Industry View

by: Guest Blogger - Monday, June 18, 2012
John Dillard
President, Big Sky Associates

Businesses face a multitude of security threats—from leaks to targeted attacks—that can compromise closely guarded information and day-to-day operations.

Often, the source of the threat comes from within the organization—from individuals with knowledge that would allow them to exploit the company’s security, systems, products or facilities. And, whether the act is white-collar in nature, sabotage or violence against personnel, the effects can be devastating to a company’s operations and financial stability.

The good news? Risks can be minimized by developing a strategic planning framework that addresses threats from insiders. Organizations can address this threat by focusing on improving personnel security, information security, counterintelligence, and training and awareness.

To minimize risk, the process begins with a current-state analysis. This is an inventory of existing programs, practices and initiatives that address the insider threat. Once the analysis is complete, organizations can identify focus areas and develop strategic objectives.

Three strategies can work together to help organizations evaluate and address threats from within: deter, detect and neutralize.

Deterrence helps prevent insider threats to critical information, personnel and facilities. This is accomplished by focusing on personnel security and suitability screening, awareness and training, continuous evaluation and information sharing. Organizations should inform employees that a detailed security plan is in place to protect the company. Additionally, organizations should remain vigilant and identify employees who pose potential threats, and then communicate between departments about those potential threats.

Detection is the process by which organizations identify insider threat activity and safeguard their resources. Focus areas include counterintelligence, managing the risks associated with information and data transmission, and security auditing and monitoring. This strategy works to protect an organization’s resources from threats and actively seeks to identify suspicious activity.

Finally, neutralization is the means by which organizations respond to hostile insiders, as well as additional threats and vulnerabilities. This is achieved through surveillance and monitoring, the use of informants and employing preventive measures. When threats are detected, organizations must investigate the source in order to bring an end to the current situation and take steps to prevent similar attacks or breaches from occurring again.

The specific vulnerabilities and risks vary with each organization. That is why it is important to develop an overall framework to address insider threats once a company’s strategic objectives and focus areas are mapped out.

Big Sky Associates recently helped the U.S. Army’s Deputy Chief of Staff for Intelligence develop a strategic planning framework in the wake of the Fort Hood shootings and WikiLeaks debacle—two cases in which an insider caused considerable harm to the organization. After an inventory of on-going work and the steps in place to mitigate insider threats, Big Sky developed a concept for the Army using the deter, detect and neutralize model. The framework included the final step of effecting change once the first three were completed.

The Army established objectives for each initiative, beginning with enhancing their deterrence procedures by improving personnel security and information sharing, as well as better education and training. To better detect threats, the Army turned to the use of leading technologies, which allowed the organization to manage information faster and more effectively.

To neutralize and exploit threats, the Army relied on its existing security programs while actively working to identify new methods and techniques. And with the final goal, effect change, the Army partnered with internal and external stakeholders to implement the vision of the strategic planning framework and improve the effectiveness of the new security program.

Big Sky also helped the Army create a database to track funding across each of the initiatives within the scope of the security project. And, the company developed risk scenarios and recommended courses of action, as well as a portfolio management methodology to help the Army measure the effectiveness of the new initiatives against the status quo.

Today, the Army’s intelligence operation has a strategic planning framework in place to address the insider threats, and the processes are being shared across the Department of Defense as a potential leading practice to be adopted by other groups.

The objectives developed for the Army can serve as a guide for commercial organizations to address their own security concerns and reduce the risk of insider threats.

John Dillard is president and co-founder of Big Sky Associates, a management consulting firm. Prior to Big Sky, Dillard was an intelligence officer with the U.S. Navy and a lieutenant with the U.S. Navy Reserve, where he is currently listed as inactive reserve.

by: Guest Blogger - Monday, June 11, 2012

Editor's note: This post is a response from J.C. St. John to my initial post about the debate over the use of the word "guard" versus "officer" when discussing private security professionals.

Another example of language getting sloppy. Since the words can be traced back to origins that had more specific meaning at one point, deciding to diverge from that meaning without good reason seems to be just plain, bad English.

If the words were used more true to their past, the word "officer" would be reserved for someone who had powers representative of a parent authority (not just a parent entity but one of authority). A police officer is empowered by the Sovereign with an arrest authority and immunity from certain related liability for arrests and reasonable/authorized use of force. Probation officers represent the Sovereign. Corrections officers represent the Sovereign. There are a number of other public officers. All represent the Sovereign and generally have some degree of protection from liability for acts under the color of authority.

In a related sense, a corporate officer is empowered by a corporation—itself empowered by the Sovereign (though not as a power representative of the Sovereign itself obviously)—with powers relating to the corporation and some degree of protection from personal liability for acts done on behalf of the corporation.

