HID Identifies Top Trends That are Driving Intelligent, Smart Experiences This Year

Trusted identities will emerge this year as the fundamental building blocks for organizations to create environments that connect people, places and things. As a company, HID Global sees increased cloud and mobile access adoption, more focus on securing the Internet of Things (IoT), and data analytics as some of the top trends that will take center stage in developing more intelligent, connected experiences this year. The user experience will be redefined by mobile, IoT and cloud technologies and deliver new capabilities for the future. There are five significant trends in 2018 that we believe will influence how organizations leverage the power of trusted identities: 

Organizations embracing the benefits of the cloud

  • Increased awareness of the cloud’s ease of deployment, flexibility, connectivity options and productivity benefits will escalate adoption. Access control cloud platforms with APIs and SDKs will fuel new software solutions that expand choices for organizations to get the most out of their investments. Cloud-based card issuance will drive adoption due to its simplicity, security and cost structure, while governments increasingly investigate how printed IDs can be complemented by cloud-issued mobile citizen IDs.

  • Cloud authentication and credential management will further integrate mobile devices, tokens, cards and machine-to-machine endpoints. And digital certificates in the IoT will draw upon the trusted cloud services to deliver and manage certificates across thousands of devices.

More connected devices and environments drive focus on securing the IoT  

  • Digital certificates will become a core component for adding trust in the IoT by issuing unique digital IDs to printers and encoders, mobile phones, tablets, video cameras and building automation systems, plus a broader range of things like connected cars and medical devices.

  • Apple iOS 11 “read” support of NFC will fuel adoption of IoT-based applications such as brand protection, customer loyalty programs and other use cases that will further drive the need to enhance security in the IoT.

Mobile access reaches tipping point for mass market adoption

  • 2017 was the year mobile access went mainstream and adoption will accelerate even further in 2018. Maturity in mobile solutions and integration into other systems, coupled with mobile’s ability to enhance user convenience, improve operational efficiency and provide higher security will drive accelerated growth for mobile access and mainstream adoption.

  • Card emulation, the NFC mode most coveted for mobile access control, remains reserved exclusively for Apple Pay; this leaves Bluetooth as the communication standard for cross-platform mobile access support. Still, organizations will invest in readers and other infrastructure that supports NFC and BLE to prepare for future possibilities.

Convergence of physical and digital security

  • The concept of Physical Identity & Access Management (PIAM) will drive convergence of physical and digital security to a single credential, putting identity at the center of all use cases. Government, finance, energy and other regulated markets will emerge as the forerunners using these solutions for secure access to buildings, email, websites and VPN.

  • New converged identity models that use cloud authentication and mobile devices are also emerging, such as the ability to verify a person’s presence at a location, mobile IDs that validate physical citizen IDs, and smart cards that authenticate users to enterprise resources.

Data analytics will drive risk-based intelligence for predictive models and new capabilities

  • Devices, access control systems, IoT applications and other solutions connected to the cloud will provide robust data for advanced analytics. Insights from these analytics can be used to optimize workflow solutions and provide more seamless access for end users.

  • Predictive analytics and biometrics will play a crucial role in people-centric security and address employee demands for workplaces to deliver premium, more individualized services. Analytics will also help reduce downtime in the enterprise, spur factory automation and improve compliance via condition monitoring that is based on real-time location and sensing solutions.

Samuel Asarnoj is the Senior Vice President Corporate Strategy & Business Development for HID Global. HID was a voice at The Great Conversation on March 5 & 6 in Seattle, Washington.

 

Defy Gravity and Rise Above the Bias of Belief

The physical security industry is not wired like the IT industry.  Despite the influences of IT on security there remains a bias of belief that individual manufacturers should sell a jack-of-all-trades product portfolio.  What is accepted and even expected in the IT industry – that a company should create valuable product families, which should also integrate with the rest of the products in the industry – is, instead, the anomaly in the security industry.  Perhaps it’s the lack of common integration protocols and standards but it seems like there is this hidden gravitational pull in security to ultimately default to an end-to-end portfolio from individual manufacturers. 

Why is this?

If we look back in time, the security industry is littered with numerous examples of fully end-to-end solution companies.  Legendary names have built and/or acquired product after product and over time assembled an end-to-end comprehensive solution, all sold and supported under the umbrella of a singular brand.  Never mind that many of these companies either made only a few things well, or covered up otherwise average products with excellent support: the fact remains that companies have been built and fortunes realized with this end-to-end approach.

As the security industry transitioned from analog to IP network technology, some of this has changed, and many of the successful end-to-end brands have ultimately failed in the transition.  But even today we can see striking examples of new IP technology manufacturers beginning to creep their way towards an end-to-end portfolio. 

Why is there this pull to what in the IT world is so unnatural?  Why do companies seem so insistent on polluting their one or two really good product lines with otherwise lower quality companion solutions?  What has happened to the notion of best of breed?

Clearly, one of the appealing attributes for an end-to-end portfolio is control.  The manufacturer has more control over the customers – and locked-in revenue from them -  by delivering a broad technology set of offerings.  This reduces the risk of other manufacturers’ products gaining a foothold in their client base.  This also allows the manufacturer to offer a more comprehensive product support service, bridging the various products and technologies.  And for the systems integrator, this makes quoting, procurement and commissioning easier because all roads lead back to a single manufacturer. 

This is that “one throat to choke” mentality. 

But what is ultimately better for the end user?  Do they get the best technology solutions from an end-to-end solution?  Do they get the best innovation from the combined creative expertise in the marketplace?  Is the return on investment maximized, and do they have an open road to adjusting their technology suite to meet their evolving business needs easily and economically over the long run?  Are end-to-end solutions really the best thing for customers? Or are they just a way for manufacturers to lock in their clients and system integrators to avoid looking closely at the problem and the best means to deliver a solution?

On the other hand, if an open platform approach is better, then what about the question of quoting, procurement, commissioning and support?  If the best technology, access to innovation and return on investment is rooted in open platform solutions, how can these solutions defy the gravitational pull of the security industry’s fascination with the ease and convenience of end-to-end portfolios?

If open is better, then the companies that focus on delivering best-of-breed products have a responsibility to make quoting, procurement, commissioning and support more seamless and approachable across various technology manufacturers.  Whether it's common industry standards, easier integrations, coordinated marketing or cross-product support, open platform providers have the responsibility to make working with open solutions an easier and less complex experience for system integrators and end users alike. 

If we agree that end customers are best served by open solutions, best of breed and freedom of choice, then we must focus on the ease of use and experience related to the combined multi-manufacturer solution.  Those of us committed to open solutions are responsible for making them easier and more approachable.  This is the key to helping the marketplace realize the full potential of the open platform – and defying the gravitational pull of the industry bias. 

It’s time to have a great conversation around this question. To realize our full potential and deliver an exceptional value proposition, I propose an open platform with integrated best-of-breed solutions.  Are you ready to defy gravity together?

Tim Palmquist is the Vice President - Americas, Milestone Systems. He has an extensive background in management and sales in high-tech companies with 25 years of experience in the technology industry. Tim joined Milestone in 2007 as the Central Territory Sales Manager, quickly moving up to Director of Sales West US and Canada then Vice President of Sales Operations. Before coming to Milestone, Tim worked in IT sales for 14 years and healthcare administration for four years. His education includes a Bachelor of Science in Finance from Kansas State University.

