Kissinger Addresses Foreign Policy Challenges
Former U.S. Secretary of State and 1973 Nobel Peace Prize winner Henry Kissinger, a giant of Cold War diplomacy, addressed Wednesday's general session at the seminar and exhibits. He thanked attendees for their service protecting freedom but warned that today's crises abroad are only early symptoms of a growing global Islamic jihad.
"The Islamic jihad is, in a way, only at the beginning. We're just seeing the symptoms of it in one part of the world," Kissinger said of the Middle East, pointing to huge, potentially disaffected Muslim populations in India, Indonesia, and in the West.
Kissinger served as national security advisor to President Richard M. Nixon from 1969 until 1975, and simultaneously as secretary of state beginning in 1973 until 1977, the final three years under President Gerald R. Ford.
Kissinger and his North Vietnamese counterpart Le Duc Tho shared the Nobel Prize for their efforts to end the war in Southeast Asia, and in 1977 Ford awarded Kissinger the Presidential Medal of Freedom, the nation's highest civilian honor.
Kissinger's remarks focused on neighboring flashpoints in the fights against radical Islam and the spread of nuclear weapons: Iraq and Iran. Addressing the former, Kissinger restated his contention that withdrawal is a formula for disaster on a broad scale.
"When people talk about Iraq and talk about American withdrawal, they have to understand that the war we're fighting happens to be located in Iraq today, but it will not end in Iraq. It's an assault on the institutions of the region, and on the international system. It's deeply founded, and it's run by dedicated people," Kissinger said.
"If this radical element develops the idea that they defeated the Soviet Union in Afghanistan and the Americans in Iraq, that will not be the end of the process. It will be the beginning of a whole new kind of crisis ... the script for a much more serious crisis down the road."
Kissinger recalled April 30, 1975--the day Saigon fell--as the saddest of his career. He characterized the move as a series of simple decisions--decisions that he says the United States can't make in Iraq.
"This is not something that we can win by a decision to leave. We can only win it by demoralizing the terrorists and keeping them from achieving their goals and by building the leadership structures to resist them." Making a decision to leave, Kissinger said, would only produce a "temporary quiet."
Kissinger noted the failure of Iraq's elected leaders to establish a functioning government, but he expressed optimism that leaders in the region may be compelled to establish order as more of them realize that their countries, not the United States, will be the victims of a political failure in Iraq, Kissinger said.
Concerning Iran, Kissinger expressed doubts about the potential of diplomacy to stop the country's push for nuclear capability. "Nobody wants another war. But history has shown us that those who want to change the system and tell you they want to change it and who take action to change it through terrorist attacks all over the world, if they're not confronted and if it's not demonstrated to them that they cannot succeed, then you don't get a long way," Kissinger said, recalling the relative simplicity of the Cold War--an era of mutually assured destruction.
"I have read people saying that if you could contain the Soviet Union, you could contain Iran. But it is not the same thing. If Iran has nuclear weapons, four or five other countries are going to have nuclear weapons. And then nuclear material will be spread around the world, and it's bound to become available to terrorist groups.
"Some people say, 'You have to use diplomacy.' I have studied diplomacy as a professor, I have practiced diplomacy as a diplomat," Kissinger said. "I have never seen a negotiation in which you prevail by the beauty of your argument. That's a construct of academics. In the real world, you have to have incentives and penalties."
He went on to say that "those penalties, however, such as economic sanctions, often either have little effect or, if severe, harden a country's resolve."
In an exclusive interview following his speech, Kissinger told Security Management that the challenge of Iran lies in the fact that its government represents a cause more than it represents a nation of people.
Kissinger tempered his speech with an optimistic observation on the state of the nation. "We are still the strongest nation in the world, and we are still the most cohesive nation in the world, which is essential to eventual achievement of peace. Nobody is applying to emigrate to the jihadist countries. They are coming to our country because they want conditions for a better life."
His droll, academic baritone belying his sense of humor, Kissinger expressed his personal debt to members of ASIS. "This is an organization to which I personally owe a great deal, because for the last decades of my life I have needed personal security for a variety of reasons, mostly to protect me against my own staff."