So, with any security personnel, the question as to whether or not they are an "officer" is dependent on the power they have and from whence it came. Security personnel who are empowered by some sort of state or federal scheme and authorized to arrest under some authority of the state (outside of a common law citizen's arrest) could be accurately called "security officers." Really, though, they should also be granted some level of immunity for official acts. (Notice how "official" has the same root.)

Operating in the Commonwealth of Virginia, I see this nomenclature sloppily applied on a regular basis. Security personnel are called "security officers" by the state regulatory agency. Unarmed security "officers" are not granted any extraordinary arrest authority (but they are trained and registered under the state schema). Unarmed "officers" are trained to "deter, detect, and report." Armed security officers are trained to be more engaging and they supposedly have "arrest authority"—though it's one that is very limited (largely related to retail loss prevention) and without any immunity from liability. So, for registered armed security officers in Virginia, the title is just barely appropriate.

Guards (and guardians) have a protective duty that doesn't assume any sort of engagement that isn't directly related to protective actions—and their authority isn't necessarily derived from a higher authority. One can hire private guards to protect assets, but that doesn't mean that those guards have any authority (outside of the usual citizen's authority) to the conduct of their protective actions. Here too, though, the root and historical use of the word isn't precisely connected to more modern usage. Traditionally, guardians not only had the power to protect something/someone but also a legal DUTY to do so. (See also "fiduciary" and compare to "agency.") I suspect that a lot of modern day "guards" aren't also liable when they fail to protect.

So, to summarize, officers assert an authority granted to them by some greater power (usually a sovereign power—directly or indirectly) and guards protect things or people not necessarily with a grant of power from the Sovereign or a greater power. If you are a private citizen with no recognition or empowerment from the Sovereign and you're doing protection work for a private entity then chances are you're a guard. If you have been empowered by the Sovereign to assert some level of authority (like arrest authority) or you work as an agent of the Sovereign, then calling you an "officer" isn't inaccurate.

by: Guest Blogger - Friday, May 25, 2012
Renae Leary
Tyco Integrated Security

Business operations in today’s market increasingly take on a global approach. Many of today’s growth-oriented businesses tend to extend operations to other states and countries once solidifying success in existing markets, and this trend will only continue to accelerate. Corporations conduct business with a number of entities in a variety of locations and their customers can be as close as Poughkeepsie or as far as Peru.

The global approach to business drives a need, desire and requirement for a streamlined approach to security. Technologies, services and procedures need to be managed from a centralized location to bring not only increased security and safety, but deliver long-term ROI and business efficiencies to the customer. A security systems integrator dedicated to providing a high level of service and innovative technologies to multinational customers is an ideal partner for an enterprise security leader. Therefore, such a customer’s security program requires a structured approach from a single service provider to bring a worldwide security program together successfully.

One Worldwide Partner
Whether you’re a C-level executive at a large, multinational enterprise or a smaller corporation with various locations, it is ideal to rely on a single set of security standards and ideally a single service provider to fulfill security needs. With one systems integrator, there is no more searching through databases to determine who to call for a specific need or looking for someone to address critical concerns quickly. When an organization partners with a global vendor, they are provided with one point of contact for all their needs, while streamlining technology and service deployments across the globe.

As security solutions have become more complex, IT-centric and network-based, a knowledgeable solutions company can execute cohesive logical and physical security installations across the globe, which is critical to ensure consistent and cost-effective operations. This approach also lends itself to more efficiency in the enterprise and assists in defining management objectives. With this in mind, enterprise organizations are ideal candidates to contract a single integrator for all their physical and logical security solutions. An experienced service company will provide one team for all plans and devise cohesive and well-executed loss prevention, security, business management, and risk assessment goals and strategies.

There are many options available to the enterprise that wants to leverage logical and physical security on the network. Software platforms, such as physical security information management systems, can be deployed and managed in-house or in the cloud. IP or analog surveillance is another consideration, as well as access control ranging from simple single door control to managed access. The possibilities for effectively managing physical security and logical network controls are endless and it takes a comprehensive solutions provider to provide a robust plan and the personnel needed to effectively deploy a worldwide security program. A single-source technology and service provider that is experienced in global operations connects the end user enterprise to all the efficiencies of the network and streamlines business on the IT network.

A dedicated, experienced security systems integrator will also know and easily grasp the pain points of global customers. These providers critically understand the local and regional regulations and legalities of overseas operations; effectively plan and execute, and communicate regularly; consistently follow project status; and update and maintain services and software. This frees management of these day-to-day tasks to allow enterprise security teams to focus on their vision and roadmap of building a successful security and business analytic program across the globe.

