra security measures. After reaching a maximum of 40 thefts in a two-month period, the number soon declined to zero.</p><p>Evaluating the metric with the Security MET provides some valuable insights. 
The metric—the number of mobile phone thefts—is highly reliable, as it is based on incident reports from employee victims, police reports, and video surveillance. Its validity appears to be confirmed by the outcome—the problem was eliminated. Collecting the data has little marginal cost, as the company already tracks and trends security incidents. Its organizational relevance is high, as it aligns with the firm's goal of attracting workers to the central business district. As for communication, it is a straightforward metric that is easy to explain. In terms of return on investment, it is hard to quantify the value of keeping employees safe and continuing to attract new employees.</p><p>Thus, while the metric appears to present a reasonable return on investment, the Security MET helps the user see that developing clear proof of ROI would be one way to strengthen this particular metric. The addition of a short survey asking employees if they feel more secure and would recommend the company to others would provide validation for both the solution and the metric.</p><p><strong>Metrics library.</strong> The researchers developed 16 summaries of metrics currently in use in the security field. The summaries were developed primarily through telephone interviews with online survey respondents. The summaries may serve as examples for security professionals who are considering ways to use metrics. (See box on page 58 for a complete list of topics.)</p><p>The library presents a three- to four-page summary of each metric. In addition, each metric is evaluated by several metrics experts, using the Security MET. 
The metrics library is presented in the full project report.</p><p>These real-world metrics come from a variety of industries including defense/aerospace, energy/oil, finance, government, insurance, manufacturing, pharmaceuticals, real estate management, retail, security services, shipping/logistics, and telecommunications.</p><p>Some of the metrics are more sophisticated and detailed than others, providing a range of examples for potential users to consider. The metrics are not presented as models of perfection. Rather, they are authentic examples that security professionals can follow, refine, or otherwise adapt when developing their own metrics.</p><p><strong>Guidelines.</strong> A key task in this research was to develop guidelines for effectively using security metrics to persuade senior management. What would make those presentations more compelling? Several recommendations emerged.</p><p>Present metrics that are aligned with the organization's objectives or risks or that measure the specific issues in which management is most interested. One of the most important measures is return on investment (ROI).</p><p>Present metrics that meet measurement standards. A metric may be more persuasive to senior management if it has been properly designed from a scientific point of view and has been evaluated against a testing tool, such as the Security MET, or established measurement and statistical criteria.</p><p>Tell a story. If the metric is prevention-focused, a security professional can make the metric compelling by naming the business resources threatened, stating the value of those resources, and describing the consequences if the event occurs. Another part of a compelling story is the unfolding of events over time. Metrics can show progress toward a specific strategic goal. </p><p>Use graphics and keep presentations short. Senior managers may be interested in only a few key measures. 
While security professionals may choose to monitor many metrics via a dashboard interface, they should create a simpler dashboard for senior management. Some security professionals said they limit their presentations to five minutes.</p><p>Present metric data regularly. As data ages it becomes more historical, less actionable, and thus potentially less valuable. The research does not suggest an optimal interval for sharing security metrics with senior management, but the survey shows that 83 percent of security professionals who share metrics outside the department do so at least quarterly. </p><p>Future steps for helping security professionals improve their use of metrics include a webinar sponsored by the ASIS Defense and Intelligence Council and the further development of the metrics library. Other ideas under consideration include metrics training for security practitioners, the development of a tool for creating a metric from scratch and implementing it in an organization, and the creation of a library of audited—not merely self-reported—metrics. </p><p>The best security practice is evidence-based; without research, practitioners must rely on anecdotal information to make decisions. The ASIS Foundation continues to seek ideas for research projects that would increase security knowledge and help security professionals perform their work more effectively. </p><p>The complete project report, <em>Persuading Senior Management with Effective, Evaluated Security Metrics</em>, is available as a free download. The 196-page report contains the full text of the Security MET, the library of metric summaries (with evaluations), guidelines for presenting metrics to senior management, the project's literature review, and detailed results of the online survey.</p><p>Florence says, "We are proud to brand this quality research with the ASIS Foundation logo and share the findings with our members and the security profession as a whole. 
This research will help propel security from an industry to a profession, where we belong."</p><p>Peter E. Ohlhausen is president of Ohlhausen Research, Inc., and served as principal investigator for the ASIS Foundation Metrics Research Project. He is a member of ASIS.</p>