Security Lessons Learned

By The Editors


 Attendees Gather Information, Gain Insight

 Security professionals must anticipate new threats as the landscape of risks grows and evolves. To bring home the latest in technology and techniques, speakers at more than 170 sessions gave information on a range of topics from homeland security to liability protection. Following are summaries from just a few of the week’s presentations.

 Critical infrastructure. Seminar attendees charged with protecting the nation’s critical infrastructure and key resources (CI/KR) received an overview of the Department of Homeland Security’s (DHS) risk mitigation outreach efforts during a session on the agency’s Protective Security Advisor (PSA) program.

 The initiative has placed 79 advisors in 60 districts across 40 states and Puerto Rico. PSAs are security experts, most with at least 20 years of experience, typically in law enforcement, the military, or counterterrorism specialties. PSAs serve primarily as facilitators in protecting 3,000 assets DHS has designated for heightened protection based on the consequence factors of an attack, such as potential loss of lives and economic impact.

 The work done by PSAs consists primarily of one-on-one interaction with CI/KR operators, including site visits and assistance with vulnerability assessments to help those operators determine where and how best to direct limited resources for protective measures.

 Mike Norman of DHS’s Protective Security Coordination Division, within the Office of Infrastructure Protection (OIP), spoke in place of division Director William F. Flynn, who was unable to attend due to the agency’s response to Hurricane Ike in Texas and Louisiana. Norman explained that DHS has set about the massive task of assessing both risk across CI/KR sectors and the cascading nature of failures based on the interdependence of multiple sectors.

 OIP has begun the challenging job of assessing consequences within systems, as opposed to hard assets, Norman said. “We’ve done a few, and we’re looking at doing more in the coming year—many, many more.”

 Coming years’ budgets will fund added PSAs, Norman said, with plans to post a PSA to each of the nation’s more than 50 state, regional, and urban intelligence fusion centers, where officials seek to detect emerging terrorist threats. “If you don’t know your protective security advisors, I recommend you reach out to them,” Norman told the audience. “They’re out there every day, doing great things, working in the community. They’re very energetic.”

 Vendor relationships. Product and service suppliers play a vital role in security. But companies have to know how to ensure that these relationships do not create vulnerabilities that can open up opportunities for crime. That was the topic of a session titled “Vendors: Are They Ripping You Off?”

 R.A. (Andy) Wilson, CPP, CFE (Certified Fraud Examiner), and George E. Curtis, a professor in the Economic Crimes Program at Utica College in New York, provided an overview of the crime risks facing security managers who use vendors.

 Curtis said that any client company hiring a vendor should require that the vendor abide by the same laws and guidelines as it does—from an internal code of conduct to statutes like Sarbanes-Oxley. Service contracts should afford the client the right to audit the vendor’s books, to ensure they match up with the client’s, Curtis said.

 Curtis further advised client firms to keep in-house vendor files current. Typically, about half the vendors in those files are inactive and, thus, unduly expose firms to phony billing. Companies must also eliminate duplicate or erroneous company information—for example, when the same company is listed two different ways, such as “IBM” and “I.B.M.”

 The session also covered “the fraud triangle” that is present when employees rip off employers: opportunity, motivation, and moral justification. Red flags for fraud include employees facing personal financial difficulty or suddenly living beyond their legitimate means.

 Asked about best practices relative to gratuity policy, such as guidelines for employees accepting gifts from vendors, Wilson recommended a value limit, like $25 or $50, rather than a ban. If gifts are banned, he explained, employees are likely to still accept things like mugs or computer mouse pads, which could create a slippery slope.

 Terrorism trends. A scholar from the University of Central Florida led a session titled “Looking Beyond the Threat Horizon: Future Trends in Terrorism and their Strategic Implications,” which highlighted the importance of identifying trends amid the violence.

 “The need to identify future movements is absolutely important,” said Dr. Stephen Sloan, professor and fellow in the university’s Office of Global Perspectives. He noted that future analysis may seem like an academic endeavor, but has “serious operations implications.”

 Citing the work of his colleague Abeer Abdalla, a Global Connections Advanced Scholar on Terrorism at the university, Sloan discussed the importance of tracking attacks to better understand important trends, including geographic distribution of attacks and information about the perpetrators and the victims. For example, data shows that more than 50 percent of terrorist attack victims in 2007 were Muslim. Sloan anticipates that inter-religious, sectarian violence will intensify.

 Another issue is the impact on the youngest members of communities affected by terrorist violence. More than 2,400 children were reported killed or injured in terrorist attacks in 2007, 25 percent more than in 2006. Sloan worried about the legacy left behind. “You have youngsters who are combat veterans at 12 years old,” he said. “I think increasingly warfare will be fought by these youngsters.”