Kissinger is currently chairman of the international consulting firm Kissinger Associates, Inc., and is the author of more than a dozen books, most recently Ending the Vietnam War: A History of America's Involvement in and Extrication from the Vietnam War.
"For me, it is a pleasure to talk to this group," Kissinger said, wrapping up his address. "You see all of this. You have to help overcome it. This is an enterprise that was imposed on us. No American would have wanted it. But ... the future of world peace, and of our children, depends on the success of the effort."
Peters Promotes Focus on Excellence
People and excellence. If Tuesday's keynote speaker, Tom Peters, had his way, these would be the only two terms in a businessperson's vocabulary. According to Peters, they are the two components every business needs for success whether it makes widgets or provides security.
"Being good at what you do is not about the toys, but about the people," said Peters. He also said what every security person must know innately: No one remembers your wins, but everyone will remember your losses. Because of this, security professionals should remember one name, Charles Darwin, and follow his iron law of nature: Be adaptive.
One issue that Peters zeroed in on was the security industry's proclivity to say "security" far too much. "You are risk managers," said Peters. Positive reinforcement is critical in business. Be positive and people will respond. Perception is everything, Peters reminded the audience.
In a business marked by terrorism, disasters, and the worst humanity can offer, security professionals must emphasize successes. "You teach people by bringing up good stories," said Peters. Security managers, like any business executive, should also remember their staff is everything. "Unearth the champions," Peters said, pointing his fingers at the audience.
"Somewhere in your organization, people are already doing things differently ... and better. To create lasting change, find these areas of positive deviance and fan the flames," said the prophet of business management. The security industry, like any business, needs to find these innovators, hiring them based on their can-do attitude, and then training them for skill.
This all goes to fulfill the prophecy of one of Peters' inspirations, Boyd Charles, who once said: "I've always believed that the purpose of the corporation is to be a blessing to the employees." In an age marked by Enron-like business scandals that treat employees and customers with contempt, Peters said that this message is more important than ever.
Putting the responsibility squarely on the shoulders of management, Peters proclaimed, "If you don't have a motivated work force, it's your failure of imagination."
Another lesson of business management Peters told the audience to remember is that their business is ultimately about teaching. "You are not responsible for security, you're responsible for teaching people how to do security."
In the end, like any business, the security industry must not be "normal," according to Peters. History doesn't remember normal people, he said. And that's because normal people don't think outside the box and get things done. And that's what business is all about.
Attendees Get Lessons, Solutions
When adapting to the constantly changing world of security challenges and threats, finding solutions can be difficult. To help attendees learn the latest, speakers in more than 155 educational sessions addressed topics ranging from food safety to due diligence. The following summaries highlight a few of the cutting-edge presentations.
Safety on the rails. Mass transportation systems, especially rail travel, have been an attractive target for terrorists since 9-11. Whether the target is a bus in Jerusalem, a tube train in London's Underground, or a passenger train in Madrid, mass transportation provides terrorists the opportunity for a spectacular attack that can rattle the public's sense of security.
Before a packed audience, Chanan Graf, the manager and director of G-Team Security and former chief of security for Israeli Railways, introduced delegates to the concept of "Security-Oriented Approach to Overall Design" as the best way to protect mass transportation systems. The approach, says Graf, allows security professionals to enhance security while providing continuous transportation services in a cost-effective manner.
Many components apply when integrating security into a system's overall design, Graf explained. Security professionals must first do a risk assessment and then build a scenario that takes into account the asset that needs protection and the adversary's tactics and weapons of choice. A vulnerability assessment should then be done to quantify the risk to the asset and then countermeasures must be devised and applied to enhance security.
To best protect public transportation and mass transit systems, Graf illustrated the security circle concept he used in Israel. The security circle is a layered approach to security. It incorporates an external security circle where armed guards trained to spot suspicious behavior monitor travelers coming into the station. Next is the inner security circle where personnel and technology, such as metal detectors and explosive detection dogs, are combined to provide another layer of deterrence to the station.
Because terrorists can also get at a train from the tracks, Graf said that tracks within 220 yards of the platform and those inside tunnels or over bridges should have intelligent CCTV systems and infrared detectors to alert people in the command center to potential terrorist activity. Graf then recounted how this approach helped sabotage terrorist attacks on railways and rail stations he managed.
