Printer Friendly

Renaissance manager.


A RECENT OP-ED ARTICLE IN THE WASHINGTON POST NOTED THAT SCHOLARS and think-tank types at the Brookings and Hoover institutions, the Heritage Foundation, and the Institute for Policy Studies are making their predictions for the coming decade. In his analysis of these predictions, the writer noted that the "complexities of the present are what make the future so very uncertain."

The purpose of this article is not to predict the future. Rather, it is to share some ideas on the skills, talents, abilities, and knowledge security managers for the coming decade will need to deal with the complexities of the present so the future can be made somewhat less uncertain.

The first skill security managers will need is familiarity and ease with computers. The computer has, without a doubt, revolutionized the modern office. It has increased the productivity of office workers from clerk to CEO. But like all good inventions designed to make life easier, it has brought a number of security vulnerabilities of which security professionals must be aware.

Be aware of the automated data processing (ADP) architecture of your organization. Are all computers stand-alone systems, connected together in a local area network (LAN), or connected to a larger mainframe or host computer? What are the external connections to the system, and how and by whom are they controlled? Are unsuspecting employees in your workplace connecting to electronic bulletin boards, which are the '90s equivalent of an HIV carrier with a potential to infect and destroy our systems?

A significant number of security concerns are overlooked by management and ADP professionals in their haste to bring the benefits of automation to the workplace. Security managers of the '90s will have to be familiar enough with these concepts to anticipate the risk and security exposure of each new ADP component so they can advise management of the inherent weaknesses. Security managers cannot expect the management information services (MIS) department to consider the security implications of a system it is trying to sell to management. Instead, security managers must become "ADP threat managers" for the organization.

Security managers are usually brought in when a system is already in place and the Defense Investigative Service (DIS) is on the doorstep waiting to conduct an inspection. Security needs to be proactive in this regard and develop a good working relationship with the MIS department. That way, it can offer input on the proposed system and incorporate appropriate security measures such as password protection; file access limitations; file encryption; audit trails of users, files accessed, and times of access; and control of the introduction and copying of software. It is costly and time consuming to add these measures once the systems has been purchased and installed.

Besides the obvious concern for user clearance, output control, and security during operation and communication, other concerns exist such as vulnerabilities of certain computer hardware systems, operating systems, archiving techniques, recovery systems, and even programmer shortcuts.

One example of a programmer shortcut involved the attack on government computer networks - estimated to have infected some 6,000 terminals at as many as 500 different installations - which was attributed to a student at Cornell University named Morris. Evidence indicates the hacker gained access not by trying various passwords but through the knowledge he gained working summers at AT&T Labs with his father. The hacker discovered the UNIX operating system had a feature that allowed programmers to bypass system security by simply typing an eight-letter word, which gave immediate access to the operating system in case programmers forgot the password.

What is my suggestion to security managers of the '90s for dealing with this type of situation? Become familiar with ADP terms and concepts. But more importantly, make friends with the MIS department. Get them to share their plans with you and get them to understand security's concerns before they design and present plans for ADP architecture to top management.

ONE OF THE EASIEST WAYS TO learn ADP concepts and terms is to automate the security department. The security office of the '90s will undoubtedly be automated. Commercial integrated security management software packages are available today to assist security managers. They combine in-depth security management experience and state-of-the-art ADP capabilities. These packages deal with the three traditional major concerns of security managers: physical security, information security, and personnel security.

Most organizations have spent a significant amount of money on fences, gates, security doors, alarm systems, and access control devices. Employee pass and badge systems also are common and will probably continue to be used.

But the aspect of physical security neglected most often is the control of visitors - people who pass through extensive physical security barriers on a daily basis. All of us have gone to a secure facility. We wait interminable delays to be issued a nondescript, generic visitor badge, which is often issued by a bored or overworked-looking, minimum-wage employee who cares little about who we are, our level of clearance, or who or where we are going to visit.