Culture: The Driving Force behind Security at Seattle Children’s

We sat down with Sara M. Smith, Research Operations Supervisor at Seattle Children’s Research, one of the nation’s top five pediatric research centers. Sara manages physical security for the campus including the lobby and operations staff.

Sara was an engaging and passionate advocate for Seattle Children’s. She is highly attuned to the vision and mission of an organization that is over 100 years old. “One of our founding promises is to care for children regardless of race, religion, gender or a family's ability to pay, and it still guides Seattle Children’s today”, said Sara. “Our patients and families are highly diverse. Therefore, my guard force is highly diverse; a fact I am highly proud of.”

Sara has extended that diversity to the vendors she contracts with. “When selecting a manufacturer, I look at their advertising. When we conduct an RFP, I look at the team they bring to the meeting. If I am setting up a relationship, then I need to be aware of the unconscious bias they may be bringing into our culture.”

For Sara, perception equals reality. “What do people perceive when they have interactions with security?”, said Sara. “Warm, welcoming environment?  When there is an issue, do they see a rapid, personal response?”

She takes personal responsibility for her own mistakes and learning in this area. “Early in my management of security here, I did not respond correctly to an incident”, said Sara. “The person I engaged interpreted my actions and demeanor as uncaring. It doesn’t matter if I, in fact, care passionately, but they do not receive it as such. That lesson has embedded itself in my cultural memory. Now, I take every interaction with a consciousness that the conversation is not simply between two people; it is about the very nature of the culture of Seattle Children’s; of who we believe we are and will be.”

According to Sara, when someone approaches security with an issue, there are two problems to address. The first is whatever issue they are bringing which a technically competent officer can typically handle.  The second is – the person is often upset about whatever problem or barrier they’ve encountered.  “They had something stolen, they can’t get where they need to go and are running late, whatever the issue may be”, said Sara.  “An empathetically competent officer can handle the emotional side as well.  The truly excellent officers are going to resolve both.  Find these people.”

Sara recognizes her hard-won lessons are not immediately transferable to her people and her organization.  “Building a culture of safety and security does not happen by accident, and it certainly does not happen overnight.  It takes TIME.  It takes intentionality.  It takes consistency of message in every interaction – we are here to help keep you safe, to keep your work safe.” 

When security measures were rolled out over a decade ago at Seattle Children’s Research, there was initially some resistance.  “Many of our senior leaders are from academia”, she said. “They have a much different approach.  Colleges and Universities are highly porous – highly permeable.  Our security measures were initially seen as not supporting the collaborative environment they wished to promote.”

However, attention to the vision, mission and personnel training has helped. “When we conducted a security assessment a year ago, I was surprised and pleased to hear our staff and leaders provide a very different response.  Our security measures are now seen as valuable and necessary.  As we have grown, as our neighborhood has grown and changed, our people appreciate the steps we take to keep them safe.  The overarching culture has changed.”

To Sara, it’s the little things that make the difference. “Metrics may change minds, but it takes a personal connection to change a heart.  More than metrics, it's a relationship. Trust. Show up, every time.  Show you care. Be known, be recognized.  People are much more likely to report oddities to a friendly and familiar face.”

And, she said, once security is seen as part of the team, it can drive the larger culture.  “At Seattle Children’s, like most organizations, we have a history of silos. Working with my counterpart at the main campus, we realized that systems, like people, are best when they are collaborative. But, in many cases, security systems don’t talk to one another. For example, video management has been separated, as well as our badge control and vendor support.  As we have continued to grow, our organization has changed, and our neighborhood has changed.  The visible costs of software, hardware, and licensing, plus the invisible costs of supporting two nearly identical systems is a strain on limited resources and it no longer makes sense to run parallel systems. By partnering together – creating enterprise-wide standards, by leveraging the experience and history on both sides, by combining our systems where it makes sense to do so, we mitigate risk, optimize our response, and save the company money.”

And this collaboration also supports one of the other core values of Seattle Children’s: innovation. “As a Research Institute, we exist to innovate!”, said Sara.  “But primarily with medicine and science.  Security is also an innovator, and in powerful ways, contributing to the long-term vision, mission and values of our organization.”

 

 

The Ultimate Dilemma: The Insider Threat

There is no question that the likelihood of espionage, embezzlement, sabotage, fraud and intellectual property theft (which can include everything from trade secrets and R&D to drawings and training manuals, taken by current or former employees) is a fundamental challenge for most security executives.

According to one data breach group, 80% of breaches had a root cause in employee negligence. Every year we hear that employee mistakes that lead to data theft will be a top threat to organizations. And at previous conversation forums we have heard that intellectual property theft is a national security risk.

One of the conversations we will have this year will be with Dr. Michael Gelles. Dr. Gelles is a director with Deloitte Consulting LLP Federal practice, consulting in the areas of law enforcement, intelligence, and security. He is a thought leader and widely published author on critical national security issues, including insider threat, security processing, secure workforce, asset loss, exploitation, sabotage, and workplace violence. Previously, he served as a naval officer and the chief psychologist for the Naval Criminal Investigative Service. 

Dr. Gelles recently published a book entitled Insider Threat: Detection, Mitigation, Deterrence and Prevention. In this book, he presents a set of solutions to address the increase in cases of insider threat. It outlines a step-by-step path for developing an insider threat program within any organization, focusing on management and employee engagement, as well as ethical, legal, and privacy concerns. In addition, it includes tactics on how to collect, correlate, and visualize potential risk indicators into a seamless system for protecting an organization’s critical assets from malicious, complacent, and ignorant insiders. Insider Threat presents robust mitigation strategies that will interrupt the forward motion of a potential insider who intends to do harm to a company or its employees, as well as an understanding of supply chain risk and cyber security, as they relate to insider threat.

We caught up with Dr. Gelles and the conversation spanned a number of topics. Given that Dr. Gelles has experienced The Great Conversation, one of the first questions we asked was why he participates.

“The Great Conversation provides the most collaborative setting for the exchange of ideas that help reshape and augment current thinking in the field”, said Dr. Gelles.  “The professional exchange is better than any conference I have attended.”

Since The Great Conversation aggregates conversations with key leaders in the industry to help guide the forum, we asked Dr. Gelles to reflect on what he has learned this year.

“The continued integration of the physical and the logical are shaping the context in which security operates as well as how it is organized”, said Dr. Gelles.  “Security transformation to meet the evolving threat should be on everyone’s top ten list, which should include an internal risk or insider threat program.”

According to Dr. Gelles, to address this challenge a new leadership model must emerge. What will emerge? “Leaders who lead security programs will increasingly need different competencies that include a set of multidisciplinary skill sets that helps mitigate the risk from both the physical and logical threat matrices”, said Dr. Gelles.

As well, he believes the organization’s culture plays a key role. “Culture is a critical component to any risk program”, said Dr. Gelles.  “Culture risk is a phenomenon that can compromise brand and reputation as well as the protection of critical assets. A culture risk mitigation program enables an organization to insure that what they may espouse in behavior, activities, and values is more than just a collective head nod, but translates into key behaviors and employee conduct that is measured; and gaps between what people say versus what they do is mitigated through specific risk mitigation strategies that address culture and behavioral misalignment.  It helps to discern not just what we believe and say but what we actually do in protecting assets.”

