sdnTVnews

Last week, I traveled down to Orlando, Fla. for a preview of the ASIS International conference in September. We took some incredible tours including a behind-the-scenes look at Kennedy Space Center, just days before the second-to-last shuttle launch (see story here), Daytona International Speedway (story here), and the upscale Mall at Millenia (story here). We also had the opportunity to participate in some military simulation training programs with Cubic Defense Applications, which resulted in one of the best adrenaline rushes I've had in a while. They let us "drive" hummers through simulated streets of Afghanistan (it felt so real I got a little motion sick) and shoot "real" weapons (equipped with lasers) while running down an abandoned alley. When I "died" I'm pretty sure my heart stopped beating and I will forever have the image of that guy pointing a gun at me appearing out of nowhere. It was a pretty awesome day, especially since we ended it with a quick stop at the Harry Potter theme park ride at Universal. It is Orlando after all.

As you might be aware, Orlando is an epicenter of tourism. We sat down with some folks from Visit Orlando who told us that the region has 50 million visitors a year, who spend $30 billion. And it's not just people here to see Mickey, either. Orlando has the second largest convention center after Las Vegas.

One of the most interesting discussions was some of the unique challenges that such a high-tourist area presents to law enforcement. Orlando Police Department has a special unit dedicated to tourist-related issues, aptly called Tourist Oriented Policing or TOPS. I wrote about the challenges of a similar department in Anaheim, Calif. for the ASIS seminar in 2009, which focused on how police deal with the constant influx of people to the area.

Corporal Marcus Camacho with the Orange County Sheriff's Office emphasized how crime can impact not only the experience of that person, but it can also have widespread economic impacts on the area. For example, if someone gets their wallet stolen they probably won't come back any time soon, but they'll probably tell their friends and family about that experience and perhaps dissuade those people from visiting the area.

The TOPS department also focuses on being a liaison between private businesses and the police department. They host an online briefing board with information on crimes and suspects as well as ongoing scams. As I said earlier, there are some unique issues in being a tourist town. The police deal with theme-park ticket scams, for example, which would be expected. But one of the most unique scams involves bogus pizza fliers. These scam artists will enter hotels and put pizza fliers under guest doors. If someone orders a pizza they will often try to get a credit card number over the phone. Or, even worse (I think), is when these scammers will actually deliver pizzas that were made in a car or nearby area that are unsanitary and frankly, just gross. Then, of course, guests aren't happy and call the hotel guest services, who in no way promote or allow these fliers to be distributed. It sounds sort of trivial, but it was surprising how many people referred to the pizza flier scam during our visit.

Hotels and law enforcement have also been dealing with a rash of pranksters who call hotel guests and convince them to do the most outrageous tasks, including trashing their rooms. This article in the Orlando Sentinel highlights a ridiculous scenario:

A woman in a hotel took a call from the person who claimed to be a front-desk clerk about a gas leak in their hotel room near Orlando International Airport. She frantically relayed the information to her husband, who was a deputy, mind you. He followed the caller's instructions . . . and smashed the window of his room with a toilet tank.

And he kept following the guy's instructions:
Break the mirror on the wall. Check.
Use the lamp to bash in the wall to get to the trapped man on the other side. OK.
Throw the mattress out the window and jump for safety. Out the mattress went.

And the caller hung up. Guess what? It wasn't someone from the front desk and when a hotel employee showed up, they informed the couple that there wasn't a gas leak. But the room was destroyed. These are the types of issues police are dealing with and a big part of their job has been to educate businesses and tourists about such scams. It sounds ridiculous and outrageous, but such scams have a huge impact on tourist areas.

My advice to you during the ASIS International Seminar on Sept. 19-22 is not to order pizza from your room and don't break any windows, even if someone tells you to.

Just last week, I wrote about the convergence between IT and physical security after Gareth Webley, the keynote speaker at TechSec Solutions, discussed his effort to consolidate security and IT during his tenure as the chief security officer of National City Corporation.