Building a ‘standard’ system
Consider a sole integration company your single source of command and control. A single source provider that acutely understands business here and abroad can help organizations standardize technology and services no matter where a company conducts business or has facilities. A dedicated team focuses on delivering integrated enterprise security projects in a consistent solution. Hands down, customers who standardize on products and services realize immediate and long-term cost efficiencies and improved levels of security. By partnering with a security integrator that can deliver a consistent level of support and security systems across the world, customers have access to dedicated account management, and the latest updated product and services specifically tailored to an organization’s needs.

Trusting a security program to an experienced systems integrator delivers the same type of service in one location as it can at another 5,000 miles away, and allows security practitioners to realize significant savings in time, resources and money. The real value to a global company is the consistent integration of systems to provide central control through a single point of contact, delivering peace of mind to the security team and C-level executives.

by: Guest Blogger - Monday, April 30, 2012
Steve van Till
CEO, Brivo Systems

BETHESDA, Md.—I attended TechSec earlier this year, and I’ve just returned from ISC West, and it’s clear to me that many people still don’t understand the difference between real cloud solutions and products that merely connect to the Internet. It’s equally clear that many vendors are not helping matters, and are in fact actively confusing the market.

Let’s begin by reminding ourselves what the cloud is all about. At a bare minimum, “cloud” unequivocally implies “hosted.” The National Institute of Technology and Standards has published the most widely accepted and universally referenced definitions of cloud technology (NIST SP 800-145), and every one of them includes the concept of hosting.

In practical terms, this key definition excludes systems that merely support connections to the Internet for remote access. Think about it: If Internet connectivity was the main criterion, your PC with an AOL account in 1995 would have qualified as a “cloud system.” In our industry, IP-based security products connected to the Internet solve many important problems, but they are not cloud products in and of themselves. To say otherwise is highly confusing and is a disservice to customers.

A common offender in this regard is the new breed of IP security appliances—not the products, but the marketing. First, let me say that I fully believe there is an important niche for products with an appliance architecture. For end users who can’t yet wrap their heads around the cloud, it’s a comfortable alternative to the complexity and expense of legacy server designs. But making the leap from a local device that can be remotely accessed through holes in the customer’s firewall to “cloud-based system” is a pretty big fib indeed.

A second point of distinction: Simply moving a software application from a local server to a third-party data center does not make it a cloud application.

Here again, we look to NIST to clarify matters: Cloud systems are distinguished by multi-tenancy, metered usage, rapid provisioning and massive scalability. Think about it this way: If you have a server with an old application architecture, and you move it 1,000 miles to someone else’s data center, have you transformed it into a cloud application? No, you have not; in fact, you’re just playing hide-the-server. And hiding the server won’t magically support thousands of end-user organizations (scalable, multi-tenancy) or suddenly be any faster for new users to provision.

Common offenders at the recent ISC event were typically old-line software systems that needed a fresh coat of virtual paint to get gussied up for the show. In one of the more egregious examples I saw, one company claimed to be offering a security system “using cloud-based protocols.” Ummm … that’s just good old IP.

They can call it cloud, but this was just an old-fashioned case of remote access. Clearly, marketing departments are eager to shoehorn the word “cloud” into their publicity and literature. It’s no wonder people are confused.

So, where are the real cloud applications? By category, the biggest emerging crop is in video surveillance, variously known as hosted video or Video Software as a Service (VSaaS).

Many of these are true cloud applications because they are:

a) hosted;

b) multi-tenant, supporting numerous customers in a single instance;

c) massively scalable;

d) sold per-camera-per-month as a metered service.

There were many examples of VSaaS at the show and this whole area of the industry is still developing in terms of pricing, features and market fit.

My hope is that as customers become better educated about the cloud, we will see less misapplication of the term. For those of us in the cloud business, it is our job to provide leadership, clear away confusion, and help them along.

Steve Van Till is president and CEO of Brivo Systems, a provider of software-as-a-service applications for security management based in Bethesda, Md.

by: Guest Blogger - Monday, April 9, 2012

By Catherine Penizotto, The Loss Prevention Foundation

My, how things have changed! Gone are the days when the primary function of the Loss Prevention department was simply physical controls, weeding out the dishonest associates, capturing shoplifters and controlling shrink. No longer is the sheer quantity of resolved cases and a good shrink number a valid gauge of effectiveness. So what’s on the plate of the LP professional in today’s fast changing, more risky, higher stakes and technology laden world? Physical security, dishonest associates, shoplifters and shrink are now joined by safety & risk, organized retail crime, fraud, data protection, crisis management, business continuity, supply chain, mobile technology, e-commerce, and workplace violence to name a few. That’s a complex and heavy load, not for the faint of heart, and today’s professional must be equipped and ready to handle it.

