CSO/Leadership

 

 

https://sm.asisonline.org/Pages/Editor's-Note---Dangers.aspxEditor's Note: DangersGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-06-01T04:00:00Zhttps://adminsm.asisonline.org/pages/teresa.anderson.aspx, Teresa Anderson<p>​On November 18, 1987, at around 7:30 p.m., a passenger traveling up the wooden escalator from Kings Cross station on the London Underground dropped a match. The resulting inferno would kill 31 people and result in significant changes to the transit system's safety and security.</p><p>According to an article written by Godfrey Holmes for The Independent in November 2017, the 30th anniversary of the tragedy, a passerby told a security guard that there was "a bright glow" beneath the King's Cross escalator.</p><p>Holmes notes that this was not particularly worrying. "After all, Underground staff have become accustomed to escalator fires, with 46 recently and a total of 400 fires since 1956, each put down as a 'smoldering.'"</p><p>However, even if officials wanted to announce an evacuation, they could not have done so, because the public-address system was not working. Passengers continued to work their way off trains and toward the escalator.</p><p>Meanwhile, the fire continued to grow. Only minutes after firefighters arrived at 7:45 p.m., the small fire erupted into a flashover. "A violent and prolonged tongue of fire rises swiftly from the escalator, licking over the tunnel roof above it; entering the main booking hall at an estimated speed of 40 feet a second; engulfing anyone in its path, police and firefighters included," wrote Alice Evans and Clifford Thompson for the BBC.</p><p>The fire was finally extinguished at 1:40 a.m.</p><p>The resulting investigation ruled out arson and terrorism. However, it found safety procedures lacking. </p><p>In his article, Holmes writes that officials issued "157 recommendations: everything from sprinklers and loud fire alarms to speedier evacuation procedures; from the installation of less flammable metal escalators to the appointment of safety officers charged specifically with fire prevention."</p><p>Trains were refurbished, and public-address systems improved. </p><p>Evans and Thompson note that "staff were trained in rigorous fire safety plans, and, more recently, communications between Underground staff and emergency services have greatly improved."</p><p>The investigation also found that the wooden escalators themselves were not a significant contributor to the initial fire or the fireball, which directly caused the deaths in the incident. The danger lay in the decades of grease and flammable garbage that lurked under the escalator, unseen and, thus, unheeded.</p><p>In this month's cover story, Associate Editor Megan Gates explores another unseen danger threatening transit systems worldwide.</p><p>She examines how two major transportation systems—the London Underground and the Washington Metropolitan Area Transit Authority—are addressing the threat of sexual harassment. Efforts are also underway to combat the reluctance to report incidents, which keeps dangers unseen and unaddressed.</p>

CSO/Leadership

 

 

