THE PUBLICATION FOR PROFESSIONAL SECURITY MANAGEMENT
MEET OUR NEW VP
Introducing Danny Cipollone,
GardaWorld’s new Vice President in Ontario
After leading growth at a major North American supply chain service provider headquartered in Toronto to success, Danny joins GardaWorld and brings a wide range of expertise that will heighten our industry best practices. With his arrival comes exciting changes in our management team. His predecessor, Colleen Arnold, is transitioning to National Vice President, Customer Excellence & Innovation. She will support our national clients through customer service and focus on enhanced training and streamlining systems to provide better reporting and invoicing to our clients. Amir Atri, CPP will strengthen local operations with his +23 years in the security industry as he ful lls his new role as Regional Director – GTA, ON.
We welcome Danny and congratulate Colleen and Amir on their new roles.
Colleen Arnold
By Neil Sutton
Sutton
Alanna Fairey
Cover Image: Sandra Strangemore
By Neil Sutton
TPASS IT ALONG
CS Honours winners offer career-building advice
he switch to the world of virtual meetings has been an adjustment for all of us. But, as I wrote recently in our sister publication, SP&T News, this form of communication has enabled connections to flourish at a time when we truly need them.
Creating connections was one of the major themes explored during our recent Canadian Security Honours virtual event, held on Oct. 1.
After the event concluded, I revisited each of the award acceptance speeches to put together some thoughts for this column. Each winner indicated that community is one of the essential elements of a successful career.
“Community is one of the essential elements of a successful career.”
Josh Darby MacLellan, winner of the Emerging Leader award, said he has learned that self-reliance isn’t everything. His fierce independence and determination served him well in his university years, but the professional world operates in different ways. “I had that awakening... I soon realized that unless I wanted to make all my own mistakes and learn the hard way, I needed to draw on the experience of others,” he said. “I became very OK with asking for help.”
His advice now is to “become the best participant on a team.”
Kevin Murphy, Lifetime Achievement award winner, spent 45 years with his employer Woodbine Entertainment until his recent retirement. As he advanced in his career, those “growth opportunities were presented to me by people that I work for and with,” he said. The later stages of his career were focused less on “spreadsheets and technology” and more on “trying to do for others what was done for me, and that was to give people the opportunity to learn and grow and develop.”
Community Leader award winner Sherri Ireland described the hard work and sacrifice that is often required in order to achieve success, but she also spoke of a quality that sometimes goes overlooked in this industry: compassion. “You have to have a desire to help others. You have to have a high standard of morals and ethics. You have to have integrity,” she said.
The final speaker for the afternoon, Harold Wax, recipient of the Security Director of the Year award, thanked and acknowledged dozens of security professionals he has worked with or for during his career. He urged young professionals looking to make their mark to get involved in associations or in a volunteer capacity that showcases the profession in a positive light and allows their voices to be heard. “If there’s one thing I’ve learned, it’s that you can’t succeed without a solid team, great partnerships, and, if you are lucky, making a few good friends along the way,” said Wax.
“Free advice” is often accorded little value, but in this case, our winners have already paid the way through their collective experience. The fact that they are willing to share it for free makes it all the more remarkable and speaks to a genuine community effort to raise the profile of the security industry in Canada.
Group Publisher Paul Grossinger pgrossinger@annexbusinessmedia.com
Associate Publisher Jason Hill jhill@annexbusinessmedia.com
Editor Neil Sutton nsutton@annexbusinessmedia.com
Associate Editor Alanna Fairey afairey@annexbusinessmedia.com
Canadian
Media Designer Graham Jeffrey gjeffrey@annexbusinessmedia.com
Account Coordinator
Kim Rossiter krossiter@annexbusinessmedia.com
Circulation Manager
Shawn Arul
sarul@annexbusinessmedia.com Tel: 416-510-5181
COO
Scott Jamieson sjamieson@annexbusinessmedia.com
Canadian Security is published four times per year by Annex Business Media.
G4S helps you find them quickly. We partner with you and your team to create tailor-made security solutions for your business. We know what’s lurking out there. That’s why we use our Risk-Based Approach and focus on people, process & technology to create the best connected programs to mitigate any current or potential risk. Find the Risks at g4s.com/en-ca/hidden-risks
By ASIS Canada
ASIS Canada’s first virtual AGM a success
ASIS
Canada held its first ever virtual annual general meeting on Sept. 16, which took place shortly before the virtual Global Security Exchange (GSX+) conference, hosted by ASIS International, Sept. 21-25.
The virtual platform allowed more ASIS members to take part in the AGM than was previously possible, says Bill VanRsywyk, ASIS Senior Regional Vice President, Region 6 (Canada). “We used the ASIS International Zoom conference platform, which went smoothly and provided a means for all to take part. There were 70 registrants for the meeting — more than doubling any other AGM turnout.”
Among the agenda items on the AGM, the leadership team proposed an overhaul of the ASIS Canada website, which would enable all Canadian chapters to post and share information on their upcoming events.
The group is also looking into the
Past Award Winners:
1999 – Ron Minion, CPP
2000 – Denis O’Sullivan, CPP
2001 – Patrick Bishop, CPP
2002 – Dennis Shepp, CPP
2003 – Phill Banks, CPP
2004 – Howard Moster, CPP
2005 – David Tyson, CPP
2006 – Roger Maslen, CPP
2007 – John Rankin, CPP
2008 – Gary Vikanes, CPP
2009 – John Grady, CPP
2010 – Greg Hurd, CPP
2011 – Chris McColm, CPP
2012 – Bill Bradshaw, CPP
2013 – Geoff Frisby, PCI, CPP
2014 – Christina Duffey, CPP
2015 – Dan Popowich, CPP
2015 – Dr. Wayne Boone, CPP
2016 – Patrick Ogilvie, PSP, CPP
2017 – Parnell Lea
2018 – Marie Thibodeau
2019 – William VanRyswyk, CPP
possibility of procuring an online platform which could be used by the chapters for their own AGMs and executive elections.
A highlight of the virtual AGM was the announcement and presentation of the annual Ron Minion Award to Stéphane Veilleux, CPP.
“There are definite benefits to conducting a virtual meeting.”
According to VanRyswyk, who received the award in 2019, there were five nominations this year, representing security professionals coast to coast. A panel of three past Ron Minion Award winners was asked to independently review the nomination submissions: Dennis Shepp, CPP, Bill Bradshaw, CPP and Roger Maslen, CPP.
“All the reviewers commented on the strength and professionalism of the five entries and nominees,” says VanRyswyk.
Veilleux joined ASIS International in 1998 and earned his Certified Protection Professional (CPP) designation the same year. Veilleux is also the chair of the ASIS Montreal Chapter, a position he has held on several previous occasions.
Veilleux’s professional security career spans almost 40 years and includes positions with the Canadian Forces, Pinkerton and Pharmascience. He is currently security project manager for the House of Commons in Ottawa.
The Canadian Security Industry
— Bill VanRyswyk, ASIS Canada
Pioneer award was established in 1999 to recognize the contributions of Canadian members of ASIS International who have distinguished themselves through contributions to the growth and professionalism of the security industry. The security practitioners who initiated the award looked not only at the contributions that individuals have made to the Canadian security industry and contributions to ASIS International in Canada, but also to ASIS International globally.
Ron Minion, CPP, was the first recipient of the award in 1999 and was instrumental in bringing ASIS to Canada.
He, along with others in western Canada, worked tirelessly to establish the first Canadian ASIS Chapter in Edmonton, and then later, in Calgary. Minion passed away after a lengthy battle with ALS, and the award was renamed in his honour.
VanRsywyk says the virtual AGM was “a great success. We were fortunate that Jennie Geisner from ASIS International was able to help moderate the conference call — thank you! As much as we miss the face-to-face social aspect of GSX and the annual Region 6 AGM, there were definite benefits to conducting a virtual meeting.”
Ron Minion Award winner for 2020, Stéphane Veilleux
Veterans help to fill cybersecurity skills gap
After Jamie O’Hare joined Ernst & Young (EY Canada) over a year ago to help the Ottawa practice within EY Canada from a cybersecurity perspective, he found himself having a discussion with someone at the Department of National Defence.
“I asked her for problem that nobody could solve, and she said, ‘people,’” O’Hare recounted.