Since many insider threats include cyber, we asked him to reflect on what he believes are the next steps for the industry ecosystem. “Cyber threats continue to be the common attack mode against business today,” said Dr. Gelles. “It is critical that the external cyber threat is integrated into a proactive and holistic view of threats to develop a security strategy against. Most importantly, move from a reactive to a proactive approach to identifying threats early and mitigating the threat whether that is an external or internal threat.”

At The Great Conversation, Dr. Gelles will be addressing internal threats and risks and advocating: “An integrated solution to mitigate risk by people who conduct business in the virtual and physical world. Prioritizing what is critical to protect and align to a prevent, detect, and respond framework, must be a part of any security strategy”.

 

 

Reflections on the 2018 Great Conversation from a Risk Consultant

The Great Conversation in Security 2018 was held in Seattle this past week and was a great success.  That the sponsors were able to arrange for some clear weather that highlighted spectacular views around Seattle was pretty great, too.

The 2-day conference kicked off on Monday and the topics started flowing immediately:

•    The Value of Security
•    Security Culture
•    The Mandate for IT
•    The end of ‘Silos of Excellence’
•    Intelligent Communications
•    Building Business Intelligence
•    Deep learning, AI and IA
•    Insider Threat Management
•    Realtime Threat Response
•    Who is on our campuses
•    Risk Planning and Resilience 

These sessions were facilitated by individual speakers or panelists that have demonstrated success through their own programs and initiatives.  The learnings that were transferred between presenters and attendees will be able to be immediately applied within numerous individual organizations.  Here are some of the Memorable Moments:

•    Focus on near time.
•    Employ strategic workforce planning.
•    Don’t forget your blind spot.
•    Build Security into a brand.
•    Failure defeats losers; Failure inspires winners.
•    There is no such thing as a smash-and-grab in cyber security.
•    Compliant does not equal secure.
•    Culture eats strategy.
•    Technology in and of itself does not solve problems.
•    We have a fiduciary duty to swiftly and safely coordinate the response to a verifiable threat.
•    If you try to secure everything, you won’t secure anything - planning is critical.

One would be remiss to forget two keynotes that were provided during the conference.  The first was during the Presidents Dinner on Monday night, with David McGowan, from Tiffany & Co., providing a thoughtful and moving talk on Leadership.  This was highlighted by a tie-in to Rachel’s Challenge.

The second keynote was given by Kristina Anderson, a survivor of the Virginia Tech shooting.  Again, the talk was thoughtful and moving and painted a very real picture of the job that Security is tasked with - protecting, first and foremost and even at the expense of property or possessions, the lives of people in the form of employees, visitors, contractors, students, patients, plaintiffs, defendants and on across the spectrum of those that come into our individual spheres of responsibility.

The Great Conversation in Security 2018, the conference, has come and gone, but The Great Conversation in Security must continue in our individual, corporate, industry and global efforts as we work to keep people, things and places safe.  The scope of the conversation is both wide and deep, including the tearing down of silos of people, process and technology; enormous increases in the number of networked devices and the subsequent need for intelligent agents to transform raw data into meaningful information; and, the necessity for Security to champion a fundamental shift by being the subject matter experts that work to enable the enterprise to manage security risk.

Parting Words
What would Security look like, if we could make Security look like anything we wanted it to?  If we can truly ponder this question without putting any constraints on ourselves, we might find just how transformative Security can be.  That will require a lot of great conversation, both inside and outside of Security.

Editor's Note: We historically choose to summarize The Great Conversation the week after the forum. However, we thought we would choose an attendee to have a voice and weigh in on their experience. We chose a Risk Consultant and first time attendee, Kent Howard with Integrum Security Risk Management. He can be reached at kent.howard@integrum-srm.com

Monterey Bay Aquarium sees Clearly with Innovative Video Surveillance Solution

Monterey Bay Aquarium has produced significant insights into the life history of sharks, sea otters, and bluefin tuna. The aquarium also was the first to exhibit a living kelp forest, and in 2004 it was the first to successfully exhibit and return to the wild a young great white shark. It is, therefore, no surprise that the Monterey Bay Aquarium desired the most innovative and state-of-the-art cameras as a key component for its security system.

The Challenge

The aquarium has a huge campus, with multiple separate properties and an average annual visitation of two million people. Until recently, the Monterey Bay Aquarium relied upon close to 60 analog cameras for its video security needs. With such a large area to cover and with so many people to monitor, this type of system proved increasingly unreliable to its growing security needs. The aquarium’s security staff also found it a major inconvenience that accessories and other parts for the system were exclusive to the original provider, limiting the security team’s options both technically and financially.

The footage from the analog cameras was monitored on monochrome screens and useful viewing of surveillance video was quite difficult at times. The quality of the images was low, and the inflexible nature of the cameras resulted in many blind spots throughout the aquarium’s large campus.

The aquarium also has some very challenging lighting situations, requiring more specialized, versatile cameras to properly capture images. “We have some difficult light levels here. The reflections of the water tanks can make certain areas lighter on camera than they are in person, or vice-versa,” stated Thomas Uretsky, Director of Security and Emergency Management for the facility.

“The system needed more flexibility, multiple views on one camera, the works”, said Uretsky. “Blind spots needed to be eliminated, and we wanted as close to a 360-degree view as possible.” Uretsky turned to a San Jose, California-based security integrator. They were tasked to research the market. Ultimately, they recommended Arecont Vision for the camera solution.

The Solution

Uretsky and the team at Monterey Bay Aquarium collaborated with Arecont Vision regarding the scope of work: where the coverage was needed, and how to best fit it into their budget. Monterey Bay Aquarium chose ExacqVision as their video management system, another solid partner to help upgrade their prior surveillance system.

 A range of different Arecont Vision cameras were ultimately deployed to serve the aquarium’s varying needs. Arecont Vision MicroDome® cameras were ideal for the ticketing area and customer lines. The series includes Wide Dynamic Range (WDR) models, which can achieve clear images across extreme lighting conditions, such as those found in some of the indoor spaces at the aquarium. MicroDome cameras have an extremely low profile and only a 4” diameter, making them ideal for discreet security surveillance. “They are small and nearly invisible to anyone who doesn’t know what they’re looking for”, said Uretsky. “The fact that they have such a small footprint makes them ideal for us in the ticketing and front entrance areas.”

Another video surveillance application at Monterey Bay Aquarium required customizable features that would simplify future changes that may occur at the aquarium, saving time and money if construction or remodeling were to occur. As well, with a concern for budget optimization, the Monterey Bay Aquarium’s Security Manager, Kevin Wright, was pleased with not only the flexibility, but also in the footprint. “The SurroundVideo Omni cameras are some of our favorites because we are getting four cameras in one. They have the most flexibility,” said Wright. “Our blind spots are much more limited, and we don’t need to use nearly as many cameras as we previously had in those areas.”  Although each camera offers four separate views, only a single PoE (Power over Ethernet) cable and a single software license is required for integration with the Exacq software, further reducing costs.

Arecont’s SurroundVideo Omni series utilizes a patented 360° track where each of its four-megapixel sensors can be moved to cover virtually any angle. Remote motorized focus simplified installation with the Omni G2. It also has the ability to interchange lenses.

