Michael Fickes

End User Correspondent, SecurityInformed.com
Michael Fickes is a business journalist with 25 years of experience. Mike has published hundreds of security articles over the years in trade publications serving professionals in industries including security, retail, K-12 schools, universities, the supply chain and others. For SourceSecurity.com US Edition, Mike develops articles about trends, best practices and personalities from the point of view of security end users. Mike graduated cum laude from Princeton University with a degree in English. In his spare time, Mike reads history, plays golf and takes ballroom dancing lessons.
Articles by Michael Fickes
The 62nd ASIS International Seminar and Exhibits will run from September 12 to September 15 in Orlando, Florida. ASIS estimates that the Seminar may attract more than 20,000 security professionals to the Orlando Convention Center, where the event is being held.

Giving back to the host community

The Seminar always has a major economic effect on the host community. This year, ASIS will inaugurate a programme called Security Week, which is designed to give something back to the Seminar’s host city in exchange for its hospitality. “This is our first Security Week,” says Peter O’Neil, CEO of ASIS. “We were originally planning to inaugurate Security Week next year, but the tragedy at the Pulse nightclub led us to do it this year in Orlando.” “A shooter killed 49 people and wounded 53 others at the Pulse nightclub back in June,” says Michael Gips, chief global knowledge and learning officer for ASIS. “The Orlando segment of the programme will start on Sunday with a two-hour presentation for Orlando community members at the local Hyatt Regency hotel.” “The programme will include an essay competition in which we award $20,000 to a school,” says Gips. “The essay topic is why your school needs security upgrades, what those upgrades are and what benefits the upgrades will provide. The award will help pay for the upgrades.”

Seminars and presentations

Over the course of the week, ASIS will hold a series of seminars for local businesses and organisations to better prepare for current physical security threats. The Sunday presentation will feature a moderator and three speakers. It will be open to members of all local community organisations, including schools, law enforcement, the fire department, community organisations and businesses.
“These are people and groups that don’t consider themselves targets of violence and so have never developed sophisticated security programmes,” Gips says. Kevin Doss, CHP, CEO of Level 4 Security — a security and training firm — will serve as moderator. He is the author of the book “Active Shooter: Preparing for and Responding to a Growing Threat.” Speakers will include Marty J. Smith, the protective security advisor for Eastern and Central Florida, DHS District 5; retired U.S. Air Force Col. Jennifer L. Hesterman, author of “Soft Target Hardening: Protecting People from Attack;” and Paul Timm, PSP, president of RETA Security and author of “School Security: How to Build and Strengthen a School Safety Programme.”

The importance of security was highlighted when a shooter killed 49 people and wounded 53 others at the Pulse nightclub in June (Image credit: Neville Elder / Shutterstock.com)

Building an effective plan for preparedness

They will discuss how to build an effective plan for preparedness, hardening soft targets, fundamentals of proper safety and security planning and how to work effectively with local law enforcement. According to Gips, ASIS will invite members of the military, first responders and law enforcement professionals to attend the seminar free of charge. “Everyone that attends our Sunday programme will receive a free pass to the show floor from Monday through Wednesday,” he says. “They can take in the exhibits and attend the educational sessions on a wide variety of subjects,” continues Gips. “It will be an opportunity to learn about meeting security challenges by learning about security technology and talking with security professionals.” Gips adds that the Department of Homeland Security (DHS) has signed on as a supporting partner for the Sunday event. Why? “As Assistant Secretary of DHS Caitlin Durkovich says, ‘Communities are the first line of defence,’” explains Gips.
All told, the inaugural ASIS Security Week will aim to impart information about best practices to the local community in an effort to enable Orlando to build this first line of defence.
A force of 85,000 police and military will patrol the Olympic grounds and environs to provide security

A week before the Rio Olympics were slated to begin, Brazil fired the private security firm assigned to hire personnel to screen people entering the various Olympic venues located around Rio de Janeiro. The security plan called for 3,400 screeners. The security firm had only found 500. What happened? Today, prospective security officers must undergo background checks that do not raise red flags. Observers noted that unsatisfactory background checks and drug tests probably explain why it has been so difficult to find and hire the large numbers of security people needed in the short period of time allotted. That problem aside, a force of 85,000 police and military will patrol the Olympic grounds and environs to provide security. “Security officers and soldiers have different ways of thinking,” says Ron Lander, a principal with Norco, California-based Ultrasafe Security Specialists. “Soldiers may be more aggressive than security officers. That may be appropriate for an event like the Rio Olympics.” “Then again, security officers are trained to de-escalate aggressive behavior and calm unruly customers so that everyone walks away with a handshake,” says Lander. “The army may not have had that kind of training.”

Olympic security technology

Olympic-size events make liberal use of technology. The Olympic grounds in Rio have surveillance cameras as well as access control points. In addition, there are cameras connected to facial recognition systems. “Facial recognition is getting better and better,” says Lander. “Camera placement is an important key. There are mullion cameras placed in doors that take head-on video that is required for reliable facial recognition. As the camera system clears people, the access control system checks them in.” Checkpoint technologies also include magnetometers that check for metal weapons.
It is recommended to create two or more concentric security circles around the perimeter of an event, with attendees passing through access points in the circles

Concentric security circles

Lander recommends creating two or more concentric security circles around the perimeter of an event. Physical barriers and ropes can create the barriers and funnel people to checkpoints that also provide access. Why concentric circles? “It is a security technique called progressive redundancy,” Lander says. “There could be many steps. In a security facility, for instance, you lock the door, place an alarm at the perimeter, put up a fence and assign a patrolling guard.” So security at an Olympic-style event will feature two concentric security circles around the location of the event. Attendees will pass through access points in the circles. At one checkpoint, they may pass through a magnetometer. At the second, two officers will check purses and bags, while a third officer looks for telltale behavioral recognition signs — individuals who are nervous and sweating, wearing a heavy coat on a warm day or exhibiting behavior that is unusual in some way.

Video analytics

“Today, some organisations are moving toward video analytics,” Lander says. “There are cameras with analytics software and network video recorders with analytics inside the engine. I prefer analytics on the front end.” Users can program video analytics cameras to look for and alarm on certain kinds of video. For instance, analytics can be set to alarm when people run through a camera’s field of view. Analytics can look for motion in a place and at a time when nothing should be moving. The technology can identify abandoned packages and alert security to investigate. There are a number of security scenarios in which video analytics can stand in for human beings, who often get tired. Video analytics don’t tire out and fall asleep.
In the end, the role of security technology is to support security officers, and their role is to remain alert, aware and responsive to alarms.
Hospital security always counts. Patients may arrive from a crime scene and someone has to make sure they weren’t followed by trouble. Doctors, nurses and other medical personnel may come under blame for the death of a loved one and need protection.

Heightened security needs

Think for a minute, though, about the elevated need for security when the victims of a massacre — such as the Orlando massacre — arrive at the hospital. On the heels of the shooting at the Pulse Nightclub in Orlando a month ago, patients began pouring into hospitals across the city. Florida Hospital Orlando received 12 patients, who were treated for non-life-threatening injuries. “All patients have since been released,” says William Marcisz, Senior Director of Security with Florida Hospital’s multi-campus system in metro Orlando. In the immediate aftermath of the shooting, law enforcement officials indicated that the police were investigating whether or not the attack had been the work of a group of conspirators. They worried that other shooters might pick up again elsewhere — perhaps at one of the several hospitals that accepted patients. To address this concern, Marcisz and his team tightened security throughout the hospital as patients arrived. “We partnered with local law enforcement and followed their lead,” he says. “In situations like this, we set up a unified command and work closely with the police to adjust our situational awareness and security.” Marcisz also activated the hospital’s lockdown plan, which transforms the hospital’s open access environment into a hardened target.

Active shooter plans

Florida Hospital also has a comprehensive plan to address an active shooter incident. Many hospital institutions have developed similar plans because active shooter incidents are on the rise.
According to FBI records, there were 45 active shooter events between 2000 and 2006. The number of events rose to 115 over the next seven years, from 2007 to 2012. What’s going on? Television and social media may be feeding the phenomenon, speculates Marcisz. He also suspects that shooters are learning from past incidents, researching tactical elements from past attacks and copying them. “On the security end, we are also learning how to defend better against attacks,” Marcisz says.

Organisations need a formal threat management team, with members drawn from security, human resources, the legal department and administration

Workplace violence prevention

“In addition, we are educating the workforce and taking steps to become more proactive to address workplace violence in general.” Is it possible to prevent active shooter incidents? Marcisz and his team use various methods to keep patients, employees and visitors safe. “The key is building a solid, multi-layered workplace violence prevention programme,” he says. The programme should include physical security measures, people with assigned security functions, and technology — plus education and training for people throughout the organisation. Organisations also need a formal threat management team, with members drawn from security, human resources, the legal department and administration, adds Marcisz. “The threat management team investigates threats and incidents of workplace violence to ensure that there is no evolving or continuing threat,” he says. “Threat management teams are essential to mitigate risk to the organisation, avoid liability and ensure business continuity.” Marcisz believes in training and requires substantial training for everyone in the hospital’s security department.
“Every member in the Florida Hospital Security Department has some level of certification through ASIS or IAHSS [International Association for Healthcare Security and Safety],” he says. “Each job description calls for a certain level of certification. If you don’t have the right certification for the job, you have to get it within a certain period.” For instance, new security officers have 90 days to obtain a Security Officer certification from IAHSS. Marcisz’s security platform includes 2,500 security cameras and 2,500 access control points across the entire hospital system. The system Security Operations Division responds to 350,000 service calls of all kinds per year, while the security operations centre receives 120,000 phone calls annually. The successful programme earned a 2014 Programme of Distinction Award from IAHSS recognising Florida Hospital as the largest hospital to certify 100 percent of its security force through the Association.
As a society, we have been studying crime for years, with an eye to prevention. Now that mass shootings have seized our attention, experts have begun studying this particularly violent crime, again with an eye to prevention. “Our view is that inside a large enterprise — a corporation or government agency — anyone can be the risk you may face someday,” says Bryan Ware, CEO of McLean, Virginia-based Haystax Technology, a business that identifies risks before they become threats.