Well, apparently everyone wants to jump on board. I just received a press release from ASIS International announcing that this year's conference in Orlando (Sept. 19-22) will co-locate with (ISC)², a large membership body of certified information security professionals. (ISC)² (not to be confused with ISC West and ISC Solutions) will hold their first annual Security Congress in conjunction with ASIS International. According to the release, the two associations will share educational programming, which I think could be great for security practitioners who may feel intimidated by IT folks and their techie talk.

Why did ASIS make this move? Here's what Ray O'Hara, the president of ASIS, has to say:
“This agreement reflects the rapidly evolving, converging roles of the information security and traditional security professionals within the global business marketplace,” stated O’Hara. “By strategically aligning our organizational resources, our combined memberships of more than 100,000 professionals gain access to core knowledge and best practices across the full spectrum of information and traditional security. The opportunity to connect with one’s security counterpart and to build a solid practitioner network is one of the most valuable benefits to be derived from this relationship.”

It seems fair to say that the more physical security practitioners know about the world of IT, the more valuable they will be to their respective organizations. I'll be leaving room on my schedule to check out some of these educational programs - you should, too.

I took a nice long weekend to recover from my travels to Cabo San Lucas, Mexico for i3 International's annual event followed by a very successful TechSec Solutions in Delray Beach, Fla. (I know, both tough places to be in February, especially when you call Maine home). But no time to relax, we're jumping right into the next round of security conferences.

ISC West Security Conference and Exposition at the Sands in Las Vegas is right around the corner on April 5-7. If you're an end user who's planning to attend the show, I'd like to meet with you. These conferences are a great opportunity to meet face-to-face with folks and I'm always interested to hear about the challenges and successes security practitioners are experiencing out there in the real world. Likewise, if you're a manufacturer or integrator and have some customers who will be attending the show, also feel free to contact me to set up an appointment: LStelter(at)securitydirectornews.com.

Also, don't forget to sign up for the Security 5K. Last year we had more than 300 people from the security industry running the streets of Vegas at 7:30 a.m. It created a ton of buzz at the show so this year we're expecting even more people to participate. All proceeds generated by the race will be contributed to Mission 500, an organization determined to get the security industry to sponsor 500 (or more) children through the World Vision humanitarian organization. The 2011 goal is to raise $100,000, which will feed, educate, clothe and tend to the health needs of more than 300 needy children around the world. Not a runner? Not a problem. It's a fun run, people, do it for the children.

In other conference news, ASIS International announced two big name keynote speakers for their conference in Orlando, Fla. on Sept. 19-22. This year Jeb Bush, the former governor of Florida, will give the opening address on Tues., Sept. 20. And on Wedn., Sept. 21, Vicente Fox, President of Mexico, 2000-2006, will discuss the economic and social challenges facing Latin America. Frankly, I'm very excited to hear what Fox has to say about the political landscape and security challenges in Mexico right now. Mark your calendars.

Now that I've had some distance from the ASIS International Seminar & Exhibits in Dallas, I must say it was an extremely productive show. While it was hectic, as always, I had the opportunity to sit down with several security professionals to talk about their challenges and the solutions they're using to solve those challenges. And, the best part, is that I got most of those conversations on video. I'll be posting new sdnTVnews videos weekly, so be sure to check back often.

One of the common themes from my conversations was that security professionals have to be problem solvers. This isn't news, I know that, but what is new is the complexity of the systems security professionals are using to solve their problems. And, because budgets and C-Suite folks require it, often it's not just about solving the problems of today (although that's critical), it's ensuring that the investment being made today will be robust enough for the future. Let's just say I heard the term 'future proof' more than once.

A significant part of a security practitioners job is to ask the right questions. And, it's not easy to know what to ask when it's all new to you. Plus, it's often made more difficult when we're talking about sophisticated technology and networks and systems that are probably far beyond the expertise of anyone without a computer science degree.

But that's just the day and age we live in and security professionals know one of their most important partners needs to be their IT department. When I sat down with Ramsey Valentine, who is an IT guy as the director of technology at the University of Tennessee, he discussed the process of designing a system using off-the-shelf products (you can watch our interview here). Basically, the university built a new College of Business Administration building and needed to protect the assets in the facility. But it wasn't just all about security. Valentine helped design a system that integrated an off-the-shelf scheduling system with its access control system to allow students to sign up to use the building's meeting rooms. But that wasn't always the plan:

"In the original planning for this system, we thought we might have to have a fully comprehensively built custom system, but the initial pricing for that was so high we decided to use an existing scheduling system we already were using and interface that with our door access system," Valentine said during our interview.