The Results

The system has performed incredibly well to date. Not only was it installed on time, but it was completed within budget.

The Monterey Bay Aquarium monitors the system locally, 24-hours per day. The images are viewed on a dynamic video wall in the new Security Operations Center. While most footage is viewed on-site, some cameras have been enabled with the Exacq software for remote monitoring at satellite offices. For example, holding areas for rescued sea otters can be viewed remotely by a research team.

Arecont Vision cameras have helped the aquarium’s security department in a variety of ways, one of which is increasingly common: addressing bicycle theft. Individuals will sometimes access a public recreational trail that runs along the aquarium’s main campus to steal unattended bikes parked by visitors or staff. Unlike the previous analog surveillance system, Arecont Vision’s megapixel cameras can provide the security department with good views and high-resolution images when reporting such incidents to the police department.

The project at Monterey Bay Aquarium fulfilled a vast array of surveillance requirements — indoor and outdoor scenes, large and small spaces, low- to high-lighting conditions — and Arecont Vision cameras addressed each of the challenges. The deployment of the new cameras made an impression on Uretsky and his team. One installation inspired ideas for another, and Arecont Vision helped make these potential security solutions a reality as well. The continual partnership between the aquarium, the system integrator, and Arecont Vision has resulted in an ongoing collaboration between the three entities.

“The reason we went with Arecont Vision was because it has a niche where a lot of manufacturers don’t, with its multi-view cameras”, said Uretsky. Arecont Vision pioneered the first multi-sensor megapixel panoramic cameras in the surveillance industry in 2006, and has continued to enhance their capabilities, introducing adjustable-view Omni cameras in 2014.  “These cameras have been fundamental as we systematically replace our old cameras with newer, megapixel versions. We are always improving and always adding cameras, so each time we’ve installed them we’ve been pleased.”

ABOUT ARECONT VISION
Arecont Vision is the leading manufacturer of high-performance megapixel IP cameras. Arecont Vision cameras are made in the USA. MegaVideo® and SurroundVideo® massively parallel image processing architectures are now in their 5th generation and represent a drastic departure from traditional analog and network camera designs. www.arecontvision.com. They will be available to answer questions at The Great Conversation on March 5 and 6, 2018.

 

Technology Informs Strategy, Planning and Risk Mitigation

Security of our country begins with security of private and public organizations. If the two can work together in new and innovative ways, we will be better at mitigating the risks that are rapidly evolving both locally and globally. A key to this is ensuring technology informs our assessments, as well as our strategy and planning.

We were able to sit down with Dr. Thomas Cellucci, who has had a front row seat in making this happen. Cellucci will be a keynote speaker at The Great Conversation in Security in March. 

Cellucci worked at DHS for four years and served as one of its highest-visibility leaders as Chief Commercialization Officer and Senior Counselor. He helped develop a program that identified, evaluated and commercialized technologies into products or services that could meet the operational requirements of DHS’ stakeholders.

According to an article published in Government Security News (GSN), as Chief Commercialization Officer, Cellucci managed the DHS Science and Technology Directorate’s outreach efforts with the private sector and, in that capacity, made countless appearances at industry trade shows, symposia and other meetings. A tireless booster of DHS, Cellucci frequently instructed small businesses on the best ways to develop a successful business relationship with his department. “It was an honor and privilege to help develop and foster innovative public-private partnerships that have demonstrated impact for both the private and public sectors.”

Since that time, Cellucci has continued to demonstrate that he is an accomplished entrepreneur, seasoned senior executive and Board member possessing extensive corporate and VC experience across many worldwide industries. In 1999, he founded a highly successful management consulting firm, Cellucci Associates, Inc. He has authored or co-authored 25 books and over 184 articles on requirements development, commercialization, nanotechnology, laser physics, photonics, environmental disturbance control, MEMS test and measurement, and mistake-proofing processes.

Cellucci co-authored ANSI Standard Z136.5 "The Safe Use of Lasers in Educational Institutions." He has also held the rank of Professor or Lecturer at institutions like Princeton University, University of Pennsylvania, Eurasian Technological University, National Kazakh Agrarian University and Camden Community College.

Dr. Cellucci has been involved in many philanthropic and volunteer pursuits as well. Cellucci served as a Fellow with the Smithsonian Institution's James Smithson Society for five years, where he was the primary fundraiser for the Smithsonian with a special emphasis on the National Portrait Gallery's American Presidents Collection. Cellucci was involved in securing funds for portraits of two Presidents and First Ladies - President and Mrs. William Jefferson Clinton and President and Mrs. George W. Bush. Cellucci has served as a local volunteer firefighter for over 34 years and was commissioned as an Admiral in the Texas Navy by Governor Rick Perry in 2008. Cellucci served as the Commander of the 3-D ("Detect, Deter and Defend") Security Command Squadron in the State of Texas with the purpose of educating, preparing and organizing civilians across the state to assist in disaster response efforts.

Cellucci earned a PhD in Physical Chemistry from the University of Pennsylvania (1984), an MBA from Rutgers University (1991) and a BS in Chemistry from Fordham University (1980). He has also attended and lectured at executive programs at the Harvard Business School, MIT Sloan School, Kellogg School and others. He also holds the rare distinction of being an Honorary Professor at two major universities in Kazakhstan, as well as the Chairman of the Board of Trustees of two major universities.

The Interview
The Great Conversation (TGC): Why are you participating in The Great Conversation?

Cellucci: I was involved with the Great Conversation several years ago as the first Chief Commercialization Officer of the USA. I am so proud of what it has become and honored to speak at this event.

TGC: What have you learned this year?

Cellucci: Company leaders need to understand potential security vulnerabilities and their impact(s) on their organization and, more importantly, for their customers and stakeholders.

TGC: What is the most successful leadership model you have seen in our industry?

Cellucci: I was privileged to work with several Presidents of the United States and have witnessed, first-hand, several programs where the public and private sectors have joined forces to protect our citizens and property.

TGC: How will cyber threats impact the security ecosystem (consultants, integrators, and technology vendors)?

Cellucci: Cyber threats are a reality of business and life. They present enormous business opportunities for some—and more requirements for members of the ecosystem.

TGC: Why is Enterprise Risk Management critical to the success of a client?

Cellucci: As President Eisenhower once responded to a reporter who asked him how important plans were. The President responded: “Plans are worthless, but planning is everything”.

TGC: Tell us a little bit about your presentation and why it is important.

Cellucci: There’s a difference between invention, innovation and commercialization. Commercialization yields product and services that increase a firm’s, region’s and/or country’s economic outlook. Innovation drives performance in how we manage people, process and technology. Without a knowledge of technology, innovating your people and processes will be constrained.

TGC: How does culture impact the success of the risk mitigation program?

Cellucci: Culture is everything! There are multiple examples of failed efforts because the culture was inadequate for a risk mitigation program.

 

Stopping Theft in Its Tracks with Cloud-based Access Control

Where did my tires go? And who stole them? These were the questions going through management’s head back in 2015, when a tire distribution company lost almost $2 million in inventory. During one incident alone, a former employee, who still had the burglar alarm code and was given a copy of the entrance key, walked into the building and stole $30,000 worth of tires in just seconds. How did he do that? Easy. The tire distribution company used a simple, yet not very secure, method for safeguarding the hundreds of locations they have: lock and key. Worse, they had no management controls as to who had keys to which facilities at any given time. The challenge with lock and key was exacerbated by the high turnover rate and the lack of standards.