Insider trust model

Haystax looks for threats at all levels, from petty theft to mass murder. Law enforcement agencies use Haystax software products to prevent attacks and manage large events. Fire departments use Haystax software to manage life safety. Today, large commercial enterprises are using Haystax products to identify potential insider threats. How does software identify someone that poses a threat? “We started by building a software model that thinks like a human being – that is, thinks by using concepts,” Ware says. “We also asked why we trust people. What characteristics does an individual possess that build trust in others?

Using individual data to assess risks

“Our models pull in data on individuals from background investigations, log in and log out times and many other factors. All in all, our insider trust model includes 700 factors that all of us have to some degree.” Haystax uses those 700 factors to build models for everyone employed by its clients. When people go through divorce or run into financial difficulties or develop substance abuse problems, they change, Ware continues. By fusing all of these factors together and monitoring for changes, it becomes possible to make decisions about an individual’s level of risk. “There is a pattern to everyone’s life,” Ware says. “What does it mean when the pattern changes?
We have developed algorithms that track these changes and produce risk factors on each individual on a continuous basis. We can tell who the highest risk personnel are. “Suppose we find that a manager is going through life difficulties. We might suggest a different level of supervision.”

Identifying violent risks

Experts that study mass murders say that perpetrators often have similar personalities: During the investigation of virtually every mass shooting, descriptions of the shooters in the days before the shooting are similar: He is typically male, single, white and in his 30s or 40s. He had grown sullen and withdrawn in recent weeks. He bought his guns legally. Some, but not all, exhibit signs of mental illness. As a rule, they are outsiders. And many friends, relatives and work associates notice disturbing changes in behaviour before the tragedy occurs. “It’s true,” Ware says. “In every single case we’ve looked into, there is always a lot of information in advance in the heads of friends and family and in databases. While we don’t want to become a society of tattletales, we need to think about these issues as a society. “I believe we will see more and more of these kinds of threats in our workplaces. In Orlando, the shooter was a security guard. Wouldn’t it have made sense to have monitored him in some way?” What privacy issues does this high level of individual scrutiny raise? “Good question,” Ware says. “We can’t violate expectations of privacy. Many of our customers are high security government agencies and businesses. When they hire someone, that individual consents to being monitored.” Ware goes on to note that companies with lower security concerns would require a lower level of monitoring — a level tailored to the company’s particular needs. Still, it would be important that employees know about and consent to being monitored.
A public facility with too much security or the wrong kind of security can discourage the public from visiting (Photo credit: Steve Williams Photography)

The lethal November 2015 terrorist attacks against several soft targets in Paris have inspired changes in security at facilities considered soft targets across the United States and around the world. Today’s security directors well understand that “it can happen here.” To be clear, it probably won’t. But because it can, security directors are moving to harden their soft targets against security breaches, from minor to major. It’s a challenge. Soft targets are typically soft because they must provide easy public access. A public facility with too much security or the wrong kind of security can discourage the public from visiting.

Tightening security at Dr. Phillips Center

Consider the Dr. Phillips Center for the Performing Arts in Orlando, Florida. Opened in November of 2014, the centre spans two city blocks, rises three floors and offers three theatres. The Walt Disney Theater, the largest of the three, seats 2,700 people and handles major theatrical and concert productions. The two smaller theatres each seat fewer than 300 people and accommodate private groups such as weddings and corporate events. Construction will begin this year on a medium-sized, 1,700-seat theatre. It will form a wing of the existing building. Another theatre will break ground in several years and attach as a second wing on the other side of the building. The main building was up and running when Chris Savard came on board as security director a year ago. He and Andy Frain Services, a security management firm retained by the Phillips Center, worked together to design and implement a comprehensive security programme. “As a cultural and arts centre, the facility hadn’t really focused on security,” Savard says.
“They weren’t even checking bags at entrances.” Savard’s first move was to remedy that and begin checking bags. He was stunned to learn that the bag checkers immediately began to collect large numbers of guns and knives that people were attempting to bring into the theatre. The warm Florida climate leads many residents and vacationers to don loose-fitting shirts that aren’t tucked in. So Savard is also thinking about “wanding” visitors randomly (using a metal detector) as a supplementary weapons inspection. “While the building wasn’t designed with security in mind, some of the design features are useful,” Savard says. “For instance, there are tunnels that cross under the building. The purpose of the tunnels is to facilitate moving equipment and set pieces. But it also creates an escape path for people in the building and an entrance for emergency responders.”

Any basic training for staff and employees teaches that the first step is to run. If you can’t run, hide. If you can’t hide, fight (Photo credit: Steve Williams Photography)

Guarding with security systems and staff training

Savard instituted video surveillance, placing about 60 fixed and pan-tilt-zoom cameras throughout every level of the facility and outside the front entrance. The “back of the house,” where cast members are often in various stages of dressing and undressing, has no cameras. Plans include the installation of a guard tour system with more than 30 touch points for security officers to tap with a wand as they patrol. Another of Savard’s main concerns was to develop procedures to protect against today’s security bane of workplace violence. Steps included training security staff and employees to react to various kinds of workplace violence including active shooters. The basic training teaches that the first step is to run. If you can’t run, hide. If you can’t hide, fight. Another element of the training programme covers situational awareness.
Employees learn techniques of behaviour pattern recognition to enable them to identify and approach individuals exhibiting behaviour patterns that may indicate security threats. Self-defence training is part of this as well.

Security, without compromising comfort

Finally, Savard asked the Department of Homeland Security (DHS) to conduct a security assessment and make recommendations. During the assessment, DHS developed a 3D virtual analysis of the centre that calls out access points and pathways through the building. First responder teams dealing with emergencies can access the analysis and plan the safest, most effective response. In the end, Savard’s programme touches all the bases without becoming oppressive. The programme provides a tutorial on securing soft targets without harming the appeal of public facilities.
Drones can satisfy five commercial needs, today: surveillance, patrolling, incident response, mapping and site assessment

The military uses drones. So do the police. Drones serve as weapons and surveillance tools. Today, businesses and institutions are applying drone technology to a variety of private security surveillance challenges. Private uses include patrolling facilities and installations such as pipelines from the sky. To be sure, private contractors sometimes weaponise drones, but more often use them as flying surveillance and tracking cameras. Then again, surveillance drones have developed useful add-ons. Among the newest applications, for instance, is a Japanese technology that enables drones to detect and follow intruders. Drones can also carry licence plate recognition systems and motion detection technology. “Drones also patrol remote areas that are dangerous or hard to reach,” says Bernard Gollotti, CPP, founder and owner of LARGO Consulting Services, a Philadelphia-based firm that consults on security issues with higher education facilities, businesses and institutions.

Jobs for drones

According to Gollotti, drones can satisfy five commercial needs, today: surveillance, patrolling, incident response, mapping and site assessment. “But the technology is constantly changing and adding capabilities,” says Gollotti. “Cameras are improving. Systems can provide GPS tracking today. Biometrics are improving and developing tools like air sniffers for drones. “Drones can also connect to the Internet and integrate with fixed video surveillance systems and access control systems. At this point, drone technology can do pretty much what you can imagine.”

How big does a drone have to be? Drones come in all sizes and capabilities. “The size of a drone can go from a bug that fits into your hand to a good-sized aircraft,” says Gollotti.
“Hobbyist drones might have a single blade propeller. These are called copters. “Some drones have four propellers. These can carry cameras and other security equipment. Hexacopters have eight blades. As the number of propellers grows, so does the size of the drone.” Military style drones might be jet propelled, which goes beyond the needs of commercial security, adds Gollotti.

Drone safety

In recent years, hobbyists have garnered plenty of bad publicity for drones by flying too high and interfering with private or commercial aircraft. “There are no regulations about training to fly drones,” Gollotti says. “But you do have to register a drone with the FAA, and when you go to the FAA website to do that, you’ll find a list of do’s and don’ts.”

Although you must register drones with the FAA, there are no regulations about training to fly them

Gollotti goes on to note that it is important to consider privacy issues. It can be upsetting for someone working in his or her backyard to see a drone hovering overhead. In addition, operators need to be aware of the safety of individuals on the ground and in the air where a drone is flying. “Last year, during the wildfires in California, drones interfered with planes trying to deliver fire retardant,” Gollotti says.

Do you really need a drone? Some security directors have brought in drones because they can and not because of a real need. Before buying a drone, determine if there is a real need, advises Gollotti. What is a real need? A large open campus with a lengthy perimeter exemplifies a need. A single drone with a camera could patrol an entire campus much more efficiently than a handful of security officers in vehicles. “You must also develop policies and procedures directing how the drones will be used,” Gollotti says. “For example, a policy might describe how a drone will provide surveillance for a remote pipeline connection or a cell tower. How often will it patrol? What parts of the facility will it monitor?
“If you are deploying it on a college campus, what is the goal? For instance, the policy may say that the purpose of the drone is to monitor the perimeter for unauthorised entries – and not to people watch over the swimming pool.”

