Tuesday was a day of learning at the ASIS 59th Annual Seminar and Exhibits. Attendees had plentiful choices—session topics covered the breadth of the security industry. Ahead lies reportage on just a few of the many expert presentations that occurred at McCormick Place.
Retail Loss Prevention
Retail security professionals learned about loss prevention and ways to fight organized retail theft in a Tuesday session titled “Pressing Issues in Retail Loss Prevention.” J. J. Coughlin, vice president of law enforcement services at LoJack Supply Chain Integrity, said organized retail crime (ORC) has been growing for the past few years. He pointed out that although companies may have insurance to cover the thefts, the manufacturers will still have to replace the products and the client won’t receive what they need on time, so the crimes resonate throughout the supply chain.
Coughlin serves as director of the Supply Chain-Information Sharing and Analysis Center, which collects data on cargo theft from law enforcement and various other members. Coughlin said that the places the thefts occur might change but the main takeaway is that they tend to occur when a driver has left cargo unattended, whether that is for two minutes or two days. He also told attendees that 70 percent of cargo theft happens between Friday and Monday, so companies might need to look into upgrading weekend and downtime security.
Coughlin also demonstrated hotspot mapping, which showed that Florida is a particularly vulnerable state for cargo thefts. He noted that food is usually the most frequently stolen item.
A solution that Coughlin shared was the idea of embedded covert tracking in freight. The tracker provides visibility for the shipment throughout its trip.
Kathleen Smith, vice president of loss prevention at Safeway, discussed the retail theft issue at her store. She said the company loses about $80 million a year to ORC, with baby formula being the number one item for thieves. She said a challenge for grocery stores in preventing theft is that they’re supposed to be an open shopping experience, so the measures cannot be too obtrusive. Therefore, the store looks for solutions to slow down theft. For example, Safeway uses a cart containment system right at checkout stands to prevent those who haven’t paid from being able to take carts out of the store.
Smith noted that it is often difficult to show return on investment (ROI) with certain technologies, such as video analytics, when using it for loss prevention. However, she says she’ll partner with the marketing department or another department that wants a tool for another reason that is able to demonstrate ROI, such as in figuring out the best spots in the stores for product displays. That way, loss prevention won’t have to bear the financial burden but they’ll be able to take advantage of the technology.
Food and Agriculture Security
Seminar attendees gathered Tuesday morning to discuss the susceptibility of the food and agriculture industry. Michael Fagel, a critical infrastructure analyst with Argonne National Laboratory, presented the session titled “How Vulnerable Is Our Food and Agricultural Infrastructure?” Fagel highlighted the many ways that food can be compromised during the stages of production from farm to fork.
The threat of compromised food can occur during the production, processing, or distribution of the product; can have serious economic, health, and global impacts; and is considered a tempting target for terrorists, Fagel said. Because of this, security policies must be implemented at every level of food production and transportation. “Security has got to be just as important to your company as safety,” he said.
Fagel considers the top three nodes of vulnerability to be the product’s transportation from its raw state, when the product is sitting idle at a warehouse, and during distribution. Special attention should be paid to who has access to the product and how it is stored.
One aspect of the supply chain that is often overlooked by infrastructure analysts is the employees who come in contact with food, Fagel said. Employees can unknowingly contaminate food products, but a real danger lies in a disgruntled employee, he said. These employees know where the supply chain is weakest and how to easily contaminate bulk items.
Fagel recommended training employees to look for signs of contamination within the facility as well as employees who might have a problem with the company.
Vigilance, planning, and awareness of agroterrorism or food contamination are keys to keeping products safe and secure, Fagel said.
Crime and Loss Prevention
Attendees learned about building partnerships to fight crime in “Reducing Crime Through Community Engagement,” presented by the ASIS Crime and Loss Prevention Council. “Whatever community you’re in, you all share the same types of problems,” said Lawrence Fennelly, president of Litigation Consultants, Inc.
When embarking on a partnership, Fennelly stressed making sure that the parties agree on the point of the partnership and settle on a plan of action for the future. Some key elements of a successful partnership are effective leadership, structuring, setting goals, and building on early successes.
Fennelly extolled the potential of business and neighborhood watches and noted that they each have the same goal—reporting crime.