As leaders of Security Management it is incumbent on us to build a team of talented, driven and diverse individuals with the mettle to handle the complex role of loss prevention.  While it was once possible to allow our teams to learn as they grew into their role, it’s too risky to take that approach in today’s world. The bar has been raised for new talent pursuing a career in loss prevention. Entry level LP management positions that require a Bachelor’s degree are now the norm but even that benchmark is being one-upped with many companies now looking for additional credentials that set applicants apart from their peers.

The LPQualified (LPQ), an entry level & junior management certification which provides those very credentials that set applicants apart, was developed in collaboration with industry professionals and academic partners powered by The Loss Prevention Foundation. An entry level or college graduate’s LPQ designation tells a story about the applicant even before the interview. It indicates the applicant has an understanding of the fundamentals and broad base-level knowledge of the loss prevention industry. It also indicates the applicant is specifically looking for a career in this field, not just a job until something else comes up. Finally it shows the applicant is savvy and astute in credentialing themselves at the entry level making them a desirable applicant and giving them more choices now and throughout their career.

While building a talented team is crucial, it is as critical, as a security leader, to continue our own education and stay versed in this ever changing industry. The LPCertified (LPC) is an advanced certification for experienced professionals or executives such as Security Directors wanting to test or broaden their own skill profile. The LPC certification course covers advanced functional areas that the professional may not have been exposed to over the course of their career. In short the LPCertified professional is well prepared for additional roles and responsibilities as companies streamline function and look for ways to do more with less.

As an indication of the credibility of certifications, over 45 companies now prefer LPQ or LPC credentialed applicants over their job-seeking peers.

With the current environment of high stakes, high risk, and high technology, the LP industry, through certifications such as the LPQ and LPC, is now replete with knowledgeable professionals equipped to handle it.

For more information about these certifications visit The Loss Prevention Foundation.

Catherine Penizotto is Academic and Retail Partnerships Liaison at The Loss Prevention Foundation.

by: Guest Blogger - Monday, March 19, 2012

By Andrew Wren

Who thought we’d see the day when a popular brand of laundry detergent would become the main target of organized crime rings and make nationwide headlines? It is the unpredictable nature of these crime waves that shows us why LP professionals must maintain the strictest of controls, watchful eyes, and agile responses to effectively combat not only organized retail crime (ORC), but also any kind of loss-causing activity.

It took retailers struck with the recent “grime wave” some time to realize the extent of the thefts. By the time they examined and addressed the problem, they racked up hundreds of thousands in losses. Stopping ORC is a moving target and always will be. To identify emerging ORC trends, retailers can rely on a variety of methods and technologies that will enable them to respond quickly in order to protect merchandise, curb losses of high-value targets, and ideally catch the perpetrators.

Use data, security equipment to see trends, deter theft

Technology gives retailers a clear view into transactional trends and inventory accounting data. Any retailer should be looking at analytics around the items that they know to be high-value targets to look for trends that might indicate something suspicious is happening within a certain category of product, or to spot possible return fraud rings.

In addition, retailers have long relied on video. However, retailers should periodically reassess to determine if they have the right surveillance coverage to yield the maximum benefit, based on an understanding of criminals’ patterns.

For example, a retailer may have full video coverage of fire exits, but camera angles can only detect activity rather than provide a clear facial image of individuals exiting those fire doors. In most cases, an identification shot is needed at the exit due to a large number of “push outs.” Video captured near exterior doors should also be set up to clearly capture the license plates of any suspicious get-away cars. Or maybe video coverage has been focused on the jewelry and electronics cases but needs to be set up in the health and beauty aisle based on new ORC crime patterns. It’s important to reassess needs and high-risk areas frequently and to adjust technologies as necessary.

If push-outs are occurring at fire exits, retailers should investigate options for reducing the likelihood that criminals will take advantage of these hidden exits. Some push-to-exit systems now offer a 10-second delay between the time when the button is pushed and when the door opens, deterring this kind of activity.

Public view monitors (PVMs) offer precise, at-the-shelf video coverage, which can deter criminals and provide close-up video in case of theft. Today’s PVMs are easy to mount and deploy and offer a cost effective way for retailers to shift video coverage easily as ORC trends change. Whether placed at checkout, by doors or in the aisles as close as six to eight inches from merchandise, PVMs are masterful ‘tools of deterrence.’