Restricting drones from spying

Finally, Gollotti notes that you have to protect your facility from other drones. A competitor may want to spy on a manufacturing facility. A company can use microwave and radar systems to track drones approaching its property – especially critical infrastructure — and use radio signals to disrupt them. “In the end, though, using drones for commercial security has only just begun,” says Gollotti. “You can expect to see constant change as the idea evolves and matures.”
ISE’s research shows that healthcare facilities & hospitals lack security programmes to ward off determined attackers going after specific targets

A well-known security axiom posits that an effective security programme can discourage would-be attackers, causing them to move on in search of softer targets. But it doesn’t always work that way. Take healthcare facilities such as hospitals, for example. Prospective attackers with no particular target in mind may see a well-protected hospital facility and move on in search of another target, just as you would expect. On the other hand, some healthcare attackers have specific targets in mind, and they will try to get at those targets using all of their digital cunning. According to Geoff Gentry, Director of Healthcare with Independent Security Evaluators (ISE), a security-consulting firm, healthcare facilities and hospitals in particular lack security programmes that can ward off determined attackers going after specific targets.

Stealing or altering medical records

“An adversary targeting a specific facility will spend the time and resources necessary to ensuring a successful attack,” Gentry says. “Imagine, as a hypothetical example, a celebrity undergoing treatment in a hospital. Attackers might want to acquire and release the celebrity’s medical records — in order to embarrass him or her. “They would break into the hospital information technology network and search for specific files. It is more difficult to discourage attackers with specific targets like this.” Could attackers go after the celebrity patient as well, by corrupting the medical equipment and systems being used in a treatment programme? “To our knowledge, no real-world attacks have been reported targeting patient health,” says “Securing Hospitals,” a two-year research study conducted and financed solely by ISE. However, the ISE study goes on to say: “Research has shown that medical devices are susceptible to compromise, such as pacemakers, and insulin pumps.
Similar attacks have even been demonstrated on simulated patients in a laboratory setting. Though attacks against these systems have only been performed in a research setting, they demonstrate a grave problem. When these or similar attacks are finally exploited in the wild, lives will be lost. In 2015, attacks were documented using medical devices as the pivot onto the hospital’s production network.”

Attackers may aim to steal and expose a target’s medical records, or even alter them to interfere with their treatment

The vulnerability of specific targets

“Securing Hospitals” also reports successful demonstration attacks by researchers in field settings that might have killed or at least harmed patients had malicious hackers been behind them. In one case, for instance, attackers took over a patient monitor and altered the vital signs being displayed, which could alter the treatment program for a patient. In another scenario, attackers manipulated the flow of medicine and blood samples, causing the delivery of the wrong medicines and dosages. The booklet reports several other scenarios and notes that: “The examples listed above represent a small fraction of the attack scenario possibilities that could result in the injury or death of a hospital patient.”

What can a hospital do? Pointing to the results of the ISE study, Gentry recommends re-doing hospital security from scratch — starting by resetting priorities. “What is the worst thing that can happen in a breach?” he asks. “Patients can die. Patients are the real assets that need protecting.” “Hospitals are inclined to focus on health records first, but the priorities should be patients first and then records. If you think first about securing the safety of patients, I think you will develop a better overall security program.” When patient security comes first, continues Gentry, administrators tend to work on securing online medical devices, equipment and systems from digital attackers.
In addition, physical access control and video surveillance cameras can support the electronic security systems by ensuring that only authorised people can enter the hospital. Once electronic and physical access can be controlled and managed, hospitals will be much more securely protected than they are today.
ASSA ABLOY door handles with built in reader, strike, request-to-exit sensor and door contacts help maintain sterile environment of stainless steel rooms

Access control technology has been around for a long time, but security professionals still run into weird problems when designing and installing systems. For example, when a hospital discovered that it was losing $4,000 per patient bed annually in medicines and other supplies, it asked ASSA ABLOY for an access control solution. The problem involved nurse servers, which are portable cabinets filled with medicines and supplies and located in or adjacent to patient rooms. Like portable nursing stations, nurse servers provide a great convenience for nurses. Instead of running back and forth to supply rooms for medicines and other supplies, they can fill up a nurse server with whatever individual patients need. In a technical sense, no one stole the $4,000 in lost supplies. Instead, busy nurses and physicians often grabbed supplies they needed from the nearest server and used them to treat other patients. “For instance, one nurse might be caring for a special needs patient on a home-care route and lift some supplies from a server while hurrying to get to an appointment on time,” says Toby Heath, Electromechanical Specialist with ASSA ABLOY. While medicines and supplies used to treat the patient in the room would be recorded on the patient’s chart, no one recorded items used for other purposes — hence the losses.

Wireless access control for nurse servers

Why not lock the nurse servers with a key lock? “Of course, you can do that,” says Heath. “But you would still want to know who opens the cabinet. To acquire and store that information, you would need an access control system with a credential log.” Heath specified an ASSA ABLOY door contact, locking mechanism and a credential reader for the cabinets. “The wow factor is that it is a wireless system,” continues Heath. “The mobile nurse servers can go anywhere without wires.
So the access system has to be wireless as well. With our wireless systems, the cabinet can go anywhere and still provide a full access control system that logs who goes into the cabinet.”

ASSA ABLOY access control systems with a credential log prevented unauthorised usage of medical supplies from nurse servers

Those authorised to open the cabinets do so with their hospital access and ID credential. ASSA ABLOY installed 380 of these systems on nurse servers in a tower expansion of a Midwestern hospital. Because the system is so new, the hospital has not been able to tally up the savings yet. According to Heath, hospital officials are confident that losses are way down.

Access control in sterile facilities

Heath encountered another odd access control installation in a factory located in the northwest. “Several rooms within the factory were made with stainless steel panels to create a near sterile environment,” he says. “To maintain the cleanliness standard, management wanted to minimise access to the rooms. The challenge here involved running access control wiring to the doors.”

A typical access control system places contacts on the door and a reader on the wall. Both connect by wire to a local control panel, Heath explains. Two more devices, a request-to-exit sensor and the electric strike within the frame, run wires back to the control panel. Shining stainless steel walls and doors made such a conventional installation not just difficult but also aesthetically unappealing.

“Instead of gouging the stainless steel,” Heath says, “we used the door handles with all four access control components built in: the reader, strike, request-to-exit sensor and the door contacts. As a single home-run master control, the access controlled door handles minimised damage to the stainless steel during installation, while speeding installation.
The integrator handled the entire installation in less than an hour.” Access control technology, today, can find ways to solve problems that may well have argued against access control in the past. So when you run up against such a problem, ask around. Chances are someone has designed a product or a system that can solve your problem.
Many people who decide to run, hide or fight during an active shooter event survive. John Matthews, a decorated law enforcement veteran and nationally known public safety consultant, studies this premise in his 2013 book: Mass Shootings: Six Steps to Survival.

“To survive, you have to be mentally prepared,” Matthews says. “You have to know what to do the minute the first shots ring out.”

For his book, Matthews researched 60 mass shootings that occurred between 1980 and 2010. As part of his research, he talked to those who survived and asked them how they managed to stay alive. “The book is designed for corporate security and safety managers who can effectively train their work forces and mitigate the harm from these attacks,” says Matthews.

Matthews summarises his six steps with the acronym ESCAPE:

Exit when possible without presenting a target
Seek cover to protect yourself from harm
Conceal yourself from the offenders
Assess all alternatives
Present a small target
Engage only as a last resort

It is a more detailed take on the traditional advice offered by law enforcement: If you hear shots or explosions, run. If you can’t run, find a place to hide. If you can’t run or hide, fight — but only as a last resort.

Run from the gunshots

Matthews observes that it frequently takes people several moments to realise that gunshots are gunshots and not firecrackers or vehicle engine backfires. “If you are a teacher in a school, an employee in a post office or a worker in an office building and hear sounds similar to gunshots,” writes Matthews, “you should recognise that firecrackers or other pyrotechnics are not normal for your workplace and immediately take action.”

As soon as you hear a gunshot — exit as soon as possible. Don’t present a target. Run in a direction away from the shots. Go outside. Get away from the building and call 911.

He also advises that you plan your escape ahead of time. Learn where the doors in your building are located.
When something happens, head in the direction of the closest door that is farthest away from the trouble. If you are caring for children, the elderly or patients and have to get them out of the building, another part of your task will be to keep everyone calm, focused and moving forward.

Matthews also warns against running when it would expose you to the shooter. You might have to crawl army-style across the floor and find a temporary hiding place. When you get outside, keep your hands in plain view so that responding police officers can see that you do not have a weapon.

Matthews researched 60 mass shootings and interviewed survivors to assess the best way to escape a shooting unharmed

If you can’t run, hide or take cover

According to Matthews, there are two ways to hide. You can conceal yourself or take cover. Your first choice should be to seek cover that will protect you from harm. Matthews suggests parked cars, cement barriers in parking lots, brick walls and other solid masses that will stop bullets. If there is no place to take cover, concealing yourself behind bushes, trees, banners and other non-transparent objects is the next best thing.

Inside a building, take cover behind large filing cabinets and heavy equipment. Matthews notes that locked rooms can be effective hiding places. Block the door with furniture. Lock the windows. Turn off the lights and stay low. If there is more furniture in the room, hide behind it.

In the events that Matthews studied, a number of people tried to conceal themselves under desks. All too often, they were found and shot. Desks aren’t cover or concealment.