In one incident, for example, a well-trained guard spotted a clean-shaven man approaching the station with red blotches on his face. Trained to notice that jihadists shave before an attack, to enter heaven pure, the guard prevented the man from entering. The man then went to the bus stop across the street and detonated himself, killing many people but far fewer than if he had entered the station. The example, Graf said, underscores the importance of properly trained personnel to any security approach.
IED threats. A terrorist bombing expert, along with the federal government's top bombing prevention official, presented firsthand perspectives on the threat of improvised bombs and what security managers can do to protect against them at the session titled "Improvised Explosive Device (IED) Awareness and Search Requirements in Corporate America."
Session moderator Brittain P. Mallow, a retired Army Colonel, recalled the sound of IEDs awakening him at night during deployments in Iraq and Afghanistan. "I think what most of us worry about today is those threats moving from places we used to call 'downrange' to the United States," said Mallow, now principal of SRA Touchstone Strategic Consulting in McLean, Virginia.
That is likely to happen because of terrorist intent and ease of delivery, said Ken Falke, CEO/President of the Fredericksburg, Virginia based A-T Solutions, Inc., and a retired Navy ordnance disposal specialist.
Falke pointed to an incident this month at Boston's Logan International Airport in which a woman walked through a terminal wearing a bomb-like device attached to her shirt. "A lot of people say, 'It won't happen here.' Look at Boston ... she had one on, exposed, and she went right up to the counter. It took them a while to question her. Imagine a suicide vest tucked nice and neatly under your jacket. Very difficult to detect," Falke said.
Charlie Payne, chief of the Office of Bombing Prevention in the U.S. Department of Homeland Security's (DHS) Office of Infrastructure Prevention, outlined the growing suite of programs the agency offers to protect against IED attacks.
DHS's programs include site inspections, countersurveillance training, and the Tripwire program, a Web-based portal providing law enforcement and bomb disposal units with the most current intelligence on IEDs, their constituent materials, and terrorist methods.
"The security programs that you guys are engaged in are most definitely the foundation of what you need to be doing," Payne said. "But what we don't want to see is you guys having to engage in things that require huge costs without them being focused on the right asset, protecting the right vulnerability."
"You have to find ways to increase the security of your operation, and you can't create new things for every threat that comes along. So you have to leverage what you do for existing security, existing measures that are good for countersurveillance," Payne said.
Falke, whose company contracts with DHS, described the training program's basics. "We go out and actually get the people working at your site to think like a terrorist, to think that if they were going to attack their facility, where would they park the van? Where would they shoot the video from?" Falke said.
Training programs in Washington State and Maryland led to arrests soon after local authorities completed the course. "So this course does work," Falke said.
Foreign due diligence. A modern company's most valuable assets are usually invisible, intangible, and highly mobile. These assets can be computer databases, software, patents, or the knowledge that is in an employee's head. Safeguarding these assets in a company's home country is hard enough. Protecting them in international markets, especially fast-growing countries in Asia, is far harder. The risk of losing control of these assets can also be far greater than at home.
Almost any significant business transaction has the potential to threaten a company's most valuable assets. Kevin Peterson, CPP, and principal consultant at Innovative Protection Solutions, said that as a result, "Companies need to move from a Cold War information security mentality to a comprehensive information assets protection philosophy."
Threats in the global business environ ment are becoming broader, more sophisticated, and asymmetric. Peterson said this means that security professionals need to extend their horizons and change their way of thinking if they are to effectively safeguard their companies' key assets.
"Security professionals need to get a seat at the table during--or preferably be fore--decisions are taken," said Peterson. Richard J. Heffernan, CPP, CISM, and president of consulting firm R. J. Heffernan & Associates, added that security professionals will only be invited to the table if they have valuable insights or information to contribute.
However, few companies have corporate structures set up to ensure that their due diligence, market intelligence, and security staffs work together or even talk to each other. Michael Moberly, president and founder of Knowledge Protection Strategies, said, "Our role is to be an enabler and facilitator of business transactions and not to be impediments to a transaction."