Given the significant losses, the company hired a Security Manager to focus on securing its buildings and reducing theft.

The Solution

After reviewing a variety of different access control systems, the Security Manager chose a cloud-based access control system, Brivo, due to its ease of use and reasonable cost. The solution, Brivo Onair®, allows him to access and manage his security system from anywhere, at any time, on any device, all through a single interface. He can now:

  • Issue and manage credentials via one interface

  • Unlock doors remotely

  • Create customized security reports

  • Schedule access

  • Create access groups

The tire distribution company rolled out Brivo Onair, with mobile credentials, to all 68 of its distribution centers. The company plans to triple its distribution locations over the next 5 years, so scalability also played an important factor in their choice. 

While the Security Manager manages the overall system, individual location managers also have access to the system. He conducts training for his staff to ensure the technology is being used correctly, including on-boarding of all new employees.

The Results

Without Brivo Onair, the tire distribution company would have no controls or central management of their multi-site physical security. The direct feedback from the security executive:

“If you can control access points to the building, you can manage it. If you can manage it centrally, you have more control, and that was the point of the cloud-based access control system. I have control, visibility, and a log-to-do event reporting. If I want to see who came into the facility at a certain time, I can look at reporting features. It’s a good way to double check things.”

Another benefit that was confirmed was the ability to create groups and special schedules, such as an “openers” group for those employees who are first to enter the facilities. Center managers can run event reports to ensure whereabouts of employees. This helps build trust and accountability within the organization. 

The most meaningful result after the implementation of the cloud-based security platform is the decrease in continued losses. Due to the controls and flexibility available, the Security Manager and his team were able to significantly reduce theft by $1.8M in a single year.

Added Bonus

The tire distribution company now has the capability to integrate with their HR, alarm, and video surveillance systems. This integration will allow the team to manage all 4 of these systems from a single interface, giving the Security Manager even more control over each building’s security, while eliminating any cyber security concerns since the system incorporates strict security measures.

“Once we implemented Brivo, we’ve been able to cut our losses which is huge. I love the ease of operation, the setup is nice, and there’s a lot of integration possibilities which provides a really flexible platform.” 

About the Company

Due to the high-profile nature of the tire distribution center, the name of the company has been protected. The company’s Security Manager manages the security of 68 distribution centers across the country from New England to Hawaii and Alaska. Protecting the products and preventing losses within the company’s facilities is of highest priority.

About Brivo

Brivo is a SaaS company offering physical access control, video surveillance, and mobile credentials for commercial buildings. Currently serving over ten million users, Brivo provides a scalable and centralized security management system to its customers. Brivo is unique in offering both access control and video management in a single cloud-based platform that is available via web browser or mobile applications for anywhere, anytime management and control. Headquartered in Bethesda, MD, Brivo was founded in 1999. Brivo Onair is a modern unified security platform that combines physical access control and video monitoring. The Brivo Onair solution is built for today’s connected business people. From unlocking doors, to recording surveillance video, to giving access permissions to new employees and contractors, Brivo offers a secure physical access control solution through the cloud. For more information about Brivo, please visit: www.brivo.com. You will be able to join them in a great conversation on March 5-6, 2018.

Is it Time to Outsource your SOC?

We are seeing a trend for outsourcing security operations centers. But we have not seen an approach to assessing the viability of such a decision or a "scorecard" for evaluating service vendors in this category.

We were asked to provide some ideas for The Great Conversation in Security that might provoke conversation on March 5 & 6.

The foundation of such a plan starts with the SOC's availability. It should be a 24-hour Operations Center. It should be staffed at all times by highly trained security experts, intelligence analysts and surveillance professionals who can cover an organization and its people around the world.

It should provide global personnel tracking, executive protection services, and emergency response to a wide range of potential client emergencies, including terrorist attacks, natural disasters and medical emergencies. And this team should always be available to the SOC to provide a level of responsiveness and reliability that goes beyond simple monitoring.

Let me give you an example: Within seconds of identifying intruders or unauthorized activity at a client facility, the SOC's Operations Team should be able to give intruders verbal commands through loudspeakers, initiate an audible alarm with strobe lights, contact designated client representatives or escalate the situation to local police authorities. It should use its Video-as-a-Service capabilities and the video feed to verify the alarm.

It should be able to be a vendor of choice for police authorities so they will prioritize their response over other standard, unverified burglar alarms. And by leveraging the security expertise of its risk leadership, not just an operator, the 24-hour Operations Center, and its highly trained team, should provide the confidence and performance measures that have not been available in the market today. 

What are the benefits?

If you have this foundation in your service level agreement (subject matter expertise, global reach, and technology that can see, hear, and be heard), you can eliminate the need for many of your on-site security guards.

It will provide the measures of performance and the confidence that your business or home will be monitored at all times and protected against break-ins, theft or unauthorized activity. 

Full-time, on-site guards are expensive. Burglar alarms provide no proactive security and, because they are unverified and highly prone to false alarms, often result in delayed police response times. Your SOC-as-a-Service solution may address both of these problems. If you can provide just-in-time response through technology, you have increased your time-to-value (the responsiveness of your promise to your people). You provide a proactive response that may prevent the full impact of the incident (you might protect a life or asset). And you can increase the response of the first-responder by ensuring they prioritize your alarm (through proactive monitoring and real-time verification).

Global Guardian Sentry is an operating division of Global Guardian, an established provider of integrated global security solutions for organizations, individuals, and families. Global Guardian’s management team is comprised of veterans and federal law enforcement personnel, including former members of the US Army Special Forces, Delta Force, U.S. Secret Service Special Operations Division, and FBI, representing a level of operational security experience unmatched in the video monitoring industry. You can visit their site here.

Beyond Security: 3 Reasons You Should Consider Adding Visitor Management to Your Site

On the surface, the impetus for adding Visitor Management to a site is obvious: to make it safer by tracking and processing all guests.

Today’s Visitor Management systems secure premises by screening visitors against internal and external watch lists, alerting hosts when their guests arrive and more. Simply put, a Visitor Management system “works” if it keeps unwanted guests out and ensures welcome guests leave when the allotted time is up.

Anything beyond that is a bonus, right?

Fortunately, an investment in a modern Visitor Management solution offers organizations a wealth of additional benefits beyond the main goal of increasing site safety. Consider the following:

1. The records kept by a Visitor Management system can help with complaints, accidents or compliance issues.

Many of today’s Visitor Management systems keep records of each guest who signs in, giving a facility access to this visitor data after the fact. Many organizations use this data to analyze visitor trends or identify pain points in their check-in processes to help speed things up.

However, this data can also be used to help an organization respond to a complaint, deal with the fallout from an accident and more.

Picture the following scenario:

A guest arrives at a site and signs in at 9:30 AM. The guest’s visit ends around lunch. Weeks later, a letter from an attorney arrives, stating that the guest is suffering from serious injuries after a fall in the facility parking lot. The guest claims this fall occurred at 12 PM; however, system visitor logs show that the guest didn’t sign out until 2 PM.

With this valuable visitor data, the facility is able to check its security cameras and see that the guest was, in fact, still on-site when his alleged fall occurred. This allows the facility to provide data- and visual-based evidence to counteract the claim in what would have otherwise been a “take my word for it” situation.

