Security Technology Executive

SEP-OCT 2017


and can directly affect the image/brand of the function or, worse, the organization. In addition, mobile credentialing, single sign-on and the mobile ID are poised to revamp how we recognize people in our facilities and potentially threaten the removal of the corporate identification card, a staple in the resiliency awareness program.

However, there are several benefits that these devices can provide. Bluetooth beacons can communicate where people belong and where they don't. Done effectively, unifying a credential under a convergence model could streamline IT, physical access and even visitor management. Mobile devices could allow us to communicate and respond to incidents, and provide better situational awareness to patrons and visitors alike.

Other disruptive technologies include drones, which are getting smaller and more sophisticated; in the future we will likely see them used in more malevolent or destructive ways, beyond spray-painting a billboard. Beyond drones, the "Dark Web/TOR" browser and select sites should be on the reading list of every resilience leader. Partnering with IT departments and attending DEFCON and similar conferences to obtain visibility on vulnerabilities and expected/proposed changes in the digital domain is a must. Understanding the benefits, drawbacks and vulnerabilities of these technologies is essential to having a voice in discussions with stakeholders about implementing them.

Some of the key benefits of understanding disruptive technologies are:

• Adjustment of the risks and mitigation solutions/controls to demonstrate proactive thinking.
• Staying ahead of regulation and compliance challenges.
• Improving the skill sets of in-house resilience personnel.
• Contributing to the positive image of the organization.
• Maximizing areas of efficiency.
Knowledge/Networking/Communication

DEFCON, Black Hat, RSA, TED, ToorCon, ShmooCon, the CCC Conference and others are great opportunities for obtaining information about technological and leadership vulnerabilities. Beyond going to conferences, resilience leaders will start creating labs and projects to identify likely threats that could be manifested by technology. The tools, knowledge and desire of an aggressor are key aspects of the probability that a threat will occur.

Take the threat of "lock bumping", which was showcased across the world: many people panicked, and manufacturers and vendors rejoiced. However, one resilience leader had been bumping keys for two years before the media storm. He learned that there were many variables to bumping and that it was not as easy as described by the media. This knowledge helped him articulate the vulnerability to the C-suite and, moreover, identify the likelihood of occurrence and introduce measured controls to prevent an occurrence.

Beyond knowledge, a good resilience leader should also have access to, and communicate, key pieces of information that are available through private/public relationships and the organization's peers. Furthermore, by attending these conferences, you will obtain insight into your IT colleagues' challenges and better relate to them. The key to relationships is having something in common – you may need to adapt to form those relationships.

Establishing contact with the Department of Homeland Security (DHS), Homeland Security Information Network (HSIN), InfraGard, Tripwire, Overseas Advisory Council (OSAC) and other government and non-government organizations is of critical importance. A resilience leader who has established these contacts and informational resources is in a better position to communicate and filter information to the senior C-suite before being contacted directly by law enforcement and DHS, which can have negative effects on the brand of the resilience function.
Further, this public/private network will afford solutions and contacts that showcase the involvement of the resiliency function to executive management.

Final Thoughts

So, consider this article cliff notes on adaptation; certainly, the word limit does not afford the writer the opportunity to delve into every functional risk or related control. However, what we have done is create an awareness of an ever-changing environment. Those who take heed will address functional risks like any other risk, evaluate the respective resiliency program and ascertain where there are gaps in either direct or functional risks. A method that has been successful is an introspective, committee-based meeting that evaluates specific metrics, such as staff performance, recovery, efficiencies and response programs.

This white-board meeting is truly an excellent method to uncover opportunities, risk management and potential functional risks to your resilience function. Depending on your organization, some vulnerabilities may be easily controlled (thus producing immediate positive outcomes), while others may be more challenging. It is incumbent on a resilience leader to ascertain the degree of change an organization can tolerate. Too little change, and the effects will be marginal; too much change, and you could be received as a disruptor – arguably the worst thing that can happen.

The competent resilience leader will walk a fine line, leading the organizational efforts of analysis, management, implementation, and refinement through constant adaptation. For those starting a new resiliency position, the need for communication, awareness, rapport and network building will be crucial. The direction of change to the functional framework will not be easy or swift, but it is a necessary step that should occur gradually over time and lead to adaptation that will answer the Darwinian question – Is your function the fittest in the organization?
About the Author: Sean A. Ahrens, CPP, FSyl, CSC is the Security Market Group Leader with Affiliated Engineers, Inc., a multi-disciplinary consulting and design firm that provides security consulting, assessment and design solutions for projects worldwide. Mr. Ahrens can be reached at 312-977-2857 or