https://sm.asisonline.org/Pages/Editor's-Note---Dangers.aspx2018-06-01T04:00:00ZEditor's Note: Dangers
https://sm.asisonline.org/Pages/Bully-Bosses-Can-Inflict-More-Damage-with-Negative-References.aspx2018-05-17T04:00:00ZBully Bosses Can Inflict More Damage with Negative References
https://sm.asisonline.org/Pages/The-Science-of-Organizing-Security.aspx2018-05-15T04:00:00ZThe Science of Organizing Security
https://sm.asisonline.org/Pages/How-to-Lead-a-Diverse-Security-Workforce.aspx2018-05-01T04:00:00ZHow to Lead a Diverse Security Workforce
https://sm.asisonline.org/Pages/Certification-Profile---Douglas-Beaver,-CPP.aspx2018-05-01T04:00:00ZCertification Profile: Douglas Beaver, CPP
https://sm.asisonline.org/Pages/Editor's-Note---Awareness.aspx2018-04-01T04:00:00ZEditor's Note: Awareness
https://sm.asisonline.org/Pages/Four-Trends-That-Will-Shape-Recruiting-in-2018.aspx2018-03-22T04:00:00ZFour Trends That Will Shape Recruiting in 2018
https://sm.asisonline.org/Pages/Starting-from-the-End---Creating-a-Master-Security-Plan.aspx2018-03-19T04:00:00ZStarting from the End: Creating a Master Security Plan
https://sm.asisonline.org/Pages/Editor's-Note---Timing.aspx2018-03-01T05:00:00ZEditor's Note: Timing
https://sm.asisonline.org/Pages/Coachable-Employees.aspx2018-03-01T05:00:00ZCoachable Employees
https://sm.asisonline.org/Pages/Fair-and-Neutral.aspx2018-03-01T05:00:00ZFair & Neutral
https://sm.asisonline.org/Pages/Certification-Profile---Leon-Beresford,-CPP.aspx2018-03-01T05:00:00ZCertification Profile: Leon Beresford, CPP
https://sm.asisonline.org/Pages/Editor's-Note---Incentive.aspx2018-02-01T05:00:00ZEditor's Note: Incentive
https://sm.asisonline.org/Pages/Pamela-Cichon,-CPP.aspx2018-02-01T05:00:00ZCertification Profile: Pamela Cichon, CPP
https://sm.asisonline.org/Pages/Paved-with-Good-Intentions.aspx2018-02-01T05:00:00ZPaved with Good Intentions
https://sm.asisonline.org/Pages/The-Strategic-Leader.aspx2018-02-01T05:00:00ZThe Strategic Leader
https://sm.asisonline.org/Pages/Speak-the-Language-of-Payroll.aspx2018-01-18T05:00:00ZSpeak the Language of Payroll
https://sm.asisonline.org/Pages/Editor's-Note-Resolutions.aspx2018-01-01T05:00:00ZEditor's Note: Resolutions
https://sm.asisonline.org/Pages/Certification-Profile---Darin-Dillon,-CPP.aspx2018-01-01T05:00:00ZCertification Profile: Darin Dillon, CPP
https://sm.asisonline.org/Pages/Chase-Leading-Through-Change.aspx2018-01-01T05:00:00ZChase: Leading Through Change

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspxFive Insights on ESRM<p>​There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise. </p><h4>ESRM Is a Philosophy</h4><p>ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.</p><p>This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be. </p><p>The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.​</p><h4>ESRM Is a Process </h4><p>ESRM is not merely an academic philosophy. A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:</p><p>1. Identify and prioritize the assets of an organization that need to be protected.</p><p>2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.</p><p>3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.</p><p>4. Conduct incident monitoring, incident response, and post–incident review, and apply the lessons learned to advance the program. ​</p><h4>ESRM Aligns with the Business</h4><p>Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment. </p><p>There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process. </p><h4>ESRM Covers All Security </h4><p>There is no aspect of security that cannot be managed in alignment with the ESRM philosophy.  Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.</p><p>The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision making process for all risk mitigation.​</p><h4>ESRM Is Possible</h4><p>Implementing ESRM cannot be done overnight.  It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.  </p><p>When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.  </p><p><strong><em>Rachelle Loyear i</em></strong><em>s ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. </em><strong><em>Brian J. Allen, Esq., CPP,</em></strong><em> is a member of the ASIS ESRM Commission. Allen and Loyear are coauthors of </em>The Manager's Guide to Enterprise Security Risk Management <em>and the forthcoming book </em>Enterprise Security Risk Management: Concepts and Applications.</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/What's-New-in-Access-Control.aspxWhat's New in Access Control?<p>​Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems. </p><p><strong>Virtual credentials and mobile access technology</strong></p><p>The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones. </p><p>The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID. </p><p>The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead it can be taken in phases leading to an interim hybrid approach that includes physical and virtual credentials. </p><p><strong>Facial recognition</strong></p><p>Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience. </p><p>Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently. </p><p>Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down. </p><p><strong>Access control in the cloud</strong></p><p>The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity. </p><p>Rather than dealing with the maintenance of a physical server, the speed and convenience of the cloud can handle everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.<strong> </strong></p><p><strong>What's next?</strong></p><p><strong></strong>Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience. </p><p><em>John L. Moss is CEO of S2 Security.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465