“As we all know, good cyber consists of three things: technology, process and people.”
This conversation was O’Hare’s call to action and he took on the challenge of finding a creative way to address the gap between the high demand for cyber resources and the short supply.
Through his research, O’Hare crossed paths with Tom Moore, founder and CEO of WithYouWithMe (WYWM), a company that builds talent where there are skills shortages in the technology sector and has a program specifically for veterans.
“The challenge with veterans is the under- and unemployment across the globe is exponential,” O’Hare said. “And through a few years, what they found was that combat veterans had a lot of the traits required and in common with cybersecurity.”
This is how the Cyber Workforce Enablement Program Contract came to be.
According to O’Hare, EY Canada
works with government departments to identify cyber and technology requirements of cybersecurity roles and places program graduates with complementary skills. The WYWM program trains veterans in technologybased roles that leverage existing skills, potential and aptitude testing data.
Involved with this initiative since the beginning, O’Hare said he feels great pride, because the program helps on all fronts.
“It helps people find work at the service, it helps our country, it helps globally, and it’s the right thing to do,” O’Hare reflected. “I’m just so incredibly proud that Ernst & Young and the government have been able to come together and put forth a program that just makes a lot of sense and is good for Canadians.
“[It’s] a creative way in which to solve a problem that has existed for years,” O’Hare added.
According to O’Hare, the program has proven to be a good fit — more than 1,000 veterans have participated.
“If you retrained the veterans in cyber, a lot of the skill sets are already there,” O’Hare explained. “It’s simply a different terrain.”
After opening up the program to veterans back in March, O’Hare has received positive feedback from veterans that are currently involved with WYWM.
“[The program] helps veterans find meaningful work after service,” O’Hare said. “One of the things that is really prevalent is that veterans want to ‘stay in the fight,’ and they want to continue to help Canada and they want to continue to defend. This gives them an opportunity to do that.”
While it is O’Hare’s hope that the program benefits EY Canada and helps to create a new cybersecurity workforce, his ultimate wish is that it meets the needs of veterans.
“They served their country, and they deserve meaningful work,” O’Hare said. “I want [this program] to be an option for veterans to discover something that they can find meaningful and we can maybe give back a little bit to them.”
— Alanna Fairey
CALENDAR
October 27-28, 2020
Securing New Ground Online sng.securityindustry.org
November 16-18, 2020 (ISC)² Security Congress Online www.isc2.org/Congress
November 18, 2020 ISC East Online www.isceast.com
Nov. 30 – Dec. 4, 2020 PM Expo Online www.pmexpo.com
Dec. 2-3, 2020 Security Canada Online www.securitycanada.com
December 3, 2020 Focus On Healthcare Security Online www.canadiansecuritymag.com/ virtual-events
March 23-26, 2021 ISC West Las Vegas, Nev. www.iscwest.com
IDEAS AND REALITY-MAKERS
GSX+ provides some positive affirmation that we are on the right path
I’m writing this article after GSX+ and instead of recovering from a long flight, I’m enjoying a coffee in my home office where I’ve been since the middle of March.
I experienced GSX+ virtually this year and really enjoyed the sessions and the chance to network with other professionals, and to see how far we’ve come along the risk journey.
In many of the sessions I logged into, the concepts we’ve explored in this column were discussed by the presenters and chatted about by session attendees. It gave me hope that we’ve made progress since I started writing this column and can look at security as a business enabler, identifying risks to enterprise assets and developing strategies to mitigate those risks.
discussions about risk — to our employees, our customers and to our organizations.
As we enter the final quarter of this truly unbelievable year, I want to look back on the work my amazing team did in the last part of 2019 and throughout 2020. Going to GSX always makes me nostalgic! I get to hear some amazing speakers and try to relate their sessions to what I’m experiencing.
“We created a security steering council and found a champion for our approach.”
During GSX+, I heard a great story from Max Brooks during his “Stranger than Fiction: Lessons from a Zombie Apocalypse and Beyond” session. He said that to be successful we need someone to come up with an idea, someone else to champion the concept, and then find folks who are the nuts and bolts people to help make it a reality.
I know part of this progress can be attributed to time. I’ve realized throughout my career that change takes time. I continually forget this, though, and sometimes find myself frustrated at the seemingly lack of progress. But my GSX+ experience really brought into perspective how many other like-minded security leaders have taken on the challenge to view our profession through a risk-based lens.
The Coronavirus pandemic played a part as well. I know I’m not the only security executive who’s been involved in discussions with business leaders to help create a safe environment for employees, clients and
Security has been involved in planning re-entry programs to businesses, as well as re-exit strategies should COVID-19 take hold in a specific workplace. We’ve learned so much from these sessions — the emphasis on safety and security, understanding what’s most important to the business and how we can adapt to thrive in this new normal. We’ve also had meaningful
That description so elegantly describes how I’ve managed some of the greatest teams I’ve been part of throughout my career. I’d come up with some off-the-wall idea, someone else (normally an executive) would see the vision and embrace it as our champion, then a phenomenal group of talented security folks would make it happen.
It’s how we’re revitalizing our security program at the City of Calgary. I’m such a huge proponent of the ESRM framework that we started to adopt the methodology last year. We developed and presented training sessions for our entire department and for other business units we interact with regularly. We created a security steering council and found a champion for our approach. Finally, the teams tasked with launching a technology platform and instilling ESRM into our daily tasks has been phenomenal.
It’s been hard work, with lots of twists and turns in our path to rebrand the program using ESRM. The hard work and effort is now paying off. We’re being seen — grudgingly by some — as trusted security advisors. But I can honestly say it was worth it.
Tim McCreight is the acting chief security officer for The City of Calgary (www.calgary.ca).
By Kevin Magee
FIVE LESSONS FROM 2020
COVID-19 has brought some cybersecurity challenges into sharper focus
The amount of change that has occurred in every aspect of our lives and our work over the past six months has been unprecedented.
During our first COVID-19 quarterly earnings report to Wall Street, Microsoft’s CEO, Satya Nadella, made note of this, remarking, “We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security.”
“Overnight, Zero Trust shifted from a business option to a business imperative.”
While COVID-19 didn’t bring an end to an era of obsolete network and perimeterbased security strategy, it exposed weaknesses and challenges inherent in them that have existed for quite some time now. It has also given us the opportunity to question many of the premises we have left unchallenged for far too long. Here are five lessons that 2020 has taught me about cybersecurity.
1. What it means to be resilient has changed forever
St. Bartholomew’s Hospital (Barts), founded in 1123 in London, has provided continuous patient care on the same site for longer than
any other hospital in England. It survived a financial crisis in 1539 when Henry VIII stripped the hospital of its income, the great plague of 1665, the great fire of London the following year, as well as two world wars. Through all of these catastrophes, St Bartholomew’s persevered and continued to provide patient care until May 12, 2017, when WannaCry Ransomware struck numerous hospitals across the U.K. and saw Barts cancel 2,800 appointments and operations in the interest of patient safety.
The very systems that enabled the hospital’s ability to treat patients and save lives had the unintended consequence of also making the hospital vulnerable to cyberattack and cybercriminals were able to do something that plague, fire and wars could not do over centuries.
While digital transformation may introduce new vulnerabilities, it can also make us much more resilient. Imagine if the current pandemic had struck 20 years ago? We would simply not have been able to shift large portions of the economy to work from home and to online learning for our children without disruptive technologies such as the internet and the cloud.
Our challenge therefore as security professionals is to protect our organizations from the vulnerabilities that digital transformation introduces while also leveraging these same technologies as opportunities to make our organizations much more resilient and able to respond with agility to any contingency.
2. Don’t bring a perimeter-based security strategy to a cloud fight
As defenders, we are no longer facing individual, unsophisticated attackers but organized cybercrime and nation state actors who are supported by an entire dark market industry. Attackers can now subscribe to ransomware services where tools are provided and maintained free-ofcharge. All of this is lowering the barrier for cybercriminals while simultaneously reducing
the cost of their attacks.
Defenders may temporarily operate with legacy security strategies, but this approach is difficult to sustain in this new reality. We are in an arms race against attackers and no single organization has the resources to stand alone. But there is strength in numbers. Defenders can benefit from the vast threat signals that cloud providers like Microsoft turn into operational and strategic threat intelligence. There are also opportunities for automation and orchestration at immense scale, all of which increase security while lowering costs and shifting the economics in favour of the defenders.