Don’t pop out of your hiding place because the shooting has stopped. There’s a good chance the shooter is simply reloading and getting ready for another onslaught. From your place of concealment, assess all possible alternatives before deciding on what to do next. If you decide that you can escape the building, move out, while presenting a small target.
For instance, you might decide to stay low and crawl on all fours, keeping yourself in a tight compact ball. Such a small target is harder for a shooter to hit, explains Matthews.

As a last resort, fight

While studying active shooting events, Matthews discovered that “when a single individual engages an armed offender, the individual almost always loses.” That is why fighting must be viewed as the absolute last resort.

In light of this, if fighting does become necessary, find others to help you fight. Even when you have assembled a group, don’t simply jump up and rush the shooter. Make a plan. Matthews cites a case in which a group laid low until the shooter stopped to reload. Then they attacked and quickly subdued him.

The ultimate goal is to do as little as you can to extricate yourself. Run away as soon as you hear shots. If you’re lucky the event will be essentially over for you. If you can’t run, hide and wait for a chance to run. If you don’t see an opportunity to run, wait out the event in the safety of your hiding place. If you have to fight, fight hard and fight smart.

To survive a shooting incident, you have to be mentally prepared and you have to know what to do the minute the first shots ring out
Security is becoming increasingly business-like, with corporate security departments having to justify their budgets and support business operations

Persistent crime — both physical and logical — and the rise of terrorism around the world have led more and more corporations to expand their focus on security. In that effort, C-suite executives have added significantly to the responsibilities of corporate security departments.

Security functions have grown far beyond patrolling guards, a few cameras and a monitoring guard. Today’s security departments employ comprehensive physical and IT security technology systems monitored and managed 24/7 by highly trained security officers.

Security department expenses

In recent years, many C-suites have begun to chafe under the enormous expense of such huge security installations. In response, corporate executives have begun to demand that security departments find ways to support themselves financially and perhaps even contribute to business profits.

That’s what senior executives expect of other departments. A Human Resources department finds talented people who can lead the corporation to higher revenues and profits. IT provides the tools that make the various corporate departments — especially operations — more productive. Sales, manufacturing, distribution and other departments must also contribute to the bottom line. Now security is being asked to contribute to the corporate effort.

As a result, executives have become more cost-conscious, says Mario Moussa, Learning Director of the ASIS International programme with The Wharton School at the University of Pennsylvania in Philadelphia. Moussa is also President of Philadelphia-based Moussa Consulting, a security consultancy.
Corporate security departments ensure “business continuity” for organisations by preventing costly IT & physical breaches that disrupt or damage business

Maintaining business continuity

“These days, all functional specialists have to justify their budgets in terms of business benefits,” Moussa says. “Very few executives will sign off on an initiative or activity that cannot be cost-justified. In this respect, security professionals are feeling the same pressures as specialists in HR, IT, and other departments.”

While security today is becoming more and more business-like, the function has always provided certain business benefits, observes Moussa. “One of the most important traditional benefits is business continuity,” he says. “In any competitive industry, disruptions to a company’s services and operations can have catastrophic effects on a brand — from customer retention to profitability.”

“The importance of business continuity grew much greater after 9/11, as executives realised that the world had become so interconnected that companies were now frighteningly vulnerable to physical as well as IT security breaches.”

“Today, it is essential that security professionals extend security’s business benefits to the entirety of an organisation.”

The Wharton School at the University of Pennsylvania & ASIS International offer an educational course to help security professionals work more effectively with other corporate leaders to create beneficial financial results

Building a larger security strategy

The entirety of a commercial corporation encompasses IT, HR, sales, purchasing, manufacturing and other functions. According to Moussa, a joint venture educational course between Wharton Executive Education and ASIS can help security professionals work more effectively with other corporate leaders to create beneficial financial results.
Called the “Program for Security Executives: Making the Business Case for Security,” the weeklong course covers basic business concepts designed to improve managerial and strategic capabilities. In addition, the course aims to communicate the business case for investments in organisational security policy — and how to present a strategy to the C-suite in a way that could earn an approval of part or all of an expanded security programme.

Justifying budgets with the language of business

“Security professionals must use the language of business to describe their operations and to make the case for the budgets needed to support them,” says Moussa.

A security director can use such training to expand a corporate security department to meet today’s new challenges. Moussa says the transformation begins with training for officers as well as. Once everyone has been trained, the conversion can get under way.

“It is always a step-by-step process,” Moussa says. “You have to sell ideas one at a time to decision makers.”
Deadly terrorist attacks on buildings have highlighted the need of a well-designed and well-implemented physical security programme

What constitutes a well-designed physical security programme? Deadly terrorist attacks on buildings such as the San Bernardino Administrative Centre, Riverside County in California, have highlighted the need for a well-designed and well-implemented physical security programme. S. Steven Oplinger, Chair of the ASIS Physical Security Council, outlines 5 basic principles for any effective security plan that should be executed by all security stakeholders including building owners, construction managers, security integrators and security supervisors.

Terrorist attack on the San Bernardino Administrative Center in California

Since the 2nd December terrorist attack on the San Bernardino center in which 14 people were killed, uniformed private security officers are now inspecting visitors’ purses, briefcases, bags and containers at the facility’s main entrance. In addition, a small public entrance has now become an employee-only entrance. Security officers will check employee IDs at that door. The moves have required Riverside County to hire additional security guards. Other public entrances have been locked or converted to card-access for employees and other authorised personnel.

Prior to the attack, the physical security programme protecting the centre included security officers, cameras, card-access controlled doors and protective glass in front of service counters. It was a good system, but not good enough to protect against a completely unexpected onslaught by terrorists armed with semi-automatic weapons and pipe bombs.

One of the security lessons that can be drawn from this tragedy is the importance of a well-designed and implemented physical security programme.

Five basics of physical security

According to S.
Steven Oplinger, Chair of the ASIS Physical Security Council, there are five basics that practitioners must learn and master:

Communicating clearly about physical security
Assessing existing security programmes and analysing needs for new programmes
Maximising security value and protecting security system investments
Understanding the basics of the networks and infrastructure that support security technology
Identifying and communicating the returns available from security investments

Oplinger recommends designing security programmes by working through these basics on paper. “If you make sure it works on paper first, you won’t have nearly as many expensive problems to solve when you install it in the field,” he says.

1. Clear communications

“Start off by establishing a language with stakeholders by defining terms,” says Oplinger, who is also a system design executive with Fort Myers, Florida-based Integrated Fire and Security Solutions.

Stakeholders include owners, construction managers, security integrators, finance people, security supervisors, officers and others with an interest in a facility’s physical security.

“We often talk about the same things but use different terms,” continues Oplinger. “It can be confusing when you refer to a video surveillance system and someone else says closed circuit TV (CCTV). These are two different things. Which term describes what you have?”

Oplinger offers other examples. How do you define video recording systems and digital video recorders, he asks? What’s a server farm? What’s the cloud?

2. Assess your security programme: What do you need?
Once the stakeholders are communicating clearly, the discussion can turn to an analysis of security needs or an assessment of an existing programme. Why is security important to this facility? What are the risks and vulnerabilities? How do you mitigate risks and mitigate vulnerabilities?

Focus on what you need at specific locations, continues Oplinger. “What do you need to do at this door?” he asks. “Do you need access control? A camera? An intrusion alarm? A combination of all three? Do enough to accomplish what you want and then stop. Don’t throw bells and whistles at anything. Bells and whistles only raise costs.”

3. Maximise the value of security investments

Next, review each piece of the security program laid out in step two. “Define every single device,” Oplinger says. “What is its purpose? If you can’t clearly define its purpose, the device has no value and would be a wasted investment. Get rid of it.

“What is the purpose of the camera you specified at this door? How will it add to security? If you can’t answer these questions, you probably don’t need the device.”

4. Learn the basics of security networks and infrastructure

When security first logged on to company IT networks a number of years ago, a tug-of-war broke out over bandwidth between the IT and security departments.

With the explosion of security technology needs, most large security systems today operate on their own network independent of IT, sending video, access control requests and alarm signals to a security command centre where officers monitor building security.

“More and more, the signals ride through the building to a server farm somewhere or up to a cloud,” Oplinger says.
“You don’t need to learn how to wire and repair the technology, but you do have to match up the equipment you buy with existing in-house equipment. Moreover, if you are working with a cloud service, you have to match up your technology with the cloud’s technology.”

5. Identify and communicate return on investment

Today’s security directors must justify security budgets for chief financial officers (CFOs). “I’ve seen instances where the security director puts together a great plan, and the CEO says yes, but the CFO says no,” Oplinger warns.

“You have to explain to the CFO how your system will save money,” he continues. “Perhaps you can reduce the number of security officers you need.”

Some service, manufacturing and other labour-intensive businesses function more efficiently when security cameras appear. “The best example of this that I have occurred years ago,” Oplinger says. “We tested a four-camera system in a restaurant for a prospective client. We watched the video, looking for an employee doing a good deed, and we found a young waiter helping an elderly couple maneuver through the restaurant.

“The owner phoned the store, asked to speak to the waiter and complimented him on his excellent work. Suddenly everyone working in the restaurant realised they were being watched. Thirty percent of the staff quit the next day.

“The owner found that he didn’t have to replace anyone. The restaurant operated just fine without the 30% of staff that weren’t doing any work.”

Oplinger observes that security cameras can show ROI pretty easily. ROI for access control shows up in savings on hardware and labour. With card-access control, owners no longer have to change the locks when someone loses a key. When an employee loses an access card, you simply turn off the lost card and issue a new one with different permission codes.