Some Visitor Management systems can also be set up to record compliance information when a guest arrives. This potentially allows a facility to be cleared of any wrongdoing. 

Obviously, the ideal scenario is that a guest’s visit goes smoothly, without falls or waivers. However, it’s always better for a facility to be safe, not sorry; Visitor Management helps provide the data that makes those precautions possible.

2. Visitor Management installations can help discourage incidents before they even occur.

The benefit discussed above offers what one could call "after-the-fact protection": an incident occurs, and a Visitor Management system provides valuable information that informs the situation.

However, Visitor Management installations are also effective at preventing incidents from occurring in the first place.

If a guest with bad intentions arrives at a site and is looking to gain access to the facility without permission, what would he or she prefer to see: a staffed front entrance with a sign-in system or a notebook and pen left on an unattended desk?

People with bad intentions are far less likely to target a facility that looks like it takes security seriously. Having a Visitor Management installation stand out as the first thing that a guest sees upon arrival is a great way to send a message that a site takes its security seriously.

That message will be broadcast to guests and troublemakers alike, giving comfort to the guests and keeping the troublemakers at bay.

3. A Visitor Management installation has a positive impact on a guest’s perception of a facility.

When considering the impact a Visitor Management solution will have on a site, it’s important to think of things from the guest’s perspective.

A sign-in system is often a guest’s first interaction with a site, so a positive first impression is key.

Think about common sign-in systems and what they say about the facility:

  • A loose-leaf piece of paper with a pen and a sign that says “sign in below” says “we don’t really care that you’re here!”

  • An empty desk with a sign that says “please proceed to your destination” says “we don’t care about security!”

However, a Visitor Management solution allows a site to send a professional, welcoming message to all guests.

Having a visible installation shows that a site takes security (and guest safety) seriously. A staffed Visitor Management installation shows the guest that his or her time is valued and makes the guest feel welcome.

A Visitor Management installation is also a good chance to get a brand out in front of a guest for the first time, whether it’s through a logo on the sign-in screen or a short welcome video that plays before the guest can sign in.

However the system is set up, a good Visitor Management installation is going to leave a positive impression on arriving guests and ensure that each visit starts off on the right foot.

Brady People ID is a leading manufacturer of ID and security products, as well as an industry leader in Visitor Management solutions. To learn more about their Visitor Management solutions, including expiring visitor badges and enterprise software systems, please visit their website.

 

 

A Conversation with Boeing's CSO

We had the opportunity to sit down with Dave Komendat, the vice president and Chief Security Officer (CSO) for The Boeing Company. He leads the Security and Fire Protection organization providing risk management services and standards to protect people, property and information across the company.

Dave first attended The Great Conversation in Security approximately six years ago and was immediately struck with the size and scope of the forum. “It was a surprise”, said Dave. “There was a community of security executives I was unaware of since I had spent most of my time with companies of the same size and scale as Boeing.”

This connection with various size companies proved rewarding. “Mid-size companies have the same challenges or greater as us”, said Dave. “And they have to address them with fewer resources. This leads them to innovation and change.”

Sharing those perspectives and approaches is difficult in any setting. “The Great Conversation is unique in its ability to tap into the challenges that are common to all levels of our profession; mid-level to senior executives”, said Dave. “The dialogue between attendees is promoted through a sense of intimacy and trust. People are engaged. And the facilitation creates an intimate and engaging atmosphere; much like a fireside chat.”

He has also been struck with the diversity in The Great Conversation. One of his past senior managers, Pam Dost, became a speaker and participant with her team and was able to engage and help other women as well.  “There is a diverse group of people from diverse backgrounds interspersed with national and international attendees”, said Dave. “So many different approaches from simple to elegant in design. And you never know who you will sit next to that might inspire an initiative in your own company.”

Dave’s team considers this a training ground for future leaders as well. “They will hear from executives other than myself”, said Dave. “CSOs like Mike Howard, Mike Mason, Steve Harrold and Randy Harrison. How they articulate their strategy will be different. Their approaches to business continuity, insider threat, physical security and technology can help prepare them for leading the next innovations at Boeing.”

Afterwards, the Boeing team will return, compile their notes and make presentations on their learnings to other leaders. “We have great conversations after the main forum as well.”

Another surprise finding in The Great Conversation was how the technology vendors have been prepared to listen intently to the problem statements from the senior executives in the room. “The Great Conversation team has prepared them to act agnostically and provide us insights into how technology can be applied”, said Dave. “And we get to share the good and bad experiences transparently. I don’t want to be on someone else’s learning curve. I need proven returns. This creates the incentive for me to knock on their door instead of the other way around.”

In March 2018, Dave will be sending another team of emerging leaders in risk, resilience and security, for what promises to be another great conversation. “The Great Conversation always seems to deliver insights into the next innovations in our industry and connect us to the people making it happen.”

 

 

The Conversations Continue

The Great Conversation in Security is a two-day forum for risk, resilience and security executives and their teams. And, if it rested on that value alone, then it would be considered a success.

However, it would miss the fact that the conversations happen every week of the year, influencing how security executives lead their teams, define their programs and evaluate the technology that will drive innovation and business optimization.

One of the conversations we have been having all year long is around machine learning. To many, this is one of those interesting subjects that will not have any bearing on their short-term goals. And that would be wrong. Most leaders need a better way to consume, analyze and report on the information they are collecting. The steps they are taking today could optimize the way they begin to “teach the machines” in the future.

And another conversation around Enterprise Risk Management with one of the thought leaders in our industry. Why not set the foundation before you build the house?

The insecurity of security was highlighted in our last conference in March. Real progress has been made since then in identifying the threats, most of which are due to a lack of business process between technology vendors, system integrators, consultants and specifiers. Now we are beginning to shape the thinking around this critical piece to the program so we can provide guidance in the future. Join the conversation on November 15 through our monthly webinar series.

And why are technology vendors pivoting from application silos to integrated business intelligence architectures? Could we have a razor and blade model beginning to mature? The razors must be able to assure all of us that the blades are so critical that they are willing to attest to their interoperability and their security. Can this be done?

And we have had compelling discussions around leadership, change and a highly leveraged culture of safety and security. One discussion, between the executive leader of security at Nike and a principal with a risk consultancy, was featured in our last webinar. This monthly series continues November through February.

Please feel free to contact our Managing Director, Ron Worman (ron@the-sage-group.com), to share what is “front of mind” for you and your team. By adding to the conversations, you help your colleagues, your industry and your community.

 

 

The History of The Great Conversation

"What a wonderful world"

Louis Armstrong

Our world can be complex and turbulent. Risks abound. 

But around us are people attempting to make sense out of it, learning from each other, and creating powerful new approaches that create value for all of us, personally and professionally.

The Great Conversation™ in Security was conceived and later launched, more than a decade ago, in response to 9/11. There were serious questions regarding our ability, as a country, and, by extension, our place of work, to leverage our people, performing roles in everyday processes using the tools we have provided them, to adequately address the serious nature of the risks that we were facing.