Marianna Perry, CPP, training and development manager at Securitas Security Services USA, Inc., told attendees they can either be consumers of law enforcement services or partner with law enforcement. She mentioned the traditional crime triangle, in which desire and ability meet up with opportunity to create crime. Perry said the only aspect of that triangle you can control is opportunity; if you remove opportunities, crime will be reduced.
Situational crime prevention is integral in neighborhoods and businesses and Perry pointed out that it’s not about profiling, rather about reporting suspicious activity based on behavior. She said that hardening targets with heavy doors, adequate lighting, locks, and other techniques is important, but so is incorporating CPTED principles, such as maintaining property and making a distinction between public and private areas.
Perry also mentioned the “hundred percent rule;” she said just because a strategy does not work one hundred percent of the time doesn’t mean you should not use it. It does mean, however, that you should consider security in-depth and ensure that other options are making up for the percentage of time the initial strategy doesn’t work. Perry stressed rooting out the cause of the problems and not just treating the symptoms.
A panel of social-media monitoring experts discussed keys to tracking possible threats through the Web during the “Social Media Monitoring Analytics for Executive Protection and Event Security” session on Tuesday afternoon. Panelists Bryan Ware of Haystax Technology, LLC, D. C. Page of Andrews International, and Ron Brooks of Brooks Bawden LLC, each discussed their experiences in mining data from the Internet to detect potential threats to individuals and events.
Social-media monitoring companies use both computer algorithms and analytical experts to search social media content for possible threats, and Ware said these companies should focus on incorporating monitoring and analysis into a comprehensive protective portfolio. Many automated data-mining services are too broad and capture more information than can be effectively analyzed. There is so much content produced every minute that humans alone can’t keep up with it all, Ware said.
Ware spoke about the trends behind the staggering rise in social media use. The proliferation of smartphones has boosted social media because it gives marginalized groups, such as elderly or low-income people, access to the sites. This increase gives data mining programs more information to work with, but makes it much more difficult to find legitimate, important information among the millions of messages produced every day, Ware explained.
Brooks discussed the use of social media to locate threats to the supply chain, community events, and controversial organizations. Social media monitoring is often like looking for a grain of sand in oceans of data, and although analysts may want to look at every piece of data, that is not possible. That’s why it’s important to rely on targeted keyword searches, Brooks stated. However, as monitoring systems become more specific and thorough in searching for threats, it’s important to balance the need for that information with privacy concerns, he said.
One way for monitoring services to keep up with all the content is to focus on real-time monitoring and on trying to predict a person’s behavior before it escalates into an imminent threat. For example, analysts followed the social media content of a man who was planning to shoot police. They tracked when and where he bought guns, where he said he was going to commit the crime and how he was getting there, and were able to work with law enforcement to capture the man before he could execute his plan.
All three experts agreed that a combination of automated data-mining, human analysis, and targeted searches for specific keywords could make the ocean of information more manageable and help mitigate threats before they become realities.
On Tuesday, Thomas Bobkowski, director of school safety and security for Greenwich Public Schools (GPS) in Newtown, Connecticut, took part in “Lessons Learned From Sandy Hook: A CPTED Case Study of Greenwich, Connecticut” with Randy Atlas, CPP, president of Atlas Safety & Security Design, Inc.
Bobkowski said that he had taken the day off from work on December 14, 2012, when he received an alert on his phone that Sandy Hook Elementary was on lockdown. He received the message because even though his children no longer attended the school, he’d never removed himself from the lockdown notification list.
As a school security professional who had recently made changes to the school security in the GPS district, Bobkowski was curious about how they were handling a lockdown and he decided to drive over to the school to see what was going on. Five minutes later, he found himself entering an active-shooter situation and assisting local law enforcement in setting up a barrier to keep anxious parents back from the scene.
By the end of the day, 27 people, including the shooter and 20 children, were dead, and schools around the nation were changing the way they thought about school security. The ideas they were discussing were measures that GPS had already taken under Bobkowski’s direction after he attended the three-day Facility Security Design Workshop, sponsored by the ASIS Security Architecture and Engineering Council.
It is particularly important for schools to have a controllable main entrance. “The biggest fight I have with administration is where the front door is,” Atlas said. He recommends that it be near administration offices so it can be monitored by staff located there. All other doors should be locked at all times from the outside against those who may try to enter.
GPS adopted this and went one step further by standardizing all of the doors throughout the entire district and installing a patented locking system by Assa Abloy. Teachers and staff each receive a key that can lock any door in the system from the inside of a room, but can only unlock certain doors. Those who are assigned keys are not allowed to make copies. If a key is lost, it must be reported to Bobkowski.