An ideal visitor control system has the following characteristics. As visit authorization requests (VARs) are received by mail, fax, or phone, they are routed to the desired point of contact and to security. If the VAR is approved, it is entered into the automated data base so when the visitor arrives at the visitor control center (VCC), he or she presents a photo ID, preferably with an employee or social security number. After verifying the person's identity, the VCC operator can rapidly access the VAR from the on-line computerized data base and enter the point of contact information for that particular visit.

Following this quick input, a site-specific, one-day badge is printed from a color printer attached to the computer or terminal. The person to be visited is telephoned. On receiving approval, the visitor is escorted to the office or allowed to proceed through controlled spaces, with security guards enforcing limitations on certain areas or floors.

An automated security system also has the capability to rapidly process walk-in visitors for unclassified visits. The average processing time per visitor under such an automated system is less than four minutes. Manual systems currently in use at many secure facilities take an average of 15 to 20 minutes to process a visitor.

Consider the other benefits of automating visitor control. Statistical reports can be generated on the number of visitors by category (government, contractor, foreign national, etc.); the clearance level and organization of visitors to a specific point of contact or organizational element; and hours of peak visitor flow for guard or escort scheduling. Virtually any information collected is available for reporting and statistical analysis.

To be really effective, a visitor control system can be integrated to accomplish a number of related functions such as producing VARs by storing personnel and clearance information and information on organizations with which security managers regularly do business. With such information, it would be possible to rapidly generate the VAR and transmit it by mail, fax, phone, or possibly even electronic mail with hard copy backup as needed. Inclusion of a stored video image for identification is also a possibility. The beauty of such an integrated, on-line system is that numerous additional security and administrative tasks can be rapidly produced from the data base, such as clearance rosters, phone lists, and location reports.

Another significant advantage of the integrated security management system is the capability to place notes in the VAR file on an individual, such as "Do not admit," "Hold and notify security," or "This visitor failed to turn in property or visitor badge from last visit." With such a system, it would be easy to produce an up-to-the-minute report on the clearance status and level of all organizational personnel for such purposes as determining who should have their clearance upgraded or downgraded.

VIRTUALLY ANY SECURITY MANAGER responsible for controlling classified, sensitive, financial, or proprietary information will require an automated, integrated, on-line document control system, ideally based on the use of bar code labels. Such a system will be far more advanced than data base filing programs often used today for document control.

It will be an interactive tool used by all authorized personnel engaged in document control, not merely an electronic filing box where actions are recorded after the fact. It will be written in an advanced programming application language such as PROGRESS, which will provide for portability to a number of different computer platforms and operating systems. It can become the systems standard for an organization, facility, or program and be made to run on a stand-alone PC under DOS or native Macintosh operating systems and can migrate, as needed, to multiuser XENIX systems or large-scale UNIX or VMS systems with 50 or more users and a data base of up to a million or more documents.

An automated, integrated, document-control system - which would also protect diskettes, slides, charts, and models - would enable security managers to comply better than ever with the Information Security Regulation, the Industrial Security Manual, Information Security Oversight Office Directive Number 1, and Executive Order 12356. It would obviate the kind of findings the Government Accounting Office and Congress have published about Special Access Programs at contractors like Northrop and government facilities such as the Arms Control and Disarmament Agency.

A well written program, developed by a consortium of experienced security professionals and highly skilled programmers and system analysts, can enforce compliance with applicable security directives through the computer's unflinching requirements to do it right the first time. A computer does not have bad days on which it is less vigilant in its requirement enforcement. It does not have friends for whom it bends the rules. It is not intimidated by senior members of the organization demanding that a document be processed immediately, resulting in shortcuts that violate the normal administrative processing rules.

When system users are properly trained, such compliance can be achieved, even in a think tank environment of engineers and scientists who often see security managers as an impediment to the free exchange of information. In fact, such users often see a well developed and well administered program as an advantage because documents can rapidly and accurately be located to assist them in their research.

