CSO/Leadership

 

 

Editor's Note: Failing to Plan
https://sm.asisonline.org/Pages/Editor's-Note---Failing-to-Plan.aspx
Strategic Security | 2018-08-01T04:00:00Z | Teresa Anderson (https://adminsm.asisonline.org/pages/teresa-anderson.aspx)

In December 1998, the U.S. National Aeronautics and Space Administration (NASA) launched the Mars Climate Orbiter. The unit was designed to land on Mars and undertake a scientific mission, including looking for water, monitoring the weather, and recording atmospheric effects. Once the mission was underway, however, NASA scientists discovered that a piece of software tasked with gathering critical information to guide the craft's thrusters was recording and transmitting data in metric units. Ground control was using imperial measurements.

The unit entered the Martian atmosphere much lower than anticipated, and the $125 million project disintegrated.

In 2005, the United Kingdom announced that it would spend £285 million to build an airport on the small Atlantic island of St. Helena, roughly 2,500 miles east of Rio de Janeiro. However, when the airport opened in 2016, no commercial planes could take off or land from the facility. The volcanic mountain that dominates the island creates dangerous wind shear, making conditions treacherous for aircraft.

A 2017 House of Commons report on the airport noted that "while the airport has since handled a small number of flights, the wind conditions have precluded operation of the planned commercial service."

In 2015, the U.S. city of Flint, Michigan, decided to change its water source from Lake Huron and the Detroit River to the Flint River to save $5 million. By January 2016, it became clear that the city's residents were being poisoned by lead contamination. An investigation revealed that city officials failed to mandate the use of chemicals known as corrosion inhibitors. These chemicals keep lead and other heavy metals from leaching out of old pipes into the water supply.

While the full cost of the contamination has not been tallied, victims have filed lawsuits against city officials for the poisoning of thousands of children, and the city's entire water system must be replaced.

Each of these costly mistakes could have been discovered and mitigated by implementing a thorough project management program. Though the process is not glamorous, it is effective at uncovering risks to the project, identifying a schedule, and organizing tasks and deliverables. All of these issues can be critical to a security project.

In this month's cover story, "Five Not-So-Easy Pieces," Nicholas D'Agostino, PSP, goes into detail about how security professionals can use project management techniques to ensure that a project is completed correctly, on time, and on budget. Using the example of a company replacing various legacy products with a new, unified security system, D'Agostino emphasizes: "In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. Thus, one of the most useful attributes a security practitioner can have is experience in project management."

our highest potential is not about survival of the fittest," writes Achor. "It is survival of the best fit."

CSO/Leadership

 

 

Editor's Note: Failing to Plan | 2018-08-01T04:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---Failing-to-Plan.aspx
Performance Conversations: Checking In & Coaching Up | 2018-07-01T04:00:00Z | https://sm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspx
Editor's Note: In Sync | 2018-07-01T04:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---In-Sync.aspx
Editor's Note: Dangers | 2018-06-01T04:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---Dangers.aspx
Bully Bosses Can Inflict More Damage with Negative References | 2018-05-17T04:00:00Z | https://sm.asisonline.org/Pages/Bully-Bosses-Can-Inflict-More-Damage-with-Negative-References.aspx
The Science of Organizing Security | 2018-05-15T04:00:00Z | https://sm.asisonline.org/Pages/The-Science-of-Organizing-Security.aspx
How to Lead a Diverse Security Workforce | 2018-05-01T04:00:00Z | https://sm.asisonline.org/Pages/How-to-Lead-a-Diverse-Security-Workforce.aspx
Certification Profile: Douglas Beaver, CPP | 2018-05-01T04:00:00Z | https://sm.asisonline.org/Pages/Certification-Profile---Douglas-Beaver,-CPP.aspx
Editor's Note: Awareness | 2018-04-01T04:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---Awareness.aspx
Four Trends That Will Shape Recruiting in 2018 | 2018-03-22T04:00:00Z | https://sm.asisonline.org/Pages/Four-Trends-That-Will-Shape-Recruiting-in-2018.aspx
Starting from the End: Creating a Master Security Plan | 2018-03-19T04:00:00Z | https://sm.asisonline.org/Pages/Starting-from-the-End---Creating-a-Master-Security-Plan.aspx
Editor's Note: Timing | 2018-03-01T05:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---Timing.aspx
Coachable Employees | 2018-03-01T05:00:00Z | https://sm.asisonline.org/Pages/Coachable-Employees.aspx
Fair & Neutral | 2018-03-01T05:00:00Z | https://sm.asisonline.org/Pages/Fair-and-Neutral.aspx
Certification Profile: Leon Beresford, CPP | 2018-03-01T05:00:00Z | https://sm.asisonline.org/Pages/Certification-Profile---Leon-Beresford,-CPP.aspx
Editor's Note: Incentive | 2018-02-01T05:00:00Z | https://sm.asisonline.org/Pages/Editor's-Note---Incentive.aspx
Certification Profile: Pamela Cichon, CPP | 2018-02-01T05:00:00Z | https://sm.asisonline.org/Pages/Pamela-Cichon,-CPP.aspx
Paved with Good Intentions | 2018-02-01T05:00:00Z | https://sm.asisonline.org/Pages/Paved-with-Good-Intentions.aspx
The Strategic Leader | 2018-02-01T05:00:00Z | https://sm.asisonline.org/Pages/The-Strategic-Leader.aspx
Speak the Language of Payroll | 2018-01-18T05:00:00Z | https://sm.asisonline.org/Pages/Speak-the-Language-of-Payroll.aspx

 You May Also Like...

 

 

Five Insights on ESRM
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
Strategic Security

There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise.

ESRM Is a Philosophy

ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.

This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager's own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be.

The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.

ESRM Is a Process

ESRM is not merely an academic philosophy. A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:

1. Identify and prioritize the assets of an organization that need to be protected.
2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.
3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.
4. Conduct incident monitoring, incident response, and post-incident review, and apply the lessons learned to advance the program.

ESRM Aligns with the Business

Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment.

There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process.

ESRM Covers All Security

There is no aspect of security that cannot be managed in alignment with the ESRM philosophy. Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.

The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision-making process for all risk mitigation.

ESRM Is Possible

Implementing ESRM cannot be done overnight. It's an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.

When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as "the department of no" will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.

Rachelle Loyear is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. Brian J. Allen, Esq., CPP, is a member of the ASIS ESRM Commission. Allen and Loyear are coauthors of The Manager's Guide to Enterprise Security Risk Management and the forthcoming book Enterprise Security Risk Management: Concepts and Applications.
What's New in Access Control?
https://sm.asisonline.org/Pages/What's-New-in-Access-Control.aspx
Physical Security

Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems.

Virtual credentials and mobile access technology

The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones.

The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID.

The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead it can be taken in phases leading to an interim hybrid approach that includes physical and virtual credentials.

Facial recognition

Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience.

Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently.

Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down.

Access control in the cloud

The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity.

Rather than dealing with the maintenance of a physical server, the speed and convenience of the cloud can handle everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.

What's next?

Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience.

John L. Moss is CEO of S2 Security.