Check and double-check your processes

Retailers are brilliant at setting the strategy and design of processes that make operations run as efficiently as possible. However, implementation in different locations with different people presents a multitude of challenges.

To identify signs you’ve been hit by ORC, these processes should be ironclad across a retail organization:

  • Regular, frequent “merchandising” walk-throughs by store managers to take a visual inventory
  • Employee training to ensure they appropriately report suspicious activities in the store
  • Testing and evaluation of security equipment

By auditing these processes regularly, retailers can verify consistency across all stores. For example, an audit of the store walk-through process should seek to establish if the store manager conducts visual inventory checks to identify things that don’t seem quite right. Is there a system for any store employee to report or further investigate oddly low inventory of product? Are back end systems used to verify increased sales to accommodate for low product? Are suspicious findings tracked in a central database and shared with key executives across the organization?

Retailers should ensure that processes are in place to help identify problems early and that these processes are consistently implemented throughout all stores at all times.

Connect the dots

LP professionals are intuitive, responsive and great at problem solving in creative ways. In most cases, the challenge is seeing the forest for the trees. Connecting the dots through information sharing is difficult because of communication challenges. Technology lends a hand in this area, allowing stores to communicate and share information from emails to data to video clips and audit results. If any problem is suspicious and plaguing one store, chances are the same problem is plaguing at least one other store. LP professionals should share, communicate and collaborate. Technology and new social media channels make it easy—retailers need only have programs and guidelines in place for doing so. Retail associations are also working to encourage sharing of information across the entire industry. This can make a big difference in identifying tactics that work and ensuring those best practices are shared to protect the entire industry.

Because retailers can never predict what the next ORC wave will bring, they must be positioned to see the trends and act on them to stop the losses from walking out the door.

Andrew Wren serves as chief executive officer of Wren Solutions, a loss-prevention technology provider helping leading retailers reduce loss and increase profits. Wren is responsible for corporate and product strategy, leveraging his more than two decades of security technology expertise.

by: Guest Blogger - Monday, February 27, 2012

By David C. Sawyer, CPP

Sometimes tragedy creates change for the better—a sad reality that is being illustrated on campuses across the country as an increasing number of colleges mandate background screenings for students, particularly those enrolled in health science programs.

While this call to action appears to be more prevalent for students whose training will place them in clinical settings, such as hospitals, pharmacies and social agencies, there is a sound argument to be made for background queries, if not full screenings, for all college-bound students … and for annual checks while the student is enrolled on campus.

In fact, this may be the ultimate lesson learned from the infamous April 2007 incident when Seung-Hui Cho, an English major at Virginia Tech, killed 31 and wounded another 25 students and faculty before taking his own life. According to published reports, it was later learned that Cho had been diagnosed and received therapy for severe anxiety disorder while in middle and high school; however due to federal privacy laws, Virginia Tech was not informed of his previous diagnosis.

The massacre has prompted more schools to at the very least inquire about disciplinary issues, acts of violence or criminal convictions of students while in high school. While not all colleges are conducting a comprehensive background screening—for criminal convictions and/or against the sex offender registry—an increasing number are checking into self-reported problems appearing on college applications or on students with unexplained gaps in their school careers.

And, according to a 2009 survey conducted by the Center for Community Alternatives (CCA) in collaboration with the American Association of Collegiate Registrars and Admissions Officers (AACRAO), a majority (66%) of responding colleges collect criminal conviction data, although not all use it in the admissions process. Self-disclosure through the college application was the most common method reported for collecting the information.

Perhaps most eye-opening is that only about 16% reported conducting a background check on college applicants. An affirmative response to the background check survey question could mean the school checks all applicants, only applicants to certain programs, only those who disclose a prior conviction or those whose application raises a red flag for any number of reasons such as a gap in school attendance, multiple schools, dishonorable military discharge, etc.

Certainly, conducting even minimal level background checks is beneficial, but there exists a number of compelling reasons for colleges to consistently check for criminal records. In addition to keeping their campus safe against acts of violence, this preventive measure can protect a school’s reputation and safeguard against potential lawsuits.

This is not to say that college entrance should be denied based on a minor offense—consideration of the type and level of criminal conviction should be taken into account. School policies should differentiate between past imprudent teenage behavior and students whose records indicate they pose a current threat. That said, all colleges would benefit from an awareness of who is on their campus and living in their dormitories … with the appropriate precautions taken.

But collecting appropriate data is just part of the equation when conducting background checks on students. Institutes of higher education that decide to implement such a policy cannot do so on a wing and a prayer. Working with school administrators, Human Resources departments should take the lead on developing a comprehensive written policy and a stringent set of procedures specific to their college or university—not a mere “cut and paste” of another school’s policy.