3. Everyone is on a Zero Trust journey now, whether they know it or not In the first 10 days of the pandemic, it became clear that organizations who relied on traditional security methods, like on premise firewalls, were at a disadvantage. Not only did they have
>
>
>
>
>
>
>
>
HYPERNOVA CYBER PROTECTION™
trouble meeting the needs of a new remote workforce, but they were also more susceptible to COVID-19 themed threats. Overnight, Zero Trust shifted from a business option to a business imperative. This is because by treating every access attempt as if it were originating from an untrusted network, Zero Trust security is built around the users and business assets, rather than the other way around.
Organizations that were successful in making the rapid transition to most employees working remotely had invested in a Zero Trust architecture, including MFA, device management and conditional access enforcement.
4. Identity is the new line in the sand Strong authentication methods are key to defending against most cyberattacks. One simple action to prevent 99.9 per cent of attacks is to enable multi-factor authentication (MFA). Multi-factor authentication is a process in which the
system prompts a user for an additional form of identification during sign-in, such providing a fingerprint scan. With companies closing office access, we have seen a twofold increase in MFAenablement requests after the onset of the COVID-19 outbreak.
5. A security culture eats an attacker’s strategy for breakfast
When it comes to creating a successful security culture, tone from the top is what matters most. Leaders need to be fully invested and highly visible, leading table-top-exercises and modeling good security behaviours and cyber hygiene.
Ultimately, people will make mistakes but it’s how you empower them when they do that will define the success of your security culture.
Kevin Magee is the chief security and chief compliance officer for Microsoft Canada (www. microsoft.ca). Magee was the keynote speaker at CS Honours on Oct. 1.
HYPERNOVA CYBER PROTECTION™
By Tony Dong
THE HYBRID CAREER
Role transitions are not always easy, but bold choices may return longterm rewards
Acareer pivot is one of the most challenging and tenuous moments in a security professional’s working life.
It involves leaving established norms, areas of expertise, and networks to foray into unknown territory. Seasoned and experienced professionals are suddenly confronted with culture shock, a deluge of new information to assimilate, analyze and understand, and new archetypes of individuals to whom they must adapt.
The average security professional stays in their career for an extended period. The linear progression of career stages is: guard, supervisor, account manager, director of operations, vice-president, etc. For integrators, a career path might look like: technician, installation supervisor, installation manager, account manager, sales executive, business development manager, etc.
Sometimes, a soft transition occurs when security professionals leave the profession for law enforcement opportunities, or for in-house roles with various private and public agencies. The change is understandable — the skills you learn in security (protector mindset, caution, risk assessment, conflict de-escalation) are widely applicable to those roles. The culture shock is minimal and widespread networking opportunities exist to facilitate such a pivot.
Some of the more technically-minded security professionals pursue cybersecurity. The ever-looming prospect of “convergence” between physical and cybersecurity, driven by integrated security solutions entices them. Or perhaps, they see loudly publicized cybersecurity incidents and it awakens the urge in them to be at the forefront, protecting enterprises. Making this transition requires a strong educational approach beyond the traditional ASIS certifications. Certifications like the CISSP, CISM, Security+, etc. are highly desirable, as is an advanced degree in information technology, computing, or cybersecurity.
Cybersecurity is an industry where soft skills cannot make up for a deficit in technical skills. Setting yourself up for success means devoting
the necessary time, energy, and enthusiasm towards continued education.
Then there are some who wish to push the established boundaries slightly more and explore careers more distant to the security industry. These individuals pursue careers in business continuity, emergency management, and enterprise risk management. While no longer relying on the principles of sound security management, all three of the fields share common traits with regards to proactive prevention, risk management and stakeholder involvement.
Successful transitions here require the security professional to leverage their communication skills. They must become masters with regards to conveying risk-critical information to the decision-makers at the top of the corporate hierarchy. This means distilling emergency management, business continuity, and enterprise risk management best practices into recommendations that offer the executives a clear picture of how it benefits the bottom line.
To this end, the security professional must develop strong quantitative and qualitative analysis skills, understand corporate finance practices, and take a deeper dive into strategic planning. Education — whether it’s the ICS 100400 series of certifications, the CBCP designation, or a degree in enterprise risk management — is also essential. Making the transition without a solid background of empirical knowledge is fraught with risk and will only serve to underscore your relative inexperience.
No security professional should ever feel “trapped” in their chosen career path. With the necessary time and effort dedicated towards attaining the required knowledge, skills, and education, a career pivot is not only possible, but also highly rewarding. The benefit to the industry at large will come from the synthesis of security professionals with other industries, forming hybrid professionals poised to respond to the risks that the 21st century brings.
Tony Dong is manager of enterprise risk management at Securiguard Services Ltd. and a student in the Masters of Science (M.S.) Enterprise Risk Management (ERM) program at Columbia University.
How AI, ML and human ability intersect for cybersecurity
By CDW Canada and Cisco
Artificial intelligence (AI) and machine learning (ML) are relatively new technologies, but they are already playing a central role in cybersecurity. Both have transformed how cyber threats are identified and prevented, while also processing data at incredible speed and scale. Today’s organizations are readily adopting AI and ML to improve cybersecurity efficiency and effectiveness, but these capabilities are not without their implementation challenges.
AI and ML create significant value to organizations in preventing cyberattacks, as the speed and scale of modern cybersecurity threats are too large and too complex for humans alone to detect and thwart. However, organizations where people and machines work closely together extract the greatest value from these technologies. The role of AI and ML will continue to evolve, permeate, and create significant positive change for organizations on their cybersecurity journey, while still relying on human ability to model, program and dissect machine-sourced findings.
The benefits for organizations
Identifying key patterns and distilling relevant information from large data sets remains a challenge for many organizations, compounded by an inability to be proactive with existing detection-based tools. Bad actors can exploit this vulnerability by continuously changing their techniques. A significant benefit of using AL and ML is the ability to effectively mine data and identify the most pressing trends and behaviours that would otherwise be overlooked by human analysts, while doing so almost instantaneously.
“AI and ML gives the ability to find patterns and behaviours in amazing sets of data and correlation points that normally as humans we’d have a lot of trouble processing,” said Theo van Wyk, head of cybersecurity at CDW Canada.
An example of the use of AI and ML is detecting intrusions on laptops. Malware has very specific, regularly changed behaviours, which signature-based detection is unable to detect. Through the human creation of an algorithm, AI and ML are able to identify elements that would have previously gone undetected.
Why organizations should use AI and ML
AI and ML deployment should be carefully considered and used only when it adds value and improves outcomes. As working with AI and ML tools becomes more engrained in long-term strategy and everyday operations, organizations can run on increasingly large scales.
In addition, organizations can leverage AI and ML for multiple applications including embedding these tools in features for
customer use, pinpointing key information within large data sets and identifying trends that would otherwise be missed by humans. Vendors are often privy to information from different customers and verticals that can be correlated, allowing for better models and outcomes when training AI and ML.
“These technologies on the cybersecurity side are very helpful,” said TK Keanini, distinguished engineer in Cisco’s Security Business Group. “All of these analytical tools should be focused on an outcome. We may individually not know what pattern to look for but can detect new threats even if they aren’t on a list.”
Effective implementation
When looking at security orchestration and automation and response (SOAR) tools, automation tends to take precedence. As a result, orchestration often remains a common challenge. However, when working with security analysts, it is important to map out and capture processes in a workflow to first understand what actions to take based on information inputs. Once organizations understand the impacts and dependencies they want to orchestrate, they can automate with greater confidence and accuracy.
Balancing ethics
Ethics should be carefully considered when implementing AI and ML. Machines think in a binary way and cannot understand ethics, leading to potential violations of privacy or personal barriers in the pursuit of a strong cybersecurity posture.
Organizations need to promote and implement the responsible and ethical use of AI and ML tools, where they are only used for what it is intended within with the proper controls and restrictions. Simply because you can do something with the tool, does not mean you should.
Where do we go from here?
Navigating AI and ML to support cybersecurity posture can be challenging. For organizations who are interested in starting to work with these technologies, it is important to start by reading and speaking with experts, not getting overwhelmed, keeping an open mind and thinking about how these tools can advance organizational objectives.