 Sloan outlined other ongoing challenges including: state sponsorship of terrorism with Iran and Syria supporting the destabilization of Iraq; the Taliban resurgence in Afghanistan; the Israeli-Palestinian conflict that remains a source of terrorist motivation; and the opportunities for recruitment that multimedia channels offer.

 He also noted other current trends, including an intensification of terrorist propaganda warfare, al Qaeda as a global insurgency, and the radicalization of immigrant populations, especially youth and minorities in Europe, Africa, and the Middle East.

 Training. Attendees at a session on security awareness learned that despite the growing affordability and sophistication of security technology, the most important factor in protecting facilities and information is an organization’s staff. “It is fundamental to have an excellent security awareness program…. The most important resource you have is people,” said Deborah Russell Collins, executive director of the Chantilly, Virginia-based National Security Training Institute.

 Shawn S. Daley, chief security officer of the Massachusetts Institute of Technology Lincoln Laboratory in Lexington, Massachusetts, described a multifaceted security education and awareness program that regularly engages employees and researchers in different ways, whether they learn best by listening, reading, or watching.

 “Audio” learners can be engaged in their new employee orientation, briefings, or a novel device Daley employs: regular security seminars. “Readers” might best be reached through informational packets, newsletters, and easy access to government counterintelligence materials. “Visual” learners might benefit most from World War II-style security posters, which Daley recommended arranging on a strategically placed bulletin board, which he calls a “security corner.”

 Daley recommended reaching out to the National Security Agency (NSA) based at Fort Meade, Maryland, where fellow speaker H. Robert Kennedy Jr. runs the agency’s Counterintelligence Awareness Division.

 Kennedy’s office indoctrinates all new NSA employees and contractors to ensure that they are prepared for the ever-present threat from foreign agents. The division also produces myriad visual education materials, like posters, which it distributes free-of-charge to all government security stakeholders who ask.

 All the speakers, including Kennedy, said security units must be accessible so that employees feel comfortable reporting concerns. Training and education programs can help demonstrate that accessibility. “We want people to come see us. We want to stop something before it becomes a real problem,” Kennedy said.

 Workplace violence. In the session “Recognizing, Assessing, and Managing Those Who Present Workplace Risk: A Case Study,” speaker John Lane, vice president of crisis and security consulting at Control Risks, provided advice on how to recognize and deal with potentially violent employees. He pointed out to a standing-room-only crowd that 70 percent of workplaces do not have a formal workplace violence program, despite findings that there are thousands of threats of violence every workday.

 One challenge in fighting workplace violence is the fact that about 43 percent of those threatened and 24 percent of those attacked at work do not report the incident, according to the Bureau of Labor Statistics. Lane said it’s important to conduct training and demonstrate to workers that your team is capable and prepared to respond to workplace violence issues.

 Lane dispelled several common workplace violence myths, including the perception that most incidents come out of the blue. “These incidents don’t just happen spontaneously,” said Lane. “People work through a process—there is a pathway that people will pursue toward ultimately committing violence.”

 Some of the risk factors for workplace violence that Lane pointed out are paranoia, depression, and feelings of grievance. “People [who] will rationalize in the workplace that others are out to get them…will ultimately have increased potential to commit violence.”

 The process of evaluating an employee’s risk of becoming violent should be a fluid one, warned Lane, because the evaluator won’t get all the information right away, if ever. For example, it’s difficult and sometimes impossible to get accurate mental health and criminal histories. As more information comes to light, the conclusion about the risk an individual presents is going to change.

 Weapons detection. The challenge with regard to weapons detection is the range of everyday objects that terrorists can use to conceal weapons or to serve as them. And perhaps no other country faces as many of these rapidly changing security challenges as Israel.

 In a session titled “Cutting-edge Security Development in Israel—Intensive Co-op and High-tech,” a senior advisor at the Israel Export Institute said the next great terrorism threat will be the unconventional weapon of mass destruction. “There is a lot of activity among terrorist organizations trying to obtain this type of weapon,” Major General David Tsur said.

 There is also the traditional bombing attack delivered by a suicide bomber. He pointed to the Madrid train bombings as an example of the effectiveness of the suicide attack strategy. The attack prompted voters not to reelect the incumbent political party, and the new government pulled Spanish forces out of Iraq. Even though the bombing was not a huge terrorism attack in terms of casualties, “it became a strategic attack because of the influence on the government, which had to take actions and measures because of the public pressure.” He added: “It’s the most primitive weapon you can think about.”

 Several companies made presentations about new high-tech tools used to fight terror, but Tsur warned, “Technology by itself cannot solve the problem.”



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.