While contemplating strategies for screening students, colleges and universities should take time to review their policies pertaining to the screening of faculty, staff and contractors as well. Fortunately we know of no physical harm stemming from the fairly recent discovery that a school videographer working as a contractor at the New England Conservatory of Music in Boston is a registered sex offender, but the media firestorm that followed had the school scrambling to explain the oversight to students as well as parents.

Instituting screening policies will certainly come at a cost to schools, financially and in terms of time; but avoiding potential tragedy before it strikes is a priceless commodity.

Most people would agree that employers should bear the responsibility to provide a safe work environment—colleges should do no less.

David C. Sawyer is president of Safer Places Inc., a Middleboro, Mass.-based firm that specializes in pre-employment screening, security consulting, and tenant screening.

by: Guest Blogger - Thursday, February 16, 2012

By Michael Ramstack, Senior Security Manager, Covance Laboratories

Many law enforcement professionals make a natural transition into private sector security. However, many get to the private sector and find a very different environment than the one they're used to in the public sector. They struggle with that transition and can't understand why they are not being effective, especially since they were very successful in their law enforcement career. What someone in this position needs to understand is that their new role is not about power or authority. It's about influencing the organization based on their knowledge and experience.

The goal is to get the organization to understand the importance of security policies and practices in protecting the organization's people, property and assets. To succeed in that goal, you need to know what steps to take in order to influence your colleagues and generate the support for what you want to accomplish. Security is not as black and white as law enforcement tends to be. Below you will find four tips which can help you make a transition from the public to private sector a successful one.

1. Change Your Mindset
You need to change your mindset from an authoritative one to a persuasive one. Law enforcement is a very authoritative position, which inherently comes with a lot of power. In this position you spend time telling people what they can and cannot do based on the law. If they don't follow your direction there are consequences for their actions. Additionally, law enforcement supports an authoritative mindset with a rigid staff and command structure. In these structures, orders are given and the expectation is they will be followed. If they are not, there are consequences for those actions. Many law enforcement professionals walk into the private sector and think they can give orders and they will be obeyed. However, the reality is this is the worst way to approach the security mission in a private organization. In order to be successful in your new role you need to take some time to understand the culture and how it views security in its current state and how security impacts the current operations. You need to get to know the organization and become intimate with what and how it delivers its product. If you want to be persuasive then you will need to understand the big picture and how security impacts the organization and those processes. Then, and only then, can you begin to make the best decisions and have security be accepted into the organization's culture.

2. Change Your Approach from Reactive to Proactive
Law enforcement professionals spend most of their time being reactive to calls for service or behaviors and activities once they are already occurring. Security is about being proactive to reduce the risk of something bad happening and limiting the impact if it were to happen. Being proactive can come in many forms, such as a robust workplace violence program with the intent to head off the behavior before it turns negative. Educate the organization about the costs of taking proactive steps to protect your company from security concerns and how they are far less than the cost of having to react and recover from an event.

3. Get Buy-In
Know how the current security processes will impact each business unit, and the impact of any changes to those processes. Then take the time to explain and educate all those impacted as to why a certain security process is needed. Get them to understand and accept the need and agree with the solution. Once there is agreement, the most important element is to then get them to commit to support the decision. The best way to get agreement and support is to ask them for their input and suggestions as to how they think the security objective could be accomplished. As professionals in our industry, we sometimes think we always know the best answer, but sometimes input can lead to a different option with less impact on their processes, but still deliver the same security goal in the end. Keep in mind that there is always more than one solution to every security problem, so you need to be open to their input. Your role is to take the input and apply your skills and expertise to create a solution that accomplishes all interested parties' needs, with the bottom line supporting the security objective. Once you can learn to do this, your objectives will become more accepted and supported.

4. Educate, Educate, Educate
You will spend an enormous amount of time educating the organization on the reasons why they have security and why security is important to them. Many organizations have security professionals, but honestly most employees don't really understand why or what they do. You as the security leader need to market your group and show the relationship between the business being successful and having good security practices. Remember your experiences in the "real world" are very different than those experiences most of your new colleagues in the private sector have had. Most people go through life never experiencing the "bad" in other people and therefore their perception is that most people are good and bad things don't happen. The biggest hurdle you will face is being questioned as to why certain procedures are needed when "that sort of thing never happens here." Don't get frustrated. Understand their perception of the "real world" is based on their limited exposure to bad experiences. You need to figure out how to get your organization's leadership to understand the need behind security and show them that the cost of having security is important, that the value you bring is immeasurable, and prevention outweighs any cost.

