Dedicated security professionals arrived early in Atlanta to take advantage of the various preseminar programs on offer at the Marriott Marquis. The programs, which were held on Saturday and Sunday before the launch of the ASIS International 54th Annual Seminar and Exhibits, offered information on various topics. Some of the programs offered were security consulting, detecting deception, security management for beginners, college and university security, developing business acumen, critical infrastructure protection, and convergence.
A line-up of experienced security consultants shared their expertise with those looking to start a consultancy at the “Successful Security Consulting” program held on Saturday and Sunday. The session was sponsored by ASIS and the International Association of Professional Security Consultants.
Steve Kaufer of Inter/Action Associates, Inc., in Palm Springs, California, led the opening session of the program. “We will give you the information you need to consider whether you want to pursue consulting,” he told the attendees.
Kaufer explored the positives of a consulting career, including an interesting range of projects, flexibility in the number and complexity of jobs, and, of course, additional income. He also noted that the need for consultants is on the rise. “There is a greater demand from organizations for outside help and temporary help because companies can’t always add staff,” Kaufer said.
In the program, speakers covered every aspect of security consulting from writing winning proposals and gaining clients to preparing reports, performing security surveys, partnering with other consultants, establishing fees, and marketing. However, the program did not cover security. “You already have a tremendous base of knowledge,” said Kaufer. “We aren’t going to talk about security. You already have this knowledge, and other people need it.”
Attendees gathered on Saturday and Sunday to learn a critical investigative technique—how to tell whether someone is lying. In the program “Statement Analysis and Verbal Clues of Deception,” presenter John H. Dietz, CPP, covered issues such as how to eliminate multiple suspects from an investigation and how to develop rapport with the person being interviewed.
Dietz then led attendees through a series of exercises to help them pick up on deceptive language. For example, in written statements, investigators can learn much from the insertions and deletions suspects make to a document. Changes in the use of nouns and verb tenses as well as skipping forward in time can indicate deception, according to Dietz.
As a practical exercise, the group analyzed real cases. Dietz pointed out how helpful this can be. In one training exercise, the class analyzed a group of interviews and narrowed the list of suspects down to one person. “The class worked it out and the police went to interview the prime suspect the next day,” said Dietz. “They got a confession.”
Attendees at “Security Management for the Beginner: Where Even Experts Can Go Wrong” learned that it doesn’t matter whether a security manager comes from the world of law enforcement, the military, or elsewhere—nothing substitutes for on-the-job training.
In a talk presented in conjunction with the International Foundation for Cultural Property Protection, Stevan P. Layne, CPP, discussed the various roles of an effective security manager, from leader to disciplinarian to coach.
Layne noted managers often make disciplinary mistakes. He said leaders must be fair and hear workers out, and he asked, “How can you evaluate whether someone followed the rules without hearing their side?” Layne said an oft-overused tool is suspension without pay. Although there are certain situations where such action is necessary (like during an internal investigation), Layne said when a manager relies on such disciplinary action “above all else,” workers end up terrified and often come back from the suspension just as unproductive. Layne instead advocates getting to the heart of the problem through communication and problem-solving.
Effective managers must also take an active interest in their employees, listen to them, and encourage them to advance in their own careers.
Above all, a manager must be a leader. “Are they going to follow you into battle?” asked Layne, because when a disaster or crisis hits, the environment becomes a “quasi-combat zone.” Layne suggested subjecting applicants to a stress interview, where several people with various fields of expertise spit rapid-fire questions at the interviewee to see how he or she handles it. If they become nervous in that situation, it could be a sign that they won’t be able to respond well in a true crisis later on.
Layne also emphasized that while a manager must be respected, he or she must also be open to learning from others. He said a true leader is an interested manager, “someone who doesn’t know everything but is willing to find out.”
PROTECTING THE CAMPUS
The massacre at Virginia Tech has led to widespread investment in new security technologies and the creation of new policies and procedures across college and university campuses everywhere. But few campus security stakeholders know what technologies or procedures they should select to protect their campus.
Bernard D. Gollotti, CPP, executive director of public safety for the University of the Sciences in Philadelphia and the vice chairman of ASIS International’s Philadelphia chapter, helped security practitioners sift through recommendations from recent public and private campus threat assessments during the preseminar session, “Protecting Your Campus: Selecting the Right Technologies,” on Sunday morning.
The problem with campus security after Virginia Tech, according to Gollotti, is that everyone fears the high cost, low probability events most, when more mundane things such as fires in residence halls or college students crossing busy city streets gets short thrift. “Somewhere in the next few weeks someone’s going to ask how you’ve planned for a pandemic [flu outbreak],” he said, stressing his point.