He warned that many business deals, from a licensing agreement to a full blown acquisition, place a company's assets at risk. This is because "in a very significant percentage of business deals, intellectual property is being bought, transferred, or sold in some way."
There is a danger that once the transaction is completed, the new rightful owner of these assets may not be able to exercise full use, control, or even ownership over them due to legal, technological, or risk management issues.
These weaknesses become all the more critical in tempting new markets, especially in Asia. Often, government agencies or government-owned enterprises are actively engaged in appropriating assets.
Heffernan said enhanced due diligence becomes essential when entering new markets. Companies typically entrust due diligence to their outside legal counsel. Unfortunately, law firms are not usually equipped to go beyond box-checking exercises. They rarely delve into the background of potential partners or investigate a company's corporate history or ownership structure.
Enhanced due diligence can sometimes reveal unwanted deal-breaking information. But it is always better to prevent a problem than to accept the high financial and reputational costs of a botched deal.
Child safety. A team from Nevada's Primm Valley Casino Resorts led a session on raising awareness of child predators and pedophiles and preventing child abuse, assault, or abduction in the workplace.
Michael Burke, CPP, CPE, vice president of security for Terrible's Casino Resorts, said his organization was prompted to do more after a horrifying incident on the Primm Valley Resort property ten years ago when a young child was killed in a rest room adjacent to an arcade. The murderer was caught, and the resort has since put together a training program to help staff members recognize suspicious behavior and react to any possible abuse or abduction.
Cara Welk, who serves as chief of security at Primm Valley's Buffalo Bill's Resort & Casino, said although most child predators are white men, they can be any age, race, or gender. "Don't get into the narrow field of vision; it could be anyone in this room right now."
Staff must always have a suspicious outlook, said Welk, and a key deterrent is to make eye contact and maintain a visible presence to visitors. She said that just like a would-be bank robber, the potential predator is aware they are being watched. "That's the last thing they want," says Welk, adding, "They will not stick around."
One of the warning signs Welk advised people to look for is an adult who is in an area where children tend to be present but with no obvious reason or activity. Welk also recommended stalling tactics for dealing with a potential predator and child, such as having staff engage the child in conversation.
Welk said Primm Valley's procedures were based in part on Code Adam, a list of protocols for missing child situations. Code Adam was named after Adam Walsh, a young boy who was abducted from a Florida shopping mall in 1981 and later found murdered.
One policy in a potential abduction situation is to get as much of a description of the child as possible, all the way down to the shoes. The speakers pointed out that predators often will change a child's clothing but not the shoes. The rules also call for a photograph and information to be distributed to staff. Law enforcement is called, either if the parent requests it or if a certain amount of time has passed.
Michael Underwood, Terrible's chief of investigations and emergency management, recommended that security managers fit a program to their organization. He stressed the importance of assessing the unique vulnerabilities of the property, pointing out "There are predators out there researching your facilities."
Underwood noted that several resources are available online, such as the National Center for Missing and Exploited Children. "The tools are there," he said, but people need to be trained repeatedly in order to reinforce the message.
Food safety. The session titled "Agriculture and Food-borne Bioterrorism: Facilitating Effective Prevention, Mitigation, Response and Recovery" provided attendees with a firsthand account of the investigation into last year's E. coli outbreak and offered practical advice on how to avoid such an incident or limit the effects once one occurs.
Michael Steinle, a project manager with consulting firm Tetra Tech EM Inc., personally investigated the first of two deadly 2006 outbreaks tied to spinach grown in central California. While the exact cause of the outbreak he investigated was never pinpointed, Steinle and his colleagues ruled out foul play. They instead blamed accidental contamination from fecal matter, either from feral animals that roam free among the fields or from workers who, deprived of access to portable toilets, have no choice but to relieve themselves in the fields. The problem was likely compounded by static groundwater, which gave the fouled water time to invade the plants themselves via their roots.
"But it was impossible to narrow it to any one thing. The scope of the investigation was very difficult," said Steinle, chair of the ASIS International Council on Agriculture and Food Security.
The E. coli contamination reappeared weeks later in shredded lettuce grown in the same region for national fast food chains.
