Security Lessons Learned

By The Editors

IT security. Physical and information technology (IT) security professionals should work more closely together, according to speakers in the Monday session, “Computer Security for the Physical Security Manager.” Security pros from the physical side should also become familiar with many current IT security goals—and pitfalls.

 It’s sometimes been difficult for the two kinds of security professionals to work closely, said Ronald Lander, CPP, chief specialist, UltraSafe Security Solutions. One reason is that both sides worry that working too closely together could diminish the perceived value of each side’s respective jobs. But many companies are well along in converging their IT and physical security, he said. Highly effective physical security professionals learn some IT security basics, and if they are not already doing so, they should speak with their IT security colleagues to make sure core company security procedures are in place.

 A major IT security objective is to keep private data private. This is especially important for companies that need to follow major regulations such as Sarbanes-Oxley (concerning finance and accounting at public companies regulated by the Securities and Exchange Commission) or the Health Insurance Portability and Accountability Act (on health data). Another key IT security goal is to locate and protect the company’s most valuable data assets first. In addition, it’s becoming increasingly important for IT managers to look at security problems within the context of broader company business goals.

 Lander also listed a number of major, but surprisingly common, IT security mistakes. One is failing to regularly patch applications; another is neglecting to install and update antivirus software. Another problem is leaving default passwords on applications ranging from firewall appliances to wireless networks.

 As physical security systems migrate to the corporate network, physical security professionals should ensure that the systems remain secure. One example includes Internet Protocol video. Physical security professionals should make sure the firm’s network can remain running after a power failure, he said.

 Ethics. In the session titled “The Business of Ethics in Today’s Security,” led by Mike Kolatski, CPP, security manager for the City of Seattle, attendees learned that establishing a code of ethics is particularly important for those in the security industry. This is because its professionals often have access to information that others in the company might not.

 The ethics challenge is a unique one for companies because it is not just a question of right and wrong; rather, there are three major types of ethics (personal, business, and cultural) that are often in opposition to each other. For example, Kolatski cited California Governor Arnold Schwarzenegger’s recent plan to cut wages for state workers while waiting for a new budget to pass. While Kolatski said that was likely the right business decision to force the issue and get the budget passed, it was not necessarily ethical on a personal level to the employees who would be taking the pay cuts. And cultural ethics, or what is “right and wrong” in a specific society, can vary not only from nation to nation but also within different areas of the same country.

 Kolatski said it’s not enough to have a written policy or code of ethics in a business or organization. “If the culture’s not there, if those ethics aren’t there, if we’re not leading them by example, how can we expect them to understand what we’re saying about what’s right and what’s wrong?” He illustrated the point by reading from Enron’s code of ethics from 2000, which he called a “typical” code of ethics. Although the company hit all the right points in its policy, the leadership obviously did not follow them, as evidenced by Enron’s accounting scandal and 2001 bankruptcy. Kolatski says leaders must ask themselves if their company’s code of ethics truly represents what is believed in the organization.

 Port security. While the need to protect coastal ports has received much attention, new efforts aim to protect smaller high-risk maritime facilities in rural jurisdictions, said Laurie Thomas of the University of Findlay in Ohio.

 The scope of the challenge is daunting. “Forty-one states, 16 state capitals, and all states east of the Mississippi River,” she said, “are served by commercially navigable waterways.”

 Rural high-risk maritime facilities face many of the same threats that large ports do, but the perception of “It won’t happen here” still persists, said Thomas. Nevertheless, many “facility security officers fear being used for practice, like a tackling dummy,” by terrorists, she said.

 To ensure that rural responders are prepared for a terrorist incident in their jurisdictions, Congress and the Department of Homeland Security created the Rural Domestic Preparedness Consortium. Led by Eastern Kentucky University, partners are researching what common emergency response gaps many rural communities share so that rural emergency responders can get the necessary training they need to handle a terrorist attack or a natural disaster.

 Thomas also stressed that all security breaches that occur at rural, high-risk maritime facilities must be reported to the National Response Center. It could be the last link analysts need to recognize an emerging threat, she said.

 Special events. Two security professionals whose companies had a presence at the 2008 Beijing Olympic Games shared insights gained from the experience in the Tuesday session, “Global Security Planning and Operations Supporting the 2008 Summer Olympic Games: Challenges, Success, and Lessons Learned.”

 Steve Chupa, CPP, security director for Johnson & Johnson, and Raymond Mey, chief executive officer for Security Consultants International Corp., provided a retrospective view of the games, packing their presentation with practical advice learned the hard way: on the ground.

 Chupa and Mey warned that the response from a host government in an emergency situation may not be what you expect it to be, and they stressed the importance of communications systems in emergencies and otherwise. “You have to take care of yourself,” Chupa said. “You can’t rely on the government; they have their own concerns.”

 The presenters also advised that you should expect the unexpected. On the morning of the opening ceremonies, 200,000 soldiers with guns replaced the unarmed policemen on security detail in Beijing, Chupa remembered. But by the next morning, the soldiers were gone. “With constant changes in security,” Mey said, “we didn’t know how to act.”

 The two professionals mentioned several of the efficient processes they saw from other companies as well. Visa placed a bar code on their credentials and used portable scanners to keep track of their guests and staff. Coca-Cola accounted for all of their tickets by counting, shrink-wrapping, and then moving them to the area on an armored truck.

 Chupa stressed the problems cultural concerns can cause and the importance of having local, on-site contacts. He learned quickly that when you hire security officers in China, you are responsible for feeding them. You are also responsible for bringing in bottled water. “It’s not so easy to bring large quantities of bottled water into the Olympic Green,” he said.

 A different kind of special event is being planned for next year—the ASIS International 55th Annual Seminar and Exhibits. The highlights above are only a sampling of the information available to seminar attendees. Don’t miss next year’s opportunities in Anaheim, California from September 21 through 24.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.