Remember, your new role is about influencing the organization's decision makers. You accomplish this by creating buy-in through working together and by educating and marketing security as a critical component of the organization's success.

Michael Ramstack is senior security manager at Covance Laboratories in Madison, Wis. Prior to his current position in the private sector, he served as a police officer in a suburb of Milwaukee for 13 years.

by: Guest Blogger - Wednesday, September 7, 2011
Martin Huddart
ASSA ABLOY

Recent developments in door opening technology have empowered today’s security directors to play a neat trick. Walk into a building, any building—a corporate office, a hospital, a school. Now select a door, any door. Look at the assets behind that door. Voila: an opening technology is available to match the exact security risks and needs for that specific door.

This is pretty mind blowing if you think back just a few short years ago when the only options for securing a door—regardless of the assets under protection—were either a relatively expensive hardwired, online access control system or a simple mechanical lock and key. Medium security openings that fell in the middle of this spectrum left security directors with the difficult choice of under-securing or sometimes over-securing and over-paying for a door.

Today, you’ve got options in this world of ‘medium security’. And best of all, especially in our tepid global economic climate, they don’t have to cost you a fortune. It’s now possible to implement varying degrees of access control at each opening that mesh together and operate seamlessly with the enterprise access control system to create a fully secure facility. All of this is possible thanks to innovation in a place you may not have been expecting it: the humble lock.

To understand the capabilities of this new class of locks, it’s helpful to look to the past. For years, traditional access control systems consisted of a host computer connected to controllers that connected to electrified locking hardware. The host computer, usually located in a security office, serves as the brains of the system and links to the controllers through long runs of wiring often dedicated to the security system. Additional runs of proprietary wiring then connect a controller with hardware components on multiple doorways.

Lock manufacturers originally offered an alternative in the form of a PDA programmed lock. Sure, these locks were relatively inexpensive, but generally required proprietary lock software and lots of ‘sneaker power’, as guards had to run from door to door to get transactions or change access rights.

Technology marched on and wireless technologies enabled locks to communicate with panels wirelessly, which brought many of the features of online access control at a lower cost than a wired opening. Not only are these ‘wire free’ openings less expensive to deploy, they can work with the same enterprise access control software that manages the online wired openings. Some of the savings come from fewer wire runs to the door, and other savings come from the integrated designs of locks, where readers, request-to-exit (REX), door position switch (DPS) and locking devices are integrated into a single device that takes about an hour to install.

The next evolution was to tie locks into the existing IP network infrastructure to lower cost even further by avoiding the need for proprietary hubs and access control panels. Using smarter locks (essentially the panel is in the lock) and standard Wi-Fi access points, access control can be added for roughly 50% of the cost of wired access control per opening. Other variations use the same IP-based technology as your VoIP phone. Power over Ethernet locks give end users full, real-time access control with all the same features you get with traditional access control for about 75% of the cost, and you still get to control the lock from your favorite enterprise access control system.

Of course, not every opening requires the level of security delivered by online connectivity. But there may still be a desire to frequently change access rights, control the hour each person can access the door and/or track the door access history.

The least disruptive way to achieve this level of offline access control is with an electronic cylinder that fits directly into the existing lock. The cylinder can be programmed to allow access only to specific key holders and can be interrogated to determine who opened a door and at what time. If key control is compromised by a lost or stolen key, the cylinder can be reprogrammed to shut out that missing key. This eliminates the need for replacing cylinders or reissuing keys to a large-scale building population. Electronic cylinders can be used in a very wide variety of applications including cylinders, cam locks, cabinet locks and padlocks.

Keypad locks also fit into the category of offline access control. Like electronic cylinders, keypad locks can be re-keyed electronically. Codes can be changed on the fly if there are any concerns about who has access to different areas of a building. Keypads also have a convenience benefit; not all applications require a key. If the primary concern is controlling traffic to a particular area—say a bathroom door in a commercial building—it may be inconvenient to keep issuing keys to people coming in and out of that building. However, a code can be issued that provides a low-level, but more convenient type of security.

The number of available options for controlling access to medium security doors is at an all-time high. By combining components, leveraging existing network infrastructure, and emphasizing convenience features, modern technology has created a much broader set of products than $300 mechanical locks or $3,000 online access-controlled openings. This allows for the selection of the right product to provide the right level of security within a given budget.

Martin Huddart is Vice President of Electronic Access Control at ASSA ABLOY Door Security Solutions.

by: Guest Blogger - Wednesday, June 29, 2011

By Rolland Trayte, FutureSentry

Parking areas are challenging spaces to secure because they vary greatly in size, geographic make-up, location and risk profile. Parking lots provide vehicle and customer access to area businesses and are oftentimes one of the most traveled areas in a city or business district. Therefore, security managers must take the appropriate steps to make parking areas as safe as possible, because an enhanced approach to security and safety in these areas can only boost economic activity.