We needed wisdom. The notion that history, ideally, was a sequence of conversations and innovations that would ultimately supply us with that much-needed wisdom, was a foundation we built on. We then needed the ecosystem to weigh in. We needed the transparent sharing of the good, the bad and the ugly stories from the leaders who were attempting to protect the assets and lives of their organizations. We needed the service and product vendors to listen to these stories and begin to respond to the learnings. We needed products to be developed, not in response to feature requests, but in response to the unspoken needs that become visible through truly understanding the people, performing roles in their core processes.  That is what truly determined the performance measures of a risk, resilience and security program. We needed consultants who would reach out to collaborate with integrators. This would mean that integrators would want to know the 'why' behind the technology. And consultants would want to leverage integrator insights on the performance metrics of their deployments. Our industry had a fractured ecosystem. It was time to heal it.

We also knew that leadership and change management would be key disciplines in this journey. So we looked for the students of leadership to speak to us, motivate us and inspire us. We looked to practice leaders of change to enable us. And we looked to technology gurus to disrupt our old notions of how security should work. 

So welcome to this Great Conversation. We try to touch base with the best and the brightest throughout the year so we can produce, in two days, a congress of minds that shape the next evolution of security. Your voice is needed. Your work must be shared. You can change your world. Join us.

Ron Worman, The Sage Group

The Great Conversation in Security Webinar Series

From October 2017 through February 2018, we featured monthly webinars that touched on subjects we would be featuring at The Great Conversation in Security forum on March 5 and 6 on the Seattle waterfront.

The webinars were designed to provide some insights that we have gained since the last Great Conversation. 

The series included conversations such as:

Leadership and Change

The Security of Physical Security Systems

The 360: the Next Generation of Access

The Age of Voice and Why It Matters to the Business and Security

All of the webinars were recorded and can be found under "Videos" on The Sage Group's YouTube channel.

 

How Innovation Works

Who can combine creativity and execution? That is the underlying question that haunts hiring managers today. They want engaged employees. And from that engagement of heart and mind, they want their creativity. They want their creativity because they want to create a highly adaptive and innovative organization.

But they also want execution. Blocking and tackling. On time, quality performance. 

We want it all.

Clayton Christensen, a Professor of Business Administration at the Harvard Business School, is regarded as one of the world’s top experts on innovation and growth and his ideas have been widely used in industries and organizations throughout the world. A 2011 cover story in Forbes magazine noted that “Every day business leaders call him or make the pilgrimage to his office in Boston, Mass. to get advice or thank him for his ideas.” In 2011, in a poll of thousands of executives, consultants and business school professors, Christensen was named as the most influential business thinker in the world.

Clay is the best-selling author of nine books and more than a hundred articles. His first book, The Innovator’s Dilemma, received the Global Business Book Award as the best business book of the year (1997); and in 2011 The Economist named it as one of the six most important books about business ever written.

"I don't want to overstate the case", Christensen was quoted as saying, "I think about 40 percent of people just are not going to be good at innovating regardless of what they do. And 5 percent are born with the instinct. There are things that they do and ways that they think that are intuitive. The rest of us could learn what these innovators do if somebody would just crawl inside their brains and codify what to them is intuitive.

In a sense, that was our hope with The Innovator's DNA, that we could articulate how innovative people think. So over a period of years, we interviewed hundreds of innovators and almost 5,000 executives to identify ways of thinking that distinguish innovative people from typical executives. What we found is that innovators "think different," to borrow a slogan from Apple. And thinking differently leads them to act differently. From our research, consistent patterns emerged that led us to identify five primary discovery skills that underlie innovation: associating, observing, questioning, networking, and experimenting.

First and foremost, innovators are good at associational thinking, or simply associating. They make connections between seemingly unrelated problems and ideas and synthesize new ideas. I would frame associational thinking by asking this question: Has somebody else in the world solved a problem like this before? It turns out that most problems have been solved before by somebody in a different environment. Associating that other experience to what's going on in my world may make me look brilliant, but in reality my brilliance was in seeing that this had been solved elsewhere.

Observing and questioning go hand in glove. Innovators observe things, then question why. If you want to be an innovative person, when you see things, you have to pay attention and then wonder why."

In The Great Conversation in Security, we are always seeking the "Why" and in many cases the "Why not?". We bring a diverse group of stakeholders in our industry together to share their different perspectives and experiences. We intentionally jump start the conversation through a problem that illuminates an insight that leads to self, team and organizational discovery. 

And we take chances. In a world of data-driven analysis, sometimes we need to stop waiting for someone else to create a proof-point. As Christensen says: "I don't want to wait until somebody provides data. I need to get out there and create data."

The answers to our most pressing problems lie within and between us. Let's start a great conversation.

 

Leadership Conduct and Organizational Risk

A Great Conversation 2017 Monthly Speaker Review

In 2011, the International Network of Women in Emergency Management (inWEM) hosted its International Women in Homeland Security and Emergency Management Hall of Fame induction ceremony. It honored women who are pioneers and leaders in the fields of homeland security and emergency management in local, state, tribal and federal governments. Each one of the inductees was known for promoting a culture of preparedness for safer, resilient, and sustainable diverse communities.

Annie Searle, a Great Conversation in Security keynote, was one of them.

Annie’s presentation was entitled “Using Conduct Risk to Link ERM and ESRM to Organizational Value.” She began by addressing the fact that the intersection of people, processes, systems and events can ultimately elevate risk and/or financial loss. This intersection works within a values framework that ultimately is anchored by the words and actions of the leaders of the organization.

Since the intersection of risk and opportunity represents the value equation for an organization’s executives, the values framework is put to the test in the strategic planning, communication and performance management of the executive team. Actions speak louder than the values framed on a wall.

CEB, a best practices insight and technology company that Annie used as a data source, stated that 40% of misconduct observed by employees goes unreported. Of those that are reported, only 17% will find their way to a compliance and ethics office. This is disturbing, especially when the projected costs of misconduct are $5.4M for a single privacy breach or $188 per record, and 5% of annual revenue for a single instance of fraud.

If the risk is frightening, the opportunity loss is staggering. CEB reports that higher integrity companies outperform in shareholder returns by 16.2%.

Why do leaders set the tone? According to Annie, there are three causes of conduct risk:

1. Monkey See, Monkey Do. Employees will model the tone at the top.

2. Culture. Employees practice what leaders preach.

3. Conflicts of Interest. There is a general lack of supervision and gaps in ethical controls.

Annie believes the word “tone” needs to be better understood. She cited a 2016 Ponemon Survey that described tone as “a term used to describe an organization’s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are most likely to uphold those same values. As a result, such risks as insider negligence and third-party risk are minimized.”

From this we know that employees pay close attention to the verbal and non-verbal responses of their bosses. Procedures manuals take second place.

Regarding culture, Annie cited the 2016 U.S. Financial Industry Regulatory Authority:

“While firms may have their own definition of ‘firm culture,’ we use it here to refer to the set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.”

She then showed several corporate brands and asked the security professionals in the audience what they believed the tone at the top valued and how it influenced the culture. Many of the brands were icons of the Pacific Northwest.

Finally, with “conflicts of interest”, Annie referred to the classic Oxford Dictionary definition:

“A situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.”                 

This is where self-interest meets opportunity without attention to a values framework. She broke conflicts of interest into non-financial and financial categories. Examples of non-financial interests included career advancement, publications and reputation. Financial interests were direct and indirect.