Bobkowski also recommended that vehicles should be disallowed from parking next to school buildings. “We’ve had a situation where a car was on fire and now the building is on fire too,” he said.
Most importantly, Atlas and Bobkowksi suggested schools need to be zealous about updating security policies.
CSOs Share Career Strategies
Continuing his education and reaching out to others to build relationships are just some of the tools that have helped Microsoft CSO Mike Howard and others earn senior industry positions and continue to move up, he said in a standing-room only session on Tuesday morning.
“The journey doesn’t end because I’m still learning,” Howard explained alongside his fellow presenters, Tyson Johnson, CPP, BrightPlanet’s head of business development, and Don Knox, CPP, Caterpillar’s security risk and analysis manager in “Your Path to the Top: CSOs Discuss Career Paths.”
The session was sponsored by the CSO Roundtable and gave attendees a unique chance to hear about how professionals in the security industry made their way up the executive ladder and to learn how they can do the same.
Howard said he “took a big leap” in the early 2000s by moving to Microsoft after 22 years with the CIA and previously serving in law enforcement in Oakland, California. In making the transition from the government to the corporate sector, Howard has embraced learning about aspects outside of security that can help him with his career goals. One of those learning experiences was a short stint in human resources where he learned about building relationships with people and the importance of mentoring, Howard explained.
Some were critical of his decision to put his security career on hold, but Howard said he felt the experience of learning more about human resources has benefitted his work at Microsoft, particularly in learning how human resources works and how to interact with people outside of his own department.
Being able to build connections with others and use those connections for networking is greatly important, especially for young professionals, Howard said, and it is something he continues to do. “I’ve tried to consciously belong to other organizations...to reach as many folks as I can because I’m trying to learn as much as I can,” he said, explaining that he’s joined organizations, such as ASIS, and made efforts to always be available to those looking for mentors in the security industry.
Johnson echoed Howard’s sentiments, describing a mentor he had who kept him from “drowning” when he first moved into executive management from a subject-matter expert position at TD Bank.
Initially, Johnson said he was taking on too much responsibility and felt like he was sinking because he was having trouble transitioning into the new position. One day, his phone rang and an employee from the senior ranks on the retail side offered to mentor him. They began meeting weekly and worked their way through Managing Management Time: Who’s Got the Monkey? by William Oncken, helping Johnson learn to manage his time and the value of prioritization.
In the book, Oncken uses the example of management having a monkey on its back. If the manager takes on too much, or takes responsibility for too many monkeys, he won’t be able to feed them all and will starve himself—meaning his job performance will suffer. Instead, managers need to learn to prioritize their time to accomplish tasks and be successful.
This is especially important for professionals to understand because of the current economic environment, Howard said. “We’re all in this world of reduced resources and time constraints, so prioritization is important,” he explained. “You can’t do more with less, you just have to do the most important things first.”
Oncken’s book and his mentor also taught Johnson the importance of building relationships with people—even the ones who are difficult to get along with—a skill that he recommended that attendees develop as well.
“Take initiative. Go meet these people and make it your mission to increase dialogue with those people,” he suggested, adding that by helping to improve those relationships now, problems can be prevented in the future.
TODAY’S CSO ROUNDTABLE SESSIONS
10:00 am - 11:30 a.m.
The World in 2025: The Future of Business, Technology, and the Workforce—and What that Means to Security: Business, academic, and security thought-leaders in this interactive session look into the future and get a first look at new research on this topic conducted by ASIS International and Apollo Group.
11:00 am - 12:00 pm
The Evolution of the CSO Standard: Security professionals discuss the process and explore the rationale and feedback that led to the recertification of the Chief Security Officer Organizational Standard, a reference, guide, tool, and benchmark for practitioners and organizations.
1:45 pm - 3:00 pm
Evacuation from Libya, Attack in Algeria: Lessons Learned and OSAC’s Role: James Snyder of ConocoPhillips and David Schnorbus of Overseas Security Advisory Council (OSAC) discuss the attack on a gas field in Algeria in January and OSAC’s role.
3:30 pm - 4:30 pm
Open Source Intelligence: Taming Big Data: Security professionals from BrightPlanet discuss case studies and provide recommendations for taming and exploiting big data to harvest, analyze, and then harness useful intelligence from data available on the Internet.