Unfortunately, there are very real reasons to feel unsafe in parking lots or garages because these spaces, due to their nature, are ideal places to commit crimes. Security guards are often charged with patrolling and monitoring parking lot activities, but this approach has its limits as it is not possible for security personnel to be everywhere at one time. Parking lots must be managed and monitored 24/7 to provide residents, employees and customers with a feeling of security, and advanced technology solutions can augment the capabilities of traditional security guards to increase safety and deter crime.

When evaluating enhancements or changes to existing security programs and technologies at parking areas, it is important to conduct a thorough review of the background issues and the environment that is contributing to security concerns. How are these issues currently being addressed by security patrols and technologies?

Security managers should review incident reports and benchmark incidents at one area with comparable facilities. Are your garages more successful at deterring crime than others? An assessment of each parking garage’s physical and operational characteristics must also be completed. All of these steps will help determine what mix of security personnel and security systems is most beneficial for your facility.

Detection Through Intelligence
Innovations in motion sensors and advanced algorithms enable the development of a new kind of automated detection technology that mimics the actions of traditional security guards. These systems are applicable in a variety of environments but are especially well suited for parking lots. These systems leverage built-in intelligence to automatically identify potentially dangerous targets within 1,000 feet and once detected, track objects to deter criminal behavior. Once it detects motion in a user-defined area, the system illuminates activity with a high-intensity LED light, and rotates to and from the detected activity. Once motion is no longer detected, it will conduct an area-wide search. If no additional movement is found, the system will conduct regular patrols of an area, scanning for unusual behavior, detecting criminal behavior before loss or damage occurs.

The system described above engages in the same motions and movements as a patrolling security force, enabling security personnel to focus on other tasks, such as ID badging, inspecting vehicles or observing suspicious behavior. Business operations and security are maximized while maintaining a secure perimeter, and this is especially true in parking facilities with limited budgets.

Safe Passage
The most common crimes that occur in parking facilities are theft and vandalism but other more violent attacks, such as abductions and carjacking, are also real risks. To limit the occurrence of such incidents, facilities must have a solid security plan in place that incorporates personnel and technology, and evaluates environmental design.

Lighting is another important factor in keeping facilities secure. Proper lighting not only helps people feel safer, but it can also deter crime dramatically. Lighting is commonly used to enhance safety by increasing visual range during night hours and ensure a minimum level of visibility. Furthermore, lighting also has value as a deterrent to crime. It can be challenging to effectively illuminate small areas or corridors, such as those between parked cars. Since an automated detection solution tracks motion within 1,000 feet, it leverages the power of its built-in LEDs to shine light on those confined areas when it detects motion.

An automated detection solution can also be used in place of having security personnel escort customers or employees to their cars in the evening. The system tracks the person’s movement, shining its high-intensity lights on the detected area. Not only is the system illuminating the person’s activity to keep them safe and increase visibility, it deters potential criminals from approaching the individual. Therefore, the technology is useful both for providing peace of mind for shoppers and employees and for keeping criminals at bay. Combined with the additional feature of two-way audio, the system is a customer service tool as well as a security tool.

A True Solution
Although video surveillance plays an important role in monitoring activity and reducing crime in parking lots, it is only truly effective when it is being monitored in real time. Without 24/7 monitoring, it is not possible to respond to an emergency situation.

Automated detection systems work independently to continually monitor activity in high-risk areas. When cameras are leveraged alongside an automated detection system, the solution can be used for both proactive and reactive purposes, including investigations and crime reconstruction. The integration of high-resolution or HD surveillance cameras enables security teams to gather high levels of detail, while IP cameras enable remote monitoring of the system, providing even more ROI.

Another benefit of integrating cameras with an automated detection system is that it provides guards with an avenue in which to make an assessment of a situation before responding. This provides an additional layer of situational awareness.

The issue of parking garage security and the level of inappropriate and illegal activity that occurs on these premises continue to receive considerable attention. Facilities must establish security policies and practices as a way to enhance the business and entertainment environment, and mitigate the negative impacts of crime in parking areas. Automated detection technologies provide continuous patrol of a parking lot or garage, act as a significant deterrent to criminals, and provide reassurance to customers and employees. Overall, a multi-layered approach to security that includes experienced personnel, innovative technologies and strong procedures will create a safer and more secure environment, and reduce undesirable activities.

Rolland Trayte is president and COO of FutureSentry. He can be reached at rollie.trayte@futuresentry.com.