Those are the types of solutions that security folks are having to come up with. It's not always cut and dry and there's not always an easy solution to put in place. Actually, I would say based on my conversations, rarely is there an easy solution. That's why I think it is important for security professionals to get out and attend these trade shows. Valentine said this was the first time he had attended ASIS International and I think he was impressed by how much there was out there. It's overwhelming, certainly, but increasingly important for end users to talk to these companies to find those solutions that may not initially jump out at them.

I also spoke with Bill Crews, director of port security at the Port of Houston Authority, about how he approaches such trade shows (also on video, to be posted soon). Crews is no newbie to the industry and he said he spends the majority of his show time cruising the small booths on the fringes of the floor (that's how he ran into me at the SDN booth, actually). He said that's where a lot of the new technology and innovation happens. Plus, he knows about the big guys and more or less what they're doing. It's the small guys, who often get swallowed up by the bigger guys, that he's unfamiliar with and said he has had success finding some of the more unique solutions this way. I know there's a tendency for end users to stick with the big names, and good for reason. You want to make sure the company you're using today is going to be around tomorrow. That's wise. But I would have to agree with Bill that it's important to check out the new and emerging companies to see what they're doing that maybe the bigger guys aren't betting on yet. That's how you stay on top of these trends and prepare your organization for the technology of tomorrow.

The economy has been bad - that's no secret. Today, I confirmed that economic factors have impacted the security industry's largest association, ASIS International, and in late June the organization laid off some of its staff.

I spoke with Eileen Smith, vice president of marketing for ASIS, and she confirmed the layoff event in June. "There were some layoffs to rightsize the organization," she told me. "We’re facing the same economic issues that most businesses are facing."

When asked if this had been spurred by other factors like reduced membership or lower-than-expected show attendance, Smith said the association would not comment beyond citing economic factors. Fair enough.

A credible source told me that the association laid off somewhere between 11 and 13 employees. According to its Web site, ASIS has approximately 95 full-time employees at its headquarters in Alexandria, Va. By my math calculations, that's about 8 percent of its total staff (assuming all layoffs were at its headquarters and were full-time employees, which have not been confirmed).

Regardless, this is just another sign that security is not immune to economic pressures and hopes for a quick turnaround from last year's recession are probably unfounded.

I subscribe to the Department of Homeland Security's media alert list and most of the time I get news about Secretary Napolitano's travels or budget requests - nothing too exciting or newsworthy. But, yesterday I received a press release regarding DHS's adoption of an ASIS International standard for its Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). This standard, as you may have guessed, is largely about encouraging private businesses to develop and implement business continuity plans (and now receive certification for it) a duty which comes largely under the responsibility of the security department.

"Private organizations across the country—from businesses to universities to non-profit organizations—have a vital role to play in bolstering our disaster preparedness and response capabilities," said Secretary Napolitano. "These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation."

In a press release from ASIS International, the standard (officially called the ASIS Organizational Resilience Standard) "provides a framework for businesses to assess the risks of disruptive events, develop a proactive strategy for prevention, response and recovery, establish performance criteria, and evaluate opportunities for improvement."

Here are some of the bullet points for what the standard can offer:
* Create a balanced strategy for both likelihood and consequence reduction for incident
prevention and management.
* Establish, implement, maintain and improve an organizational resilience
management system.
* Demonstrate resiliency and continuity for supply chain and contractual agreements.
* Assure conformance with stated organizational resilience management policy.
* Implement a maturity model approach to cost-effectively enhance
resilience performance.
* Make a self-determination and self-declaration of conformance with
ANSI/ASIS SPC.1-2009.
* Seek certification/registration of its organizational resilience management system by
an accredited third-party certification body.
* Leverage an existing investment in other ISO management system standards (e.g.
ISO 9001, ISO 14001, ISO 27001, ISO 28000) to improve security, preparedness
and continuity performance.
* Integrate plans for managing the risks of disruptive events into their
enterprise-wide risk management programs, consistent with the ISO 31000 for
risk management.