Alarm systems justify themselves by alarming when a door or window opens without authorisation.
As long as you’ve tailored the system to limit false alarms, there is no quarreling about the value of being able to respond to an unauthorised intruder. In summary, a well-designed security programme requires speaking a common language. Security personnel and interested stakeholders continually assess the existing programme and analyse needs for new features. The programme pursues strategies designed to maximise security value and protect investments in security. And, finally, it aims to produce a return on investment at every opportunity.
Command centres allow physical and IT security to collaborate for greater situational awareness and responsiveness

Conventional command centres focus on video and access control system monitoring. When something happens at a door, the video system reports the event to one monitor in the command centre, while the access control system reports to another monitor. It is up to the operator to imagine the possibilities, draw the right conclusions, decide on a response and, if necessary, dispatch officers.

“Up until two-and-a-half years ago, we relied on this reactive approach to security,” says Scott Phemister, Executive Director of Global Risk and Crisis Management with Hollywood, California-based Paramount Pictures. “We focused on our production lot and offices here but not necessarily on our other offices, production locations, travelling production units and people.”

Phemister says that Paramount’s intelligent command centre has transformed the company’s security capabilities from reactive to proactive. “We’ve added intelligence with tools that bring all of the systems together into a single user interface that paints a situational awareness picture and helps to drive our responses to events,” he says.

Centralised management

“Today, our command centre is an intelligent communications and response coordination tool that covers our operations and people around the world wherever they may be — on location as well as in hotels.”

Building an integrated central command centre requires knitting together a host of systems often powered by different operating systems. Paramount, for instance, wanted to manage 10 key security systems including perimeter protection, fire alarm, intrusion alarms, access control and video surveillance.

Paramount centralised the monitoring and management of all these systems with an Enterprise Command Centre software (ECCS) called Immix Command Center or Immix CC.
Provided by SureView Systems in Tampa, Immix CC consolidates all of Paramount’s platforms into a single point of monitoring, management and control. Using the system, two people, an analyst and a supervisor, per shift monitor security 24/7 across Paramount’s global operations. Every day, they look in on all offices, production lots, warehouses, active film shoots and more than 250 travelling executives and employees.

Immix CC also enables security officials to script protocols for operators to follow, ensuring a single streamlined and sure-handed response to similar incidents. Using the scripts, operators can respond to incidents more easily and quickly.

Paramount Pictures, California, uses an intelligent central command centre to monitor their global operations 24/7

Network connectivity between systems

Networked intelligent devices are improving the security capabilities of today’s command centres. “Network connectivity between security systems has opened the door for enhanced interoperability,” says Mark Peterson, principal, with Littleton, Colo.-based MC Peterson & Associates. “More data from subsystems are available more quickly than ever before, enhancing situational awareness.

“Integration capabilities enable systems to do some of the work, freeing up operators to expedite detection, assessment and response. In most applications, we are not doing new things so much as we are doing what we’ve always done, but much faster.”

“In addition, security systems today can be installed within the enterprise IT environment,” continues Peterson. “IT can then apply cyber security solutions across all deployed technologies. It should not be left to physical security practitioners alone.”

In other words, security today is a matter that both physical and IT security professionals must address in collaboration with each other – bringing many systems together into an intelligent mix that gives command centres great capabilities.
Handling more than security

Peterson also recommends that command centres, like any other security tool or technology, support comprehensive security strategies. “For example, deciding to deploy a local or centralised control strategy depends on the needs of the user.

“One size does not fit all. While the tools used in control centres are pretty much the same across applications, the way the tools are used depends upon operational requirements.”

In addition, operational requirements aren’t always limited to security. Today’s command centres are handling more than security, says Peterson: “Traditional security control/command centres are becoming command centres that handle security plus building environmental controls, lighting and other operational building systems.”

They can do that because they are smart.
Soft targets are civilian-centric places such as churches and retail centres, where security is not as fortified

The terror attack on Paris on Nov. 13 lasted just 23 minutes. The bombers and gunmen split up and attacked seven sites: the soccer stadium where it all began, four restaurants, a bar and a concert venue. All told, they killed 130 people and injured 368 in the time it takes for a coffee break.

This situation has raised questions about the security management for concerts, stadiums and restaurants. Without adequate perimeter protection and security systems in place, such places are often at risk from anti-social elements wanting to cause disruption and chaos.

The terrorists picked what security professionals call soft targets — targets that would be easy to attack and offer up lots of people that could be killed quickly and easily.

“A soft target is a civilian-centric place,” says Dr. Jennifer L. Hesterman, Colonel, U.S. Air Force, retired, the former Vice-Commander of Andrews Air Force Base and now an independent security consultant based in Washington, D.C.

“Examples of soft targets are churches, K-12 schools, college campuses, stadiums, other sporting venues, retail centres and hospitals,” continues Hesterman. “By contrast, government buildings and military bases are hardened targets.”

Of course, soft targets need not fortify themselves to the level of a military base. “The goal is to do enough to make a possible attacker pass you by in favour of finding a softer target.”

Hardening begins with a security assessment

Like virtually any security initiative, hardening a soft target begins with a security assessment that identifies risks – the harm that terrorists, criminals or natural or manmade disasters may do to a facility or campus of facilities.
An assessment also calls out the vulnerabilities that make a facility or campus a particularly easy target.

An open college campus, for example, can invite predators, burglars and other kinds of bad actors. Depending on the security assessment, hardening an open campus might require different steps. A centre city campus located in a relatively high crime area might want to build a wall and station security officers in booths at the entrances. Concrete barriers might protect the wall — again, depending on what the security assessment makes of the risks and vulnerabilities connected to the campus.

A suburban school with fewer concerns about crime might forgo the wall and take a few simple steps: trim the trees up above the campus light poles. Trim the shrubs around buildings down low to make it impossible for a mugger to hide. Protect dormitories, confidential information and intellectual property with access control.

“The perimeter has to be tight,” continues Hesterman. “Of course, this can be difficult. People don’t want to feel like they are in prison. So balance is important.

“People are getting smarter about security, and owners have to keep up. For instance, shoppers don’t want to visit retail destinations perceived to be unsafe. In the education world, parents will guide their children away from campuses perceived to be unsafe.”

Less about technology, more about people

Hesterman also notes that hardening is less of a technology effort than a human effort. She points to research by Dr. Martin Gill, who interviewed murderers on death row in the U.K. According to Hesterman, Dr. Gill learned that cameras don’t affect the way violent actors commit their offenses, and, in fact, may escalate their actions. Another conclusion drawn by Dr.
Gill was that violent actors are more concerned about being stopped by people than by being detected by security technology. On the subject of people and security, Hesterman says: “Hardening starts in the mind. You have to believe that you are vulnerable – that it can happen here. Then, you will want to find out what actions you have to take to protect your facility and your people. “The importance of people goes even further. People are the best sensors. They are better than technology at picking up information. Today, regular people are our first responders. By the time the police arrive at an event, it is over. So civilians need training about what they can do.” Finally, all of this may embody security’s new mantra: When a crisis erupts, run. If you can’t run, hide. If you can’t hide, fight. In addition to tightening the perimeter, hardening, then, also includes creating pathways to run, building a safe-room or a place to hide and training people about using these tools.
Hackers probably take more interest in your home computer and information about your identity stored there

As the Internet of Things (IoT) grows, so does the hackable universe. Equipment designers need to start thinking about security in the first steps of manufacturing products, and companies and individuals need to start implementing secure coding practices to avoid hacking incidents.

Last July, for instance, two security researchers hacked the computer in a Chrysler Jeep and took over the dashboard, steering, transmission and brakes. To fix the problem — a software vulnerability — Chrysler issued a recall for 1.4 million vehicles. Instead of bringing the vehicles back to dealers, however, Chrysler sent a software fix to owners on a USB drive. All they had to do was plug the drive into a port on the dash. In addition, Chrysler beefed up security on the Sprint network, the carrier Chrysler uses to connect its vehicles to the Internet.

Devices lacking adequate security

Hackers are also messing with baby monitors at home, equipment used at the office and machines on the factory floor. “More and more devices are being connected to the Internet,” says Terry Dunlap, Founder and Managing Partner of Columbia, Maryland-based Tactical Network Solutions, LLC. “Many of these devices are being developed without adequate security. Manufacturers don’t want to add cost to relatively cheap devices with security — which can be expensive.”

Dunlap adds that while anything connected to the Internet might interest hackers, they would probably take more interest in your home computer and information about your identity stored there. Businesses, of course, must also protect their business data — customer information and credit card and bank account numbers.

SCADA system attacks

Manufacturers that run factory-floor equipment with online systems have even bigger worries.
“At a recent conference, we had a number of discussions about preventing firmware attacks on SCADA systems designed to affect water supplies and the electric grid,” Dunlap says. SCADA is an acronym for Supervisory Control and Data Acquisition. SCADA systems control remote equipment such as that used by water and electric utility companies.

Governments as well as hackers attack each other’s SCADA systems. For instance, U.S. and Israeli government agencies collaborated on a hacking tool called Stuxnet. “They used Stuxnet to destroy nuclear centrifuges in Iran by making them spin out of control,” Dunlap says. “The attempt reportedly disabled a fifth of Iran’s supply of centrifuges.”

Hacker shields

How can equipment designers and manufacturers fight off hackers? What role do security firms like Tactical Network Solutions play? What can individuals do?

Dunlap suggests that equipment designers and manufacturers take two steps right now. “Think about security first, and implement it from the beginning,” he says. “Second, use secure coding practices. That will make the software a little harder to hack and may cause hackers to move to an easier target — software created without secure coding.

“These relatively simple steps will go a long way.”

Security firms also play a role. Dunlap’s company, for instance, works with manufacturers, integrators and governments to review the operating systems, called firmware, that run devices. “Any device that connects to the Internet of Things — a car, a camera, or any other Internet-enabled thing — has an embedded operating system called firmware,” explains Dunlap.

Firmware often has or develops holes that would give hackers a way to get into the device.
Companies like Tactical Network Solutions find these holes and build patches for them. Most of us have received patches from the makers of computer software and hardware. Those patches help keep hackers out.

Your role in securing the Internet of Things

The final link in Internet security for businesses as well as homes is the individual. “Take it seriously,” urges Dunlap. “Do whatever you can. Change the default passwords on your devices. Hackers know all the default passwords, and that is the first thing they try. “Watch for release of firmware updates and install them. They’ve been developed to protect your devices.” In the end, securing the Internet of Things helps to secure you and your property.
The ASIS Foundation & the University of Phoenix College of Security and Justice's Enterprise Security Competency model

Are you competent in your security job or profession? How do you know? According to research carried out by the ASIS Foundation, security has begun to evolve beyond guarding doors, checking IDs and screening briefcases and purses. Today, something called Enterprise Security Risk Management (ESRM) is subsuming the traditional concept of physical security. Enterprise Security Risk Managers identify and mitigate risks department-by-department, location-by-location, across a company’s entire business structure — in ways that contribute to the organisation’s business goals. They also respond to and lead the recovery from Enterprise Security events. “Security as guards, gates and guns is the old paradigm,” says Dr. Linda Florence, CPP, Vice President and Dean of Specialized Programs of the University of Phoenix College of Security and Criminal Justice. “ESRM goes well beyond the old paradigm.”

The new paradigm

Florence observes that large and small businesses, corporations and government agencies organise themselves with departments that perform different functions, each raising certain enterprise risks. Human Resource departments, for instance, recruit and retain new people. While it may not happen often, new employees sometimes have criminal pasts and current criminal plans. Thoroughly checking the backgrounds of new hires ranks as an enterprise risk management function that protects business goals. Similarly, other departments face enterprise risks. Accounting and finance risks include fraud and waste. Purchasing departments risk buying from companies that can’t ultimately deliver.
Production and warehousing risks include safety lapses leading to injuries. Transportation departments risk liability problems stemming from negligent accidents. “A large company may have thousands of people providing security and risk management functions in various departments in dozens of multi-national offices around the world,” Florence says. “Yet the only obvious security functions are the guards and the gates.” In light of the comprehensive scope of ESRM, it stands to reason that ESRM organisations require more comprehensive sets of risk management skills from security staffs as well as employees working behind the scenes battling enterprise risks in various corporate departments. What skills and competencies does ESRM require? In recent years, the ASIS Foundation has undertaken a series of research projects designed to define security risks that will arise in coming years, while identifying the skills necessary for mitigating those risks and responding to and recovering from events. With the benefit of that research, the ASIS Foundation and the University of Phoenix College of Security and Criminal Justice developed an Enterprise Security Competency Model. Florence was part of the team that developed the model, which identifies competency skills required by entry-level people as well as by those developing careers across a broad spectrum of ESRM capacities.

Enterprise Security Competency Model

The accompanying illustration shows that the Competency Model takes the form of a tiered pyramid that illustrates how various sets of personal and occupational skills fit together to form a professional career path. The broad foundational first tier represents “personal effectiveness competencies,” which include skills such as working with others, integrity, professionalism, the ability to take initiative and others.
These are entry level qualities that anyone interested in a job in corporate America needs — including those that study for and eventually enter ESRM functions noted in the model’s higher tiers. Academic competencies follow on Tier 2. These include critical and analytical thinking, STEM (science, technology, engineering and mathematics) literacy, communications skills as well as business and security basics. Anyone who wants a career needs personal and academic competencies — as well as the workplace competencies identified on Tier 3 of the Competency Model. The workplace requires skills in teamwork, planning, innovative and strategic thinking, technology skills and the business acumen one develops with experience. “Tiers 4 and 5 describe competencies related to entire industries and within specific industry sectors,” Florence says. “People spend their entire careers in one or another of the functions described in those two tiers. “If you are managing a function on Tier 5, you must know everything on each of the tiers below.” The areas above Tier 5 move into the C-Suite, where competencies include everything from Tier 1 up plus the fine judgments and creative initiatives that competent C-Suites use to push their companies to the top of the heap. The Competency Model: That’s how you can find out if you’re competent in your current position and what you have to do to take the next step in your career.
The Pope’s visit to the United States reminds us that protecting big-name executives, celebrities and dignitaries is a highly specialised security function. Public and private executive protection groups begin preparing for the visit of major world figures months ahead of time. “It is a task of massive proportions,” says Tom M. Conley, CPP, CISM, CMAS, president and CEO of The Conley Group, Inc. “The Pope, presidents, presidential candidates and others want to meet people, and they often plunge into crowds.” Then again, Conley notes that unlimited public and government assets become available to protect major public figures like the Pope. Their safety is of the utmost importance, and public agencies invest huge amounts of time and resources in their protection.

National Special Security Events

According to the Secret Service, dozens of federal, state and local agencies combined forces to protect the Pope in his visits to Washington, D.C., Philadelphia and New York City. The Department of Homeland Security designated the Papal visit to New York City a National Special Security Event. For such an event, the Secret Service acts as the lead federal agency for the design, implementation and oversight of the operational security plan. The plan creates and secures perimeters around events, sets up security checkpoints to screen people for admission to facilities as well as parade routes. The plan also includes a long list of prohibited items that screeners will confiscate from people passing through the checkpoints. In addition, there are airspace restrictions and maritime restrictions enforced by the U.S. Air Force, Coast Guard and Department of Homeland Security.

Public agencies’ combined protection

“It is a huge task,” Conley says. “But public agencies have handled these kinds of security programmes so often that they know how to do it well. Even more importantly, for high value individuals such as the Pope, agencies have access to unlimited public resources in terms of money and people.” For example, every security operations force runs TTPs, an acronym for tactics, techniques and procedures, continues Conley. These are virtual toolboxes that combine surveillance and intelligence collection and analysis. “The agencies combine assets and people to create a controlled environment — similar to battlefield dominance as it is called in the military,” says Conley. That is how public figures are protected. Protecting executives, celebrities and other private luminaries with private resources is quite different. “The private sector doesn’t have the manpower, technology or the government’s access to threat intelligence,” Conley says. “That can significantly hinder the effectiveness of a private protection detail.”

Private executive protection challenges

Every private security company today must deal with the corporate demand to make some business contribution to the company. Executive protection firms are no different. “We have developed metrics to prove the business value that our corporate executive protection services provide,” says Robert Oatman, CPP, president of RL Oatman & Associates, Inc., and chair of the ASIS International Executive Protection Council. Oatman’s new book, “Executive Protection: Smarter, Faster, Better,” makes a business case connected to travel time. “If we save an hour or more per day for the principal,” he says, “we can produce a true return on investment.
“With that in mind, our firm’s mission is to provide executive protection as a security specialty focused on safeguarding the life, health, time, reputation and peace of mind of corporate executives and others who face elevated risk.” Oatman also says that executive protection today no longer looks like bodyguards with guns. “No one wants in-your-face protection,” he says. “Our clients want us to be more stealthy and under the radar — to get it done without any drama.” Oatman’s company provides executive protection and executive protection training for public and private companies as well as government entities. “We recently established the first ASIS International Council on Executive Protection,” Oatman says. “Launched in October, 2014, the EP Council is now accepting membership.” Taking a cue from Oatman’s goal of serving corporate business purposes, the new ASIS Council aims to focus on executive protection as a business enabler to keep clients safe as well as productive.
The security profession continues to take on new risk management responsibilities. The big thing now is called Enterprise Security and Risk Management (ESRM). ASIS International has issued a standard on the subject: ANSI/ASIS/RIMS RA.1-2015, and a couple of booths at the recent ASIS International 2015 Seminar explored the subject.

Mitigating risks

“Enterprise Risk Management or ERM is a common business term, so we differentiate ERM from the security world by adding the word security to it,” says Ray O’Hara, CPP, Executive Vice President in the Palm Desert, California, offices of AS Solution. The growth of multi-national business enterprises with multiple locations domestically and internationally has given rise to this new and multi-faceted form of security. “ESRM covers a myriad of areas that need to be protected today,” says O’Hara. O’Hara lists domestic and foreign executive travel, manufacturing and production facilities here and around the world, third-party manufacturing facilities, executive offices, intellectual property and the supply chain that ties all of these assets together. ESRM requires continuous risk and vulnerability assessments, too, because the risks change with circumstances. “What if I have a tractor trailer with electronic equipment sitting in an unsecured truck yard 2,000 miles from its destination?” asks O’Hara. “Do I care? If I transfer the responsibility to the shipper and the shipper’s insurance, I don’t care. Then again, what if I have a customer with a deadline waiting for that equipment? Now I do care. Effective protection requires corporate security to identify all risks — in every department — and rank them as low, medium or high.
Then, where appropriate, you mitigate risks to a level that the company can absorb.”

Senior executive buy-in

For an ESRM programme to succeed, senior corporate executives must endorse it and actively support it, continues O’Hara. Suppose you walk into the Human Resources department to discuss risks involved in hiring people around the globe. Suppose further that you have discovered that HR is using a questionable (and inexpensive) service to conduct background checks, and you would like to address that risk. If the Director of Human Resources doesn’t have time for you, you will need to be able to ask the CEO to tell the director to make time, listen to what you have to say and to act on the advice you give. Without the active support of senior executives, ESRM programmes addressing departmental risks throughout every department and in facilities around the world cannot succeed. How does a security department generate that kind of support?

Developing enterprise security strategy

According to O’Hara, you have to develop an enterprise security strategy, present it to C-Suite executives and show them how your strategy synchronises with the corporate business strategy. The presentation identifies risks and liabilities, recommends ways to mitigate those risks, and shows how the cost of mitigation can prevent much larger liability costs. “Mitigation measures could be insurance, where you transfer the risk to someone else,” O’Hara says. “It could be security technology, security patrols, better background checks. It all depends, of course, on the nature of the problem right now.” For example, explains O’Hara, suppose you have protected a warehouse that is storing a custom-made inventory worth a million dollars awaiting delivery to customers.
You’ve secured the warehouse with card access locks, intruder alarms and several cameras. For good measure, you have a security guard swing by a couple times each night. As the inventory is picked up and trucked away to customers, the financial risk declines. At some point, you might decide the risk isn’t great enough to send the security officer to check on the merchandise. By the time the warehouse empties out, you won’t need anyone to monitor the surveillance cameras. Depending on when you expect the warehouse to fill up again and the value of the materials, you could move one or all of those cameras to another location. Enterprise Security and Risk Management is the next big thing for security professionals — and it is a very big, comprehensive thing.
It is that time of the year again, when security industry stalwarts gather together at ASIS to showcase the latest in physical security systems and other technological innovations. The event will focus on domestic threats as well as intelligence gathering tools to protect organisations against social media threats. The organisers of the ASIS International 61st Annual Seminar and Exhibits — ASIS 2015 — expect to welcome nearly 20,000 operational and information security professionals this year. Attendees will discover the hottest new technologies, products and services offered by 600-plus companies. Once again, this year, the (ISC)2 Security Congress will co-locate with the ASIS Seminar. “(ISC)2 will offer educational sessions that are much more than Information Security 101,” says John A. Petruzzi, Jr., CPP, Vice President of the Enterprise Security Operations Group with New York City-based Time Warner Cable. “They will begin with cyber-security 101 but ultimately cover comprehensive deep-dive cyber security for security directors’ staffs.” The ASIS show will run from the 28th of September – 1st October 2015, in the convention centre in Anaheim, California. The exhibits will fill the exhibition hall with hundreds of booths featuring the latest in physical security technologies.

The pre-seminar

If you come in over the weekend — Saturday and Sunday, 26th and 27th September — you can catch the pre-seminar for fun, for additional educational offerings, or both. Pre-seminar fun includes a fundraising motorcycle ride around scenic Los Angeles and Anaheim, a golf tournament and three welcome receptions for members with various interests. The pre-seminar will also offer educational sessions on cutting-edge subjects such as emerging security technologies, strategies for mitigating vulnerability, security strategies for the Federal market, schools, facilities, cyber-security and more.
Exhibits to focus on disruptive technologies

The main floor of the accompanying exhibits – open Monday through Wednesday – will house disruptive technologies, technological innovations and companies offering leading security services. “You will learn how dynamic the security profession and the technologies it employs have become,” says Petruzzi. “For example, companies are tapping more and more technologies in the cloud so they don’t have to buy equipment and software and house it and maintain it on their sites.” Cloud providers typically pay to maintain and upgrade their software and equipment, freeing up end-user capital. And the available technical tools have been tailored to the challenges of the modern world. “For example, there are more investigative tools out there than ever before,” Petruzzi says. “In today’s world, threats come from new and different places. “Consider social media. Security programs, today, need to collect intelligence available on social media about possible threats to a company’s personnel, buildings, intellectual property and products. New intelligence gathering tools — and companies — monitor social media environments. “There are more nimble biometric platforms, too. Not long ago, biometrics were clunky to use and difficult to maintain. Today, more flexible solutions provide increased levels of security and control. Visitors can learn about these technologies at the seminar, too.”

Education tracks for every need

Of course, the main event is the seminar itself, running from Monday through Thursday. Historically, security departments have monitored threats at locations abroad, for the sake of company personnel travelling to those locations, continues Petruzzi.
Depending on the location, those threats may be greater than ever. Domestic threats have grown to include terrorism as well as lone-wolf shooters, disgruntled current and former employees, angry spouses and so on. “From the educational point of view, security professionals from all levels will find tracks or individual sessions that will fulfil their educational needs,” says Petruzzi. You will also find the ASIS and (ISC)2 Career Center on the main floor. Here visitors can talk to experts about career building strategies and job-search techniques including effective resume presentations.

Keynote speakers

Three strong keynote speakers will set the tone for the seminar. Raymond W. Kelly, former commissioner of the New York Police Department, will share his insights on counter terrorism and cyber security. General Michael Hayden, former director of the Central Intelligence Agency and former director of the National Security Agency, will assess the political climate in hot spots across the globe. At the closing luncheon on Thursday, General James Mattis, former commander of the United States Joint Forces Command, will discuss leadership. By the end of this year’s seminar, visitors will have a sense that the industry is growing in professionalism and capabilities in ways that are necessary for managing growing threats here and around the world.
Corporate security has changed dramatically over the last few years. Traditionally, security has always been associated with physical protection and installation of security systems. In this article, Tom M. Conley, president and CEO of The Conley Group, discusses the importance of information received from law enforcement. A good rapport with law enforcement can help security directors get local criminal intelligence, which in turn will help them secure their enterprise and its assets. A police officer recently called the security director of a multi-storey downtown office building. “You might want to tell your people to stay away from the convenience store across the street for a week or so.” “There are ways of passing along information without really saying what you mean,” says Tom M. Conley, president and CEO of The Conley Group, a Des Moines, Iowa-based security-consulting firm. “In this case, the police indicated that there might be some kind of criminal activity at the convenience store.” “Perhaps a snitch told them that a robbery is being planned,” says Conley, who is also a former police captain. “By law, the police can’t pass along specific intelligence, but they can suggest a path of action such as telling people to avoid the convenience store for a week or so.” Would your local police department share such a suggestion with you? If you haven’t built a professional and credible relationship with that department, the answer is no.

Intelligence on criminal trends

“Typically, the police don’t know about security and risk management. That isn’t their area of expertise. But the police do have good data about criminal trends and the types of crimes occurring in and around all of the areas in their cities,” says Conley.
“They also have specific intelligence that can help your security cause.” “A security director has to look past the end of the property’s sidewalk. It’s very important to understand the criminal trends across the area of the city around their property.” The police would be able to point out the gang area a couple of blocks south of your building. They might also tell you that the block of storefronts to the north is usually safe during the day, but iffy from the early evening on. The police will fill you in when you ask for the data. “You can find out how many robberies and other crimes occurred in an area in the past year,” Conley says. “While it is important to know what has happened in your area, you can’t address tomorrow’s threats with yesterday’s data.”

Trusting relationship with police

Of course, you need to assemble a security program capable of dealing with the risk profile your security assessment has developed for your building. You also need the area intelligence picked up by the police. “Intelligence is loosely defined as non-public information that may be relevant to your enterprise,” Conley says. “For instance, your police contact might mention that there are rumours of a robbery being planned for that block of storefronts to your north. They might mention that they are keeping an eye on the spouse of a woman working in your building.” “That is the kind of timely and actionable intelligence that you need.” But the police won’t share such intelligence with you unless they trust you. You will have to build a professional and trusting relationship with them. “The police won’t work with people that aren’t professional and credible,” says Conley.
“Forming such a relationship can be challenging.” “You will have to reach out to law enforcement and work to develop a two-way information sharing relationship.”

InfraGard - sharing threat information

InfraGard is an organisation that can extend your relationships to and beyond local law enforcement to the FBI and other security directors in your city. “InfraGard is a public-private organisation started by the FBI in the late 1990s,” Conley says. “You’ll have to be vetted, but you can join for free.” As a member, security professionals and law enforcement will share threat information with you and you with them — with no chance that security threats involving your company will be made public. “InfraGard is a way for law enforcement to reach out to security directors, build trust and find ways to work together,” Conley says. “Equally important, it is a way for security directors to build a trusted working relationship with law enforcement.”
The key to maintaining an effective security system is timely detection of security breaches. Widespread use of technology has resulted in massive amounts of data transfer which in turn makes organisations vulnerable to both internal and external threats. Mass shootings, data thefts and other internal breaches of security have cast a spotlight on the issue of insider threats. According to the Security Executive Council, an insider threat is: “Any risk posed by current or formerly trusted individual(s) with access or privileged knowledge; used to damage, deprive, diminish, injure or interrupt organisational stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorised conduct (acts or omissions).” What kind of harm do insider threats cause? Not long ago, a computer programmer working for a Wall Street firm stole 32 megabytes of proprietary computer code with the idea of selling the data to a competing firm. The company discovered the theft through routine network monitoring. The employee was charged and convicted of stealing trade secrets. This and a number of other examples of the trouble insider threats can cause come from an FBI brochure entitled “The Insider Threat.” The examples in the brochure mostly relate to thefts of computer files, but experts caution that insider threats go far beyond data theft. For example, they point to Nidal Malik Hasan, the U.S. Army Major who shot and killed 13 people and injured more than 30 others at Fort Hood in Texas in 2009. He worked at Fort Hood as a psychiatrist. Insider threats can harm a company — or a government agency — in dozens of ways, from stealing proprietary information to injuring or killing people. The worst insider threats are existential — dangerous enough to literally destroy an organisation or business.
Identifying insider threats

Experts say that insider threats don’t necessarily match the description of a mass shooter before the act. You’ve heard that description: Someone who has grown withdrawn, moody and disagreeable. An insider threat secretly plotting to do harm will likely try to hide his or her emotional state from others. “The FBI lists a number of behavioural indicators that insider threats might display,” says Mike McCall, owner and president of MPM Consulting LLC, a consultancy that helps clients deal with inside threats. Insider threats might indicate their intentions by:

- Taking proprietary material home without need or authorisation.
- Paying too much attention to matters outside the scope of duties, particularly those of interest to competitors.
- Accessing the company network remotely while on vacation, sick leave or other unusual times.
- Disregarding IT security policies by installing personal software or hardware, conducting unauthorised searches or downloading confidential material.
- Visiting foreign countries for unexplained or odd reasons.

“I’ve asked one of my contacts at the FBI how many of these indicators you would want to see before taking steps,” says McCall. “The answer is three or four.”

Mitigating insider threats

The Security Executive Council advises companies to form cross-functional risk councils to identify risks of concern and to discuss mitigation strategies for the risks. Among the many types of risks these councils evaluate are insider threats. “Members of the council are drawn from many functions across the corporation that deal with risk,” says Kathleen Kotwica, executive vice president and chief knowledge strategist with the Security Executive Council.
“That’s important because different departments will focus on different risks or aspects of risks.” “R&D might be concerned about intellectual property theft, while personnel might be more concerned about workplace violence,” she adds. “IT will concentrate on cybercrime, permission issues and the misuse of passwords. By creating an umbrella group, you can look at all the risks facing a company, and communicate it up the chain, including insider threats.” If the security department is starting an insider risk mitigation program, revamping an existing insider risk program or reviewing the current program, the Security Industry Council can take them through the steps to identify insider risks, rate those risks on a scale from a minor threat to a major threat, identify potential actors and targets, determine who in the corporation is responsible for mitigation, and look at the balance between mitigation options and cost. “From there, we create a scorecard that reflects which insider threat risks are adequately covered and which are not,” says Kotwica. “This can be used to plan appropriate strategies to reduce the gaps identified.”
News mentions
Many of the most well-trafficked articles posted at SourceSecurity.com in 2015 were those that addressed timely and important issues in the security marketplace. In the world of digital publishing, it’s easy to know what content resonates with the market: Our readers tell us with their actions; i.e., where they click. Let’s look back at the Top 10 articles we posted in 2015 that generated the most page views. They are listed in order here with the author’s name and a brief excerpt.
1. Video analytics applications in retail - beyond security [Larry Anderson] Analytics can help catch suspects by alerting in real-time. After the fact, analytics used for search purposes are far more effective to identify a theft. Secondly, analytics can be used in retail to track customers, understand their age and gender, manage queue lines, know how long people dwell at an end cap, provide heat maps, etc.
2. Cybersecurity - hackers target SCADA embedded systems [Vicki Contavespi] “SCADA monitors devices on the grid many times per second and was never intended or designed to have virus protection or security protocols,” says Dave Hunt, an independent homeland security consultant and a founding member of the National InfraGard Electromagnetic Pulse special interest group. In fact, continuous monitoring makes it virtually impossible for a SCADA system to validate a security protocol.
3. Home automation standards and protocols [Randy Southerland] As the home automation industry has expanded with an ever-growing number of devices and services, companies are placing bets on which wireless protocols will dominate. The past few years, the leaders have been Z-Wave and ZigBee. Companies are also using a variety of other standards including Crestron’s Infinet, Insteon, and proprietary technologies such as Lutron’s ClearConnect.
Readers were interested in Prism Skylabs' retail applications, utilising IP cameras as sensors to gather data on customer behaviour
4. The numbers tell the video story at ISC West: 4K and H.265 [Larry Anderson] The latest in video surveillance equipment at ISC West [in 2015] is reflected by the numbers you hear repeatedly on the show floor, numbers like 4K and H.265. Big players like Panasonic have joined the 4K bandwagon in a big way. Sony introduced a 4K camera with a larger sensor size (1-inch) to increase light sensitivity, displaying the better view alongside a “Brand X” competitor in the Sony booth.
5. Video analytics: Prism Skylabs envision IP cameras as sensors to expand their role in retail [Larry Anderson] Prism Skylabs is helping to drive a re-evaluation of the role of video cameras in the market. Founded in 2011, the San Francisco cloud service company thinks of IP cameras as sensors that are capable of providing a range of data that can be managed and processed in the cloud to provide more useful information to end-user customers. Prism’s current implementations of the “software as a service” approach focus on retail merchandising and marketing applications, but Prism Co-Founder and Senior Vice President Bob Cutting sees many other opportunities too.
6. Video analytics for forensics: Analytics-based forensic evidence collection [Larry Anderson] Another aspect of video analytics is how the technology can be used for forensics. Basically, intelligent searches of video archives provide investigators faster access to any needed video clip based on the content of the video. It’s a monumental improvement over the old days of searching for hours while rewinding and fast-forwarding videotape.
7. IP video surveillance market – revealing the ‘industry standards’ myth [Mark Collett] Considering the state of the IP surveillance industry, standardisation would likely drive vendor consolidation and force companies to evolve in order to succeed. Many industries have successfully implemented standards – including energy, telecommunications, consumer electronics and aerospace. These are all vibrant industries; standards have not driven any of them to extinction, as some in the security industry believe they would.
Another topic of interest was the public and private protection of public figures, spurred by the Pope's visit to America earlier this year
8. Physical Security Information Management (PSIM) – the death of an acronym? [Larry Anderson] Lately, we have even begun hearing manufacturers starting to avoid the PSIM term and its historic baggage and preconceptions. When a buzzword takes on a negative stench, it loses its impact. If a PSIM is perceived as negative, the initials lose their usefulness even as a marketing term (which some say PSIM was all along).
9. Avigilon acquires fundamental patents covering video analytics [Larry Anderson] What are the ramifications when a major supplier in the video analytics space owns many of the patents that are fundamental to its competitors’ businesses? It’s one thing to pay licensing fees to a fading player like ObjectVideo (perhaps to avoid costly litigation?), but isn’t paying those fees to a direct competitor another matter?
10. How public and private security operations protect celebrities, big-name executives and dignitaries [Michael Fickes] According to the Secret Service, dozens of federal, state and local agencies combined forces to protect the Pope in his visits to Washington, D.C., Philadelphia and New York City. The Department of Homeland Security designated the Papal visit to New York City a National Special Security Event. For such an event, the Secret Service acts as the lead federal agency for the design, implementation and oversight of the operational security plan.
Observers suggest asking open-ended questions and focusing in on specific details as the conversation moves ahead
If a trained interviewer has ever questioned you, you may have started out by promising yourself to keep certain information secret. Then during the interview, you spilled it all. Police detectives, officers and savvy security professionals have learned how to talk to people in ways that will elicit information that subjects prefer to conceal. How do they do that?
“Start out by building trust and rapport,” says James E. Whitaker, CPP, President and CEO of The Whitaker Group in Cincinnati. “Keep it conversational and friendly.” Whitaker also suggests making the interviewee feel as comfortable as possible. “Don’t sit between the individual and the door,” he says. “Have them sit with their back to the door so that they can get up and walk out without having to navigate around tables and chairs.”
If the individual might be subject to criminal charges, you should offer an opportunity to confer with an attorney and to have an attorney present during the interview. Similarly, information obtained through threats or force will be thrown out of criminal as well as civil court if matters get that far. It is probably wise to conduct the interview as if the matter will go that far. “In that regard, you should conduct the interview in ethical and lawful ways,” Whitaker says.
Creating a comfortable atmosphere
Begin by getting to know the individual, Whitaker continues. Ask interviewees about themselves. What do you do for a living? How long have you been doing that? Do you like it? Asking about themselves gets them talking about themselves, a subject they know and enjoy discussing. Once they are talking, ease into questions related to the investigation.
Open-ended questions for fact extraction
Observers suggest asking open-ended questions and focusing in on specific details as the conversation moves ahead. Instead of asking, “Why did you steal that laptop,” you might say: “The policy against taking laptops and other electronic equipment home is well publicised. Why did you think it would be okay this time?” A rationale as a response might be akin to an admission of having stolen the laptop.
Body language speaks volumes
“Focus on eliciting facts and avoiding suppositions and opinions,” Whitaker continues. “Look for signals that you are being lied to. Pay attention to body language. When someone lies, he or she might lean or step back — it might be a big step or a slight movement. He or she might also break eye contact.” Observers also suggest watching for yes and no answers and long-winded answers. Truthful answers are typically direct. “No, I wasn’t there, yesterday,” sounds truthful to an interviewer. Then again, “No, I walked home in an entirely different direction, and I was probably miles away,” sounds contrived.
Refrain from using loaded language
At the same time, Whitaker cautions against using loaded terms such as lying, stealing, thief, and other words that will only make the person being interviewed pull back. Another suspicious category of answer is “huh?” Police interrogators say that guilty individuals often answer accusatory questions with a “huh?” or “what?” or other question that fakes not having heard the question.
Know what you want
Most importantly, make sure you know as much of the story as possible before undertaking an interview. “You have to do the investigative work, first, and learn the answers — or at least the likely answers — to most of the questions you plan to ask,” he says. “That way you will know when you are being lied to, and you can follow up with questions based on the factual findings of your investigation.”
Finally, don’t forget that an interview is one piece of a larger puzzle including other interviews, inspections of the scene where the event took place, as well as the overall corporate environment. While there are always a few anomalies, most of the pieces must fit together into a whole that seems a realistic explanation of what happened.