INTERNATIONAL™ Newsletter
SPRING 2015
UNITED KINGDOM CHAPTER 208

Since it was founded in 1955, ASIS International has grown from a national association representing a handful of security directors or managers from large corporations in the eastern United States to a global organisation representing 38,000 security practitioners in 139 countries.

The international focus began very early, with the establishment of the Europe chapter in 1959, which, due to steady growth, was broken apart over the years into various European chapters. Today, ASIS has 95 chapters outside the U.S. and a membership base that spans 139 countries. About 28% of its membership is non-U.S., supported by Regional Advisory Councils in Europe, Asia-Pacific, Middle East, Latin America, and Africa. All ASIS networking groups have international representation.

The international region with the most significant growth in 2014 was Region 12A in the Middle East, representing Abu Dhabi, Bahrain, Doha Qatar, Dubai, Jeddah, Dhahran, and Riyadh. The Region saw a 14% increase in membership during 2014.

As the world economies and security challenges have become increasingly global, ASIS has positioned itself to be the leading nonprofit association representing the security industry worldwide. This has enabled unprecedented collaboration with security professionals in every corner of the globe, all of them pursuing the same goal—the protection of people, property, and assets. This is facilitated by a diverse membership, including not only those in corporations, but also individuals from all areas of government and military, as well as the education community, which is preparing tomorrow’s security leaders.

The ASIS Board of Directors is also representative of the global security community. Today, three of the 12 board of directors are from outside of the U.S. In 2012, Eduard J. Emde, CPP, from the Netherlands, was the first non-U.S. president of ASIS.

Each year, global conferences in the Middle East, Europe, and Asia Pacific, as well as the ASIS Annual Seminar and Exhibits in the U.S., bring together tens of thousands of attendees to help them keep pace with the security threats and challenges the industry faces, including the ever-evolving technology available.

One of the fastest growing areas within ASIS is in the development of national and international standards and guidelines. Twelve standards and guidelines have been developed, often with input from experts in other standards developing organisations outside the U.S. Work is underway now on the development of the first International Standards Organisation (ISO) standard.

In recent years, ASIS has translated important documents such as the Protection of Assets Manual into Spanish; five standards or guidelines also have been translated into Spanish.

ASIS certification programs have long been popular worldwide, with nearly 8,000 (1,700 outside of the U.S.) individuals now holding the Certified Protection Professional (CPP), the Professional Certified Investigator (PCI), or Physical Security Professional (PSP) designations. The exams are offered in more than 250 locations outside the U.S. and Canada.

Chief security officers from around the world are eligible for membership in the ASIS CSO Roundtable, the private forum for top security executives, many of them from Fortune Global 1000 or Fortune 1000 companies. Of its 385 members, 106 are from outside the U.S., representing security organisations from 20 different countries. CSO programs have been or will soon be held in Dubai, London, Göteborg, Mexico City, Panama City, Istanbul, India, Brazil, The Hague, and Hong Kong; the group also has participated as partners in London, Budapest, and Berlin.

Although the global security community has been a part of ASIS from the early years, in 2002, ASIS officially changed its name to ASIS International. The ASIS Board of Directors adopted a new logo that symbolised inclusiveness, along with the tag line “Advancing Security Worldwide.”

Advancing Security Worldwide

ASIS NEWSLETTER OF THE YEAR – WINNER 2013, 2012, 2008 & 2003 – HONOURABLE MENTION 2011, 2006.

ASIS UK Newsletter, Spring 2015


The Quarterly Newsletter of the ASIS International UK Chapter, Spring 2015. In 2015, ASIS International celebrates its 60th anniversary. Since it was founded in 1955, ASIS International has grown from a small group to a global organization representing 38,000 security practitioners in 139 countries. Its annual European Security Conference & Exhibition will take place in Frankfurt on 29-31 March.


CHAIRMAN’S NOTES

“I am not Charlie, I am Ahmed, the dead Muslim Police Officer. Charlie ridiculed my faith and culture and I died defending his right to do so.”

I read this sentence, which was posted on social media shortly after the atrocities in France a few weeks ago. At first it seems slightly shocking, but actually it perfectly sums up the reality of what happened and must serve to remind us all of the threat posed by the extremists in our midst.

The Police and Security services in the UK are facing unprecedented reductions in funding and that is not likely to change anytime soon. Whilst we are assured that funding for Counter Terrorism will be ring-fenced, I need not remind you that we were also promised that there would be no reduction in frontline Policing, so it is essential that we do our bit.

As a community of security professionals we have a unique opportunity and responsibility to educate those that we serve or support; to understand that this was not a one off event in a foreign country, but actually a warning of what will probably happen here, unless we remain vigilant and prepared to combat future attempts. Review risk assessments, business continuity plans and SOPs to ensure that your employer, client and neighbours are prepared.

This is not about business creation or jumping on the bandwagon, this is about protecting our community from, as our American cousins would say, a real and present danger.

Those of you who were able to attend the AGM and winter meeting in December will know that the membership voted to change the way in which the Chapter is managed. This was a technical change that was recommended to the leadership by our legal advisor and will have no bearing on how the Chapter operates or supports you, it was simply done to ensure that we are fully compliant with UK law.

Lastly, I would like to thank the organisations that supported the Chapter throughout 2014, either through sponsorship or by exhibiting at our meetings; without their support we could not operate. As such it is with great pleasure that I can confirm that Axis Communications, Frontline Security Solutions, HID Global and Quantum Secure have agreed to sponsor the Chapter in 2015. This is in addition to the numerous exhibitors and other supporters we have for the coming year.

I look forward to seeing as many of you as possible at our forthcoming meetings.

Best wishes
Andy Williams CPP FSyI

As the reality of the threat posed by terrorism is felt by another country, our thoughts go to the families, friends and colleagues of the victims and to the French nation. Whilst the main responsibility for the detection, prevention and investigation of these atrocities will always fall to the police, military, intelligence and security services, we also realise the increasing importance on the private security sector.

Corporate security professionals with the support of security technology and security services organisations, have responsibility for the protection of the people, property and assets in their care. They need to instil an increased security awareness in their employees; assess the enterprise security risk; identify threats; ensure good practice in all areas and make best use of the technology available.

It is staggering to believe that I still find security managers who are prevented or at least dissuaded from attending security conferences, seminars; exhibitions and other events by their employers.

Quite how they are meant to learn of current threats; keep their skills up-to-date and develop a network of contacts if all they do is sit in an office all day, I just don’t know. Since March 2014, facilitated by the ASIS UK Chapter, the ASIS Chapter in France, led by Chairman Eric Davoine, has been working with the UK Project Griffin Team (ASIS members Don Randall MBE and Graham Bassett) to launch Griffin in Paris. Initiatives such as this can only increase the city’s security and readiness to face future threats.

It is partnerships like this that demonstrate the benefit of being part of a trusted network of fellow security professionals internationally and from experience I know that many meaningful discussions will take place and partnerships forged when we all meet in Frankfurt for the ASIS European Conference in March.

Mike Hurst


CALENDAR

INSIDE THIS ISSUE:
Chairman’s Notes
Diary
ISMI
Secure Card Issuance
2014 AGM
ASIS Foundation
Retail Security
Licensing of Private Investigators
The SMA
Cyber Security
Big Data Analytics

ESSENTIAL INFORMATION

JOINT EDITOR – Helene Carlsson (07802 864485). [email protected]

JOINT EDITOR – Mike Hurst (0845 644 6893) [email protected]

ADVERTISING – Graham Bassett (07961 123763); [email protected]

Chapter Executive Officer – Jude Awdry, ASIS UK Chapter 208, PO Box 208, Princes Risborough, HP27 0YR. Tel: 01494 488599; Fax: 01494 488590; [email protected]

PUBLISHERS – The 208 Newsletter is published by Chapter 208 of ASIS International.

FREQUENCY – The 208 Newsletter is published four times per year, Spring, Summer, Autumn & Winter – please contact the editorial team for deadlines.

IN GENERAL – The 208 Newsletter welcomes articles & photographs, but while every care is taken, cannot be held responsible for any loss or damage incurred while in transit or in our possession. Please send all material to the editors. The Newsletter may publish articles in which the views expressed by the author(s) are not necessarily those of ASIS.

ISSN No – 1350-4045

Calendar Events

Feb-15
15th - 17th: ASIS 6th Middle East Security Conference & Exhibition, Dubai

Mar-15
16th-17th: Total Security Summit, Stansted
26th: ASIS UK Spring Seminar
27th: ASIS Ireland Chapter, 21st Anniversary celebration, Dublin
28th - 31st: ASIS 14th European Security Conference & Exhibition, Frankfurt

Apr-15
9th: ASIS UK Northern Seminar, Leeds
15th - 17th: Security TWENTY 15, Bristol
21st-22nd: Counter Terror Expo
22nd - 23rd: ASIS 25th New York City Security Conference & Expo

Jun-15
TBC: ASIS UK Summer Seminar
16th-18th: IFSEC

Jul-15
7th: Security IT Summit, London
9th: Security TWENTY 15, Newcastle

Sep-15
TBC: ASIS UK Autumn Seminar
28 - 31: 61st Annual Seminar and Exhibits, Anaheim, California

Oct-15
19th - 20th: Total Security Summit
22nd: Security Institute Annual Conference
28th: Security Twenty 16, Heathrow

Nov-15
TBC: 9th Asia-Pacific Security Forum & Exhibition

Dec-15
2nd - 3rd: Transport Security Expo
TBC: ASIS UK Winter Seminar and AGM

61st Annual Seminar and Exhibits, September 28 - October 1, 2015, Anaheim, USA

6th Middle East Security Conference & Exhibition, February 15-17, 2015, Dubai, UAE

14th European Security Conference & Exhibition, March 29-31, 2015, Frankfurt, Germany

25th New York City Security Conference & Expo, April 22-23, 2015, New York, USA

9th Asia-Pacific Security Forum & Exhibition, November 2015, Singapore


PROFESSIONAL CERTIFICATION

Worshipful Company of Security Professionals

Proudly presents a Black Tie Spring Dance
Rembrandt Hotel Knightsbridge SW7
With Irie J’s Divas
Saturday 28th February 2015
Reception 6.30pm for 7.15pm
Tickets are £96.00 + VAT
Contact [email protected]
Charity Raffle & Auction
Carriages at 12.30 am

The evening is supported by ssr-personnel.com
Registered Charity No. 1088658

David Cresswell CPP PSP of ISMI Certification Ltd will again be running the highly successful CPP (Certified Protection Professional) and PSP (Physical Security Professional) preparation programmes this year and Chapter members or their colleagues or staff are invited to register for the great-value fee of £1250 + VAT. This includes 6 days in class (2 x 3 days to minimise working week disruption), 4 months of marked distance learning assignments, telephone coaching support and access to ISMI®’s unique online library of security management resources.

Having coached hundreds of Chapter members to success, and with almost twenty candidates currently under instruction, David is a globally recognised leader in security management certification training with many years of relevant experience. And the current PSP class (see image inset) is the largest group of UK/European candidates ever to assemble in the UK to study for PSP.

The course materials are first class, extensively referenced and very well-illustrated to help you assimilate the core concepts. Furthermore, David’s knowledge and understanding of the examination subject matter and the source materials on which the questions are based is second to none, and he will use his experience to guide you to knowing which parts of which reference sources are most critical to passing the examination.

ISMI Certification Ltd’s successful formula is based on 2 x 3 classroom days interspersed with 4 months distance learning and coaching support. The first session in the classroom will give you a detailed study of the domains and likely areas of testing and you will take away a very detailed handout pack. This is followed by a 4-month programme of supported distance learning to help you get to know in detail the source reference materials upon which the examination questions are based. Your assimilation of the materials will be enhanced by completing set question papers which are marked so that you can monitor your progress. The final classroom session will comprise extensive closed-book testing practice in readiness for the examination, where you will practice with up to 800 sample questions.

The programmes are conducted in a rural Worcestershire location, which provides a very tranquil and conducive environment for study.

CPP® classroom dates are 13-15 May and 14-16 October

PSP® classroom dates are 17-19 June and 18-20 November

Contact Janet Ward at [email protected] for more details and a registration form or call 01386 871918 for more information.

Your Opportunity to Achieve Professional Certification in Security Management Begins Here


IP AND NETWORK CAMERAS

Ten Reasons to switch over to IP and Network Cameras

IP network cameras offer superior images for precise, accurate information. Cost savings can be made as only one cable is required for video and power (Power over Ethernet, PoE), negating the need for power outlets at each camera location. They are easier and quicker to set up, and can offer further features such as remote set-up or zoom facilities via your network. With megapixel resolution you get far more detail for easier identification, and formats that cover larger areas with fewer cameras.

• Ease of installation
• Megapixel resolution & HDTV capabilities
• Intelligence at the camera level
• Integrated audio and PTZ control
• Secure communication
• Open and easy to scale
• True digital solution
• Gateway for new system solutions
• Lower total cost of ownership
• Smart Analytics to enhance your security as management tools

HDTV cameras can offer much crisper colour rendition and widescreen formats, and we can now offer intelligence at the camera level with the ability to keep adding further functionality over time. This can also make monitoring more efficient, especially for larger systems or specific areas, and relieve the burden on operators through built-in intelligence such as alerts, alarming and detection improvements. Even specific programs such as people counting, heat mapping and dwell time analysis can be added, amongst other unique applications.

IP cameras and networked systems allow easier integration with other security ranges such as Intruder and Access Control systems and offer a future-proof investment. In some cases storage can even be managed via SD cards, so that only the video required is pushed at the right time, reducing storage space and wasted storage. IP offers flexibility, scalability, easy upgrades and fantastic image quality.

For further information contact Frontline Security Solutions

www.fsslimited.com

HEAD OFFICE: Reflex House, The Vale, Chalfont St Peter, Bucks SL9 9RZ. Tel: +44 (0)1753 482248

LEEDS OFFICE: 1200 Century Way, Thorpe Park Business Park, Colton, Leeds LS15 8ZA. Tel: +44 (0)1133 221026

Email: [email protected]

SECURING THE CITY
ACCESS CONTROL, CCTV, & INTRUDER DETECTION


SECURE CARD ISSUANCE

SECURE CARD ISSUANCE – Smart Card Solutions for Higher Education by Serra Luck

Creating a “One Card” Solution for the University

Colleges and universities must keep their campuses safe in as cost-effective a manner as possible. At the same time, each school has its own set of unique demands and challenges, requiring flexible system architectures that satisfy today’s demands while providing the foundation to meet future security needs. HID Global’s solutions and services for educational institutions are developed from the ground up to solve these challenges and give security officers the confidence that their infrastructure can protect students, staff and faculty for years to come.

Building the Foundation: Reader and Card Technology

The majority of today’s institutions still use legacy technology that offers little security. As such, many universities are seeing a rapid increase in fake student ID cards. In order to solve this problem, the best option is to migrate all the way to contactless high frequency smart cards, which combine improved security with the convenience of being able to use a single card for multiple applications, including secure debit and payment capabilities. These smart cards can be used for safe and secure keyless access throughout the campus – in dorms, research facilities, as well as departmental ID verification and meal plan purchases. Overall, the expense of moving to contactless smart cards is outweighed by the long-term cost savings from improved management efficiencies. Moreover, migrating from old to new systems using multi-technology cards and readers need not disrupt day-to-day workflows. For example, universities can retain their existing student ID and issue code numbering system.

Secure Issuance: The Other Half of the Equation

A secure and efficient printer/encoder solution is critical for issuing student ID cards, even – and especially – during the busiest periods at the beginning of each term. Students do not want to stand in line for hours during registration, only to be told that they must come back tomorrow to get their badge. Equally, cards need not be issued every year – each card should be issued for the life of the student’s involvement with the institution.

Fortunately, today’s printers, card materials and software deliver the highest security by incorporating critical visual and logical technologies for trustworthier authentication and to help deter tampering and forgery. The latest software also makes it easy for administrators to synchronise card encoding information with the student enrolment database, eliminating the possibility of errors while simplifying future changes that might be required.

HID Global’s FARGO® HDP® printers exemplify the benefits of High Definition Printing (HDP) technology. Unlike traditional Direct-to-Card (DTC®) printers, HDP printers actually print a high-resolution image to a transfer film, which is then adhered to the card. This process provides exceptional image quality and eliminates the possibility of print head damage caused by direct contact with the card’s contact chip. While some university card services teams may be nervous about printing smartcards, it is not very different from printing legacy technology based cards, with very similar workflow processes. Secure issuance solutions should be intuitive and require little or no training. Printers should also be field-upgradable so they can meet new requirements, as student ID systems’ needs change and evolve. And finally, the software application has to support multiple uses, as well as feature easy-to-use card templates that streamline the card creation process, including synchronising all data used in the card.

It’s also important to consider the trade-offs of going with a low-end printer versus one that may cost more initially, but reduces expenses over time. For instance, high-throughput solutions such as HID Global’s HDP8500 industrial card printer can run operations in parallel, speeding issuance by encoding one student’s card while printing another. The HDP8500 also supports both centralised and distributed printing, so universities can pool two or more desktop units at the card services office for large-volume, centralised card runs, as well as individual units at locations such as residence halls where authorised users can print and issue cards to students. This not only alleviates long card pickup lines but improves student convenience.

In addition, students, faculty and staff are not the only people on campus – any university physical access control system platform must also support visitors. Proper visitor registration is one of several important security safeguards that all universities should address, and protecting campus residence halls is of particular concern. When setting up a visitor management system, it is important the right printer is selected, with the appropriate features and suitable levels of reliability and durability. Also, depending on the campus environment, it may be advantageous to specify vandal-resistant readers.

We are also increasingly seeing visitor management integrated with the university’s access control systems to provide a completely secure solution. The University of Arizona has such a campus colleague/visitor system in place. Guest information that is entered into the visitor management database is seamlessly passed to the card office ID management system. The visitor is now eligible for card issuance. The same campus card is issued to the visitor with “tap and go” technology for door access. When the visitor is no longer active in the system, the card is deactivated for keyless access and other campus services.

Another good investment is printers with built-in programmers/encoders, which combine what were previously multiple processes into a single in-line card personalisation step. With this approach, only one automated step is required to synchronise pre-programmed data on the card’s electronics with personal data printed on the outside of the card. Users simply submit a card into a desktop printer equipped with an internal smart card encoder, and the card is personalised inside and out. This speeds issuance while eliminating the risk of human error during manual entry, which can lead to large numbers of cards being thrown away. Field-upgradable units enable universities that already own a card printer to add an encoder in the field so they can leverage smart card benefits well into the future. When they’re ready to maximise their smart cards’ functionality, they’ll already have the smart issuance part of the equation figured out.

Protecting students, staff and property is one of the university’s most important responsibilities. Contactless smart card technology delivers not only the highest levels of security, but also the greatest efficiency and convenience. By investing in a single-credential access control system that enables universities to print multi-purpose cards themselves, they are able to tailor their card distribution based on their own needs, while at the same time providing adequate protection from outside threats.

Listen to HID Global’s webinar if you want to learn how to create a unique student experience on and off campus

Serra Luck is Director - End User and Consultant Business, EMEA, with HID Global

For more HID Global news, visit our Media Center, read our Industry Blog, subscribe to our RSS Feed, watch our videos and follow us on Facebook, LinkedIn and Twitter.

YOUR CAMPUS. CONNECTED

© 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, and the Chain Design are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.

ONE CAMPUS. ONE SOLUTION. HID Global has the world’s largest portfolio of secure, inter-operable solutions for education, providing physical and logical access control, on and off campus. Combined with a global network of technical support and authorised partners, you’re sure to get the powerful security you need today, with the flexibility you need for the future.

To find out more, visit hidglobal.com/education


2014 AGM

2014 AGM and Winter Seminar – in pictures

Andy and speaker, Nigel Stanley

Professor Peter Neumann

Retiring Chapter Treasurer Craig Pickard was touched by the effort made in packaging his farewell gift.

Former MP and ASIS member, Rt. Hon. Bruce George accepting his ASIS UK Veteran certificate.

Andy Williams CPP presenting Commissioner Adrian Leppard QPM with the Chapter’s Mervyn David Award

Lenel to showcase Integrated Solutions at IFSEC 2015

Lenel Systems International, a provider of integrated access and video solutions, will present Prism, its open Internet protocol (IP) video management solution (VMS), at the upcoming International Fire and Security Exhibition and Conference (IFSEC). Prism is based on an advanced, intuitive and operator-friendly user interface and features OnGuard compatibility. Lenel is a part of UTC Building & Industrial Systems, a unit of United Technologies Corp. (NYSE: UTX). Offered in three configurations (standard, professional and enterprise), and available as a stand-alone VMS or integrated with OnGuard, Prism is scalable, flexible and reliable to meet evolving video surveillance needs. Prism fits in an enterprise video platform by offering customers a single user-friendly VMS for small to large installations, whether they are using Lenel network video recorders or UltraView recording engines.

"By combining OnGuard and Prism industry-leading products with more than 100 open access alliance partners (OAAP), close to 100 OAAP-certified products and supporting more than 300 third-party cameras, customers can tailor the Lenel solution according to their specific security demands," said James Wheeler, Regional Director, Lenel UK and Ireland.

TOTAL SECURITY SUMMIT

As a security professional, your roleinvolves knowing how to avoid andeffectively overcome a whole raft oftechnological and practical issues, suchas Access Control, CCTV, RiskMitigation, Intruder Detection, andmuch more. However, with new securitythreats being discovered daily, when doyou really get the time to consider whatis right for your business?

Well, the Total Security Summit mayjust be the opportunity you need! Thistwo day security industry focussedevent, held on 16th and 17th March atthe Radisson Blu Hotel, LondonStansted, provides the ultimatebusiness connections experience forover 100 attendees, as well as aninspiring seminar programmepresented by these high profilespeakers:

• Ian Noble, National Fraud Investigator at B&Q
• Mark Godsland, Safer Cyber Harm Reduction Advisor at Gloucestershire Constabulary
• Lisa Greenwood, Lisa Greenwood Consultancy
• Matt Etchells-Jones, Consultant at Business Crime Reduction Partnerships
• John Spratt, Senior Partner, Head of Company Commercial at Spratt Endicott Solicitors
• Matthew Phelps, Managing Director, Eaton’s Security Business

In addition to the seminar programme, attendees have the opportunity to discuss security topics within a series of match-made face-to-face meetings and unparalleled networking sessions.

According to previous attendees, Total Security Summit provides “an effective format for instigating new relationships” and here are more opinions from past delegates and suppliers:

“The TSS gave a relaxed and unique way to network and target specific vendors” Partnership Assurance

“Well run and informative two days’ excellent opportunity to understand the products on a one to one saves much time rather than booking appointments during working hours” River Island

“One of the best organised events I have attended in a long while thoroughly recommended” Jaguar Land Rover

“An excellent forum and great environment for meeting suppliers of security products and services and networking with peers” Turner Broadcasting

The Total Security Summit is brought to you by Forum Events which has nearly 20 years of experience in organising B2B focussed meeting opportunities. VIP delegates are able to quickly identify the best solutions for their business’ projects; whilst suppliers can boost sales pipelines by securing new business.

Kirsty Groves, Marketing Manager at Forum Events, said: “We put a lot of work into matchmaking, finding the right suppliers for delegates with purchasing power. In putting people together who are ready to do business, we’ve cut out so much of the time-wasting that is so often associated with supplier procurement and new business development.”

To book your place and to find out more about the Total Security Summit, call the events team on 01992 374100, email [email protected] or visit the website www.totalsecuritysummit.events

Good business all round at the Total Security Summit


RETAIL SECURITY

To stop or not to stop, that is the question?

It's a fair cop Guv! I don't suppose an SIA arm-banded Security Guard in your local shopping centre has heard that phrase recently. The days of the long arm of the law with a firm hand on the shoulder of a tea leaf, being enough to put a halt to any wrong doing would appear to be a thing of the past. Even the Police do not command the same respect their predecessors did “back in the good old days”. Actually, that is a myth, there may have been fear, but respect went out with National Service! The small time criminal fraternity are a far more confident breed than ever before and this makes a Security Guard’s job a very difficult one.

I speak from personal experience of course, having spent many years chasing down shoplifters with the single minded intention of bringing them back with their ill gotten gains in tow. As KPIs go, this was pretty much the only one that mattered. There was even a league table with the amount of bodies hauled back and a separate one for the stock recovered. So who could blame us for waiting impatiently for those immortal words to come across the airwaves from a plain clothes Store Detective (I’ve got a job going down!) At that point, your cup of coffee and roast dinner ended up on the ceiling, just because of the possibility that there may be a chase involved. I know what you’re thinking . . . what a great use of time . . . not!

How to get it wrong!

I remember one such call. Off I went to back my guys up, fully expecting it all to be over quick enough to finish my coffee whilst it was still slightly warm. Not the case this time, having found myself clinging onto a credit card fraudster, who for some strange reason wasn't keen to accompany me back to the holding room within a well known department store. In fact, he was so keen not to come back with me, we ended up rolling around on the ground with him taking a generous sized chunk out of my forearm with his beautifully polished set of gleaming white and gold teeth. Of course I didn’t stop him on my own . . . I had my ever keen but rather inept team members hanging on to each other with their eyes closed . . . that was helpful! Whilst all this was going on, the goods that had been "purchased", I use the term loosely, were being driven off by his rather attractive female accomplice. Now in my defence, I was very new to the role and my team had little or no training with how to detain a suspect correctly. You can be assured, that changed very quickly and the policy of this particular company was given far more weight in terms of how it dealt with detaining people.

If you’re out of action, who’s protecting the stock?

So, a trip to A&E for myself and one of my Keystone Cops, all for the recovery of a big fat zero. Admittedly, this was a comedy of errors, one that unfortunately I was leading. However, how many other incidents have there been across the country where well meaning shop staff have put themselves in danger all for the sake of a £20 jumper. I would suggest this is a daily occurrence. The fact is, the current batch of undesirables will be far more keen to get away than you are to bring them back . . . after all, they are potentially losing their liberty. So, surely this raises the question “what should we do?”

Can we stop it being stolen?

Having worked on the customer facing side of several retail giants as well as running their security teams, I find myself asking this question of staff at virtually every presentation I give on loss prevention. The response varies, but on the whole, sales assistants want to know that a shoplifter will be stopped, detained and the Police called. This is understandable, as they are the ones being made to look stupid by these bad guys. When I hear this, I generally ask one question: how do we stop bad people stealing from us? Of course, there isn't a straight forward answer! That said, it doesn't do any harm to plant seeds in the minds of those on the front line. Shouldn't the question be "what is more likely to put someone off stealing"? The fact that they could get caught and have their liberty taken from them, or make it so difficult to steal that they simply go elsewhere. A few years ago, there was a study performed with career shoplifters, asking this exact question. "What would put you off stealing from a particular store"? The majority of the interviewees said "knowing I have been seen by the sales assistant". Uniformed security guards hardly got a mention. If you think about it, you approach a customer . . . if they are honest they are usually happy to have been seen and are more likely to stay in the store and spend their hard earned cash. However, a dishonest person is doing everything not to be seen, hence the hoodies and dodgy fake police sunglasses. Of course I'm type casting, but many will agree, good old shoplifters like to try and blend in, but don't always make a great job of it! There are of course the ones who are very clued up and even the best store dec has trouble spotting them.

Deter or detain?

A retailer will often employ uniformed security guards to act as a deterrent, and if they are standing by the doors next to the EAS barriers, that arguably is a great deterrent. However, what if every sales assistant isn't just thinking about making that sale? What if they approach customers, even the shifty ones? One of two things are likely to happen . . . the potential shoplifter will either try and front it out, smile and say “no thank you”, or, maybe give you some attitude. Either way they normally walk out. Ah yes, but if you change your policy and try to deter every shoplifter rather than detaining them, will you be seen as an easy touch? In all honesty, yes you will. However, if you just stop every shoplifter and that means spending time watching them, ensuring you see the selection, ensuring you see them conceal the goods, ensuring they still have the goods on them when they leave the store; then make the arrest, leaving you vulnerable to possible violence, get them back to the store, keep a close eye on them whilst waiting for the Police, write statements, wait for a court date many months away, go to court which means you're not in the store stopping more shoplifters. The man hours involved with detaining a shoplifter are hugely expensive, especially if you have to pay overtime to cover you whilst you're out giving evidence. If you are a retailer that is just doing one or the other, ask yourselves the question, should I stop or not!

One size doesn’t fit all!

The way I see it, customer service and security go hand in hand. A great Security Guard will always give fantastic service to a genuine customer or one that is not so genuine. As a customer, would you want to be approached by a uniformed guard? . . . I would suggest not! Firstly, it could look like you’re being accused of something in a very public arena, but more importantly isn’t that what retailers are paying sales assistants to do. Arguably, uniformed Security Guards on the shop floor don’t really work for deterring theft. They stand out like a sore thumb, which means eagle eyed shoplifters know where they are. It doesn’t take a genius to realise not to steal when you see a uniform. So, steal something when you don’t see a uniform. However, if there are no uniforms, your guess is as good as mine who is security and who is a sales assistant. If you study the shop floor from above (CCTV) as I have done, you will see suspicious people leave the store just because they have been acknowledged. That could be as subtle as a smile or a nod from an assistant. This of course is a win win for retailers, as stores will be judged by test shoppers on their ability to acknowledge every customer.

Get the balance right, you’ll end up the winner!

Don’t get me wrong, if you don’t stop shoplifters anymore, you could end up with shrink figures that have a very adverse effect on your bottom line. You most definitely do not want to be seen as an easy touch, as that will leave you open to every local scrote paying you regular visits. As with anything, you want to have a balance. Time spent training your staff to acknowledge customers and making that second nature will reduce your losses and increase your sales, that is an absolute guarantee. At the same time, ensure your Security Guards are dressed the same as your assistants, that way they can do their job just as well but can also give advice and great service.

In summary, the more shoplifters you can deter, the less stock will walk out of the door. Detain when appropriate, but only when the odds are very much in your favour and that means, do not put yourself in undue danger for the sake of a few quid. Time looking into patterns of fraud and theft and finding alternative ways to protect that stock, is far more of a proactive strategy than simply waiting to react to incidents. After all, bottom line profit and happy customers are what really matters, aren’t they?

Andy Leon is a retail manager with a career spanning 30 years with names such as John Lewis, the Burton Group and B&Q. He found his niche within Security and has used this, along with a passion for customer service to increase stock availability whilst driving down loss. His desire to share knowledge is infectious and he strives to raise security awareness amongst those on the front line every day.


PRIVATE INVESTIGATORS

Viewpoint: ‘The Licensing of Private Investigators’ – Chris Brogan

The Home Secretary Theresa May has finally decided that private investigators will require a licence under the Private Security Industry Act 2001 to take effect some time in 2015. The fine details of this proposed regulation have yet to be released, but while we’re waiting I thought I might share the following thoughts with you.

Over the years there has been a great deal of difficulty in establishing a definition of a private investigator and/or what he/she does (http://www.statewatch.org/news/2012/jul/uk-hasc-private-investigators-report.pdf). For the purposes of this article I’m suggesting it’s likely to be a non law-enforcement or public authority investigator.

Section 3 of the Private Security Industry Act addresses the offence of not having a licence when engaged in a licensable activity. “A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding Level 5 on the standard scale, or to both” (Section 3 (6) Private Security Industry Act 2001).

Now there’s nothing new in that. Any of those companies or individuals that have already had to comply with the Act will be familiar with these offences. The point that I want to address here is around ‘licensable conduct’ and what that looks like in the real world.

Section 3 (2) lists ten activities of licensable conduct. What is common throughout is that the conduct has to be in connection with a contract. If there isn’t a contractual agreement with the person/organisation that the licensable activity is being provided for then you don’t need a licence. The old chestnut of in-house security officers not being licensed readily springs to mind.

Contracts in English law

A contract in English law requires four components. There has to be an offer. Clear and unambiguous. There has to be an acceptance of that offer. Clear and unambiguous. Consideration has to change hands. This does not mean money. Consideration is just something of value. It could be a service for a service. The contract also has to be considered legally binding between both parties.

Now consider the position of ABC plc, a large UK bank/corporation with lots of subsidiaries and/or associate companies. The investigation department is part of the head office structure and they supply investigative services to their branch offices and their subsidiary and associate companies.

These subsidiary and associate companies are separate legal entities under UK company law. (Companies Act 2006) ABC plc can sue or be sued by their subsidiary/associate companies. These individual companies, for reasons of motivation/individual corporate structure, are independent profit centres and their incomes and expenditure are reflected in their annual balance sheets. Look at any set of balance sheets of a plc company and you’re likely to see reference to balances due to and/or from subsidiary or associated companies.

I suggest that the above scenario is very familiar with any reader who has worked for a large concern. These concerns are, probably through ignorance, running risks that could have consequences of a financial, reputational and legal nature. If these risks ever mature where will the blame lie? Who owns the risk where security-related issues are concerned?

These investigative services are being supplied under contract and, as such, it’s my submission that:

• The individuals providing this service should be required to hold a licence. Section 3 (2)(b) of the Private Security Industry Act 2001.

• The directors of ABC plc – the company that’s providing these services under a contractual basis to their associate/subsidiary companies – should be licensed. Section 3 (2)(a) of the Private Security Industry Act 2001. That includes the non-executive directors whether they have a seat in the House of Lords or not.

• The managers of these companies providing these services should be required to hold a licence. Section 3 (2)(d) of the Private Security Industry Act 2001.

Opening the floodgates of litigation

Now, if my submission is correct then the investigator actually providing the service is likely to be committing a criminal offence and could be prosecuted. If he is, he runs the risk of not being able to obtain a licence in the future because of the negligence of his employers who failed to recognise their responsibilities under this legislation. His employers owe him a legal duty of care and in this scenario they would be in breach of that legal duty of care.

I suggest that it would require only one successful case for the floodgates of litigation to open with the likes of Liberty and/or Big Brother Watch clamouring to offer their support.

This isn’t the first time that I’ve raised this argument, albeit previously in relation to manned guarding. I have on nine separate occasions raised these points with the Security Industry Authority (SIA) at varying levels, all the way to the top. On the last occasion an SIA official told me that he would look in to it and would come back to me. I told him that eight of his colleagues over the years had told me that same story and they hadn’t. His forceful reply was that “he would.” That was some time ago and I wait patiently.

Next year, private investigators will require a licence. Life is tough enough for them as it is. This will be the third regime to which they will have to submit control of their activities (The Office of Fair Trading – Consumer Credit Act 1974 as amended by the Consumer Credit Act 2006, the Information Commissioner’s Office – Data Protection Act 1998 and the Security Industry Authority – Private Security Industry Act 2001).

These investigators will be competing on an un-level playing field with their in-house colleagues, I suggest that they’ll have little compunction in drawing these potential illegal activities to the attention of the authorities and any other bodies whose interests may be furthered by these revelations.

How can you manage a risk if you don’t know what it is?

I hope that I’ve helped you identify some of the risks that you and your organisation may already be running. There are many more that could result from the above scenario. Risks breed risks.

It’s a well known legal maxim that the unforeseen consequences of legislation far outweigh the foreseen consequences. This doesn’t mean that we have to be unprepared.

Chris Brogan MA LLM MIBA FSyI,

Partner, B&G Associates

020 8567 6944

COMMANDO SPIRIT

This year the Commando Spirit Appeal is again on a mission to raise serious funds for the work of the Royal Marines Charitable Trust Fund. The Commando Spirit Series of challenges offer participants the opportunity to test their mettle against true to life Royal Marines tests and we are now looking for people to sign up to show their courage for those who risk their all.

THIS YEAR OUR CHALLENGES INCLUDE:

• Escape The Dunker – the underwater escape training
• The 30-miler – Survive The Yomp in the rugged Scottish Highlands
• Take The Leap – the commando abseil from iconic buildings across the UK.

FACEBOOK: http://goo.gl/za1Hc4
PINTEREST: http://goo.gl/EBaoW5
TWITTER: http://goo.gl/FYwG4Y

Test your limits with @CdoSpirit challenges and raise funds for @RMCTF Have you got it? http://goo.gl/j5LfwI

However you help us, you’ll be contributing to the Commando Spirit Appeal for the RMCTF, supporting Royal Marines and their families in need.

THESMA

At TheSMA (The Security Management Academy) we are not only security trainers but security practitioners. As such we understand that it is often difficult to juggle work and study commitments; and occasionally impossible to guarantee attendance in the classroom, especially when resources are stretched.

Designed with the busy security manager in mind, TheSMA has launched their unique ‘Studyflex’ programmes allowing those with busy work schedules up to twelve months to complete their course through a combination of home study and a choice of course dates and locations.

Our programmes are led by industry renowned trainers, Barry Vincent MA, MSc, CPP, PCI, FSyI, and Bob Knights MBE, MSc, CPP, PSP, SIRM, FSyI, who have successfully delivered ASIS certification programmes for over 5 years.

The CPP and PSP programmes commence with an initial period of tutor-supported self-study, with the completion of set assignments. Barry and Bob will provide full guidance, direction and support for the duration of this period.

There will then be an intensive 5 day classroom and review, geared towards consolidation and testing of knowledge with focused tutor-led revision, culminating in a full mock exam of 200 questions (conducted under exam conditions). The tutor will highlight any areas for additional focus to equip you for success in the examination.

These flexible programmes have been designed to offer you the maximum support towards attaining this high level certification. You will benefit from the full support of the experienced TheSMA training team, its expertise in the knowledge of the certification syllabi, valuable revision aids and the flexibility to tailor the learning process to suit your individual requirements.

We are pleased to offer twelve months’ subscription to the CPP and PSP programme to new and returning Chapter members for £1250 plus VAT.

Subscription also includes access to our operational security centre for advice and mentoring, through our sister company Security Exchange Limited. Security Exchange comprises a core team of security specialists managing a worldwide panel of experienced consultants; and supported by 24/7 multi-lingual call centres in the three principal time zones; Europe, The Americas and Asia-Pacific.

Please contact Caroline Bashford, Director of Training at TheSMA, [email protected] or call her on +44 1491 699685 to find out how TheSMA’s ‘Studyflex’ programme can help you manage your studies more effectively.

THESMA ANNOUNCES NEW ‘STUDYFLEX’ PROGRAMME FOR ASIS CPP, PSP, PCI PREPARATION PROGRAMMES AND ACCREDITED SECURITY MANAGEMENT COURSES

SALARY STAKES

Are you keeping up in salary stakes? Peter French MBE CPP

Most HR functions cannot access the same salary data for the security risk discipline that they can for most traditional functions. Pay increases for most corporate security functions in 2014 have increased on average by 3.2% in the most industrialised countries in Europe. Good news is that bonus pools are increasing across a number of sectors including financial services, extractives, oil & gas, pharmaceuticals and logistics. Bonus payments to respondents have increased by an average 25%. Executive salaries across many functions in 2015 will remain relatively flat in Northern Europe, whilst salaries in Southern Europe, which have been subject to reductions in the past 5 years, will show increases in the coming year.

2014 has seen Cyber security become a hot button item on most company board members’ dashboards. Over 50% of CEOs consider that they lack the expertise in-house to deal with a serious issue. With C-suite executives seeing themselves as serious stakeholders in the problem of cyber risk, most complain about the lack of articulation of the issues and subject matter. There are also major differences in the way organisations deal with events: a recent CSO roundtable survey found that less than 27% of respondents have an in-house forensic capability; over 60% had an investigations function, mainly through analysts, and less than 11% would classify these as cyber investigators. In Europe we have had a number of incidents where banking organisations’ IT spending, even those under regulatory oversight, has been very poorly invested, creating organisations that can be a danger to customers and shareholders. The emergence at JP Morgan that recent data hacking was committed through vulnerabilities in their 3rd party suppliers is a key example where organisations would in the past be aware of their own strengths, but a layering of suppliers, who do not share information, is causing quality rifts in service security. Comment from regulators is recognising that cost reductions programmes are driving out experience as well as quality.

Fraud prevention, in the physical aspect, is around robust approvals, understanding geographic trends, criminal demographics and the ability to respond quickly; attributes that you cannot readily see in the virtual space.

How can you increase your income?

You could change jobs, but is there that much movement in the market? Can you change the perception of the role that you are doing? Can you converge your role with those who offer greater value to the corporation? Professionals who do not have indicators on the dash board run the risk of being irrelevant to the organisation, and it then proves difficult to demonstrate value. Those who are successful in the boardroom are those who understand and resonate from the corporate business environment and credo.

SSR® Personnel incorporating Executive Profiles is a dedicated recruitment consultancy for security risk and engineering.

EUROPEAN SECURITY HEAD
Regional reporting, policy implementation, promulgates corporate policy. Responsible for physical and information security. Budget responsibility £5m - £10m.

NATIONAL SECURITY HEAD
Responsible for all physical aspects of corporate security and maintaining standards across an estate. Budget responsibility £2m - £10m.

REGIONAL INVESTIGATOR & DUE DILIGENCE MANAGER
Supply chain management implementing corporate procedures.

SENIOR INVESTIGATOR
Responsibility for more than one country’s operations. Active across all security breaches, due diligence, product diversion, counterfeit and auditing functions for the corporation.

MAIN HQ SITE SECURITY MANAGER
Physical and information protection, proactive, local policy implementation and development. Budget responsibility £2m - £5m+.


CYBER SECURITY

(Cyber) Security: where does it fit in Michael Porter’s ‘Value chain’? - Alan Jenkins

One of the biggest challenges facing the security community (whether practitioner, vendor or service provider) has been how to convince the business leadership of the value of any investment into its security effort, whether it is protecting infrastructure, people or – more topical, perhaps – information and particularly intellectual capital, e.g. R&D outputs, on which future business revenue is dependent. The lack of a quantifiable ‘value-add’ from security outputs has frequently led, for example, to physical security being seen as a secondary activity of Facilities Management, while HR frequently resists any suggestion that it should own the background checking of staff, despite the overlap with the on-boarding process, and IT is often outsourced with too little regard to security provisions. This lack of perceived value from security is despite its having been identified as one of the Principles of War by such luminaries as Sun Tzu, von Clausewitz and Liddell-Hart. Most recently, the 2011 edition of British Defence Doctrine categorises Security as:

“ . . . balancing the likelihood of loss against achieving objectives. It demands managing risk, protecting high-value assets and resilience. Security does not imply undue caution or avoiding all risks, for bold action is essential to success. Neither does it demand over-committing our resources to guard against every threat or possibility, thereby diminishing relative fighting power.”

In the same document, it defines cyberspace as

“ . . . the interdependent network of information technology infrastructures - including the Internet, telecommunications networks, computer systems, as well as embedded processors and controllers - and the data therein within the information environment. As the world is increasingly interconnected with an associated growth in the use of cyberspace, (the UK’s) ability to operate in cyberspace is vital to national interest and enables (UK) national security, prosperity and way of life. Defence is increasingly dependent upon cyberspace and can expect adversaries to exploit this dependence. The UK government assesses the cyber threats to its interests and mitigates these through resilience measures, awareness and trusted partnerships. Activities in cyberspace are an essential element of our routine business and are fundamental to planning and conducting operations.”

Both can be translated into the commercial realm with very little change required. Whether your enterprise is in the business-to-business or business-to-consumer space, it is likely that both the Internet and Intranet play a large part in the day-to-day operations of most businesses. Any disruption, whether from an internal or external source, is likely to have a negative impact on business outputs, with an attendant cost and, often, reputational damage also. Increasingly, it is the latter that is getting the attention of Board members - both Executive and Non-Executive - and other stakeholders, including Shareholders, Market analysts and partners up and down the Supply Chain, not to mention national governments, legislatures and regulators. However, much of this attention is on reducing risk as opposed to adding value and is, therefore, a secondary driver for business where the primary driver is that of growth and, where applicable, adding shareholder value.

So, where does security fit in our business models and respective commercial strategies? It could be argued that, all too often, security is an after-thought for business, a ‘reluctant’ spend and almost invariably a ‘cost centre’, coming off the bottom-line with little or no contribution to the top-line. Given that it is almost universally acknowledged that security must use the language of business when seeking to make the case for further investment, who can we cite in support of our pitch, whether in the elevator or the Board Room? The list is not long and therein, perhaps, lies our greatest weakness – the value of security is neither recognised nor appreciated by the business until, perhaps, it is too late . . .

In his 1985 publication ‘Competitive Advantage: Creating and Sustaining Superior Performance’, Harvard Business School’s Professor Michael Porter introduced the value chain as a tool for developing a competitive advantage. This seminal work has influenced many MBA students since its introduction and thereby been reflected in many business strategies since.


Topics include:

• Sharing of value chain activities among business units.
• Using value chain analysis to develop low-cost and differentiation strategies.
• Interrelationships between value chains of different industry segments.
• Applying the value chain to understand the role of technology in competitive advantage.

Porter concludes by considering the implications for offensive and defensive competitive strategy, including how to identify vulnerabilities and initiate an attack on the industry leader – something which should be of particular interest to security. See Figure 1 on previous page.

The goal of these ‘Primary Activities’ is to create value that exceeds the cost of providing the product or service, thus generating a profit margin. Any or all of these primary activities may be vital in developing a competitive advantage but it should be remembered that they likely vary by industrial sector and are best considered at the business unit level. For example, logistics activities are critical for a provider of distribution services, and service activities may be the key focus for a business offering on-site maintenance contracts for office equipment.

Porter went on to identify four generic categories of ‘Support Activities’, the details of which are industry-specific and frequently conducted at the corporate rather than business unit level:

1. Procurement - the function of purchasing the raw materials and other inputs used in the value-creating activities.

2. Technology Development - includes research and development, process automation, and other technology development used to support the value-chain activities.

3. Human Resource Management - the activities associated with recruiting, development, and compensation of employees.

4. Business Infrastructure - includes activities such as finance, legal, quality management, etc.

These ‘Support Activities’ are oftenviewed as "overhead" but somebusinesses have successfully usedthem to develop a competitiveadvantage, e.g. to develop a costadvantage through innovativemanagement of information systems.

Your attention is drawn – if needed - tothe absence of any mention of securityas either a Primary or Support Activityand therein lays the rub.

We, the security community, frequently talk about security as being a horizontal activity cutting across pretty much all business activities but does anyone else recognise this supporting activity as being critical to success? Despite its merits, the idea of security convergence has struggled to gain widespread traction perhaps because its value-add has been less than clear. It seems that Porter did not consider it worthy of such recognition, unlike Quality Management for example, so is it any wonder that our business leaders view our contribution in a similar fashion? It falls to us, then, to better argue our case for increased ‘value-add’ recognition if we are to support business growth and change the still widely-held view that security exists to get in the way and say ‘No’. We need to analyse the myriad ways in which security supports at least, if not enables, the business to succeed – ‘Value Chain Analysis’ with a focus on security.

In order to better understand the activities leading to a competitive advantage and hence value-add, Porter begins with the generic value chain and then goes on to identify the relevant business-specific activities. Process flows are mapped and these flows used to isolate the individual value-creating activities. Once the discrete activities are defined, linkages between activities should be identified. A linkage exists if the performance or cost of one activity affects that of another. Competitive advantage is obtained by optimising and co-ordinating linked activities to maximise both efficiency and effectiveness. The business’ value chain should link to the value chains of upstream suppliers and downstream buyers. The result is a larger stream of activities known as the value system.

The development of a competitive advantage depends not only on the business-specific value chain but also on the value system of which the business is a part. This also links to current enterprise security thinking with respect to the supply chain as more than one primary supplier has been compromised by upstream contributors in respective supply chains.

This is a topic that merits more development than is possible in this ‘starter-for-10’ article.

This article first appeared in Risk UK Magazine

http://en.wikipedia.org/wiki/Principles_of_war

JDP 01 (Ed 5) UK Defence Doctrine

Porter, Michael E. (1985). Competitive Advantage. Free Press. ISBN 0-684-84146-0.

http://www.quickmba.com/strategy/value-chain/

Alan has accrued some 25 years’ experience in all facets of security, law enforcement and, latterly, information assurance and security risk management, with increasing focus on 'value-at-risk'; having served for some 17 years as a Royal Air Force Police officer. He has held 3 CSO/CISO positions since 2008, most recently at Babcock International Group, where he was their first CISO and latterly Group Security Co-ordinator also. He is the UK Chapter Lead of Convergence and Cyber Security.


DATA ANALYTICS

Benefits of Big Data Analytics in Security – helping Proactivity and Value creation

– Dr Vibhor Gupta PhD

Enterprise security at most organisations is tasked to deal with all aspects of threats and risks which arise due to the nature of their business, geopolitical situation and socioeconomic conditions. Given the spate of recent incidents globally, a lot of attention is drawn towards cyber security. However, as most organisations recognise, this attention is not limited to only the cyber side of security but all elements, which relate to protection of information and people at their organisation.

So, for instance,

Policies around access to critical areas (physical or virtual) are defined, implemented and monitored more tightly

To reduce the probability of ‘insider threat’, organisations are including measures to vet and audit each individual person (or logical account) who has requested or already has access to these critical areas

Boundaries of these physical or logical areas are finely defined taking into account local operations and industry regulations

All aspects of security such as cyber, data, people, assets and site are being looked at from a holistic perspective with reference to the core business objectives

In addition to this, Security departments are becoming (or increasingly intending to be) more proactive to identify risks and threats as opposed to being reactive to issues which might have already impacted their organisation’s business, people and/or reputation. In this interest, various tools and technologies are deployed to capture data across the aforementioned areas. And with most of these technologies now connected to the network, it’s becoming relatively easier to integrate them as it offers a cost effective alternative to manage various operations which otherwise are divided across different people and systems.

Given the wealth of data which security departments are capturing through their various activities or systems, they are using it in novel ways to identify and resolve risks (exceptions) which otherwise would go unnoticed till they manifest into issues. The principles of these novel approaches are seldom classified into ‘Security Intelligence’ and ‘Behavioural Analytics’. To share a few examples:

A global bank comprising a large workforce (>150K people) and over 100 sites across the world was keen to identify instances where their people were ‘remote’ logging into their IT systems despite being (physically) inside their premises. Such exceptions relate to possible duplication of an identity record, which is a serious threat. As the bank discovered, the ‘best’ (cheap, quick and replicable) way for them to approach this was to apply simple principles of data integration and visualisation across their base logical and physical access control systems. By doing so, the security team was notified of any such exceptions in real time. This allowed for an instant investigation and helped the bank mitigate their risk significantly.
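The correlation described in the bank example can be sketched as follows. This is an added illustration, not the bank's implementation or code from the article; the event layouts, identifiers and sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the article). Field layouts are assumptions.
BADGE_EVENTS = [
    # (timestamp, person_id, site, direction)
    ("2015-03-02T08:55:00", "E1001", "LON-01", "IN"),
    ("2015-03-02T09:10:00", "E1002", "LON-01", "IN"),
    ("2015-03-02T12:30:00", "E1002", "LON-01", "OUT"),
    ("2015-03-02T17:45:00", "E1001", "LON-01", "OUT"),
]
REMOTE_LOGINS = [
    # (timestamp, person_id, source)
    ("2015-03-02T08:30:00", "E1001", "vpn"),  # before arriving: fine
    ("2015-03-02T11:15:00", "E1001", "vpn"),  # badge says on site: exception
    ("2015-03-02T14:00:00", "E1002", "vpn"),  # after leaving: fine
    ("2015-03-02T10:00:00", "E1003", "vpn"),  # never badged in: fine
]

def find_onsite_remote_logins(badge_events, remote_logins):
    """Merge both feeds by time and flag remote logins made while the
    same identity is recorded as physically inside a site."""
    stream = [(datetime.fromisoformat(ts), 0, pid, ("badge", site, d))
              for ts, pid, site, d in badge_events]
    stream += [(datetime.fromisoformat(ts), 1, pid, ("login", src, None))
               for ts, pid, src in remote_logins]
    stream.sort(key=lambda e: (e[0], e[1]))  # badge events first on ties
    inside = {}        # person_id -> site currently occupied
    exceptions = []
    for when, _, pid, (kind, detail, direction) in stream:
        if kind == "badge":
            if direction == "IN":
                inside[pid] = detail
            else:
                inside.pop(pid, None)
        elif pid in inside:
            exceptions.append({"person": pid, "time": when.isoformat(),
                               "site": inside[pid], "source": detail})
    return exceptions

if __name__ == "__main__":
    for exc in find_onsite_remote_logins(BADGE_EVENTS, REMOTE_LOGINS):
        print(exc)
```

A missed or tailgated exit leaves a person marked as inside, so a production version would expire presence after a set period to keep false alerts down.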

A Fortune 500 organisation had multiple reported cases of expensive equipment stolen from different buildings around the main campus area. They suspected the thefts were occurring after hours but analysis of access records from their physical access control systems alone wasn’t very helpful. They had hundreds of people working late at that site on a regular basis so they were unable to identify a manageable number of suspects. But, by applying analytical intelligence to an integrated set of time and attendance data and physical access data, they were able to resolve this.

They first defined a ‘usual’ behaviour of an individual and groups of individuals, i.e. which areas they access the most and at what times.

Then they looked for exceptions, i.e. if certain individuals or groups accessed certain areas at times, which fell outside their ‘usual’ behaviour.

By doing this analysis, a single employee stood out and his access pattern also coincided with the thefts. The next time the employee entered a new area after his normal hours, the Security Operations team was notified, following which a guard was sent to inspect the building. The thief was caught red-handed. This approach not only helped them resolve a mystery but also provided them with a strategy to prevent similar activities in the future.
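The two steps above, building a per-person baseline and then looking for exceptions, can be sketched as follows. This is an added illustration rather than the organisation's own tooling; the record layout, the thresholds (min_seen, tolerance) and all sample data are constructed assumptions. Because the baseline is kept per person, staff who routinely work late are not flagged, which is what reduces the suspect list.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_baseline(history, min_seen=3):
    """Return {(person, area): set(hours)} for hours seen at least min_seen times."""
    counts = Counter((p, a, datetime.fromisoformat(ts).hour) for ts, p, a in history)
    baseline = {}
    for (p, a, hour), n in counts.items():
        if n >= min_seen:
            baseline.setdefault((p, a), set()).add(hour)
    return baseline

def find_exceptions(baseline, events, tolerance=1):
    """Flag events whose area is new for the person, or whose hour is more
    than `tolerance` hours from every usual hour for that person and area."""
    flagged = []
    for ts, p, a in events:
        hour = datetime.fromisoformat(ts).hour
        usual = baseline.get((p, a))
        if usual is None:
            flagged.append((ts, p, a, "area not in baseline"))
        elif all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in usual):
            flagged.append((ts, p, a, "outside usual hours"))
    return flagged

def constructed_history(days=10):
    """Constructed sample data: E2002 routinely works late, E2001 does not."""
    start = datetime(2015, 2, 2)
    rows = []
    for d in range(days):
        day = start + timedelta(days=d)
        for person, area, hour in [("E2001", "Lab-A", 9), ("E2001", "Lab-A", 16),
                                   ("E2002", "Lab-A", 10), ("E2002", "Store-B", 21)]:
            rows.append((day.replace(hour=hour).isoformat(), person, area))
    return rows

NEW_EVENTS = [  # constructed
    ("2015-02-16T21:30:00", "E2002", "Store-B"),  # late, but usual for E2002
    ("2015-02-16T17:05:00", "E2001", "Lab-A"),    # within 1h of usual 16:00
    ("2015-02-16T22:10:00", "E2001", "Store-B"),  # new area for E2001
    ("2015-02-16T23:40:00", "E2001", "Lab-A"),    # usual area, unusual hour
]

if __name__ == "__main__":
    for row in find_exceptions(build_baseline(constructed_history()), NEW_EVENTS):
        print(row)
```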

A highly secure Research and Development organisation spent enormously each year to perform background checks for every person accessing their campus. Reduction of their security budget led them to change their policy such that they decided to perform ‘risk assessments’ on each individual and they re-ran checks only on those who represented the highest risk. However, this simply led to a cut in the frequency of checks and raised their risk significantly. So it was critical they re-defined the way in which they derived their ‘risk assessments’.

They started by factoring each individual’s level of access, the time they had been with the organisation and the time since they last went through a background check. This information was coupled with their known ‘behaviour’ (which areas they access frequently and at what times) to compute a ‘Risk Score’. Background checks were mandated for individuals with a high Risk Score and those who showed a sudden increase in their overall Risk Score. This helped a great deal in maintaining their high security levels (no issues reported since) whilst reducing their operational cost by approximately 85%.
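A Risk Score of the kind described, with both triggers (a high score and a sudden increase), might look like the following. This is an added illustration, not the organisation's model: the article gives no formula, so the weights, thresholds, scaling, direction of the tenure factor, field names and sample records are all assumptions.

```python
from datetime import date

# Weights and thresholds are assumptions for illustration; the article gives none.
WEIGHTS = {"access": 0.4, "recheck": 0.3, "tenure": 0.1, "behaviour": 0.2}
HIGH_SCORE = 0.6   # re-check at or above this score
JUMP = 0.15        # or when the score rose by at least this much

def risk_score(person, today):
    """Combine the factors named in the article into a score between 0 and 1."""
    years_since_check = (today - person["last_check"]).days / 365
    years_employed = (today - person["joined"]).days / 365
    parts = {
        "access": person["access_level"] / 5,           # 1 = low .. 5 = critical areas
        "recheck": min(years_since_check / 5, 1.0),     # saturates after five years
        "tenure": max(0.0, 1 - years_employed / 5),     # assumed: newer staff score higher
        "behaviour": min(person["exceptions_30d"] / 5, 1.0),  # out-of-pattern accesses
    }
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 3)

def checks_due(people, previous_scores, today):
    """Return {person_id: reason} for everyone who needs a background check."""
    due = {}
    for pid, person in people.items():
        score = risk_score(person, today)
        if score >= HIGH_SCORE:
            due[pid] = "high score"
        elif score - previous_scores.get(pid, score) >= JUMP:
            due[pid] = "sudden increase"
    return due

TODAY = date(2015, 3, 1)
PEOPLE = {  # constructed sample records
    "R1": {"access_level": 5, "last_check": date(2009, 3, 1),
           "joined": date(2005, 3, 1), "exceptions_30d": 0},
    "R2": {"access_level": 2, "last_check": date(2014, 3, 1),
           "joined": date(2008, 3, 1), "exceptions_30d": 4},
    "R3": {"access_level": 1, "last_check": date(2014, 9, 1),
           "joined": date(2003, 3, 1), "exceptions_30d": 0},
}
PREVIOUS = {"R1": 0.7, "R2": 0.22, "R3": 0.11}  # constructed scores from the prior run

if __name__ == "__main__":
    print(checks_due(PEOPLE, PREVIOUS, TODAY))
```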


There are several other use cases, which highlight the benefits and values which security departments are creating using the principles of ‘Security Intelligence’ and ‘Big Data Analytics’. To outline a few,

Site utilisation metrics – to what degree is a site being used?

Key performance indicators – how well are the security operational teams doing based on their service level agreements?

Impact analysis in case of changes such as change of security policies or existing technologies such as access cards and access control systems.

Supporting the green agenda by reducing the energy usage in areas which are not used heavily based on the data analysed.

However, all great ideas require a successful execution (implementation) for their ‘greatness’ to be recognised. During this study we learnt of the following tenets, which were key to successfully achieving the above:

Identify the use cases, which should be addressed through the endeavours of ‘Security Intelligence’ or ‘Big Data’. Base these on the experiences of known risks, threats and exceptions.

Look for extensible solutions that can contribute to the bigger picture if that should become necessary. Scalability and extensibility are easily achieved when out of the box solutions are deployed as opposed to customised ones. This helps organisations protect their investment as such solutions can be geared to handle changes of other third party systems or business processes.

Partner with systems vendors that specialise in the security vertical and connect to applicable systems (such as Access control, logical human resource systems, security devices) in a non-customised/non-bespoke manner.

Avoid generic “Big Data” solutions from vendors that don’t understand security. Domain knowledge is very important given that one size doesn’t fit all. Domain knowledge coupled with reference-able experience of a solution provider implied cheaper, shorter and scalable implementation.

With the above it’s evident that security departments globally are recognising the opportunity to be a business enabler and are aligning their objectives so their organisations can run efficiently. This is a welcome deviation from the traditional view of security being a reactive and investigative team only which was unfairly labelled as a ‘cost centre’.


Dr Vibhor is the ASIS UK Chapter Technology Lead and can be reached at [email protected]