If you're not really sure how to implement such a standard, ASIS is offering a two-and-a-half-day class on Organizational Resilience: Implementing and Auditing the ANSI/ASIS American National Standard. With all the craziness happening in the world these days, frankly, businesses can't afford not to have strong continuity plans in place.

According to ASIS International's annual security salary survey, it does pay pretty well to be in the security industry. The survey reports that the average compensation for security professionals in the United States this year is up 2 percent from last year to $102,000.

I just got off the phone with Mike Moran, who conducted the survey for ASIS, and he said that while this growth is good (especially in this economic climate), it is down from the average of 4 to 5 percent growth from year's past. Still, it goes to show that security remains a growing and stable industry, and that it's not a terrible way to make a living.

But, one thing that Moran noted as a developing trend over the years is that more and more security professionals in the private sector had backgrounds in the government, opposed to military or law enforcement. That definitely surprised me. The majority of folks I speak with often have a backgrounds in military or law enforcement, but perhaps these results will begin to dispel the idea of security as a "second career."

A lot of this is due to the fact that the government sector provides a good starting point for people to begin their careers in security and while they might not make "rockstar" salaries like some of those in the private sector, the median wages are consistently higher.

Of the 2,000 respondents to this survey (all of whom are ASIS members), he said the biggest indicator of high salaries is the amount of responsibilities of a security professional (i.e. if you lose a lot of sleep, you're likely compensated for it). And, the higher the security budget of a company, the better paid are the security professionals. The survey results also found that educational background doesn't necessarily correlate to higher salaries, although professional certifications does. So having that Master's degree may not get you a better paying security job, but getting your CPP in theory would.

To get the complete breakdown of this survey, you'll have to pay for it (and apparently you can afford it). Check it out here.

During Condoleezza Rice's speech at ASIS this year, the one thing that stuck in my mind was how the attacks of 9/11 were devastating not only because of the actual destruction caused, but because of the use of everyday items:

I would suggest what was scary about 9/11 was that the attacks weren’t missiles. It came out of normal life. They took artifacts of normal life and turned them into the worst attack in America. A bus loaded with bombs, people with a backpack. It’s the daily, everyday stuff around us that’s dangerous.

I just read this breaking news story from the Boston Globe about how a 27-year-old man was just arrested for allegedly plotting with other terrorist organizations to attack a shopping mall in Mass.

Tarek Mehanna and co-conspirators allegedly had multiple conversations about obtaining automatic weapons and randomly shooting people in a shopping mall, including discussions of the logistics of the mall attacks, assaulting from different entrances, obtaining the automatic weapons, and possible attacks on emergency responders.

This type of story is evidence that security professionals (and the public) must always remain vigilant and aware, regardless of the setting.

Finally back in Maine after a long week of security overload. I have an unbelievable amount of emails to go through, calls to follow up on and information to process, but just wanted to put out a few final thoughts from the show floor.

I didn't have a chance to blog about the Women in Security session. Sadly, it was the only educational session I had a chance to attend, but was glad to find a packed room (and the most women I've ever seen in one place during a security event!). I heard many of the educational sessions were very well attended, which I think goes to show how valued education is in this industry. I'm in the process of writing up an actual article about the event, which has become a hot topic following an editorial about how few women nominations we had received for our '20 under 40' process.

The primary message from this session was the struggle for women to compete in a traditionally male-dominated industry. One woman, who was one of the first women to graduate from Westpoint, said that her superiors spent four years trying to make her a man, and she obviously wasn't. There was some humorous, but relevant comments about how one panelist loves to cook, but couldn't bring in baked goods, because that was what 'a woman would do.' What she learned in the end is that she doesn't have to be like a man. She doesn't have to change who she is in order to compete with men and that the leadership skills of women can be very well received and equally (if not more) effective than the approach of men.

Another woman talked about how the only way she felt she could get things accomplished was by convincing people that they had come up with a certain idea and then getting them to sell it. However, she said while her projects and objectives would ultimately be fulfilled, she was undermining herself and not getting the credit that she deserved.