Automation can pay handsome dividends in the productivity of the document control center, which traditionally has been understaffed. Enhanced productivity increases the morale of the document control personnel, thereby enabling security managers to perform more tasks with greater accuracy and at a lower cost. All these features make security managers appear more efficient to senior management, which usually leads to career rewards.

This ideal, automated, on-line, integrated document control system must be easy to learn and use. In other words, it must be user friendly. Anyone should be able to learn it with a few hours of instruction by installers or trainers.

Documentation should be comprehensive and easy to understand. Ideally, the system should be similar to office word processors - menu-driven, with on-line help features and onscreen prompts. The software manufacturer should have an 800 telephone number just like many word processor manufacturers do.

Almost everyone is familiar with the phrase "garbage in, garbage out." The ideal document control software package will prevent garbage from going into the data base by requiring extensive edit checks and validating data at the point of entry. Organizational names, for example, would be entered only in a prescribed manner. This task will require some up-front work by the system administrator to ensure that all organizations are entered into a data file and that correct organizational acronyms are used by document control personnel.

For example, let's say I receive documents from both the Strategic Air Command and the Science Applications Corporation. SAC can only refer to one of these organizations or else, when I ask for a report on all documents received from SAC, I'll get both Strategic Air Command documents and Science Applications Corporation documents. When document control personnel can't

recall organizational acronyms, they should be able to hit a help key and get a list of organizations on file.

Such edit checks and validation would be extremely valuable in generating personnel security questionnaires (PSQs). When PSQs contain inaccuracies or omissions, the Defense Industrial Security Clearance Office (DISCO) returns them, costing the company time. Ideally, all PSQ forms will be transmitted electronically to DISCO.

The ideal integrated security management system would allow security managers to add different modules for visitor control, document control, PSQ preparation, vehicle registration, access control system enrollment, billet management, and guard tour management as needs and funds dictate. The integrated character of the software would require that the system work with a common data base to reduce the required disk space and eliminate the need to input new data more than once. The modular nature of the ideal software would also permit spinning off functional areas that grow so large they need to run on a separate host central processing unit.

THE USE OF BAR CODE LABELS IS essential to the software design. The bar code chosen should be Code 39 with an added check sum that ensures first-read, error-free use of a light-pen-like bar code reader. Each document and copy in the control system would then have a unique identifier. Speed and accuracy of the system will be greatly enhanced because information will only have to be entered once. Transactions can then take place by merely scanning the bar code label with a transmitter. Transmittal and destruction certificates will automatically be printed, as will regrading notices, package receipts, and mailing labels.

The system chosen will maintain a complete audit trail of all transactions and assign capabilities and functions that are individualized to each authorized user based on clearance, access, and need to know. With a common relational data base, the system administrator can rapidly change capabilities and functions by making one simple entry, which will be effective immediately.

The audit trail will be of particular value if classified material is compromised. Information will be available on each person who had custody of the information, security containers where the documents were stored, and anyone who had access to these containers. This audit trail will list the date, time, operator, and terminal for all transactions. Such information may be retained even after destruction certificate retention periods.

As mentioned earlier, automating document control will make possible an unprecedented level of compliance with security regulations. For example, consider the system's ability to invisibly and instantly check clearance, and classification, contract, program, project, compartment, and dissemination restrictions before allowing internal or external transfer. Imagine a system that verifies facility clearance and storage capability before any document is prepared for transmittal out of your facility. This is the integrated security management software that security managers of the '90s will have at their disposal.

The use of dependable bar codes on controlled items will greatly enhance security managers' ability to conduct inventories, whether they be the annual, compromise, or change of custodian type. Armed with a portable inventory unit, personnel from document control centers can go to a container; identify themselves by bar code; identify the container, which is already registered by bar code; shoot all bar-coded documents; and return the information to the main computer data base for reconciliation.