It is believed that only three people were killed by the two E. coli outbreaks. But Steinle illustrated the financial impact, which was compounded by a blanket FDA recall--the only productwide recall in the agency's history.
A troubling statistic: it took 34 days from the first report to completion of Steinle's investigation. In the event of contamination in a calculated terror attack, many more would have died during that lag time.
While some solutions for the leafy greens problem were obvious, such as the provision of toilet facilities and fencing to keep out wild animals, firms across the food industry can take further measures, said speaker Michael Fagel, CEM (Certified Emergency Manager), consultant, and also a member of the Agriculture and Food Security Council.
Companies that want to avoid claims need to start with the basics: personnel security and access controls; they must also address supply chain validation--testing suppliers and shippers, even those with trusted relationships.
Companies along supply chains and their regulatory and public health counterparts must open up regular lines of communication and be candid about possible problems so that they may be solved early and quickly. "You must open up those partnerships now, before an incident occurs, or we're going to keep making the same mistakes," Fagel said.
Avoiding lawsuits. It's a simple equation that Las Vegas nightclubs are familiar with: Alcohol plus a few misunderstandings can equal violence. Such incidents can easily lead to lawsuits if nightclub owners aren't careful, warned Alan Zajic, CPP. Zajic is a gaming security consultant and the vice chair of the ASIS International Council on Gaming and Wagering.
Zajic's session addressed how security professionals can solve problems before they arise for nightclubs by outlining best practices that should be followed. He started the session by showing attendees what can go horrifically wrong if nightclubs do not have the right security management practices.
In 1942, a revolving door that jammed at the Cocoanut Grove nightclub in Boston was responsible for killing 192 people when a fire broke out. Zajic also cited a more recent example of an incident when a pyrotechnics show went wrong during a concert killing 95 people in West Warwick, Rhode Island, at the Station Night Club.
Many security problems for nightclub owners are their own fault, according to Zajic, and arise at the door. The first mistake many nightclubs make is hiring "a 500-pound gorilla" to screen customers, he said. Nightclub owners still want to intimidate their guests before they enter. This is a mistake, Zajic stated. "You don't want to project the image you have steroid-driven goons" guarding the club.
Nightclubs should also allow their security staff to accept tips, but if security personnel take a bribe, such as 5100 to look the other way when a fake ID is presented to them, they should be immediately fired.
Another potential problem that can be solved at the door is having security monitor head counts. Overcrowding can lead to fights and deadly bottlenecks at the door if an incident arises that requires an evacuation.
There's another entrance security staff should monitor: the entrance to the bathroom. Bathrooms are havens for illegal drugs and sex that can lead to nightmarish problems if nightclubs don't watch out, said Zajic.
Another issue discussed was how nightclubs should handle fights. His advice: Kick out any and all offenders. As for undesirables, he recommended that the establishment keep a list of people it does not want admitted. With regard to hiring practices at clubs, Zajic prefers proprietary security to contract security.
Trash intelligence. If you're like most people, or many organizations, you don't give much thought to your trash once it's tossed in a bin or placed on the curb. But garbage can say a lot about the person or organization disposing of it. While individuals can run the risk of identity theft, corporations can face threats ranging from financial fraud to corporate espionage.
Such risks were described in a session on trash intelligence, presented by Wesley Latchford, a U.S. Navy lieutenant commander currently assigned to U.S. Strategic Command's new Global Innovation and Strategy Center in Omaha, Nebraska. He also described some key ways people and organizations can protect themselves.
At the individual level, criminals are most likely to target things such as credit card and bank statements, Social Security numbers, and insurance forms. In addition, items such as periodical descriptions can help criminals profile a potential victim. Investment publications can label a target as moneyed, for instance, or religion-related publications can tip off a robber that a family could be absent on certain days. Latchford said many more people should invest in cross-cutting shredders.
Organizations that have more informational assets that need to be protected should take a broader defensive approach, he said. In protecting disposable assets, businesses should use principles from operational security, or OPSEC, said Latchford, which can apply to protecting a broad array of informational assets. One of its main tenets is that adversaries build a picture of a potential target by putting together smaller bits of information, like solving a puzzle.