AI and ML will certainly become more embedded in our everyday lives and enable organizations to operate at an unprecedented scale. Cybersecurity should be understood as a holistic concept that requires hybrid solutions. While the barrier between machine and human may shift over time, pursuing the optimal intersection of AI, ML and human ability provides organizations with the most comprehensive line of defense against cyberattacks.
By Winston Stewart
PROTECTING THE LONE WORKER
The COVID-19 pandemic continues to test employee health and safety protocols
As the second wave of the coronavirus pandemic takes hold, employers are dusting off peakCOVID-19 health and safety protocols and preparing to implement them across their workplaces, if necessary.
Organizations that only recently welcomed employees back into their offices are wondering whether they’ll once again have to ask them to work remotely, where possible. Whether organizations will need to close their workplaces entirely during this second go-round remains to be seen. Most provincial governments are reluctant to escalate shutdown measures and companies are, for a wide variety of reasons, desperate to maintain the new status quo and eventually return to some semblance of pre-COVID normalcy. At the very least, companies that can offer work flexibility will continue to do so to help minimize worker interactions.
As such, many organizations will be operating with skeleton staffs across their workplaces. In some cases, they may only have a lone employee manning the proverbial fort. For example, businesses such as gas stations and fast food outlets are prime targets right now because they’re less busy than usual and sometimes have only one or a few employees working overnight shifts. That creates a wide variety of security challenges. Even the risk of fire or medical emergencies create potential security gaps that need to be filled when there are fewer people in a building.
A plethora of risk factors leave a lone — or small handful of — on-site employees vulnerable, and their employers exposed to significant potential civil and employment law liability. COVID-19 or not, employers still have a duty under provincial occupational health and safety legislation to do their utmost to protect employees in the workplace to the point of undue hardship. Even if you only have one employee working in a building, the obligation to account for that individual’s health, safety and security is still paramount.
The first step is to conduct a thorough risk assessment to determine how the safety and security of lone employees, or
skeleton staffs, could be compromised. Is your facility located in a relatively underpopulated area? Will your employee have significant interaction with the public (especially at night) that could make them a target? Is anything valuable kept on site — including stored data — that could make it attractive to criminals? Is the individual (or small team) trained and prepared to manage emergency situations?
Work with your security team or service provider to develop a customized list that addresses your organization’s specific operational needs and workforce characteristics. Next, develop a security strategy to protect your people (or lone employee). That might include assigning a security professional to guard the premises.
This sort of measure may seem costly, but if it ensures the protection of that person and other vital equipment or materials, it could be well worth the price tag. In most cases organizations will leverage cutting-edge technology to protect their skeleton staff. High-definition cameras (equipped with facial-recognition software, if possible), advanced biometric keypads at entry points, alarms that connect to a 24/7 monitoring station and/or local emergency services and even drones or robots, are being utilized to ensure full security coverage. Quite often organizations will employ a hybrid approach, relying on both security personnel and technology solutions.
The key point to remember is that whether we’re in the midst of a global pandemic or not, lone employees that are asked to work at a facility still require the same safeguards they and their colleagues would enjoy under normal working conditions. Ultimately, the best defence is to train employees and make them aware of the potential risks they face when working alone on the job. It can also go a long way towards protecting your organization’s bottom line by limiting liability and unnecessary risk.
So, before you ask that lone individual to return to the workplace, first think about how you plan to protect them.
Winston Stewart is the president and CEO of Wincon Security (www.wincon-security.com).
Harold Wax leads BGIS’s pandemic strategy through collaboration and preparedness
By Neil Sutton
BGIS was at least a few steps ahead of the game when the pandemic hit Canada earlier this year.
Harold Wax, the company’s senior director and chief security officer for North America, had already put a plan in place to amalgamate three of the multi-national facility management firm’s departments: corporate security, business continuity planning (BCP) and emergency response. Wax began this process in August 2019, several months before the words Coronavirus and COVID-19 would enter our collective vocabulary and certainly well before there was even a whisper of a global pandemic.
As news of the virus emerged from Asia, this plan became even more pivotal to the organization, which manages more than 200-million-sq.-ft. of real estate in North America alone. Wax was the clear choice to lead BGIS’s global crisis management COVID-19 team, a role that required the coordination of multiple efforts to provide optimal safety for staff, tenants and other stakeholders in the organization.
For his leadership during the pandemic, management of
a complex departmental integration, and in recognition of an impressive and diverse security career, Harold Wax was named Canadian Security’s 2020 Security Director of the Year by the magazine’s editorial advisory board in August.
Wax’s career is an extension of his naturally gregarious nature.
He was a paramedic in the 90s, but the shift work and a lifestyle determined by a pager didn’t really suit him, he says. So when a chance meeting led to a new opportunity, he jumped on it.
He was in downtown Toronto to see a fireworks display when he spied two men carrying sidearms get out of an unmarked vehicle.
2020 SECURITY DIRECTOR OF THE YEAR AHEAD OF THE CURVE
Curiosity took over; he approached and asked who they were. When they identified themselves as ATM technicians, “I said, ‘Are you guys hiring?’ They said, ‘Yeah, we’re always hiring,’ and they gave me a contact number,” recalls Wax.
Wax was hired on at Mississauga, Ont.-based Universal ATM Services. His second day on the job, he spotted a man, also armed, in the front office. “He was in business-casual clothing with a handgun strapped to his hip. Being curious,
SECURITY DIRECTOR OF THE YEAR
I introduced myself,” says Wax. “He was the director of corporate security.”
When the security director described his job function in more detail, “it lit a spark in me. I didn’t know this career even existed.”
From there, Wax learned the ropes, taking on any role he could at the company, from fixing ATMs to becoming a vault and lock technician to working dispatch.
“As I moved through all these roles, I think a level of trust was forming between the organization and myself.”
Wax was offered a position in the company’s security department, but with no guarantee of full-time status. He opted to leave and joined a competitor, Securicor, as an investigator.
in the ring and was hired as his replacement in 2006 — a position he held for 11 years before moving on to his current role at BGIS.
“We’ve been able to keep our team members safe and keep the operations running.”
— Harold Wax, BGIS
Wax’s Symcor years were another learning opportunity. He became an expert in cheque fraud, amassing a repository of knowledge that he was able to parlay into a part-time lecturing career. Wax shared his subject matter expertise with police and law enforcement agencies across Canada and the United States, speaking to groups that include the Toronto Police Service, RCMP, Competition Bureau of Canada, Canada Border Services Agency, U.S. Secret Service, and the U.S. Postal Inspection Service. (See sidebar on p.18 for more on Wax’s policing career.)
Wax found he had a knack for investigative interviewing. “Next thing you know, I’m catching bad guys,” he says.
As Wax advanced his security knowledge, he became more involved in professional associations such as the Canadian Society for Industrial Security (CSIS). There he met Louis Duranleau, who at the time was the chief security officer for Symcor, a cheque-processing and financial services firm that was co-founded by three of Canada’s largest banks. When he found out Duranleau was leaving the organization, Wax threw
After 11 productive years at Symcor, Wax was looking for a new challenge and joined BGIS as the organization’s first dedicated chief security officer. He says he was enticed not only by the role, but by the fact that his new employer was very keen that he continue his extra-curricular activities.
While at Symcor, Wax held the CSO role but was also responsible for the corporate emergency response function, so, now at BGIS, the idea of reorganizing three different but related departments together was familiar territory.
“I thought it was great idea, then this thing called a
his hat
Images: Sandra Strangemore
pandemic rolled in,” says Wax.
The genesis of the departmental project grew out of a necessity, says Wax. At the time, business continuity and emergency response were a joint function, which fell under the enterprise risk management department. But when it came time to hire a new manager with risk management and business continuity skills, it was tough to find a candidate who could handle both equally well, says Wax. The solution was ultimately to hire two individuals and reorganize. Business continuity and emergency response then became Wax’s departmental purview, while risk management shifted over to the CFO’s department.
Before the pandemic took centre stage, Wax says his department was looking after “normal everyday events” like hurricanes, tornados and fires. (Pandemic or not, these emergencies, of course, persist. When Canadian Security initially contacted Wax to notify him he would receive the Security Director of the Year award, he was deeply involved in tracking the possible outcomes of Hurricane Laura for his company.)
As the go-to department for BCP and emergency response, Wax and his staff were actively watching the Coronavirus as a potential threat long before it reached North America.
“We saw the Coronavirus emerging from China and it was something that we were definitely keeping tabs on,” he says. In January 2020, his business continuity manager was about to go on vacation when the situation began to escalate. “I think it was two days before she left when the Coronavirus really started hitting the radar. WHO (the World Health Organization) hadn’t declared it as a pandemic, but things were moving down that path. We started looking at our infectious disease plan and our pandemic planning.”
Wax’s group was initially prepared to wait for the official WHO declaration, “but then we figured, why are we waiting? We know it’s coming. We might as well activate now,” says Wax.
“As things started to progress and as we started to see the numbers climb in Canada and in the U.S. and the APAC (AsiaPacific) region, we made the decision at the senior executive level that I would take a global role in the COVID response, so I was named the global crisis manager.”
The watchword became flexibility. Earlier expectations of what a pandemic might look like did not meet reality, says Wax. Most pandemic plans suggest 20-25 per cent absenteeism, “but with COVID, everybody went home. So it’s great if people can work from home, but a lot of businesses, as we saw, [can’t].”
A global real estate company with a massive footprint, BGIS manages properties for the federal government, major telcos, financial institutions, oil and gas, Fortune 500 companies, and health-care facilities. “Our client base is quite large. Managing those relationships and sharing information when it comes to potential health concerns or issues is obviously paramount.”
To stay ahead of the situation, BGIS ordered mass quantities of personal protective equipment (PPE) and hand sanitizer before the full impact of the pandemic became
apparent. They were ready when clients came to them with their needs.
Wax says a medical consultant was brought on, and the pandemic team met seven days a week via conferencing sessions that could involve up to 180 people. (These meetings have since been scaled back to once a week.) In addition
A policing career
There are commonalities between policing and professional security, and numerous examples of professionals who have transitioned from one to the other, but Harold Wax has been able to maintain both.
Wax joined the Ontario Provincial Police as an auxiliary member in 1996, and has held the ranks of Constable, Sergeant, Staff Sergeant/Unit Commander, Regional Sergeant Major, and Inspector/Regional Director. He is currently assigned to the OPP’s highway safety division.
Wax’s expertise in cheque fraud from his time at Symcor has led to a prolific speaking career on the subject, and he has held seminars for policing organizations across North America, including the Lafayette Police Department in Louisiana for repeat engagements. Making the relationship official, the department commissioned Wax as a Reserve Deputy Marshal in 2016 and a Reserve Police Officer in 2019.
In 2018, Wax was awarded the Province of Ontario Auxiliary Policing Medal for Long Service and Good Conduct. In 2019, he was awarded the Sovereign’s Medal for Volunteers by the Governor General of Canada.
to mask, PPE and social distancing policies, staff were also required to complete a daily COVID-19 self-assessment app before allowed on to a BGIS property.
In some cases, shift workers with onsite jobs like maintenance and cleaning were paid to stay at home, so if a COVID case emerged on one shift, a reserve force could be called in.
For properties like data centres, groups of workers were organized such that they had zero contact during a shift change, each shift using a separate entrance and exit. “So we know we can potentially salvage 50 per cent of the workforce in that environment if we have to put some people into quarantine,” says Wax.
“We’ve been able to keep our team members safe and keep the operations running. It’s been quite successful, but it’s been a massive learning curve. I’m a firm believer when it comes to business continuity and emergency response that you have to have a playbook and you have to have plans, but you have to have the flexibility to scale those plans up and down or morph them on the threat that’s presenting itself.”
Michael Brzozowski, risk and compliance manager at Symcor, worked with Wax for seven years at the organization. He describes Wax as a master multi-tasker, ideally suited to managing the conditions created by this pandemic.
“I was always impressed with how well he manages his time. He can switch very quickly between topics and issues without even missing a beat, which allows him to be very efficient in how he works,” says Brzozowski.
“He always used to say, ‘My job is keeping the business in business.’ I think that’s what I learned from him: Don’t just be a security professional. Look at the business and see how you can apply security principles.”
“At the end of the day, his mandate is to make sure it’s business as usual,” adds Yan Proulx, national security director, BGIS, based in the company’s Ottawa office. “Making sure that nothing impedes what we are supposed to be delivering to the client and always doing it in a very safe and healthy manner.”
Proulx nominated Wax for the Security Director of the Year award, calling attention to his leadership of the company’s security department reorganization and COVID response strategy. “He’s got a lot of knowledge in different fields of security. He has a good understanding of the IT security world, the cybersecurity world, the policing world, the physical security world, investigations.”
Wax says the lessons learned as the pandemic unfolds are significant amid the onset of a second wave of the virus and the subsequent impact on building occupancy.
“This pandemic has played out quite differently than most of us had planned or tried to prepare for, but if you have that flexibility to adapt, you’ll have a greater success in making your way through it,” he says. “Again, this pandemic is evidence that adaptation is key in one’s career.”
t Harold Wax accepted his Security Director of the Year award as part of the Canadian Security Honours virtual summit, held Oct. 1.
CANADIAN SECURITY HONOURS
Canadian Security magazine recognizes three professionals who are helping to transform the industry through leadership, education and volunteerism
CANADIAN SECURITY HONOURS
Emerging Leader: Josh Darby MacLellan
Community Leader: Sherri Ireland
The third annual Canadian Security Honours event had a different look this year. Our usual lunchtime gala in Toronto became a virtual event. As is customary, we acknowledged outstanding security leaders, but they joined us via webcam rather than in-person.
Like so many meetings, conferences and seminars in recent months, CS Honours moved online by necessity, but that did not reduce the impact of the awards or the enthusiasm of the winners and their supporters. On the contrary, virtual events
Community Leader: Sherri Ireland
Sherri Ireland has found mentors in her career and been a mentor to many.
Ireland’s early interest in becoming a police officer turned to thoughts of security while she was attending Fleming College in Peterborough, Ont. “After doing research, I became more interested in the prevention side than police enforcement,” she says.
Lifetime Achievement: Kevin Murphy
allow people to visit conferences that might otherwise have been difficult or impossible to attend.
This year’s winners are: Sherri Ireland (Community Leader), Josh Darby MacLellan (Emerging Leader) and Kevin Murphy (Lifetime Achievement award). The event was supported by sponsors Axis Communications, Everbridge and GardaWorld.
If you missed the live event on Oct. 1, you can now find all the sessions available on demand at www.canadiansecuritymag.com. Award profiles by Neil Sutton
Ireland’s first job upon graduation was as a security guard at Toronto’s Royal Ontario Museum. There she met Janet Banks, the ROM’s security director, and discovered a mentor. “I had a female role model in the security industry, which was even more rare then than it is now,” says Ireland.
Ireland was promoted to security supervisor, managing a staff of 80. When Banks left the ROM to start her own business, Ireland joined her, working as a private investigator. Her next
step was a move to Intercon Security, in supervisory roles at the company’s alarm monitoring station. She became service manager in 1998, helping to take the business through the technical challenges presented by Y2K and the new millennium. She then worked with a financial services client, rolling out a large security systems upgrade in 1,400 branches across Canada.
Intercon went through a number of major transitions and corporate owners during Ireland’s tenure at the company. Intercon’s U.S. parent sold
its security divisions to ADT/Tyco. Under Tyco, Ireland took on a general manager role and was responsible for integrating SimplexGrinnell into Tyco’s fire and security business in Canada. To anyone currently working at a company transitioning through a major merger, Ireland’s recommendation is to “just absorb and learn as much as you can. It will certainly benefit you moving forward.”
Ireland left Tyco to start her own consulting business, working with a U.S.-based central station operation, and commuting back and forth from Ontario.
“After doing that, I decided I really liked working for myself,” says Ireland. She founded Security Exclusive in 2015. She holds the titles of founder and president but “I’m basically wearing three hats,” running the company as recruiting, consulting and cyberawareness training businesses.
Throughout her career, Ireland has returned to Fleming, her alma mater, repeatedly. She was invited by
Emerging Leader: Josh Darby MacLellan
For Josh Darby MacLellan, security may be a career choice, but it’s also one of the basic building blocks of human existence.
“What initially sparked my interest in security is… it is an indisputable fact that humans need security if they ever want to enjoy any kind of quality of life,” says Darby MacLellan, who points out that security is situated right above food, water and shelter in Abraham Maslow’s classic Hierarchy of Needs pyramid (above that are love, esteem and self-actualization).
“There is a huge imbalance in the security people enjoy. Too many of us don’t enjoy enough security; few of us enjoy what should be a universal standard,” he says. “Those were the kinds of principles that motivated me and drew me in.”
Darby MacLellan moved from his native U.K. to Canada in 2015 as part
Nancy Newton, the coordinator of the protection, security and investigations program, to speak to students, along with fellow professionals Lina Tsakiris, Silvia Fraser and Judy Shulga. Ireland says she was subsequently asked if she would be interested in developing a project management course. When she agreed, she was asked if she wanted to teach it.
Ireland says she was well supported by her employer at the time, Tyco, as she pursued her part-time teaching career, which continues to this day. (Ireland also filled in as interim coordinator for a year when Newton passed away in 2017 after a battle with cancer.)
“I like to work with people and I’m able to recognize their talents — sometimes they don’t even realize that they have those talents — and be able to look at opportunities for them. That’s what really motivated me to teach,” says Ireland.
Ireland is also active in security associations, currently serving as vicechair for the Toronto Chapter of ASIS
International. She also recently joined the Canadian Security Lifesaver Association, which acknowledges the incredible work that frontline security professionals do in keeping the public safe (Canadian Security is the official media partner of the CSLA). Ireland has also volunteered on several occasions with Canadian Security’s Career Expo, held annually in March, serving as a mentor to the security students who attend.
For Ireland, all of this is an affirmation that security is not only a viable career choice, but one that offers rewarding experiences and good salaries, and fosters a strong community mentality. That community has only grown stronger over the years, observes Ireland. “I know many people across Canada and the U.S. and even globally that if I needed help or had a question, I can just send an email or [make] a phone call,” she says. “People jump up to help their colleagues. That’s what I’ve really, really appreciated about this industry. We can be competitors one day and still help each other out that same day.”
of a continuing studies program while he pursued a double Master’s degree in political science, specializing in security studies.
Enrolled in the University of Waterloo’s School of International Affairs, Darby MacLellan was able to take advantage of a co-op threat intelligence analyst placement at a financial institution, which, he says, provided an ideal transition into the private sector and the world of professional security.
“It just comes down to networking ... and the desire to get more involved.”
to take his international education and corporate security experience and transition into a cybersecurity role — something that required a great deal of legwork, knowledge-gathering and networking on Darby MacLellan’s part. (Darby MacLellan describes in detail how he was able to accomplish this in his article “Meeting the cyberskills challenge,” which was published in the summer issue of Canadian Security.)
“Not having that co-op would have made my transition into the professional world far more challenging and far more daunting,” he says. “And I really do empathize with those who haven’t done a co-op or internship and are intending to embark on their career.”
Darby MacLellan’s next goal was
A big part of Darby MacLellan’s career journey is his focus on networking through volunteering for associations like ASIS International. Darby MacLellan says he was encouraged by his managers to get involved in the larger security community, particularly through ASIS involvement. His first major experience with the organization came at its annual Global
Security Exchange (GSX) conference in 2018, which was held in Las Vegas.
He joined ASIS’s Young Professionals (YP) Council and took on two roles: YP Committee Chairperson at the ASIS Toronto chapter and also Assistant Regional Vice President representing YPs across Canada. Volunteerism is all about demonstrating your level of engagement and willingness to participate, says Darby MacLellan. “They will assess your enthusiasm and ask if you’re interested,” he says, which quickly led to his dual YP roles.
“There wasn’t anything special about my approach, or unique about me… it’s something that I think anyone can do,” he adds. “It just comes down to networking and communicating and the desire to get more involved with different volunteering opportunities out there.”
Darby MacLellan also began attending (ISC)² Toronto chapter meetings about a year ago and joined
the organization’s communications committee.
The importance of networking cannot be over-emphasized, he says, since it leads to career and lifeexpanding opportunities.
The catch-22 for many young professionals comes when they try to advance their careers into managerial roles, he says. Companies looking to fill vacancies want to see candidates arrive at a job interview armed with managerial experience, but that experience often only comes from actually doing the job.
Volunteering with associations is one way to gain that valuable experience, notes Darby MacLellan. “That’s another tangible takeaway from ASIS. It allows you to have your first professional experience of managing and leading teams. I think that has huge transferable skills,” he says. “I know that when I start to apply to management positions,
I’ll be able to draw upon all of that experience.”
In addition to the professional opportunities volunteerism generates, he says he has also formed some close friendships. “I’m very grateful for that.”
Darby MacLellan was also among the first group of security professionals to earn ASIS’s Associate Protection Professional (APP) designation, which was introduced last year. His next goal is to attain the (ISC)² Certified Information Systems Security Professional (CISSP) designation.
The pandemic has put a bit of damper on Darby MacLellan’s networking and engagement, but he has adapted by taking those opportunities online. He has since moved his coffee meetings to “e-coffees,” which has its upside, he says: the coffees are cheaper and the travel-time is non-existent. “You can get a lot more done in terms of having conversations with people.”
Lifetime Achievement: Kevin Murphy
Kevin Murphy’s security career began as a part-time job at the age of 20.
He started working as a security guard in 1975 at Garden City Raceway (then a Woodbine property) in St Catharines, Ont. “I thought, maybe I’ll give it a try, and if it doesn’t work, I can go back to school,” says Murphy. Forty-five years later, Murphy recently retired from Woodbine Entertainment as the company’s director of health and safety.
After his first year as a guard, his boss asked him if he was interested in becoming a supervisor. “Every three or four years, I would change positions within the company and take on more responsibility. I never did go back to school,” says Murphy.
Murphy moved into investigations, took on a position as a division manager and other managerial roles followed. In 1987, he became the security chief for the standardbred division. In 1995, the standardbred and thoroughbred divisions merged with Murphy as senior security manager. He was appointed security director of Woodbine Entertainment in 2007.
At Woodbine, his lifestyle became an itinerant one, working at the major horseracing facilities across southern Ontario. “As a racetrack, it was like a travelling roadshow,” explains Murphy. “We’d run the races in one city for six or seven weeks, then we’d pack everything up, including the office furniture, and move to another city. At the end of that eight weeks, we’d pack up and move back. In the standardbred division, we went between St Catharines, Campbellville and Toronto. We moved six times a year.”
Within the horse-racing business, there are two major factions at play, says Murphy: the public that comes to see the racing and the racing itself. “One was the consumer side, one
was the production side, if you want to think of it in those terms,” says Murphy. “The horses, the trainers, the drivers, the owners — it’s a small community all of its own,” he says. “All the horses are stabled there; all the people are there. They travelled with you track to track.”
The challenges of the job and the relationships he was able to form through his increasing familiarity with the sport is what kept it interesting for him, says Murphy. “It’s sort of a parallel to the Leafs or the Raptors. You get involved with the athletes and get an appreciation for what they do.
was Canadian Security’s Lifetime Achievement award winner in 2019.)
Murphy joined the CSIS board in 2003, and became the organization’s chairman and president in 2006.
“The horses, the trainers, the drivers, the owners — it’s a small community all of its own.”
“We’d see each other every day and we got to build a relationship where [I could say] ‘I’m here to help you. I’m not here to tell you what you can’t do or tell you how to train your horses. If there’s anything I can do to help you out, let me know.’”
Murphy’s influence expanded outside the horse-racing community and into the broader security sphere when he joined the Canadian Society for Industrial Security in the late 1990s.
There, he met like-minded senior security leaders who were interested in professionalizing the industry and sharing best practices. Security itself was changing, says Murphy, as technology began to play a much larger role in how it was practiced.
Joining CSIS “came from a recognition that the business at Woodbine was going to change. We were going to get slots at the racetracks and we had to improve camera systems and access control and changing the way our facilities operate from eight hours a day, five days a week to a 24x7x365 operation,” says Murphy.