Another strong  message was how important it is for women to mentor other women in the industry. Being a primary source of contact and offering experience and background can catapult women forward is nothing but good things for women and for the industry.

The last day of the ASIS International. It's been three (actually four) long days meeting new people, having very interesting conversations about some of the challenges that security practitioners face and attempting to get a handle on all the new offerings from an array of manufacturers. But, this last day starts off with what I hope will be an insightful look into government security policy with a speech by Condoleezza Rice. The majority of this blog post is more or less a transcript (or my best effort) in order to capture her speech for those of you who couldn't be here (or were here and want to review it).

UPDATE: Click here to read SDN's article on Rice's speech.

8:18 She started out with a comment on the theme of the conference "security never sleeps." I'm very grateful to finally get some sleep and not read the paper in the morning and know I have to do something about it.

There was no greater honor than to serve this country.

9/11 was a watershed of an event in the U.S. It was a crack in time and we've never been the same since. Now we have a sense of vulnerability. America had been protected by our great shores and US hadn't seen an attack on homeland, and certainly not against citizens, since days of British attacks. And I would suggest that day necessitated a major shift in how we thought of dangers in this country. Protecting at home was something that we had not done before. Military had commands for every part of world, but no command for US itself.

Now we have the Dept. of Homeland Security and as difficult as it was to put those organizations together, we're better off with it than without. First couple days after 9/11 after recovering from shock we would gather the cabinet folks together. All of sudden we were talking to the Dept. of Transportation and such and we practically needed an auditorium to hold all the people who were required to protect and defend. DHS gave us a single address for doing that. We didn't have a good way to talk to each other, DHS became way to talk to each other. Still a work in progress.

Port security, how make certain that someone hasn't planted in containers radiological or nuclear weapons, the ability to secur our ports was something we hadn't paid a lot of attention to before.

Coordination with the private sector is critical. Trying to protect ourselves at home that was new. When I became Sec. of State I knew how to deal with power conflicts and fully understood challenges from Russia and China. Big powers know how to deal with each other and first crisis in Washington was EPA conflict downed plane in Chinese island. Thought would be dealing that kind of thing. On 9/11 we learned a powerful lesson that it's not the powerful states, it's the failed states that present the most risk. That failed state was Afghanistan. We abandoned Afghanistan and Pakistan and Al Queda plotted and planned. Governments where corruption, it's the same problem that leads to arm runners and drug runners. I can assure you failed states are very dangerous. Heaven forbid if Pakistan starts to look failed with nuclear weapons or the Mexico and US starts looking like a failed state, we have a real problem. US has started to deal with failed states because trying to protect and bring new constructs in government. Afghanistan hard because it's the 5th poorest country in world. There's barely electricity and road networks are terrible. This is a tough fight. If US doesn't find a way to prevent the return of terrorist to Afghanistan we will pay for it. Abandon Afghanistan and attacks are imminent. We're in a long war, not a short one.

At 9/11 I was in my office. When heard about a plane, I thought 'What a strange accident.' President Bush was in Florida and normally I'd be with him, but it was only a short four hour drive. I went to the situation room and was passed a note that the second plane had hit and before I got to the bunker, the plane hit the Pentagon. Began to understand better radicalism. Know have to hunt terrorist and pursue them and remain vigilant and you can't sleep because they're out there trying every day. They have to only be right once. We have to right every time. It's not a fair fight.
Environment that terrorists have created is one of hopelessness. Something woefully wrong that is why our agenda, why our war on terror, has to have a positive answer. Free societies where women are respected and people are free.

We have to help them to come to a more democratic future. As we protect at home and defend abroad, it's necessary to marry power and principle in defense of free peoples everywhere. Sometimes we get tired of tremendous burden of responsibility.

8:34 If you govern from today's headlines, you won't have history on your side. Need to remember time when values and perseverance got us through other times. Another reason America can do this, we're an extraordinary experiment in human history. Melange of people who wanted to be American, and who don't have to be one of anything to be American. When I was Secretary of State, I got to see what people really admired, our military power some admired and some feared, but know too that around world people admire our national myth. The log cabin and the idea that you can come from humble beginnings and it doesn't matter where you came from, but where you're going. We've attracted the best and the brightest. It's the most ambitious people who want to be here. That national myth has to relate to people who are already here. That's the value of education.