Among Gollotti’s many recommendations to campus security officials were the creation of behavioral threat assessment teams to share information on problem individuals on campus; coordination and collaboration with local, state, and federal responders; the adoption of a multilayered emergency notification system; the installation of remotely-controlled keyless locks in dormitories and classrooms; and more active monitoring of a campus’ CCTV system.
Gollotti told campus security practitioners to become well-acquainted with their respective institution’s IT department because they are the foundation of any good security system. “One day we may all be working for IT and not public safety,” he said. “They control the network,” especially necessary technologies such as IP cameras and access control systems.
Chief security officers often have a tough time persuading the executive suite of their critical importance to business. The big problem, according to John Lingle, principal consultant for the Metrus Group, is that many CSOs can’t “communicate their value in a language business executives understand.”
Lingle’s preseminar session, “Business Acumen for Security,” on Sunday morning, sought to change that. By providing security professionals with the financial fundamentals, the strategic focus, and the return-on-investment (ROI) acumen, he says security can find itself on the positive side of the bottom line.
Business executives want measurable results and those in the security field that can’t provide metrics, such as ROI, suffer. According to a 2006 Metric Group study, security departments that did not use ROI measures experienced slower budget growth and were three times more likely to suffer personnel cuts than those security groups that provided ROI metrics.
Security professionals also need to identify the various ways they provide value to a business and categorize them according to cost, Lingle says. For instance, hiring more security guards to reduce theft is often a less expensive endeavor than creating and implementing a supply chain protection program. Security professionals should also understand the concept of an opportunity cost or the realization that investing in one problem’s solution will often leave other problems unaddressed. Security professionals, therefore, must choose those security investments that will solve the problem with the greatest ROI possible.
To do this correctly, security professionals need a strategy. Lingle says CSOs should ask “What are the underlying assumptions when I spend money here rather than there?” Security professionals should assess their department’s strengths and weaknesses, determine what opportunities are available to achieve their goal, evaluate how their environment may change, and decide what they will not do because of scarce resources.
The strategy should also realistically gauge what a security professional or department can achieve. Lingle says security professionals can typically list 20 or more weaknesses of their organizations on average. His advice: “You can’t fix 20 things. Pick the three most important.”
Afterward, if a security group’s strategy fails, there are only two options as to why: “Either you had a bad strategy or you had bad execution,” Lingle told his listeners.
Security stakeholders from the private, homeland security, and defense sectors gathered for a daylong session highlighting “Public and Private Perspectives on Critical Infrastructure Protection.”
Steven D. Young, CPP, deputy director of the Department of Homeland Security’s (DHS) Infrastructure Information Collection Division, provided an overview of the decade-old federal effort to define and help protect the nation’s critical infrastructure and key resources (CI/KR), which range from bridges and highways to the nation’s financial system.
King discussed DHS’s new Homeland Infrastructure Threat and Risk Assessment Center (HITRAC), a critical new link in public-private collaboration for CI/KR protection. HITRAC’s analysts monitor intelligence from around the world to produce threat advisories tailored to domestic interests.
The HITRAC process quickly detected and addressed a disconnect between the federal government’s typical terrorism intelligence and the needs of U.S. private security, King said. After an attempted terrorist attack on an oil facility in Saudi Arabia, HITRAC flew analysts to Houston to brief U.S. oil industry security officials on the event.
At the briefing, industry officials wanted information about factors like the attackers’ clothing and vehicles and the performance of the facility’s physical security elements. Analysts, however, had focused their research on topics like attack financing and organization. HITRAC officials learned that the intelligence needs of private security are far different than those of federal counterterrorism officials, and the program has adapted its products, King said.
Paula Scalingi, a veteran government security professional and now director of the Pacific Northwest Center for Regional Disaster Resilience, also addressed the session, discussing the potential impact of a “bio-event,” whether a terrorist attack or a pandemic outbreak, on CI/KR. Continuity and resilience plans will only work during a bio-event if they are prepared on a region-wide basis, Scalingi said.
Planning efforts to sustain CI/KR during bio-events are lacking, Scalingi said, listing gaps in areas such as identification of sector interdependencies, assigning roles and responsibilities, information sharing, and IT infrastructure maintenance.
Many organizations are converging their physical and information security applications onto their main corporate network. But once these myriad applications, some of which previously ran on private networks, are conjoined, what’s the best and most effective way to run them all?
That was a central focus of a preseminar program, “Going IT: The How and Why of Putting Your Security System onto the Corporate Network.” Companies are looking to put just about everything security-related on their network, says Howard J. Belfor, CPP, regional vice president for the southern USA for ADT Advanced Integration. Applications range from e-mail programs to Internet Protocol telephony to fire alarm systems.
The program looked at some of the applications that are being integrated. It also discussed some of the ways hackers are trying to take advantage of network vulnerabilities. It then broadly discussed some cutting edge-integration systems that can help managers run all their systems in one place or on one integrated software application.