OPSEC involves five interdependent steps. The first involves identifying the most critical information. The second involves threat analysis, which can include identifying potential adversaries and analyzing ways they might try to glean information. In the third phase, potential vulnerabilities are identified.
Throughout the OPSEC process, it is critical to continually evaluate security as if through the eyes of an enemy or thief. "We can spend a lot of time protecting things a corporate spy has no interest in," said Latchford.
The last step involves implementing countermeasures, such as shredding. "These should be instituted by rank in order to protect the biggest vulnerabilities first," he said.
Organizations should develop policies on the use of shredders across an organization and in individual departments, Latchford said. He also recommended that companies develop policies on the disposal of technological equipment, which can involve hard drives, USB devices, or CD ROMs.
Organizations that are not destroying such devices themselves should look for assistance from reputable outside parties, he said. All companies' policies should be reinforced with communications such as e-mail and flyers, he added.
Benefits of convergence. Converging IT and physical security can be challenging, but it can also significantly help companies deal with issues such as workflow, compliance, and the bottom line.
That was the central message of a panel discussion on the subject. It began with a general discussion on convergence and concluded with several physical and information technology professionals describing their own experiences.
Convergence consists of four main components, according to Laurie Aaron, senior director of strategic sales for Quantum Secure, Inc., and a founding member of the Open Security Exchange, a convergence-promoting nonprofit. The first involves identifying business drivers. These can include cost control, compliance, security enhancement, and business continuity. "At the end of the day, convergence is about how security can contribute to shareholder value," she said.
The other three parts reflect a company's implementation stage, she said. They include strategic milestones, tactical milestones, and operational milestones.
For Baxter Healthcare in Cherry Hill, New Jersey, there were a host of reasons it wanted to converge areas such as its physical identity management a few years ago. One involved workflow. "Staff would sometimes have to walk for a while, get a form signed and taken care of, and then take the form to someone else for approval," said Security Manager Derrick Wright.
Wright says one key to successful convergence involved taking stock of different business managers' needs. "It was really important to get out of the office," he said. "We wanted to make changes within the context of the business." He said he then made a plan with other physical and IT security staff. The company implemented changes in stages. "We used the Japanese concept of 'kazan,'" he said, which refers to making continuous incremental improvement.
The work appears to have paid off. Wright said the process has led to annual savings of about $163,000. Costs have been reduced through compliance automation, streamlined access control, and greater employee productivity. The company has also been able to generate additional business by marketing its strength in areas such as compliance, security, and business continuity.
Crisis planning. The most important part in an organization's decision to evacuate or shelter in place during an emergency is having a plan already in place and reaching out to the right entities, according to Ron Hobbs, CPP, security coordinator for Per Mar Security Service.
Hobbs helped attendees learn the right way to plan by recounting his own experience in November 2005 when a tornado was forecast during an afternoon football game at Iowa State University in Ames, Iowa. Once the tornado was forecast to come its way, the school started to monitor the storm using the National Weather Service. All the affected entities gathered together for a multijurisdictional meeting to review roles and responsibilities if the tornado did barrel into Ames.
During the meeting, the groups out lined two disaster scenarios; they prepared flyers and public announcements for the fans tailgating before the game and inside the stadium. They then arranged for special equipment to be delivered for triage if disaster struck.
As game time drew near, Iowa State and its partners still weren't sure whether or not the tornado would touch down, so they opened the stadium's gates.
Suddenly two storms merged 20 miles away and were tracked approaching Ames. Immediately, officers were notified to make the planned announcements and additional cars were readied to help the evacuation effort if needed.
Once the tornado warning was sounded for the area, PA announcements told fans to evacuate to the university's nearby basketball stadium. Approximately 11,000 fans sheltered in place.
Although the tornado did touch down, damage was slight, the stadium was reopened, and nearly 80,000 fans were able to enjoy the game, thanks in part to the planning and vigilance of Iowa State and its surrounding public safety entities.
An entirely different type of planning has led year after year to unparalleled educational excellence at the ASIS Annual Seminar and Exhibits. The highlights above give only a small sample of the information available to attendees. If you've never had the experience, mark your calendar today for next year's event on September 15 through 18 in Atlanta.