For a 2012 report, Labaton Sucharow, a law firm that prosecutes precedent-setting class and direct actions, recovering billions of dollars on behalf of defrauded consumers and investors, interviewed 500 financial professionals from the U.S. and U.K. They found that 22-25% believed they needed to behave illegally or unethically to get ahead; 16% would commit a crime like insider trading if they believed they could get away with it; and 94% would report misconduct if it could be done anonymously, protected their job, and they could receive a monetary award. Annie’s point: without an actionable governing values framework and a culture of reporting misbehavior, misconduct will likely occur.

To reduce conduct risk, Annie recommends the following:

  • Review the corporate values/vision statements

    • Create a statement of values that points to desirable behavior, not a marketing slogan.

  • Create/review the code of conduct

    • Put a real communications program in place, with storytelling around behavior.

  • Incentivize employees to do the right thing

    • Recognize when employees and teams do the right thing. Protect individuals from retaliation.

  • Build a fraud and misconduct plan

    • Train employees on how to report misconduct or fraud.

  • Create your own whistleblower program

    • Guarantee anonymity, employee protection and a monetary award. Self-report without retaliation.

  • Ask your senior leaders to reinforce ethical conduct with their own performance

    • Walk the talk. “I was wrong.” And/or “Thanks for your insight.”


Recognizing the Gaps in Gap Analysis

When Carol Fox, the Vice President of Strategic Initiatives of RIMS, the risk management society™, presented at The Great Conversation in Security this year, she was addressing security program executives from multiple industries and disciplines. Each of these programs has implemented a process for identifying risk. But as Carol pointed out, identifying risks and identifying gaps in performance are two different things that achieve different outcomes.

We see Security Risk Management Services (SRMS) providers as a bridge between the risk assessment and the gap analysis. As Carol suggests, an SRMS provider would use risk assessments to identify, analyze and evaluate the uncertainties to objectives and outcomes of an organization. With this as a foundation, they can then begin to create a 360-degree view of the risk, which can include the line of business “risk owners” and the culture of risk inside the organization. But it would not stop there. SRMS vendors can then deploy their technology and business process expertise to truly understand the gaps in performance. How do people perform their roles within their core processes using technology? This is where breakthroughs and innovations occur.

Carol’s presentation is summarized in an article she wrote for the RIMS organization, which we have provided by link below.

Recognizing the Gaps in Gap Analysis

By Carol Fox, Vice President of Strategic Initiatives of RIMS, the risk management society™

When used in the right context and for the right reasons, gap analysis can do just what it is intended to: identify areas—usually from the perspective of process, abilities, competence, time and performance—where moving from a current state to a desired future state would be both beneficial and prudent. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”

Read More

Are You Building an Intelligent Organization?

“Risk Intelligence is probably one of the most important of the core elements which must be established when building a successful and effective governance, risk and compliance (GRC) program,” said Lynn Mattice, Managing Director of Mattice and Associates, a keynote speaker at The Great Conversation in Security – 2017.

According to Mattice, Risk Intelligence is often confused with Business Intelligence. They have similarities. Business Intelligence is often applied to data mining within company databases. It is used to drive competitive intelligence, customer relationships, and supply chain behavior.

Risk Intelligence is more expansive. There are risks, threats and hazards within the environments in which an organization operates. They must be extrapolated from external and internal data. If mined and understood, they can clarify opportunities for value generation as well.

Most security executives are challenged with developing a Risk Intelligence program. Government agencies will often speak about collaboration, but most will not share timely and vital information that could make the difference in formulating strategic risk programs.

Mattice suggests that the evolution of an intelligence program start with an assessment of the culture. This will become an essential data point in determining the value path that a leader should take. One of the cultural data points is leadership at the top. Mattice often acts as the advisor to the leader, encouraging collaboration and a deliberate assessment of the data and the subsequent actions that must be taken.

Analysts must be hired or strategically contracted to help with the data analysis.

With this foundation in place, the next step is to act as an informed advisor to the business leaders. This will provide a rich layer of requirements that are aligned with how the company operates and generates value. Risks to people, processes, assets and markets are omnipresent. The role of the advisor is to help the business leaders quantify, manage and persistently manage those risks. Alignment with the leader’s business and market intelligence team is critical. Your eyes will interpret the data differently and provide valuable insights.

The bottom line is that an attitude and capabilities adjustment is in order before the security executive’s team can provide trusted and valuable advice to business leaders. This evolution is necessary to ensure the budget spend is strategically aligned with the objective of running a valuable organization. Failure translates to brand and value dilution at the worst. At the best, your contribution creates opportunities that will help guide the future of the organization.

And, according to Mattice, that is the future of Security.

Lynn Mattice is Managing Director of Mattice and Associates, a management consulting firm and trusted advisor assisting enterprises in navigating a world full of risks. Developing Risk Intelligence Programs for clients is one of the services provided by Mattice & Associates.

When was the last time you had a Great Conversation?

On March 6 and 7, executive risk, resilience and security leaders from around the United States and the world convened with one expressed purpose: to influence innovation and change in the profession and the industry. The leaders were not only executive security officers and their teams, but also their ecosystem of current and future vendors such as risk consultants, security risk management services providers, system integrators and technology vendors. This supported one of the core themes of The Great Conversation in Security™: to raise the standard of performance and value for the entire ecosystem with the end goal of protecting our communities, organizations and our countries.

The Great Conversation took place at the Bell Harbor International Conference Center on the Seattle waterfront with close to 300 registered attendees.

The two-day forum was organized around a collective experience of keynotes and panels with interactive digital polling. These were preceded by video interviews, conducted before the forum, that focused on the themes of the presentations. Time was also set aside for breakouts around critical communication issues in and around the “campus”: the descriptor we use to define the space by which we organize, communicate, educate and work with employees, visitors, contractors and vendors. Finally, several organizations took part in a collective case study involving the identification of their problem, the mustering of experience around the problem, and the scorecard by which they evaluated potential solutions.

Over the next few months we will be publishing stories from these practitioners and thought leaders as they challenge the status quo and continue the conversation throughout the year.

The first profile is about the leadership challenge issued by Mike Mason, CSO of Verizon. Mike’s opening address was fitting for this conversation community since the innovations and changes we are considering will demand bold, courageous and disciplined leaders with highly engaged and motivated teams.

The threat is significant, but not obvious. The biggest threat we have is not developing an engaged workforce. It is one of our greatest strengths if we are successful. It leverages the combined intelligence, persistence and commitment of a unified team. If we fail, we will keep mining our legacy of discouragement, cynicism, lack of motivation and, what Thoreau described as people leading “lives of quiet desperation”. Mike provided transparent moments where he failed as a leader, faced his failure and overcame it through a deep and evidential caring of one human being to another.

Today, one of Mike’s key performance indicators is sending an “atta boy” twice a week to one of his hundreds of employees around the world. He now hires, trains and measures around relationship: the platform for any organizational measurement or goal.

After his keynote, he then made one of his most important statements about leadership. He positioned himself in the front row for the rest of the conference, actively listening, engaging, and taking copious notes. We are leaders of our families, friends and our employees, rarely through words, but through our actions. He was modeling the art and discipline of learning. He was not outside the auditorium chatting or doing email. He had committed to the act of learning through his sacrifice of time and the limitation of distractions.

At the end, you could say he was the wisest person in the room.