As he attended monthly meetings, Murphy says he learned from fellow professionals such as Graham Ospreay, Jim Maddin, Mike Ferguson, Martin Green and Bob Marentette. (Marentette
He also joined the Organization of Racing Investigators, an international group of security professionals working in the horse-racing industry. Most of the members are American, says Murphy, but the organization also draws membership from Canada, Australia, Ireland and Jamaica. The group has a keen focus on the integrity of the sport and takes an active role in the safety of the jockeys and drivers, says Murphy, who served a term as its chairman in 2013. Murphy has also served on advisory committees for security programs at Conestoga and Sheridan colleges.
Murphy took a medical leave of absence from Woodbine in 2018 and his colleague at Woodbine, Robin Soobramanie, took on the security director role in his absence. When Murphy returned seven months later, he was offered the position of director of health and safety and became responsible for a diversity of requirements, including food safety, fire safety and emergency management.
“My boss at the time said, ‘I would like you to take this thing on, and make people more aware,’” says Murphy. “I was tasked with building that team and building more awareness around the company to health and safety concerns.”
Now retired, Murphy says he has followed two paths: the daily responsibilities he met during his 45 years at Woodbine and the outside engagement that brought him networking opportunities, collegial relationships and the pursuit of professionalization and education for others in the security industry. “I think I had two careers,” observes Murphy. “Both were quite fulfilling.”
garda.com/pandemic-response-canada
TEARING IT UP
There’s more to managing and destroying documents than a filing cabinet and the office shredder, especially in this era of flexible work
By Alanna Fairey
Destroying a document may sound like an unproblematic process, but if not done properly, it could result in serious security breaches.
Businesses are required by law to retain confidential client, employee and company information for a specified amount of time, but many documents eventually outlive their purpose.
“Every company generates paper or digital files,” says Owen Key, director, advisory services, risk consulting, KPMG LLP. “Whether they’re emails, official records or non-official records like transitory documents — such as emails or instant messages — they have to have particular protocols or policies around destroying [them].”
— some businesses will keep the files forever.
“They were very nervous about deleting content because of what’s called legal spoliation — if they got into a legal discovery situation that if anything was deleted, they were going to have a problem,” says Safar.
“The main problem that you have to solve is to understand what the content is as soon as possible so that you can get it where it’s going, or as close to where it’s going to land for the rest of its life.”
Safar adds that the company’s OpenText Content Suite oversees the lifecycle management of information across the enterprise from capture through archiving and disposition. Among its features, the OpenText Content Suite helps to ensure information governance of both digital and physical content to adhere to retention, disposition or destruction guidelines in accordance with internal policies and external regulations.
“Working from home adds another location where information can be unintentionally leaked to outside sources.”
Mike Borromeo, vice-president of data protection for document destruction provider Shred-It, explains that holding on to confidential documents for too long puts your business at risk of a security breach and non-compliance with privacy legislation.
“How long you store business records should be determined by a retention schedule that balances each record’s usefulness with the legal requirements,” Borromeo says. ‘This schedule will depend on the type of business and the lifecycle of specific documents.”
Typically, documents are stored for about 10 years before a company destroys them. What surprises Mike Safar, senior product marketing manager of OpenText, is how many large companies have huge file shares, and departmental file shares
— Mike Borromeo, Shred-It
For its part, Shred-it uses an industrial shredding machine with a crosscut shredding technology that reduces paper to fine, confetti-like pieces, versus conventional strip-cut pieces that are more susceptible to outside reconstruction.
“From there, shredded paper is bundled and sent to a paper mill for recycling,” Borromeo explains.
In an era of advanced technologies, most companies have transitioned to the digital space and are heavily focused on cybersecurity for protection.
Boston-based Iron Mountain, an enterprise information management services company, is known for its document storage and shredding capabilities. However, in recent years, Iron Mountain made a transition as their customers began to change their behaviour.
“We moved more into the digital space and advanced towards more offerings around the cloud storage, secure offline storage and data recovery,” says Iwona Sikora, senior vice-president and general manager of Iron Mountain’s records management group. “Once we moved completely to this digital space, we have a solution around data extraction and data analytics that help to actually unlock the value of the
data for our customers.”
Even though digital documentation is on the rise, Key is of the opinion that offices will never go fully paperless.
“We’ve had a huge move towards digitization of documents and moved away from paper,” Key says. “I don’t think we’ll ever get to a paperless office, to be perfectly honest.”
While cybersecurity breaches have become a top concern, companies should still be mindful about physical documents, such as paper documents, laptop computers, and external hard drives, as they can pose similar risks and consequences to an organization if compromised, according to Borromeo.
“While the concept of a paperless office has long been talked about, the reality is that businesses still consume paper due to technical obstacles and personal preferences, such as marking up documents,” Borromeo explains. “In addition, the work-fromhome trend has risen steadily over the past decade and many were quickly thrust into remote work as a result of the COVID-19 pandemic. Working from home adds another location where information can be unintentionally leaked to outside sources.”
authentication to get into your work repositories or your cloud environments,” Key says. “However, I don’t think it’s really pushed in terms of destruction. Most companies do not have mature data and document destruction policies.”
Sikora argues that from a business perspective, COVID-19 has had an impact on document management, as people have been working from home and wanting to accelerate their digital transformation. “We have been receiving a lot of requests from our customers, where they say, ‘Can we switch the process to digital quickly?’” Sikora relates.
However, says Sikora, there was still a need for paper documents to be properly managed during the pandemic.
“Our clients are still both using paper and digital information and they are facing an increasing complexity.”
— Iwona Sikora, Iron Mountain
Risks can include potential mishandling of physical documents, such as the improper disposal of confidential information, visual theft, as well as digital threats such as an unsecured Wi-Fi connection.
“We believe that security for physical and digital documents is equally important, and businesses should continue to prioritize physical security compliance to reduce risk,” Borromeo says.
OpenText has a system in which their customers are able to track their physical documents. OpenText encourages their customers to image their documents so that they are available on demand, explains Safar.
“What’s interesting is I may have to keep the original paper, and what we can do is keep all of that in one file so that when it’s destroyed, it’s destroyed together,” Safar says. “The electronics are destroyed and the rec room is also trading the box of records that go with it at the same time, so all that’s coordinated through our records back end.”
While security breaches and cybersecurity hacks have been making the headlines during the COVID-19 pandemic, it has made little impact in terms of how businesses go about destroying their digital and physical documents.
“COVID has highlighted issues in regards to controls over working from home and using VPN, and multi-factor
“For example, when legal firms and their lawyers were working from home, they were asking us to deliver physical documents, because a lot of lawyers have to go through the paper,” Sikora explains. “They would ask us to deliver it directly to their homes…. There was a lot of change from a perspective of destroying digital documents.”
Safar has similar sentiments to Sikora, in the sense that OpenText did not have to amend the features provided, but rather the company saw a change in how customers valued their services.
When COVID-19 began, a number of OpenText’s customers began deploying laptops in the field. They turned to OpenText for their software solutions to ensure that their information was protected while on a budget.
“So the question now is, how do you capture that?
How do you deal with spoliation? Some customers might, for example, be looking at the cost of COVID-19 or they might be looking at something very simple like using our [subsidiary company] Carbonite’s software to back it up,” Safar says. “Even if the user destroys the entire laptop, or loses it, or runs over the driveway, it doesn’t matter. We are legally compliant with that.”
Sikora says that the pandemic has added a layer of complexity with this remote workforce, and companies will continue to provide services based on customer behaviours and needs for document management.
“Our clients are still both using paper and digital information and they are facing an increasing complexity, integrating and transitioning across the hybrid environment,” Sikora concludes. “We at Iron Mountain are helping those organizations to go through this transition, and providing the solution that follows them.”
On the Clock: REWIND
By Alanna Fairey
The “On the Clock” video series, which was launched earlier this year, focuses on getting to know security professionals through brief yet informative conversations. Our guests (15 and counting) have shared stories and insights from their careers and dispensed advice for career development. One of the most common questions they answered is: “How did you begin your career in the security industry?”
Sean Spence, director of enterprise corporate security, Sobeys
I basically started out as a security guard, and I worked the beat late nights, wearing the uniform while I was in university. I wasn’t sure what kind of career path I wanted to take and initially I got into HR. I didn’t really like HR too much, and I think the security bug was tugging away at me. So, I decided to join the military, where I enlisted as an officer. I had [an] awesome experience in the military and I learned a lot about leadership. I also think that’s where I really learned the fundamental principles of
security. Because when you really think about it, a lot of the principles we have in corporate security really are rooted [in] the military. The military has been doing this stuff for thousands of years and so they’ve learned over that time to adopt what works, and [leave out] what doesn’t work. After I left the military, I wanted to continue on with my security career. I upgraded my education and I got a master’s degree, and then found my way into corporate security. I haven’t looked back since.
Carmela Demkiw, senior director of corporate security services, Rogers Communications
My background is in law enforcement. Back in 2002, I joined the TD Bank right when debit card and credit card fraud was just taking off. I moved up through different ranks and managerial positions and ended up as an executive at TD Bank, working in the investigative field. I ended up leaving TD Bank to join Rogers Communications for the opportunity to build a corporate security team. They currently have four different teams under different disciplines and brought them under all one umbrella together and we have a great team now.
CANADA’S LARGEST VIRTUAL SECURITY SHOW
SECURITY CANADA 2020
December 2 & 3, 2020
Discover the latest innovations in the security industry and network with professionals from across Canada in our live, face-to-face, mask-free booths, attendee lounges, and education sessions. Using our virtual platform’s Zoom-based networking and private meeting tools, you’ll learn from industry-leading keynote speakers and expert panels, reconnect with old friends, and stay on top of the latest security technologies and trends.
Robert Hastings, director of global security strategy, Manulife
I began in the industry in the late 90s as part of a high school co-op. It seemed at the time to be an interesting way to pick up a couple of credits, but very quickly, it became a good fit for me — enough so that my bosses offered me a position and so I was licensed as a security guard. I very distinctly remember showing up my very first day in my guard uniform and complete with clip-on tie, and I felt very important about myself. I took my first post at the vehicle access control gate for a manufacturing facility, signing in cars. I think if you whispered in my ear at that point that I’d still be doing this 20-plus years later, I’m not certain I’d have believed you.
Robin Soobramanie,
director of security operations, Woodbine Entertainment
I started in the security industry back in 1987. I had just finished Grade 13 at the time. I wanted to join the Toronto Police [but] my eyes were not good and I couldn’t get on. At the time, my dad worked at the old Greenwood racetrack in distant Toronto. He went to his boss and said, “You know, my son’s hanging around the house. He’s got to get out of the house and needs some kind of job,” so I got hired on in security.
Sloane Newton, national security officer, finance, Canadian Grain Commission
Back in 2002, I was a finance officer with the Department of Justice, and an opportunity came up for a role in accommodations and security. It piqued my interest, so I took the chance and I made the adjustment and went over to that role. That’s where I think I found my passion for security. I became involved with business continuity management, physical security, personnel security and security awareness.
I was there for about five years and then I took an
opportunity with a different department at the Canada Border Services Agency... In addition to the previous functions in security, I also took on and learned threat risk assessments and investigations. I was there for about three years, and then an opportunity came up to advance in my career, so I made a move to a different department to real property and contracting. I wasn’t there for very long before I realized how much I actually did miss security. In 2011, I had a chance to come back to the security industry and the position that I’m in now.
Marti Katsiaras, global manager, public safety and physical security, ADP I started off just out of university ... doing loss prevention. I enjoyed it thoroughly. I lasted within loss prevention for just shy of 10 years. I really climbed the ladder while I was there, starting from floor walking to working credit card frauds, internal investigations and then moved up to a task force that dealt with major claims for the retail store that I was working at. From there, I jumped to a totally different platform within security. It was the acquiring side of credit card fraud, and I was there for a number of years. Now I’m with ADP, with the global security organization. I’m very proud to be working for such an amazing company. And now I’m in public safety, physical security and protection.
Michael Allen, chief security officer, corporate security,
Manulife
Many years ago, I was doing your typical student jobs — a myriad of really exciting things. Some friends had given me the opportunity to throw on one of those security t-shirts and go to some concerts and local little festivals and events, and get to experience the limelight. It was very intriguing to someone who’s young. When I came of age to get a security licence, a friend helped me get on with this company, and it was an exciting start. I found myself in the first few months, going from a factory, to a nice condominium, to a securitycleared site, to a major shopping centre and I did some loss prevention. That was a very exciting introduction into the industry for me.
Mobile-ready reader
Camden Door Controls
Camden Door Controls introduces a mobile-ready reader based on RFID technology that combines Bluetooth Low Energy (BLE) and contactless smart card technologies. In operation, it’s capable of reading data stored on a contactless smartcard credential via high frequency. In addition, it can also read data from a mobile credential stored in a smartphone’s wallet app via BLE technology — without physical contact — and then pass the data obtained to the physical access control system. CV-7600 readers are also compatible with MIFARE prox. cards and fobs. This feature allows system managers the ability to assign the best/preferred type of credential for each system user. www.camdencontrols.com
Fiberoptic sensor
Senstar
Cloud-based intrusion detection
Vanderbilt Industries
SPC Connect is a remotely managed, cloud-based, intrusion detection solution. This latest version, 3.0, includes an entirely reworked user interface and focuses on more intuitive user operations. Through this release, collected information is now visible to the installer and enables them to have an overview of the installed SPC systems out in the field. Dashboard widgets like a geographical site map with status information from individual panels or a multisite status widget show the overall status information from all connected SPC panels. A new centralized operations menu allows the installer to more intuitively navigate a specific operation more quickly.
www.vanderbiltindustries.com
Senstar has introduced enhancements to its FiberPatrol FP1150 fiber optic intrusion detection sensor. Originally designed for fence applications and offering intrusion detection coverage up to 10 km (6.2 mi) per processor, the FP1150 can now detect intrusions up to 80 km (49.7 mi) per processor for fence, wall-top and buried applications, and up to 100 km (62.1 mi) for pipeline and data conduit Third-Party Interference (TPI) detection. As well, to simplify planning and budgetary processes, Senstar has implemented a per-meter licensing model, allowing customers to license only the sensor coverage distance they require, but with the option to add additional coverage at any time. Other enhancements to the FiberPatrol FP1150 include upgraded processing specifications (CPU, memory), software support for redundant sensor units, and sensor unit versions for backwards compatibility. www.senstar.com
POE intrusion detection
Southwest Microwave
Southwest Microwave has expanded its suite of IP-based Power over Ethernet (POE) intelligent perimeter intrusion detection solutions with the INTREPID MicroPointPOE-S Fence Detection System. Suited for fence applications with cut-or-climb intrusion risks, MicroPoint-POE-S employs proprietary digital signal processing algorithms to precisely locate intrusion attempts to within 1.1 m (3.6 ft.) while ignoring harmless disturbances caused by wind, rain or vehicle traffic. MicroPoint-POE-S couples MicroPoint fence sensor performance with secure TCP/IP network integration via a single Ethernet cable for power and data transmission. www.southwestmicrowave.com
AD INDEX
Antimicrobial technology
SALTO Systems
SALTO Systems, and BioCote have added antimicrobial technology to the new SALTO Neo Cylinder Range. The new SALTO Neo Cylinder is a compact smart door lock cylinder equipped with wireless access control design technology. It is designed to provide smarter building management and can be installed on doors where fitting an electronic escutcheon is not normally possible or required, including standard doors, server racks, gates, cabinets, electric switches, sliding doors, and more. BioCote is an antimicrobial agent that contains silver-ions which are engineered to provide continuous, built-in protection on SALTO product surfaces and hardware devices. It works by binding with microbes and damaging their cells in a number of ways, disrupt-ing their normal functions and preventing them from reproducing.
www.saltosystems.com
Face mask detection
Intelligent Security Systems
The SecurOS Face Mask Detection (FMD) solution is designed to help organizations safely and quickly restore, maintain and further protect operations. SecurOS FMD automatically detects when an individual attempts to enter a facility without wearing a face mask where required and alerts administrators. ISS FMD is built using advanced neural network-based algorithms to deliver high accuracy with real-time detection, and works with any camera, using off-the-shelf computers, while eliminating the need for any special GPU cards. issivs.com/COVIDresponse
Commissionaires offers a complete suite of services including threat-risk assessments, guarding, mobile patrol, digital fingerprinting and cyber security solutions.