Striving for Higher Standards (https://adminsm.asisonline.org/Pages/Striving-for-Higher-Standards.aspx)
<p>The cannabis industry is full of contradictions. Although more than half of the United States has legalized—and therefore legitimized—some form of cannabis commerce and usage, it remains illegal under federal law. The drug's stringent controlled substance label prevents it from being researched, and banks take a risk if they accept money from cannabis companies.</p><p>The industry's strict state-by-state regulations mix policy, political influence, and borrowed best practices to create detailed rules that vary vastly by location and can be difficult to interpret and implement, and a lack of overarching guidance can leave organizations vulnerable. </p><p>And where the security industry falls into all of this—with its reliance on metrics, experience, and best practices—is still being explored. The challenge of protecting a product that just years ago was considered criminal cannot be ignored. And, as each U.S. state implements different regulations that are enforced by different entities, it's difficult to compare notes with other security practitioners trying to navigate the nascent industry.</p><h4>A Growing Industry</h4><p>Tim Sutton, CPP, was working as a senior systems engineer for a security integrator in 2013 when his company received a call from someone who was going to apply for a cultivation center permit. Medical cannabis legalization in Illinois was going into effect at the start of 2014, and the caller needed someone to write a security plan—one that would set the standard for cultivation center security in Illinois.</p><p>The task fell to Sutton, who used his experience with creating security plans for other industries to outline a proposal to win the contract. 
He integrated foundational security principles, including asset identification, threat assessment, hazard vulnerability analysis, and physical security measures, into the proposal. The plan also took other factors into consideration, such as geographical, architectural, and operational elements, as well as electronic security systems and policies and procedures. </p><p>His firm won the job, and that's when the real work began, Sutton says.</p><p>"There really aren't too many resources available for security plans in general, let alone within the medical cannabis industry," Sutton explains. "As much as security principles remain constant, the application of these security principles must remain variable to be effective."</p><p>Site security plans had to follow the newly outlined laws, which differ from state to state and range from vague to incredibly detailed—and, at times, confusing, Sutton says.</p><p>"Many of the requirements under the law really made me wonder how in the world they were included, but the security plan had to meet all of the requirements," he says. "The security plans are generally considered for between 20 to 30 percent of the total score for the application depending upon the particular state, and many times the score of the security plan is used as a tie-breaker in the awarding of a permit."</p><p>Sutton was able to tour established cultivation centers and dispensaries in another state to better understand how they worked, what security measures were in place, and how those compared to what Illinois would require. "This also allowed me to see many things that I wanted to be sure to avoid or improve upon when writing plans for other organizations," he adds.</p><p>The application Sutton created was approved, and the cannabis company was able to open two cultivation centers. "That was huge," Sutton says. 
"Illinois is very highly regulated."</p><p>Sutton went on to work with another cannabis company, won three dispensary permits for them, and suddenly found himself an expert in the industry's security. "That's the way it was," he says. "You win one permit in Illinois and that means something. I didn't realize how important that was."</p><p>Since then, Sutton has helped cannabis organizations all over the country apply for dispensary and cultivation center permits and now works as the director of security for Grassroots Cannabis, where he's responsible for security at sites in several states, including Illinois, Pennsylvania, and Maryland. Many cannabis organizations are consolidating, since it takes a lot of money—and expertise—to successfully open and run a dispensary or cultivation center. </p><p>"Nobody knows what they are doing," Sutton notes. "I've never grown marijuana and not many people have ever even seen it. These organizations are consolidating and trying to branch out to other states."</p><h4>Varied Governance</h4><p>The path a state takes to legalize medical or recreational cannabis—and who is involved in that process—is one of the biggest indicators of what the law looks like and how it's regulated, says Bob Morgan, special counsel for Much Shelist and former statewide project coordinator for Illinois' medical cannabis pilot program. Morgan was involved in crafting the legislation and framework for the program and managed its implementation once the law was enacted in January 2014. </p><p>"Every state that develops a medical cannabis program creates it in its own image, which reflects the political, cultural, and administrative structure of its respected law," Morgan tells Security Management. "Illinois was no different. It had multiple agencies that were responsible for implementing the program—the Illinois State Police and the Departments of Agriculture, Public Health, and Financial and Professional Regulation (IDFPR). 
Those agencies collectively were responsible for establishing security measures and regulations for the industry, from start to finish."</p><p>Ultimately, each state will model the cannabis industry after another existing industry—often based on what agencies are responsible for its implementation, Morgan notes.</p><p>"Colorado's medical cannabis program was overseen by its Department of Revenue," Morgan says. "So, the culture and process and structure of the Department of Revenue has laid the groundwork for the subsequent medical, and now recreational, marijuana industry. In Illinois, our agencies here all put a significant imprint of their agency culture on the program we have now. In a state like Florida, the Department of Health is overseeing implementation of the medical marijuana program. That determines whether a state will treat the cannabis industry like a pharmacy, or a bank, or a casino."</p><p>Sutton has experienced firsthand the challenges of the differing approaches to the industry. Despite being proficient at writing security plans for the cannabis industry in Illinois—a notoriously highly regulated state—he says navigating security specifics in many states can be daunting for an inexperienced practitioner. "I always read the rules and the law, and every part of the law," he says.</p><p>For example, Sutton was tasked with developing a security plan for a cannabis organization in Hawaii. Its permitting rules are broken down into sections, including one for security, which dictates that, among other things, an organization must retain 30 days of video in its archives.</p><p> "An inexperienced person would design a system that retains 30 days of footage and feel like they're doing what they should do," Sutton says. "But, if you read the rest of the rules and the section on records retention, there's a retention requirement of a year for you to keep inventory reports, employment files, and electronic video archives. 
If you didn't read that whole rule, you'd never know that and would design the system for 30 days and it would be 12 times too small. It's terrible. That's how I attack it—I read the whole rule, not just the security section."</p><h4>Regulations vs. Best Practices</h4><p>To overcome the challenge of crafting Illinois' medical cannabis regulations in 2014 without national guidance, Morgan created a listserv of state cannabis program directors from around the country to share best practices. He also pulled ideas from the rules in place for pharmacies and casinos in the states.</p><p>"We weren't really recreating the wheel, we were taking the best ideas and security measures we could find and incorporating that into the industry as we shaped it," Morgan explains. "Part of this is driven by the problem of the federal government's prohibition, which requires each state to do this in a haphazard way."</p><p>Some states—including Illinois—may have "gone overboard" with regulating the nascent industry due to a lack of national best practices, Morgan notes. For instance, Illinois is the only state that requires patients to be fingerprinted to get a medical cannabis card. </p><p>"That was a political consideration—it had nothing to do with policy or security, it was politics, unfortunately," Morgan says. "Almost every state has some variation of that."</p><p>Sutton agrees, noting that he has had to comply with head-scratching security requirements in both Illinois and other states. Illinois' Department of Agriculture oversees regulation at cultivation centers, while distribution centers answer to the IDFPR. The two departments wrote the regulations for their respective facilities, meaning that an organization trying to open both cultivation and distribution centers may need to abide by two separate sets of rules. 
And sometimes those rules don't align with overarching best practices in the security industry, Sutton says.</p><p>"For cultivation centers I record on motion, at five frames per second, even though the rules require three frames per second on an alarm—that's it," Sutton says. The video surveillance rules for dispensaries were initially vague, and Sutton says most security directors defaulted to using security industry best practices and designed their systems to record on motion. However, IDFPR later clarified that dispensaries would require constant recording, not motion-based.</p><p> "Now you jump up about three or four times the storage and processing power, just to satisfy that," Sutton says. "And then they went and arbitrarily pulled this number out of their back pocket that we would need to record at seven frames per second—I have no idea where that came from."</p><p>Sutton has run into similar challenges in several states. </p><p>"There are a lot of things written that don't make sense with why they were done—it depends on who contributed to writing the law," Sutton says. "They all think they are very secure and are writing the best plans, but there are some really big variants out there. Some do not have many requirements at all and leave them written pretty vaguely and open for interpretation, which has its own pitfalls, and a lot of others are so extremely specific, and I don't know where they get this stuff. They've got a lot of old technology and use terminology that's really outdated."</p><p>Morgan says this type of experience is not unusual. "With cannabis, it's still such a new industry and so heavily influenced by politics that we result in these kinds of sometimes unnecessary regulations," he notes. 
"The political pressures and ideology drives ridiculous regulation and laws that are based on fear as opposed to pragmatic security measures."</p><p>Regulation enforcement is a regular part of the cannabis industry, even after an organization is approved for a license. In Illinois, the state police enforce the state's regulations, while one of the two designated departments makes sure each facility is adhering to its permit specifications. Sutton says that while the inspections help prevent people from skirting regulations, they can also focus on the wrong problems. </p><p>"The Illinois Department of Agriculture comes every week and audits us against our security plan that we submitted," Sutton says. "All they care about is what we said we'd do in our application. If I said in my plan that all my cameras are going to be three megapixels and that I will have 200 days of archives, they'll come inspect those things every week. The Illinois State Police come in and audit to the actual law. They're going to make sure you have a video system that meets whatever the law says. They don't care how you're using it or that you're being effective and proactive."</p><h4>Above and Beyond</h4><p>These challenges were apparent to a group of people who last year started the National Association of Cannabis Businesses (NACB), the first and only self-regulatory organization in the cannabis industry. NACB President Andrew Kline, a former federal prosecutor and White House advisor, says that the organization establishes industry best practices that help cannabis businesses transcend varying state regulations and hold themselves to a higher standard.</p><p>"Professional organizations like banks and insurance companies had no idea who to do business with," Kline says. "The idea was to start a self-regulatory organization where we would vet our members and then develop national standards and use those standards as rules for our member companies. 
We want to demonstrate that these companies meant business, that they were trying to go above and beyond what they were required to do at the state level in terms of compliance requirements, and signal to professional entities that these businesses can be trusted, because it's a new industry and there are some actors who aren't as trustworthy."</p><p>NACB is also setting its sights on a future in which the cannabis industry would be federally recognized and a set of national guidelines would be needed. Kline says that when the organization started, it positioned itself to create best practices in line with the Obama Administration's priorities, but with the rescission of the Cole memo—which had curtailed enforcement of the federal marijuana prohibition—and the Trump Administration, there is less clarity about national priorities.</p><p>In fact—despite the vague or excessive regulation Sutton and Morgan experienced—Attorney General Jeff Sessions suggests that many of the individual states' regulations that are on the books today are not sufficient to protect the public interest, Kline notes.</p><p>"The national standards that we're looking to build are in alignment with federal priorities for public health and safety, and as we develop them with our members, in many cases we will be more rigorous than state law to show just how serious these members' businesses are in demonstrating they are good actors," Kline says. 
"We're baking into our standards what we believe the federal government should care about, but there isn't as much clarity today as there was a few months ago."</p><p>The current environment of regulatory uncertainty—both at the state and federal levels—can be a hindrance to cannabis organizations, and the NACB's approach is especially useful for organizations that operate in several states with disparate regulations.</p><p>For instance, Nevada's regulations do not permit fruit imagery on cannabis product packaging, while Colorado—which has more liberal regulations than Nevada—does allow fruit imagery, Kline explains. In such a case, NACB would create a standard that would be more akin to Nevada's rules than Colorado's.</p><p>Well-researched best practices are especially important when it comes to security, since dispensaries have products and financial assets that are lucrative to criminals (see Security Management's May 2018 News and Trends department for more on how banks and cannabis businesses interact).</p><p>"Security becomes even more complicated when you're dealing with people who are taking in large amounts of cash and don't necessarily have a good place to put it," Kline says. "It's costly, particularly for companies who are operating in more than one state."</p><p>Sutton agrees that overarching guidance is needed in the cannabis industry, especially when it comes to the nuanced role of security. Those who want to start a cannabis-based organization may not know what to look for in a security director, Sutton notes, and operational security personnel may be reluctant to work for an industry that remains taboo. The cannabis industry needs experienced operational security practitioners to continue paving the way, and Sutton says he would like to see more security directors become board-certified through ASIS or similar organizations.</p><p>"I refuse to be siloed and just be the guy who is worried about video and access control," Sutton says. 
"I worry about it and I love it; however, there are so many other things you have to make sure you're following that do involve security. It touches everything. Security has to be at the table in deciding how you're going to operate, it's more than just your physical systems."</p><p>Morgan says he has seen a shift in the role security and law enforcement are playing in the cannabis industry. Initially, he says the Illinois State Police and local law enforcement were opposed to medical cannabis programs, but today his successor who runs the program at the state level is a former sheriff who changed his way of thinking. "He has seen the way the program works and can articulate how it's safe," Morgan notes.</p><p>"Everyone who knew me beforehand was shocked to hear that I was writing security plans for the medical cannabis industry," Sutton says. "I was the no-fun guy who was very much anti-drug and, for the most part, toed the line when it came to abiding the law. I rationalized it as making sure these companies were tight when it came to security and felt that as it was not illegal, I had no problem with it.... The turning point for me was the passion of the people in the industry and the fact that I wasn't dealing with hippies growing pot in their basement or garage. I was working with people who genuinely believed in their cause and truly considered cannabis as medicinal."  </p><p>Morgan continues to help governments and businesses create medical cannabis programs and says he hopes Illinois—which renewed its medical cannabis program through 2020—will revisit some of its more stringent regulations.</p><p>"It would absolutely be fair to say that Illinois has more than enough data points to show that our regulations can be scaled back in some areas where they were overly politicized," Morgan says. "Regulations such as fingerprinting patients and the extent of security measures each facility has to have in terms of the number of cameras and other requirements. 
This was an experiment to see how it was working and what wasn't working well, and to improve it. And that's what's happening throughout the country."  </p>
Blockchain Buzz (https://adminsm.asisonline.org/Pages/Blockchain-Buzz.aspx)
<p>The year was 1960. And Charles W. Bachman was unsatisfied with computers. They were supposed to revolutionize the way companies did business, but accessing vital information and making changes was a time-consuming—and frustrating—process.</p><p>Bachman, then a software engineer at General Electric, and his team came up with a solution to the problem. He created the Integrated Data Store (IDS), the first direct-access database management system, which would allow businesses to link data sets and make changes to them with greater ease.</p><p>IDS would change the future of computing, and databases and their management systems are now used in millions of applications around the world for inventory control, employment records, and transactions.</p><p>"IDS and its derivative systems are still in use today, supporting a thousand mainframe installations," Bachman wrote in an article for IEEE Annals of the History of Computing in October 2009.</p><p>Around the same time that Bachman wrote his article, another piece of technology was invented that is now changing computing in a similar way: the blockchain.</p><p>"A blockchain is similar to a database, but rather than being stored in one place and governed by one company or one set of people who run it and administer it, a blockchain is simultaneously run by thousands—or millions—of people around the world," says Michael Perklin, chief information security officer at ShapeShift.io and board member of the CryptoCurrency Certification Consortium and The Bitcoin Foundation. "There is no real, geographic home."</p><p>And blockchain technology is poised for a bright future. 
Research and advisory firm Gartner predicts that the business value-add of blockchain will reach $176 billion by 2025 and be more than $3.1 trillion by 2030.</p><p>What is a blockchain? In October 2008, Satoshi Nakamoto created the cryptocurrency known as Bitcoin. To keep track of Bitcoin transactions and verify them, Nakamoto also created another technology—a blockchain. </p><p>A blockchain is a database system that allows peers to validate changes made to the system, rather than relying on central authority. One of the easiest ways to explain how a blockchain works is to discuss it in terms of a transaction. </p><p>For example, Alice requests that Bob pay her 15 Bitcoins. Her request is broadcast to a network of computers—called nodes. Using cryptography, the nodes make sure the transaction is valid. If it's valid, a new block is added to existing blocks associated with Alice's account to create a chain. Built into these blocks are digital hashes, which make it evident if anyone attempts to alter a block in the chain. </p><p>"With a database, it's possible to falsify a record without leaving any trace because, by default, most databases don't have these tamper-evident capabilities—but blockchains do," Perklin says. "So, if I try to alter my balance and say I have 1,000 Bitcoins. I send this update to the world through the replication mechanism; as every other computer in the world starts receiving this message from me, they take a look at the tamper-evident seal on it, and they realize immediately that this is not a valid update and ignore it." </p><p>Most other systems, including databases, lack this validation factor.</p><p>"By default, databases don't do any checking at all because it's assumed that you have access to that database," Perklin says. 
"You have an account, you have permission to make a change, it assumed that change is valid, and if you have permission to make it, it'll make it for you."</p><p>By contrast, there are no user accounts associated with blockchains. Nodes on the network act as validators, conducting integrity checks to make sure that false information is not added to the blockchain. And this validation process happens within nanoseconds. </p><p>Beyond validation, there are other benefits to blockchain technology. For instance, it is more resilient than relying on a central authority.</p><p>"The data simultaneously exists on thousands or millions of computers around the world at the same time," Perklin explains. "If one server were to go down, the data is still available to everyone else in the world. By contrast, if something like PayPal were to go offline, nobody can use PayPal until PayPal comes back online."</p><p>If one server, or several, went out due to a massive Internet outage, a blockchain would continue to work using servers located elsewhere. </p><p>How are they used? Blockchains were initially created to facilitate Bitcoin and have also been used to support other cryptocurrencies. Since then, blockchains have been applied to other projects, but the technology is still in the early phases of adoption. </p><p>One use case is document validation. Users can employ blockchain technology to verify the integrity of a document and ensure that it has not been altered. </p><p>For instance, publicly traded companies release certain financial records to the public every month. If a malicious insider who stole from the company wanted to alter the documents to cover up the crime, the insider could do that after the chief financial officer prepared the documents.</p><p>Using software that uses blockchain technology, a chief financial officer could add a time stamp to the prepared financials that would appear in the blockchain. 
</p><p>"This adds a tamper-evident seal that lives in the…blockchain that can attest that at this time and on this day, this was the exact state of the financial affairs," Perklin says. "Now a few days later when bad guys take these financials, alter them, and publish them to the world, if somebody wanted to check the validity they can compare it to what the CFO put in…they will see it has been altered."</p><p>This type of timestamping authenticator can also be used to verify video recordings, Perklin says, such as a recording of a police officer using excessive force against a protestor.</p><p>"A few months later when they are in court and the recorder is accused of photoshopping the video, they can say, 'No, this time stamp proves that this existed on the day at exactly 3:30 in the afternoon—the time this really happened,'" he explains.</p><p>These are just some initial use cases for blockchain and more will come, but one area Perklin says he does not think blockchain technology will be used for is anything involving private information.</p><p>"The nature of blockchain is that all the information is public, and every one of those thousands or millions of computers around the world, they can read all the information, so they can validate all the information," Perklin adds. "Now I've lost my privacy. 
Anything that has a privacy component is not a good fit for a blockchain application."</p><p>Others are also skeptical of the potential security use for blockchain technology, including Ron Rivest, institute professor at the Massachusetts Institute of Technology and one of the inventors of the RSA algorithm.</p><p>Speaking at the RSA Conference in San Francisco in April 2018, Rivest said that blockchains are being viewed as "security pixie dust" with developers promising that any application will "be made better by blockchain properties."</p><p>This is not accurate, Rivest said, citing the example of using blockchain technology for election security in the United States. </p><p>"In voting, it would be a bad idea because of the private ballot—and it needs to be centralized," he said, adding that the centralized system is needed to ensure that votes are counted but that the identity of who cast them would remain private.</p><p>"Blockchains have limited security properties that may or may not fit what you need," Rivest said.</p><p>The U.S. Securities and Exchange Commission (SEC) has also stepped up recently to crack down on companies that are adding blockchain to their name to raise their stock price.</p><p>"The SEC is looking closely at the disclosures of public companies that shift their business models to capitalize on the perceived promise of distributed ledger technology and whether the disclosures comply with the securities laws, particularly in the case of an offering," said SEC Chairman Jay Clayton in a statement. </p><p>All of this is part of a technology that's just in its beginning phases, similar to what the world saw with the introduction of computers and databases. </p><p>"It took decades for people to apply interesting features to that dumb wire between boxes," Perklin says. "I'm sure that in 20 years, we're going to look back at all the different ways companies started using blockchain and think...this was the future."</p>
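The tamper-evident chaining and the CFO document-timestamping scenario Perklin describes above, as an added example that is not code from the article or from any product it names. It assumes a single in-memory ledger built on a SHA-256 hash chain, with no replication, consensus or mining; the financial figures are constructed sample data.

```python
"""Toy hash-chained ledger: anchors a document hash with a timestamp and
detects later alteration of either the document or the ledger entry.
Added example, not part of the Security Management article."""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: str   # supplied by the caller so the example is deterministic
    doc_hash: str    # SHA-256 of the document being timestamped
    prev_hash: str   # hash of the previous block: this link is the "chain"
    hash: str = ""   # hash of this block's own header, filled in on append

    def compute_hash(self) -> str:
        header = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "doc_hash": self.doc_hash, "prev_hash": self.prev_hash},
            sort_keys=True).encode()
        return sha256_hex(header)


class Ledger:
    def __init__(self) -> None:
        genesis = Block(0, "1970-01-01T00:00:00Z", sha256_hex(b""), "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def anchor_document(self, document: bytes, timestamp: str) -> Block:
        """Record only the document's hash (the document itself stays private)."""
        prev = self.blocks[-1]
        block = Block(prev.index + 1, timestamp, sha256_hex(document), prev.hash)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        """Every block must hash to its stored value and link to its predecessor."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def document_matches(self, index: int, document: bytes) -> bool:
        """Does a document presented later match what was anchored at `index`?"""
        return self.blocks[index].doc_hash == sha256_hex(document)


def demo() -> tuple:
    ledger = Ledger()
    # Constructed sample: the financials as the CFO prepared them.
    financials = b"Q1 revenue: 4,200,000\nQ1 expenses: 3,900,000\n"
    anchored = ledger.anchor_document(financials, "2018-05-01T15:30:00Z")
    # The honest copy still matches the anchored hash.
    honest_ok = ledger.document_matches(anchored.index, financials)
    # A doctored copy (expenses lowered to hide missing money) does not.
    doctored = b"Q1 revenue: 4,200,000\nQ1 expenses: 3,700,000\n"
    doctored_ok = ledger.document_matches(anchored.index, doctored)
    chain_ok_before = ledger.verify_chain()
    # Suppose the ledger has moved on: a later entry commits to block 1's hash.
    ledger.anchor_document(b"constructed later document", "2018-05-02T09:00:00Z")
    # An insider rewrites the anchored hash AND recomputes that block's hash so
    # the entry looks self-consistent; the next block's prev_hash still exposes it.
    ledger.blocks[anchored.index].doc_hash = sha256_hex(doctored)
    ledger.blocks[anchored.index].hash = ledger.blocks[anchored.index].compute_hash()
    chain_ok_after = ledger.verify_chain()
    return honest_ok, doctored_ok, chain_ok_before, chain_ok_after


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

In a real deployment the same check runs on every replica, which is why a single altered copy is rejected rather than silently accepted.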
Performance Conversations: Checking In & Coaching Up (https://adminsm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspx)
<p>The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.</p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security managers may conduct effective and engaging performance conversations.</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process. </p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt. </p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past." </p><p>Meanwhile, smaller organizations have taken their cue from these corporations. "People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. 
</p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains. 
</p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.  </p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect." </p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation. </p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-then-deserved ranking. </p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains. </p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees. These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  
</p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. "The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. 
The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. 
​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. </p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. 
</p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. 
They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.  </p>
https://adminsm.asisonline.org/Pages/Catastrophe-on-Delivery.aspx
Catastrophe on Delivery (National Security)
<p>The city of Austin, the warm and colorful Texas capital—known for its Tex-Mex cuisine, live music, and popular grassroots slogan "Keep Austin Weird"—was set completely on edge in March 2018 by an unusual and most unwelcome threat: a package bomber.</p>
<p>From March 2 through March 20, Mark Anthony Conditt perpetrated five bomb attacks before blowing himself up. In each of his first three attacks, Conditt dropped off a conventional-looking delivery package at a different residence in the city. All three packages contained pipe bombs that exploded when opened. The first two recipients were killed; the third was badly injured. These three doorstep bombs were followed by a tripwire bomb Conditt left on the side of a road. It injured two nearby pedestrians when it detonated.</p>
<p>But on March 20, the bomber changed his modus operandi (M.O.). He sent his next package through the Federal Express (FedEx) delivery system; it exploded on a conveyor belt at a FedEx facility in Schertz, Texas, a town outside of San Antonio. One employee was injured. About six hours after the Schertz explosion, Austin police received a call about another suspicious package at a FedEx facility in southeast Austin, not far from the airport. That package was disrupted by law enforcement, and no injuries were reported. A day later the bomber blew himself up inside his vehicle after he was pulled over by police, injuring one law enforcement officer in the process.</p>
<p>That switch in M.O., from dropping off bombs at houses and roads to shipping them, is somewhat unusual for a bomber, says Fred Burton, an Austin-based chief security officer for Stratfor who followed the events closely.</p>
<p>"The change seemed predicated on adjustments he made due to the news media coverage surrounding the events that were taking place. There was tremendous local and national news coverage, press conferences, and everything," Burton explains.</p>
<p>Had the bomber stuck to his original approach of doorstep bombing, he likely would have been able to wreak havoc for even longer than he did, Burton says. Instead, when he started using FedEx, his bombs entered an efficient, tightly tracked supply chain that leaves a lot of digital bread crumbs. "That was a big plus for the investigation," Burton explains.</p>
<p>The unsettling events in Austin also put a spotlight on the issue of postal and shipping security. Burton, who was a counterterrorism agent for the U.S. Department of State from 1985 to 1999, remembers the Pan Am Flight 103 bombing in 1988, in which a suitcase bomb placed in the luggage cargo area of the plane exploded over Lockerbie, Scotland.</p>
<p>Since that incident, package security has improved by leaps and bounds, with vast improvements in screening device technology and explosive detection instruments, Burton explains. In the United States, the anthrax attacks of 2001 spurred many advances in postal security: "You have had so many drastic changes since the anthrax scare," Burton says.</p>
<p>Indeed, the anthrax episode did lead U.S. officials to beef up postal security. The U.S. Postal Inspection Service (USPIS), the security arm of the U.S. Postal Service (USPS), enhanced its Dangerous Mail Investigation program to deal with the threat. And since then, authorities have established the National Postal Model for the Delivery of Medical Countermeasures, a contingency program under which medical countermeasures can be delivered in case of a catastrophic event such as an anthrax attack.</p>
<p>Currently, packages sent through the U.S. mail face several layers of security, according to Pamela Cichon, CPP, a program manager and postal inspector with the Security and Crime Prevention Group at USPIS. "Postal employees are trained to identify suspicious parcels and are provided standard operating procedures to follow when they encounter a suspicious parcel," says Cichon. "Specially trained postal inspectors recognize the common characteristics of suspicious mail."</p>
<p>In addition, retail clerks ask customers questions about the contents of an item being mailed, Cichon explains. But beyond those generalities, the USPIS does not discuss specific operating procedures regarding suspicious packages. "We do not comment publicly on our security measures, in order to prevent attempts to compromise or minimize their effectiveness," she says.</p>
<p>Since the USPS is typically the final delivery point for UPS and FedEx packages, the agency has collaborative relationships with both services. "We collaborate on best practices and also work joint investigations," she explains.</p>
<p>Collaboration also occurs between U.S. federal postal authorities and law enforcement agencies in cases of potential security breaches or fraud. For example, in March 2017, the FBI announced that it was conducting a joint investigation with the USPIS regarding packages containing potential destructive devices that were sent to U.S. military sites.</p>
<p>Such collaborations are "not an uncommon event," Cichon says: "The Inspection Service conducts joint investigations with all federal and state law enforcement partners frequently. When the mail system or USPS employees are at risk or being used to further criminal activity, the Inspection Service responds and investigates."</p>
<p>But officials, postal workers, and law enforcement officers are not the only ones responsible for postal and package security, Burton says. Demand for services like Amazon has spiked, and this has led to a sharp increase in "the sheer volume of packages on any given day around the whole world, and the United States," he explains. "What the Austin bombing did is remind all of us in this business of the importance of mail and package handling."</p>
<p>For the services that work with packages, having a well-trained workforce with sharp observational skills is critical. But consumers must also play their part. "If you come home from work and there's an unexpected package, be careful. Don't touch it unless you are expecting something," Burton advises.</p>
<p>It is best not to move the package, he adds. And the consumer should try to do a little due diligence through observation, and consider: Who is it specifically addressed to? Is the sender's name blank? What is on the return address?</p>
<p>These tips may seem simple, but they can be a challenge to follow, because they work against a common human impulse: the enticing feeling of possibility, or delight, embodied by an anonymous package, which may contain an unexpected gift or something equally wonderful. "You want to see what's hidden behind Door Number Three," Burton says. "But you may not want to know."</p>
<p>Another challenge is the diminishing situational awareness of contemporary life. "Most people are multitasking all the time, and they are not very aware of their surroundings," Burton says. So, they may be checking email messages on their smartphone while they absentmindedly pick up a package with one hand and drag it into the house.</p>
<p>"I think it boils down to common sense and situational awareness," Burton says. "Is that package addressed to you? If not, why are you opening it? There has to be a little common sense to security at times."</p>
<p>In that respect, the bombing episode held some valuable security lessons. But "the one fearful part," Burton explains, is that it could serve as an unwitting demonstration to a militant group like the Islamic State (ISIS) on how to create chaos: "I worry about the copycat terrorism ramifications."</p>
<p>This concern stems in part from the fact that the Austin-based Burton felt firsthand the waves of fear that swept through the streets as the bomber remained at large for days on end. "Oh my gosh," he says, "it quasi-paralyzed the city."</p>
https://adminsm.asisonline.org/Pages/The-Future-CSO.aspx
Q&A: The Future CSO (Strategic Security)
<p>CSO roles are becoming more prevalent in corporations while evolving to address security challenges. Scott Klososky, founding partner of Future Point of View, shares how.</p>
<p><strong>Q.</strong> <em>What do you think the CSO role will look like in five years?</em></p>
<p><strong>A.</strong> The CSO role will have complete responsibility for integrated security across physical, electronic, and cyber. CSOs will report directly to the board in many cases and will have a long list of specific dangers they are charged with preventing. They will be responsible for things like stopping employee theft of data, preventing employees from giving up passwords or compromising systems, and drone defense. They will be heavily involved in the organization's risk management system and will have a say in the insurance that is purchased to offset risk in specific threat areas. Another responsibility will be providing personal protection and intelligence in regard to travel for senior executives, board members, and their families. That will include social media scrubbing for the company, as well as for senior executives and board members.</p>
<p><strong>Q.</strong> <em>What will the reporting structure to CSOs look like in the future?</em></p>
<p><strong>A.</strong> CSOs will have a VP of cyber, VP of physical, and VP of electronic security reporting to them. They will have specific people who are dedicated to the three different areas of security: the company, access control and surveillance systems, and cybersecurity. They will also be more closely aligned with HR because the human firewall is becoming such a problem. There is no way to protect an organization properly if the CSO does not have control over all aspects of security defense. Today, it is broken up across organizations and is too far removed from HR to be completely effective. The threats we are defending against will require this level of integration and collaboration.</p>
<p><strong>Q.</strong> <em>Will the dynamic between security and the rest of the organization shift?</em></p>
<p><strong>A.</strong> To do security well, the CSO will have to develop strong collaboration with HR, IT, and operations. Then the CSO will have to participate in areas like risk and insurance. I see a future where a strong CSO is well-known and well-liked by all leadership. The CSO will be involved in lots of departmental meetings across the organization to determine new threat vectors and to build the relationships necessary to put up a solid defense. Today, CSOs can hide behind the scenes, and that needs to stop. They need to be out front with relationships across the organization, so they are looked at as a necessary element in the strategy of the organization.</p>
<p><strong>Q.</strong> <em>What about smaller businesses and organizations? How will they keep pace with emerging security threats?</em></p>
<p><strong>A.</strong> There is only one real answer and that is to use contractors and vendors. Small and medium-sized organizations cannot pay for a full-time CSO in many cases, yet they need a smaller version of an integrated security model. They can rent the talent for a price they can afford by using local and regional security firms who are used to dealing with smaller clients. I suspect that security firms will build processes and systems to better handle these customers, so they are not left out in the cold.</p>
https://adminsm.asisonline.org/Pages/July-2018-ASIS-News.aspxJuly 2018 ASIS NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​GSX Promises Vegas Flair</h4><p>World-class networking is a hallmark of the ASIS annual event. In Las Vegas this September, the Society is pulling out all the stops for Global Security Exchange (GSX), formerly the Annual Seminar and Exhibits. From bowling to luncheons to a reception at Drai's Nightclub, GSX offers countless opportunities to forge new connections and cement existing relationships at the industry's premier networking events.</p><p>Kick off the week on Sunday, September 23, by teaming up with friends and colleagues for the ASIS Foundation Golf Tournament at Bali Hai Golf Club, located next to the Las Vegas Strip. Registration includes breakfast, player gifts, and a buffet lunch, with event proceeds benefiting the ASIS Foundation. </p><p>On Sunday evening, the popular Brooklyn Bowl will be transformed into the GSX Opening Night Celebration. Don your bowling shoes and join thousands of peers for a fun-filled night of food, music, and catching up with friends. </p><p>The U.S. Outstanding Security Performance Awards (OSPAs) Luncheon on Monday provides an opportunity to celebrate excellence across the industry—from young professionals to managers to consultants, and more. The deadline to enter for U.S. OSPAs consideration is July 23. Apply at us.theospas.com/enter.</p><p>In addition to opportunities to connect with colleagues in the halls and while perusing the exhibits, the ASIS International Happy Hour on Tuesday on the show floor will celebrate the end of the first day of exhibits. Grab a drink and relive the highlights of the day.</p><p>Close the week in style at the annual President's Reception at Drai's Nightclub. 
At one of Las Vegas's most exclusive venues, guests will be treated to an evening of live entertainment, food and drinks, networking, and a view of the Strip from the 11th story capstone of the Cromwell hotel.</p><p>Register for an All-Access Pass before August 10 and save $100 on your ticket to these events and more. Visit GSX.org/register to sign up.​</p><h4>SECOND QUARTER GLOBAL EVENTS</h4><p>Excitement is building towards GSX this September in Las Vegas, as evidenced by the energy at the following events that took place in the second quarter of 2018. </p><p><strong>CSO Summit</strong></p><p>Transparency battles. Global rules in flux. Artificial intelligence. </p><p>Global chief security officers and deputies who attended the 11th Annual CSO Summit April 29 through May 1 at Target Plaza Commons in Minneapolis, Minnesota, grappled with how these and other change drivers will affect the security profession. </p><p>While key conversations and experiences—such as a private security tour of U.S. Bank Stadium—were prevalent, at center stage was a forward-looking agenda aiming to make sure security executives adapt and remain relevant to their organizations. </p><p>Futurist and cybersecurity professional Scott Klososky led off the conference by emphasizing that security leaders are responsible for looking into the future and—before anyone else—understanding how the world, their industry, and their businesses are changing, especially with an eye toward future risk. </p><p>For every cutting-edge technology solution or strategic advantage discussed throughout the event, there was equal and appropriate caution regarding unintended consequences. 
</p><p>For example, artificial intelligence will help security by enabling analysis of logarithmically more data, such as using HR records to identify insider threats, but it has to be implemented properly and with auditability because it can lead to algorithmic bias—that is, it could systematically discriminate against certain groups.</p><p>A common theme across the two days was to define security initiatives in terms of drivers and enablers of business and savings, rather than as sunk costs. Speakers shared examples of strategies they used to calculate the cost savings of implementing new security projects to justify those programs to the C-suite. </p><p>Another common theme was that the path forward for corporate security, and sustainable success in business, requires effective implementation of enterprise security risk management (ESRM), where the organization formally and holistically manages risk. </p><p>This can go hand-in-hand with a DevSecOps approach, where all employees are empowered to contribute to organizational safety and security, especially as it becomes more difficult to centralize response to the growing activities and vast data sources generated by modern business processes and systems.</p><p>CSOs and their deputies will have the opportunity to continue exploring the evolution of these change drivers and attend exclusive educational sessions in the CSO track at GSX in September. </p><p><strong>ASIS NYC</strong></p><p>Thousands of security and law enforcement professionals gathered at the Jacob K. Javits Center May 16 and 17 for the ASIS 28th New York City Security Conference and Expo to dive into networking, education, and exhibits at the Northeast's leading security event.</p><p>The event started with a Security Rocks welcome party at the Hard Rock Cafe on Tuesday evening. 
Live entertainment set the scene for fun and networking worthy of the Big Apple.</p><p>Conference education began Wednesday morning with a keynote from JPMorgan Chase Crisis Management Head Scott Morrison, who discussed emerging threats and trends. </p><p>The emerging trends theme continued throughout the day, via a panel discussing the legal and practical applications of drone technologies, a crash course on implementing ESRM to earn security a "seat at the table," and a talk from Facebook Chief Global Security Officer Nick Lovrien, who explored the challenges associated with securing Facebook's open office environment.</p><p>Thursday's education focused on active assailant attacks, with sessions devoted to emergency preparedness and vehicle-involved attacks. At Thursday's Person of the Year Luncheon, the ASIS New York City Chapter honored His Eminence Timothy Cardinal Dolan for his service to the people of New York.</p><p>On both days, a bustling expo floor provided attendees the opportunity to meet with some of the region's foremost solutions providers.</p><p><strong>ASIS Toronto Best Practices</strong></p><p>ASIS Toronto's largest educational event of the year, the 2018 Best Practices Seminar held on April 19, was its largest ever, with a full house of 200 attendees and speakers. It was the 25th annual seminar for the chapter.</p><p>For the first time, the event was held in the Grand Banking Hall of the Dominion Bank building at One King West in downtown Toronto. Attendees enjoyed a jam-packed day of presentations set against the historic ballroom's dramatic backdrop.</p><p>Themed #SecurityEmerging, the seminar featured topical sessions including hyperloop, ESRM, and cannabis. John Minster, physical security manager, TD Bank, discussed video analytics, demonstrating examples of how to apply basic analytics in a variety of real-world applications, with measurable results to the organization. 
The day concluded with a panel of experts who discussed the role of the security professional in dealing with workplace sexual assault. </p><p>The 26th Annual Best Practices Seminar will be held on April 11, 2019. Visit asistoronto.org for details.​</p><h4>ESRM: MID-YEAR UPDATE</h4><p>By Tim McCreight, CPP, and Rachelle Loyear.</p><p>The ASIS ESRM Initiative is now at its halfway point for 2018. During the leadership sessions held in Washington, D.C., in January, ASIS made it clear that enterprise security risk management (ESRM) is a priority for the Society today, and into our future. As co-chairs of this important work, we are pleased to share a status report detailing the efforts to infuse ESRM into the Society's programs and services. </p><p>It is with great pride we can say that in the past six months, the ESRM Initiative has accomplished a number of significant achievements. Four value streams were established, each led by a subject matter expert and a representative from the ASIS Board of Directors. </p><p>They focus on Education, Standards and Guidelines, Marketing/Branding, and Maturity Model Tool. We are already seeing the fruits of these groups' labor with the following initiatives well underway:</p><p>•   Education. An ESRM webinar, including definitions and key points, was developed to ensure that all the ESRM presenters at Global Security Exchange (GSX) are "singing from the same songbook." In addition, a draft glossary of terms has been created and an ESRM 101 training will be available by GSX. </p><p>•   Standards and Guidelines. A draft ESRM guideline is on track to be completed by GSX. This document outlines an approach to security program management using risk principles to link an organization's security practice to its mission and goals. 
The working guideline also describes the concept of ESRM, including its four principal elements, as well as additional steps security professionals can take to strengthen an ESRM effort, bring it to maturity, and maintain it over time.</p>
<p>•   Maturity Model Tool. Requirements for the tool have been established and a request for proposal for a supplier has been disseminated.</p>
<p>•   Marketing and Branding. An ESRM slide deck was distributed to all chapter and council leaders, and several articles have been written detailing the need for security professionals to apply ESRM within their organizations.</p>
<p>There is a great deal of rigor and project management going on behind the scenes within the ESRM Initiative, and it shows. The value streams are all on track to deliver their key project updates by GSX, and there will be a number of educational sessions at GSX to showcase some of the deliverables, including a pre-conference program workshop.</p>
<p>Check the GSX program guide to see all the ESRM sessions for 2018, and feel free to contact us at esrm@asisonline.org if you have questions or would like more information on any of the value streams.</p>
<p>Tim McCreight, CPP, is ESRM Initiative board sponsor, and Rachelle Loyear is ESRM Initiative program manager.</p>
<h4>EXECUTIVE PROGRAM</h4>
<p>Wharton/ASIS Program for Security Executives: Making the Business Case for Security.</p>
<p>October 21-26.</p>
<p>Philadelphia, Pennsylvania.</p>
<p>With so many new threats confronting today's organizations, corporations are challenged by competing security priorities, as well as how to invest their resources wisely.</p>
<p>How do they best protect their employees and their organizations' networks and data from harm?
As a security professional, how do you communicate the security story so leaders fully understand the costs, benefits, and risks of not having a comprehensive strategy?</p>
<p>Designed for senior security leaders, the Wharton/ASIS Program for Security Executives will enhance participants' business acumen and effectiveness in key areas of strategy, negotiation, critical thinking, and managing change. Attendees will gain the leadership and management skills needed to help them work more effectively and communicate the bottom-line impact of security decisions to the C-suite—so security priorities can be moved forward.</p>
<p>Through interactive lectures, exercises, and case studies, both in the classroom and in smaller work groups, this custom-designed program will enable participants to create effective security strategies in a fast-changing, global environment. Attendees will come away with a strategic toolbox that will help put these business skills into immediate practice, as well as recognition of their own leadership and communication strengths.</p>
<p>ASIS members save $1,000 (and CSO Center members qualify for an additional discount) on the regular program fee—which includes all meals and accommodations. Visit asisonline.org/wharton to learn more and apply.</p>
<h4>IT SECURITY COUNCIL SPOTLIGHT</h4>
<p>"Cybersecurity is like painting a bridge," says ASIS Information Technology Security Council Vice Chair Robert Raffaele, CPP. "As soon as you decide on a practice and implement it, it's time to start over again.
The technology advances so rapidly that documented best practices can quickly become obsolete."</p>
<p>The IT Security Council carries the unique burden of sharing its members' world-class information security expertise in forms that won't be outdated by the time they reach their audience.</p>
<p>Earlier this year, the council published Security on the Internet of Things: An Enterprise Security Risk Management Perspective, a white paper examining risks security professionals need to keep in mind as today's devices become more and more connected.</p>
<p>Given the nature of IT security, the council emphasizes person-to-person knowledge-sharing—timely advice delivered when it's needed most. This September, the council will sponsor 11 education sessions at GSX. These sessions will cover topics like cyber terrorism, mobile device security, cybersecurity for physical security professionals, emerging technologies, safe cities, and more.</p>
<p>The council also offers itself as a yearlong resource, connecting security professionals with the appropriate council members and trusted industry experts needed to tackle real-time IT security problems.</p>
<p>"In security, trust is such a big factor," says 2018 Council Chair Jeff Sieben, CPP. "It's so much easier to rely on a particular process when that process has been vetted by someone you trust. As a council, we're happy to be that bridge between members and the reliable, immediate information they need."</p>
<p>Sieben says the council's role is to be a consultative body of subject matter experts.</p>
<p>"This council's greatest asset is members who stay current and are available to talk about current topics," he says. "Our members are plugged into the greater IT security sphere, contributing to ISACA, ISSA, SIA, (ISC)2, and more."</p>
<p>To consult with the IT Security Council, email council leadership or message a council member on ASIS Connects. The full council roster can be found on the council's community page.
Search "Information Technology Security Council."</p>
<h4>ASIS LIFE MEMBERS</h4>
<p>ASIS congratulates Eduardo Martinez Fulgencio, CPP; Leonard A. Rosen; and H. John Bates, CPP; who were granted lifetime ASIS membership.</p>
<p>Fulgencio served as an ASIS assistant regional vice president for many years. He also held the positions of chapter newsletter chair, chapter chair, treasurer, and chapter program chair for the Philippines Chapter of ASIS. He has been a member of ASIS for more than two decades.</p>
<p>Rosen and Bates were automatically honored with the lifetime award for their continuous membership of more than 50 years. ASIS is grateful for their loyalty for more than half a century.</p>
<h4>MEMBER BOOK REVIEW</h4>
<p><em>Private Security and the Law, Fifth Edition</em>. By Charles P. Nemeth. CRC Press; crcpress.com; 739 pages; $89.95.</p>
<p>As the security profession makes strides in education and training, there is a concurrent need for books that light the path. Dr. Charles Nemeth has written such a book: <em>Private Security and the Law</em>. This fifth edition is a big one, both in size and what it has to say. The author has significant experience as both a security practitioner and a scholar. In this book, he nimbly toggles between the two worlds, presenting a viewpoint that is unbiased and comprehensive.</p>
<p>Nemeth acknowledges the tension between public policing and private security, while showing how the two can work symbiotically. The first chapter presents the historical underpinnings of the profession, giving a rich history of private security protection.</p>
<p>The next chapters focus on regulation and licensing; the law of arrest, search, and seizure; civil causes of action; criminal culpability and the private security industry; and evidentiary issues. These chapters help the reader understand how complex areas of the law relate to the security profession.
</p>
<p>As both an attorney and a professor of security management, I would refer to this book because it presents statutory and common law elements and legal explanations in a straightforward manner, while also presenting case law and helpful study questions. I appreciate the standout inserts that allow readers to update their knowledge, as well as the citations of websites, handy tables, charts, and sample forms sprinkled throughout the book.</p>
<p>Bringing it all together are Chapter 7, a model for cooperation between public and private law enforcement, and Chapter 8, a compilation of seminal case law. Nemeth has this to say about the roles of public policing and private security: "Factionalism is surely not a fixed state for either side of the policing model. What appears more likely on the horizon is the recognition that these are two armies operating under one flag."</p>
<p>I highly recommend this book for the classroom, the security practitioner seeking to know more about the law, and the lawyer representing a security provider as a client. This fifth edition is a monumental work, deserving of space in the libraries of students, lawyers, and security professionals.</p>
<p><em>Reviewer: Lydia R. Wilson, CPP, is an attorney admitted to practice law in Virginia, New York, and Florida. She is a member of the ASIS Information Asset Protection and Pre-Employment Screening Council.</em></p>

UPCOMING EVENTS AND EDUCATION

25 July 2018
Preventing the Next School Shooting (Webinar)

26 - 27 July 2018
ASIS International African Security Conference (Lagos)

08 August 2018
Safety and Security During After School (Webinar)

15 August 2018
Collaborative Leadership: Security and IT (Webinar)

22 August 2018
Protecting Soft Targets from Active Shooters (Webinar)

23 - 27 September 2018
GSX (Las Vegas)

21 - 26 October 2018
Wharton/ASIS Program for Security Executives (Philadelphia, Pennsylvania)