Introducing TrackTik’s Impact Security Series! We sit down with influential industry leaders to get their take on the ever-evolving security landscape, its potential impact on organizations, and ways in which you can learn from their expertise. Through thought leadership, learn about industry trends to watch and hear hot takes on various topics.
Founded in 1955, ASIS International is a global organization of security professionals who come together to share and acquire knowledge of the industry. CEO Peter O’Neil and Chief Global Knowledge and Learning Officer Michael Gips, CPP, joined us to discuss how globalization is impacting security risk management and how holistic approaches, which incorporate education and understanding, are crucial to dealing with new and emerging global threats.
O’Neil joined as CEO two years ago, bringing with him a lengthy background in occupational security and safety. Gips has been with ASIS International for years, first joining the organization’s publication Security Management and later signing on to offer his expertise in strategic security. Both provided insights into how ASIS International is thinking globally.
How is ASIS International connecting the global community with its offerings (such as publications, standards, guidelines, etc.)?
Gips: ASIS is well known for providing on-site, in-person training to our members, but we can’t necessarily provide that all over the world, so we are developing a virtual learning competency; we can deliver information and expertise globally via a learning management system or on our website, so we can ensure consistent quality instruction and materials around the world, and spare our attendees the cost of on-site participation. Don’t get me wrong – face-to-face programming is a vital part of what ASIS does and there’s no substitute for it, but going digital will go a long way towards bridging the knowledge gap at a cost-effective price point.
How is globalization shaping security for businesses and organizations?
Gips: I’d be happy to address that because that’s my forte, [laughing] and Peter can chime in when he wants.
Globalization is shaping strategy in many ways. A few examples are that security managers find themselves increasingly working with cross-national, cross-regional and cross-cultural teams. A security manager in Japan (and I happen to know this specific person), may find himself responsible for overseeing operations in China, South Korea and Singapore, and they have very different cultural norms between those countries… and expectations. Security managers increasingly need to know how to manage and lead using so-called softer skills rather than practicing security per se.
As another example of globalization, it’s making the rules of the game much more complex. You might have an American company that does almost all its business in the United States and previously only had to worry about federal laws and regulations, state laws, maybe local laws. Now if they have a single European customer, they have to worry about the GDPR (General Data Privacy Rule). If they are hiring US employees who may be from Mexico or Norway, they need to perform background checks from the appropriate jurisdictions, which is not necessarily easy (…), and so on.
Globalization is also increasing demand for local talent. A Western company in the past often deployed someone from the United States or Western Europe to oversee security at sites, like Southeast Asia. Peter and I were just in India and we see this transformation going on. Of course, Westerners are not more competent, but they may have more experience with company culture and management systems, and have certifications, and so on. But really, it’s more cost-effective for companies to use the local talent, native to those areas. [Peter murmurs in agreement.] It can provide an additional advantage because they know the culture and business environment and they are not seen as outsiders.
What are some new risks or threats emerging thanks to globalization?
Gips: The number one thing is that we’re so interconnected via the internet, that really anyone can launch a cyber-attack against any company or any person in the world, even from places where the network infrastructure is virtually threadbare. You know, North Korea barely has the internet and yet they can muster attacks on big organizations.
Another threat that arises from globalization is a battle over resources. You have well-developed nations scouring the four corners of the earth for dwindling resources, such as rare metals. And locals fear exploitation and plundering. This is not necessarily new; (…) but this is being exacerbated as companies increasingly cross borders in search of new resources. Even their use of precious resources – like they’re using water, that the local community needs to use… there are battles over that; that’s triggering resentment in local populations.
What new security measures are developing as a result?
Gips: There’s much more consciousness of network vulnerabilities and evolving internet exploits. A few years ago, physical security professionals did physical security; cyber security professionals worried about the cyber. But now, everyone has to worry about security holistically. (…) The internet and all things digital are infiltrating the security world. You can’t call yourself an up-to-date skilled practitioner without knowing that side of things.
And in the case of the local populations feeling exploited, as I was talking about earlier, some companies have found that it’s best to work with them and adopt an ethos of corporate social responsibility. And besides being the right thing to do, that reduces the necessity for security (…).
O’Neil: The other piece I would add is that one of the areas ASIS is known for, and will become more known for as we go forward, is around standards, guidelines and certifications… and research. A profession is truly a profession when it has strong standards, strong guidelines, strong certifications, and strong research. Our ASIS Foundation is starting to get good, or get better, at identifying research opportunities for the profession. We’ve been strong in [this area] for a long time, but I think Michael and I agree and our board agrees that there’s a lot more room for growth there. With the globality of business and globality of security, we’ll look at making sure whatever standards and guidelines we develop are done on the international scale.
That’s not easy to do, right? What are some approaches to incorporating globalization into the different standards?
O’Neil: It’s not, but you have to start somewhere. (…) We’ve taken a holistic look and restructured S&G (Standards and Guidelines Commission) to allow for them to be a lot more global-leaning, global-looking than just sort of North American- (and in particular American-) centric, so there’s that piece.
The second piece is re-involving ourselves in ISO [International Security Organization] in a way that is more methodical and deliberate than perhaps we were before. That’s not to say that previous efforts were bad or wrong – that’s not my point at all. But we want to be involved a little bit more holistically (…).
The third piece is chapters. ASIS will really begin to re-double, re-triple, re-quadruple its efforts around chapters, making sure the chapter experience, which is the relatively local experience for our members, is enhanced, is stronger, is better, is different, is more, is all the things that come with that. Specifically related to standards, and guidelines and certifications for that matter, using [chapters] as a mechanism to communicate with our members at that level and make sure they understand what their international organization is doing from an international perspective that impacts the local perspective.
ASIS International is developing Enterprise Security Risk Management, a new strategy in which businesses take a holistic approach to potential risks and how they align with solutions. Why are CSOs interested in adopting ESRM?
Gips: [ESRM is] in an embryonic stage. There really are no best practices or guidelines in existence, but the board created an ESRM Commission and since then, the ESRM Commission has broken into four value streams: one has to do with education and certification, one has to do with standards and guidelines, one has to do with creating a maturity model and one has to do with branding and marketing (…).
The master plan over the next few years for the former ESRM Commission, which is now the value streams, is to embed ESRM into the DNA of ASIS. ESRM doesn’t have to come up in every sentence or in every workshop or in every article. But it’s a lens through which we can look at security issues. ESRM isn’t necessarily a be-all, end-all. We’re going to still do programs on executive protection and active shooter that don’t necessarily have to deal with ESRM, especially if you look at them individually. CSOs already practice ESRM, at least in bits or pieces; they just don’t call it by that name or put it in those terms.
What value is gained by applying ESRM?
Gips: Many CSOs perform a lot of those functions already, but not in a systematic way. When you have an ESRM approach, it puts the cards on the table and it demonstrates to executives how crucial security professionals are to their decision making and overall business functions.