Tuesday, May 19, 2009

Books that should be in a security manager's library

There are several books that a security manager or facility security officer should have in their possession. No professional library is complete without these valuable resources. The books provide wonderful instruction on security systems, performing risk management, structuring a security department for success and managing classified information. I’ve read each of the books and will provide reviews as follows.

Managing the Security of Classified Information and Contracts, by Jeffrey W. Bennett, ISP
I’m pleased to announce the upcoming release of Managing the Security of Classified Information and Contracts from CRC Press. This book is the only one of its kind written with defense contractors in mind. The facility security officer, contracts manager, senior officer, and cleared employee roles are defined, and the reader will understand how to operate in a cleared contractor environment. It is a great overview of the National Industrial Security Program Operating Manual (NISPOM) and the acquisitions process. It is also a great resource for preparing for the Industrial Security Professional (ISP) certification exam and a great companion to ISP Certification-The Industrial Security Professional Exam Manual.

Security and Loss Prevention, by Philip Purpura
Excellent resource! As a Facility Security Officer for a DoD contractor company, I find that it covers multiple layers of security, or "security-in-depth". This book offers insight from a retail environment that is very applicable to government and contractor security. Add this to your library.

The Security Clearance Manual: How to Reduce the Time it Takes to get your Government Clearance, by William H. Henderson
This book is timely and a gem. As an FSO, I find the information very helpful for answering security clearance related questions. Mr. Henderson's experience and know-how give great insight into how the investigations work and what the subjects should expect. Persons undergoing background checks now have a clearer picture of what they can do to help get faster results. I highly recommend this book both to security specialists and to those obtaining security clearances.

Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems, by Michael Khairallah
This book goes into great detail about security systems without being too simplified. My security background until recently had been in safeguarding information on a team of 22 security professionals. Recently I took a new job as the head of corporate security and had to develop new security systems. Of course I hired professionals to bid on the job, but I lacked the experience to really understand what I needed. I consulted some colleagues and of course went to ASIS International for recommendations.
In the process, I was pleased to discover Physical Security Systems Handbook. It really helped me to work with the vendors, to help them understand what I needed and to better understand what they recommended. This book does an excellent job of breaking down the components of the security system (i.e., strike plates, crash bars, cameras, alarms, etc.). It also goes into great detail to show you how to survey existing systems and improve them. In my case, we had to start from scratch and this book helped me through the process.
If you have had similar experiences or are looking for study material for the CPP, ISP or other certifications, get this book.

Effective Security Management, Fourth Edition, by Charles A. Sennewald, CPP
Frankly, this is an excellent book that teaches the tremendous role security plays. Contrary to the practice in some corporate environments, this book teaches that security should not be run from the background. Mr. Sennewald does an excellent job of demonstrating how security should be conducted in a corporate environment. For most, the lessons taught here will involve a desperately needed change in culture: one that places the security function at an executive level and allows the security executive to function at all levels.
The first chapters consider the security professional and the roles, structure and environment of the security organization at all levels of a corporate structure. The rest of the book shows how to conduct security surveys and perform risk analysis. It also spends considerable time teaching security as a profession and is heavy on how leaders should lead and conduct themselves professionally. Quality work!
After many years of working in the government, I had been looking for the ultimate "how to" book on how security should be structured. This book gets it and teaches it well.

The New School of Information Security, by Adam Shostack
This book commands attention! The authors bring to light current security practices, methods and decision analysis, and their many shortcomings. The authors' thesis is to provide a sound argument for a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.
While security seminars and education efforts teach the cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then developing programs to address those threats.
Without evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breach data exists, but the holders are reluctant to share it. However, the authors do a good job of showing that companies which publicly admitted failure recovered quickly from any scandal or fallout from information or data breaches.
The authors knock down the traditional walls of security training institutions. They preach good, solid evidence behind decision making; otherwise security managers cannot effectively determine whether the lack of a realized threat is a result of new security measures or just plain luck.
The book is easy to read and its ideas are easy to implement in all areas of security. Physical security, loss prevention, DoD contractor, and many other practitioners in and out of the security profession can adapt the principles to their business units.

Body of Secrets, by James Bamford
This book is well written and an easy read about one of the most fascinating agencies of all time. Mr. Bamford has performed exhaustive research into the workings of the super-secret NSA. Personally, I have a long history as an intelligence analyst during the Cold War, and reading this book brings back a lot of memories of the history and workings of the world at the time.

ISP Certification-The Industrial Security Professional Exam Manual, by Jeffrey W. Bennett, ISP
If you are serious about advancing in your field, get this book. Learn the secrets to becoming influential, earning credibility and studying for the ISP Certification. Secret number one: you are a technical expert and know the business of protecting classified information. Let us help you prepare for the test. Our book helps you prepare for both your career and the ISP Certification Exam.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
www.redbikepublishing.com
Join our newsletter
http://www.redbikepublishing.com/index_files/Page412.htm
Follow me on twitter
http://twitter.com/jwbenne
Linkedin Profile
http://www.linkedin.com/in/redbike
Join the Linkedin Industrial Security Professional Group
http://www.linkedin.com/groups?gid=1816119

Sunday, May 10, 2009

Establishing credibility as an FSO in a defense contractor

Recently, I had the opportunity to speak with a facility security officer who was ready to move on to another job. He was frustrated because he had not been able to get his senior leaders on board with the security plan. It seemed that no matter what he sent for approval, his policies were not taken seriously. Since I had only heard one side of the argument, I could not come to a conclusion about the root cause of his frustration. However, I do know that he is not alone, as many FSOs of small defense contractors face similar issues within their own companies.

Problems such as those mentioned above stem from two possible causes in small defense contractor companies. The first is that the FSO has not developed a reputation for understanding how to apply security measures to the way the company makes money. The second is that the senior officers have appointed a lower-level employee to the FSO position.

Understanding how security fits into the organization is vital. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. They should present security programs in a way that makes business sense to the senior leaders. FSOs should also understand that the security program belongs to the company and not to them. It is a business decision and not a personal success or failure. For example, a security practitioner may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, the FSO may defend the decision by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company’s business model or culture.

The second problem concerns the level of the hired or appointed FSO. Suppose the FSO does make a sensible request based on threat assessment and NISPOM requirements. The program is presented professionally, but management does not understand the role of the FSO as a compliance officer, and the FSO is typically left underutilized. Perhaps management considers the FSO a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.

Consider successful security models in Fortune 500 companies. They are larger and usually part of a mature corporate structure. Even larger defense contractors fit this category. Successful companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.

FSOs in smaller DoD contractors have a unique challenge as far as company culture and corporate structure are concerned. Perhaps the FSO was appointed from a lower management or assistant position, and management has mistakenly believed that the position is strictly administrative, in place to request clearances and file away classified material. In other situations, these smaller companies grow with new contract requirements, and the responsibilities and work requirements grow with them. Those lower-level employees are now faced with growth, but their influence has not increased. The growth is happening and changes are made without their input, leaving them to play catch-up.

Look and act like senior leaders. So, how does the described security manager create influence and credibility that counts? First of all, they should observe the managers and imitate them. If management is dressed professionally, then the FSO should dress similarly. If management requires professional and college education, the FSO should complete theirs.

Learn how the company earns money. Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.

Presenting the security program does not have to be a frustrating event. If an FSO is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must, and it involves making the transition from an administrative clerk to a risk-analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.

Read more about this article and follow Jeff's other articles, newsletters and updates at http://www.redbikepublishing.com/index_files/Page412.htm
Jeffrey W. Bennett is the owner of Red Bike Publishing (http://www.redbikepublishing.com). He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing

Visit our site often for information on the upcoming book "Managing the Security of Classified Information and Contracts".

About Red Bike Publishing: Our company is registered as a government contractor company with the CCR and VetBiz (DUNS 826859691). Specifically we are a service disabled veteran owned small business.


Thursday, May 7, 2009

Preparing For Security Growth in a Defense Contractor Organization

Business growth affects the entire organization. The best thing that can happen in this case is for all the employees to be actively engaged in making the company successful. Each business unit doing its part to meet deadlines, support the contract or perform on the contract paves the way to overall success. The worst position for any unit to be in is failing to project the growth and causing a bottleneck in production.
When a defense contractor business grows, the engaged cleared facility security officer (FSO) is prepared for that growth. The constant development and maintenance of relationships with employees and key business units allows the FSO to forecast requirements for the storage of classified material, the performance of classified work and the protection of the enterprise's employees, products, and capital.
Preparing for growth involves the FSO not only training and hiring security employees, but also accurately calculating classified inventory storage and work performance needs. Meeting legitimate growth is another area where an FSO should be brought into strategic planning. Contract opportunities present themselves in many variations. Classified projects, new facilities or alternate locations with physical security needs, and an increase in classified storage or volume are all concerns an FSO should be able to address. Such growth affects the security department, and input from the FSO benefits the organization in its entirety. However, if the FSO does not have credibility or influence, they will not be in a position to project the growth and will constantly be trying to catch up with the work. Such a posture costs plenty in company overhead.
Additional contracts or a change in performance measures may require additional security personnel. A sudden growth in security storage, additional cleared projects, or added facilities may necessitate more personnel to support the increased workload. Just as the organization lists job requirements such as professional growth, management potential, technical competence, and skills, the FSO should consider the same traits when preparing to hire additional help. Potential security professionals should not only be U.S. citizens with security clearances, but should demonstrate competence in the tasks they are asked to do and a desire to perform. They should also have the ability to grasp and teach concepts of security to help keep security fresh in the corporate culture.
The FSO and security specialists should work toward establishing operating procedures and a job performance description. New employees can become successful faster with formalized certification training. This training could reflect the company's policies as they support NISPOM requirements and the overall enterprise culture. It should be unique to the organization and lined with milestones that eventually allow new employees to work unsupervised after demonstrating an understanding of government regulations and company policy. During the education, the new employee can enroll in government-provided online and residence training and in lessons provided by company personnel, directly under their manager’s supervision. With a good training or certification plan in place, much of the employee’s success can be measured within the first 30 days.
New opportunities for growth can manifest through additional contracts or the modification or renewal of current contracts. New requirements could call for additional facilities for the storage of classified material or the performance of unique work in closed areas. Whether constructing new buildings or modifying current facilities for unique classified work, the job calls for planning, budgeting, and compliance. The FSO is critical to forecasting the unique needs and regulatory requirements.
A successful, young company may not have all the facilities in place for future growth but should be constantly preparing solutions. For example, suppose a defense contractor needs a conference room to host classified meetings. The FSO would research the requirements and estimated costs of such a conference room and present them to the executives and senior officers at a minimum. The FSO’s presentation would cover the controls necessary to eliminate unauthorized disclosure. Such controls include: limited access to the room, the conference phone capabilities, the projectors, overhead ceiling panels, doors and other areas requiring protection measures and inspections. Finally, approval from the cognizant security agency is necessary once the plan is complete.
The FSO also looks into their own security organization to address internal growth. They would research where the largest growth in classified holdings would arise. One resource or tool is the database where classified information is logged. Its data can be used to project where the company will be in five years at the current growth rate.
Database research can prevent hasty and inaccurate decisions. For example, an untrained employee may assume that growth will require additional storage shelves for paper documents. However, the security department may be generating and receiving more DVD media and fewer paper products, as evidenced by receipts and file data.
The entire security department, or a one-person FSO operation, would dig deep to find this information. Good databases can break down inventory by year, quarter, or any other date range useful for projecting future needs. Such research could also identify classified information that can be destroyed or otherwise eliminated from storage. This would free space and save on future storage and inventory costs. Such a move can save tens of thousands of dollars annually in employee and storage costs.
As the manager of a vital business department, the FSO should be credible and influential. When an FSO does save on costs by reducing overtime, saving electricity, or finding other alternatives while remaining compliant, these cost reductions should be reported. Understanding costs, contribution and the business helps the FSO gain credibility with executives who value their input.
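A small worked version of the database research described above, as an added example that is not from the original post: it expands a constructed intake log into one record per classified item, breaks intake down by year and media type, projects five years of new items per media type at the current growth rate, and lists items whose retention period has run out. The record layout, media types, retention periods and intake counts are all constructed for illustration, not taken from any real inventory system.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Holding:
    """One logged classified item (field names are assumed, not from any real system)."""
    item_id: str
    media: str                  # "paper" or "dvd" in this sample
    year_received: int
    destroy_eligible_year: int  # first year the item may be destroyed


def build_inventory(intake, retention):
    """Expand per-year intake counts into one record per item (constructed data)."""
    records = []
    for media, per_year in intake.items():
        for year, n in per_year.items():
            for i in range(1, n + 1):
                item_id = f"{media[0].upper()}-{year}-{i}"
                records.append(Holding(item_id, media, year, year + retention[media]))
    return records


# Constructed log: paper intake is flat while DVD intake doubles every year.
INTAKE = {
    "paper": {2005: 2, 2006: 2, 2007: 2, 2008: 2},
    "dvd": {2005: 1, 2006: 2, 2007: 4, 2008: 8},
}
RETENTION_YEARS = {"paper": 3, "dvd": 6}  # assumed retention before destruction
INVENTORY = build_inventory(INTAKE, RETENTION_YEARS)


def intake_by_year(records, media):
    """Items received per year for one media type, oldest year first."""
    counts = defaultdict(int)
    for r in records:
        if r.media == media:
            counts[r.year_received] += 1
    return dict(sorted(counts.items()))


def annual_growth_rate(counts):
    """Compound annual growth of intake between the first and last logged year."""
    years = sorted(counts)
    span = years[-1] - years[0]
    if span == 0 or counts[years[0]] == 0:
        raise ValueError("need two or more years and a non-zero starting year")
    return (counts[years[-1]] / counts[years[0]]) ** (1 / span) - 1


def projected_intake(records, media, horizon=5):
    """New items of `media` expected over `horizon` years at the current growth rate."""
    counts = intake_by_year(records, media)
    rate = annual_growth_rate(counts)
    latest = counts[max(counts)]
    return round(sum(latest * (1 + rate) ** k for k in range(1, horizon + 1)))


def destruction_candidates(records, as_of_year):
    """Items whose retention has run out: storage that can be freed now."""
    return [r.item_id for r in records if r.destroy_eligible_year <= as_of_year]


if __name__ == "__main__":
    for media in INTAKE:
        print(media, intake_by_year(INVENTORY, media), "next 5 years:", projected_intake(INVENTORY, media))
    print("eligible for destruction in 2008:", destruction_candidates(INVENTORY, 2008))
```

On this sample the flat paper intake adds 10 items over five years while DVDs add 496, which is the kind of mismatch that buying paper shelving on assumption alone would miss.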