Education is key. We as Americans need to be rigorous and have high expectations for our children. If we offer people a democratic and free life and if we to believe in our national myth, the US is going to be all right. We'll need to continue to be vigilant. The reason you and I can sleep at night is because there are women and men in uniform who are willing to defend us and make the ultimate sacrifice. If we refocus our principals and don't get caught up in headlines but look to history for judgment than we'll be alright and if we're alright than the rest of world will be alright, too.

8:45 Question and answer time:

What was it like being a woman in your position?

Found acceptance fine. At some point I'm the Secretary of State and they have to deal with that. You think it would be most difficult in Middle East, but actually found advantage that first of all important women in those societies who are not visible to you. Matriarchs of royalty and a couple of them could not see men outside of families, but I could see them and I would go meet with them and find they're real champions for women. Probably one thing found most heartening was young people. I think important thing to recognize women empowerment world wide. If I could do one thing, it would be to empower women because societies that don't empower women are dangerous.

8:50 Media as unbiased source of information?

I wish they would all quiet their voices a little. If find yourself in company people who say amen to everything you say, than find other company. You only hone your skills hearing people who don't agree with you.

About balance, we've always had rough politics. My criticism of media is the difference between today's headlines and history are rarely the same. Want to know what transpired today without thinking about long term effects. I know you have to report on daily basis, but never forget that today's headlines are going to pass.

9:55 Mentorship?

If you look only to people who look most like you, there would be no firsts. So I think it's wonderful when role models look like you, but more wonderful if what you recognize in people is someone who inspires you. Now, for me, most important thing is to pass that forward.

8:57 Personal achievements and disappointments?

Funny thing about history, something that may look brilliant at the time, history will tell a different story and vice versa. I hope will be right in saying that we were able to defend the country in a way that allowed Americans to go back to their lives after 9/11. I often say that I'm grateful that another attack didn't happen on our watch. It wasn't for a lack of trying, it was being vigilant that improved our chances.

If American's had remained fearful, if somehow people were fearful and turned on each other than terrorists would have won because they would have turned us into something we were not. Very grateful that able to keep the country secure and allow Americans to return to who we are.

Disappointments? In final analysis, the Middle East will turn out far better place because Iraq is a democratic state and far better place because Iran will have to deal with its internal contradictions. Don't know if it'll be in a year or five years, but the regime in Iran is done. The only memory of younger population is what happened of streets of Tehran and this is just one more brutal dictatorship with no credibility. I'm disappointed there's no Palestinian state. I'm a firm believer in Israel. Fact is, Israel is a positive force in the Middle East and wish I could've gotten further to a two state solution and get Arabs to accept that their problem is that they don't treat women well or give people enough freedom and Isreal is in the region to stay. I always wish we had made more progress but think that time is coming.

Foreign policy?

International blanket where practically every country in world shares information and coordinates. We didn't have that prior to 9/11. We do have a pretty effective means for counter terrorism across intelligence services and that's a major shift and requires constant tending because our friends and allies don't like fact that information secret and ends up in the New York Times. We leak too much.

9:03 International policing is part of diplomacy. But means that diplomacy not in guilded room with heads of government talking about problems. It's going out there to solve the problems. Better be doing small deeds of diplomacy , though.

9:10 How private security play a role?

Each have individual security role. If put in context of post-9/11 suggest what scary about 9/11 was that attacks weren't missiles. It came out of normal life. They took artifacts of normal life and turned into worst attack in America. Do with bus loaded with bombs, people do with a backpack. It's the daily, everyday stuff around us that's dangerous. I think government can worry about ports carrying radiological material, but security professionals need to help entities and companies and clients worry about how to connect what might seem harmless or ordinary to terrorists who are getting smarter at using it. Cyber-security something that we're way behind in, but also way behind in using the benefits of interest against these guys who use it well. What you're doing in helping the ordinary be more secure, the daily be more secure, the people coming to work be more secure is a major part of the fight on terror and I want to thank you for what you do every day.