A conservative estimate is that this will save 90 percent of the time a normal, manual inventory takes. With an error rate of one in 75 trillion, bar codes are reliable, and they cannot be reproduced effectively.

The software just described represents the user needs document for the system desired by security managers of the '90s. A major industrial defense firm recently spent two years developing just such a specification.

After this software specification and a knowledge of computers, the next critical skill for security managers of the '90s will be an ability to view and articulate their functions in financial terms. Security managers must learn to speak management's language, which almost always translates to a bottom-line orientation.

Get to know your organization's market or constituency. If possible, seek to make security a profit center or your organizational element a budget line item management entity. Learn to compete with other members of the staff for a share of the organizational budget. If possible, contribute to the bottom line, either directly by providing a security service for profit or indirectly by providing cost avoidance and risk mitigation.

For security managers in the government, know enough about the budget process in your organization to have on the shelf unfunded projects that can be funded on short order with end-of-year funds, reprogramming actions, or special budget lines for productivity enhancement. For security managers in private industry, seek innovative ways to market the skills of your security office by assisting subcontractors in establishing their participation in the Defense Industrial Security Program in return for services, price breaks for your company, or direct compensation.

Few top-level corporate managers can resist an entrepreneurial scheme that contributes directly or indirectly to the bottom line. Security managers who are able to do this task will see an increase in recognition and organizational power for their share of the corporate budget dollars.

SECURITY MANAGERS OF THE '90S must have an orientation in behavioral science. Managers will have to deal with drug testing, preemployment screening, and ethics. Since such programs are often placed under the supervision of security managers, managers will be forced to deal with sensitive personnel issues of the work force as never before.

At the same time, security managers can expect to retain all their former responsibilities. Thus they will have to work smarter, rather than harder, and will need state-of-the-art tools such as the automated system described earlier. Security managers will have to be experts in security without a doubt. But the added requirements in computer and behavioral skills will make it mandatory to keep up-to-date on these topics, too.

Fortunately, a wide range of publications are available to assist security managers. Security Management, the Protection of Assets Manual - particularly its monthly bulletin, which contains short articles as well as in-depth reference material - and newsletters and periodicals of professional security and law enforcement organizations all offer a wealth of information in these fields. Security managers should read a minimum of one periodical a week.

Seminars are also significant sources of new information in these fields. Attending one seminar a quarter is a reasonable goal to establish to stay current in the field. National conventions and seminars also provide excellent opportunities to enhance professional skills.

Formal programs of instruction offer the opportunity not only to stay abreast of current security management topics but also to learn what it takes to climb the corporate ladder. In my opinion, the ultimate goal of any security professional is to attain the CPP designation. Attaining the designation is the mark of the true professional, regardless of the academic degrees attained. This process requires a mastery of the entire range of security disciplines.

In summary, security managers of the '90s will have to be renaissance men and women. They will have to master the ADP tools of the workplace and put them to work. They will have to be business oriented, whether in the private sector or government, and play the corporate game with skill and aplomb. They will have to understand people through a behavioral science orientation. They will have to be well-read in a wide range of subjects and continue their education with the goal of achieving professional recognition. Armed with these tools, security managers will be ready to face the uncertainties of the coming decade.

About the Author . . . Joseph C. Liberti, CPP, is vice president of security operations for Sector Technology in Falls Church, VA, a firm providing high tech solutions to security management problems in government and industry.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:successful security managers must be multitalented
Author:Liberti, Joseph C.
Publication:Security Management
Date:Jan 1, 1990
Previous Article:Eschew obfuscation!
Next Article:Crimes of the vault.

Related Articles
Ready for growth, but short of talent?
The Other Modernism: De Chirico and Savinio.
Proceedings of the ARMA International 47th Annual Conference (New Orleans).
In memoriam.
RadiciSpandex. (Expo in Print 2003).
The Biography of Dr. Dre.
The Pale Surface of Things (fiction).

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters