



Campus security professionals discuss COVID lessons, updating pandemic plans, diversity issues, and more
Sutton
There are some security topics that never leave the agenda
I can say with some certainty that I don’t want to spend the rest of my life writing about COVID-19. But even if we feel like we’re done with the pandemic, it’s not quite done with us yet.
As security professionals might say, there is a path forward: a return to work and to a semblance of pre-pandemic life, provided that the risks can be mitigated and the appropriate safety precautions are taken.
Two of our columnists in this issue (Tim McCreight and Winston Stewart) have taken this topic head-on but from different perspectives. Where those perspectives converge is: let’s not forget what we’ve learned in the last 18 months. More importantly, let’s use this information to improve our lives, our teams, our communications and go above and beyond what our stakeholders and our customers expect from us.
Over the last few weeks, I’ve had ample opportunity to review some of those lessons from our brand’s perspective. Within our security team, we’ve met several times (virtually, most of the time) to review what has occurred in the last year and look towards our priorities for the months ahead. Those plans include the potential topics we want to explore — via articles, videos, webinars, etc. — and how we can plan for our own return to in-person events. Truthfully, I’m very satisfied with the way our virtual events have come together over the last 18 months (attendee feedback suggests that they largely agree) but there is no doubt that there is a huge appetite for people to meet and learn together in person.
As students prepare to return to in-person learning this fall, this also seemed like a good time to check in with campus security professionals.
Recently, I met with a group of six experts representing learning institutions across Ontario, Nova Scotia and Saskatchewan to get a sense of their COVID experiences and how they will apply those lessons not only this fall but in the years to come. During the roundtable, we discussed how their pandemic plans were put to the test in early 2020 and how they flexed over time to meet the constantly shifting terrain that is COVID-19.
We devoted the second half of our discussion to a topic that will outlive this pandemic as well as any crisis that comes our way: the security department’s role in diversity and representation. As a panel moderator, it’s usually my job to ask the questions, make sure everyone gets their turn to speak, and keep the conversation moving along. Mostly what I was doing here was listening and learning. I think discussions about Equity, Diversity and Inclusion (EDI) in the security world are really only just beginning. As one of the panelists mentioned, we’ve come a long way, but there’s still a long way to go.
So if I were to project a year into the future, yes, I expect we’ll still be reflecting on the lessons of COVID, but there are some conversations that should never end.
Group Publisher Paul Grossinger pgrossinger@annexbusinessmedia.com
Associate Publisher Jason Hill jhill@annexbusinessmedia.com
Editor Neil Sutton nsutton@annexbusinessmedia.com
Associate Editor Alanna Fairey afairey@annexbusinessmedia.com
Media Designer Graham Jeffrey gjeffrey@annexbusinessmedia.com
Account Coordinator
Kim Rossiter krossiter@annexbusinessmedia.com
COO Scott Jamieson sjamieson@annexbusinessmedia.com
Editorial and Sales Office 111 Gordon Baker Rd, Suite 400, Toronto, ON M2H 3R1 (416) 442-5600 • Fax (416) 442-2230 Web Site: www.canadiansecuritymag.com
Canadian Security is the key publication for professional security management in Canada, providing balanced editorial on issues relevant to end users
but at all times serves to inform and educate readers on topics relevant to their individual and collective growth and interests. Canadian Security is published four times per year by Annex Business Media.
By John Petruzzi
Global Security Exchange (GSX) 2021 will be perhaps the most ambitious GSX in the history of ASIS International. ASIS has taken the most comprehensive event for security professionals and evolved it to the most inclusive event the industry has seen.
Thousands of security professionals from across the globe will be participating at this year’s GSX on Sept. 27-29, 2021 in Orlando, Fla., or through the GSX online digital platform.
Beginning with our digital kickoff event on Sept. 15, GSX 2021 will serve to support, nurture, connect and inform a diverse group of global security professionals with robust digital and in-person programming.
This year’s GSX means a little bit more for many of us and, as the first in-person GSX in a little over two years, will serve as the first opportunity in that time for us to reconnect in-person with many valued colleagues and friends.
GSX is community-building at its finest for the individuals who make our world a safer place to live and work. At the core of building a best-in-class online and in-person experience was a deep commitment to inclusivity, so that if someone was unable to travel to our live venue, they would still have access to this industry-leading event.
The GSX education program addresses the biggest trends, issues and challenges facing the security profession, including access control, artificial intelligence, asset protection, crisis management and business continuity, cybersecurity, drone technology, workplace violence prevention, and more.
The GSX All-Access Pass unlocks six learning theatres and more than 90 live sessions — including inspiring education sessions, expert-led tracks, exhibitor presentations, timely insights from Game Changers, and pre- and post-GSX sessions — and the ability to earn 21 CPEs. You can view the entire GSX lineup via the GSX website (GSX.org).
Keynote presentations will begin on Sept. 15 and will feature the following celebrated authors and experts.
Wednesday, Sept. 15 (GSX Preview Event): Erik Qualman (Security 2030: Crossroads of Innovation and Transformation)
Monday, Sept. 27: Dan Pink (How to Make Time Your Ally, Not Your Enemy)
Tuesday, Sept. 28: Amanda Ripley (Breaking the Spell of High Conflict)
Wednesday, Sept. 29: Nadja West (Leading Through Uncertainty)
During Military & Law Enforcement Appreciation Day (MLEAD) on Sept. 29, all military, law enforcement and first responders receive free one-day admission to GSX. To learn more about MLEAD, please visit www.GSX.org/MLEAD.
ASIS has also recently revealed their GSX 2021 Game Changer sessions, taking place each day of the event. Game Changer sessions, which will also be broadcast live for the digital audience, provide multiple perspectives from thought leaders to help attendees stay informed about new and forward-looking strategies, maintain a competitive edge, and elevate expertise across their organizations.
Monday, Sept. 27: Keeping Pace with Cyber Threats: Developing a Future Focused Risk Posture
Tuesday, Sept. 28: Post-Pandemic Workplace: The Mental Health and Wellness of Employees
Wednesday, Sept. 29: From the Battle to the Board: Management Lessons from Female Military Leaders
Additionally, the in-person format of GSX 2021 will feature nearly 300 exhibitors with cutting-edge innovations, technologies, and services. GSX’s in-person host is the Orange County Convention Center in Orlando, Fla., which received the Global Biorisk Advisory Council® (GBAC) Star™ accreditation on outbreak prevention, response, and recovery. Rest assured that we are taking every precaution to safeguard your health and safety.
If you can’t join us in-person in Orlando, every attendee is valued through the GSX digital experience. From the digital kickoff event on Sept. 15, you’ll have access to on-demand content through the end of the year.
You can tune in to live-streamed events from two learning theatres during Sept. 27-29. Engage in live Q&As and speaker interviews during pre- and post-encore events through the GSX platform. Access to on-demand content is available through Dec. 31.
Lastly, it is important to note that involvement in GSX directly supports the funding of scholarships for security professionals and the administration of essential industry certifications, standards, and guidelines.
So, whether you can attend in-person or remotely, GSX is the place where global security professionals convene to develop their security game plans, network and conduct commerce. For more information about GSX, please visit GSX.org. See you all at #GSX2021!
John Petruzzi is the 66th president of ASIS International (www.asisonline.org).
Cisco Canada and Fredericton, N.B.-based CyberNB, in partnership with the New Brunswick Department of Education and Early Childhood Development, have announced a new program to deliver cybersecurity skills education and training to upwards of 1,500 high school students over the next three years.
Cisco Canada president and CEO Shannon Leininger shared that the company had been in talks with CyberNB for about a year to create an opportunity for the two organizations to come together and support their goals of upskilling students with cybersecurity with the help of the New Brunswick Department of Education.
“We want more kids to be interested in STEM and to create that pipeline and really to inspire and encourage them to kind of move into some of these areas,” Leininger said in a recent interview with Canadian Security. “We believe that we’ve got skills and experience to bring in this area –– we’re always looking to build partnerships with organizations that support our goals to enhance cybersecurity skills and develop and train in the areas of it.”
CyberNB CEO Tyson Johnson described the partnership with Cisco Canada as “a perfect marriage... What we’re able to do now for the first time in Canada is deliver these programs, not just to our schools, but to any student interested within whatever school they happen to be in, in the province of New Brunswick, which is really exciting,” Johnson said.
Leininger and Johnson said that high school students from across New Brunswick in grades nine through 12 are the target demographic for the program, which will kick off in September, and will be available in both English and French.
Using the Cisco infrastructure, students will be able to log into the program from anywhere. The courses include intro to cyber, cyber essentials and networking essentials. According to Johnson, the program includes quizzes, tests, hands-on labs and practicums.
Once the 255-hour program is completed, the students will receive the advanced Cisco Certified CyberOps associate credential, which validates the students’ skills and knowledge in security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures.
“The thing that I love about what we’re doing with CyberNB in the Government of New Brunswick is this public-private, not-for-profit partnership really does create a beautiful blueprint that we can replicate in other parts of the country,” Leininger said. “We’ll continue to do great work within that academy.”
Arguing that the skills acquired from the program are fundamental, Johnson says that the students will be able to apply the learnings from the program to whatever field they choose to go into.
“Cybersecurity is less of a vertical these days –– it’s more of a horizontal,” Johnson explained.
“These skills that these students will be learning will serve them well no matter what sector they end up going into because everything is becoming digitally enabled — and the ability to ensure digital resilience and understand what that means.”
Added Johnson: “We’re excited to see what the next year to three years holds for ramping up here in the province of New Brunswick.”
— Alanna Fairey
August 16, 2021: 17th Annual IAHSS Ontario Chapter Golf Challenge, The Country Club, Woodbridge, Ont. www.iahss.org
August 18, 2021: ASIS Toronto Chapter Golf Tournament, Angus Glen Golf Club, Markham, Ont. www.asistoronto.org
September 30, 2021: Regional Council of CANASA – Québec Golf Tournament, Club de Golf Summerlea, Vaudreuil-Dorion, Que. www.canasa.org
October 7, 2021: Canadian Security Honours, Online. www.canadiansecuritymag.com
October 18-20, 2021: (ISC)² Security Congress 2021, Orlando, Fla. www.isc2.org/congress
November 3-4, 2021: Sector, Toronto, Ont. www.sector.ca
November 8-10, 2021: IAHSS Annual Conference and Exhibition, Myrtle Beach, S.C. www.iahss.org
November 17-18, 2021: ISC East, New York City, N.Y. www.isceast.com
December 1-2, 2021: Ontario Disaster & Emergency Management Conference, Toronto, Ont. www.demcon.ca
December 1-3, 2021: The Buildings Show, Toronto, Ont. www.pmexpo.com
December 2, 2021: Focus On Healthcare Security, Online. www.canadiansecuritymag.com
In 1987, when Robert Clarmont saw an ad in the paper for a security guard position, he made a promise to himself: if he got the job, he would stay until he retired.
The job was at Fibreco, a wood fibre export terminal in North Vancouver, which had a contract with Paladin Security. It was a promise well-kept, as Clarmont retired from Paladin earlier this year.
“Who would have thought that 34 and a half years later, I would be handing in my notice to say I was retiring?” says Clarmont.
Clarmont went through a number of interviews before he was hired, including one at president and CEO Ashley Cooper’s house, before Paladin had an office. Over the years, he held a number of positions, including mobile supervisor. At the time of his retirement, Clarmont was a site supervisor at Fibreco.
“I always wanted to be a site supervisor,” said Clarmont. “Fibreco, for some reason, just liked me — the way I worked and the way I handled people and they just loved me there.”
When Clarmont started his career with Paladin, the security industry was not as advanced as it is today. Clarmont recalls the days of no two-way radios, cell phones or high-tech gear. “It was a lot of hard work,” Clarmont stresses. “The industry has changed so much since then –– there’s a lot of high-tech equipment being used.”
Established in 1976, Paladin was still a young company at the time of Clarmont’s hiring. During the early days when the company was still trying to grow, Clarmont recounts a conversation he had with Cooper that set him on the course for his career moving forward.
“I remember Ashley telling me, ‘Robbie, we’re just starting. You’re the one that has to lead by example and for this to work,’” Clarmont recalls. “So, that’s the way it was. He told me so many times over the years, ‘Robbie, when I needed something done, I could always depend on you and you’d get it done and not only get it done, but you did it well.’”
The admiration was mutual for Clarmont, who says that Paladin as a company was the best part of his job.
“We started out with only one site,” Clarmont says. “It was an opportunity to learn how to grow, see it grow from that, from practically nothing, and see how it evolved.”
Over the years, Clarmont built a reputation for himself for his courteous and kind demeanor, so much so that when he went in to the head office to collect his last pay, his CSM called him into his office and showed Clarmont his laptop.
On the laptop was a LinkedIn post about Clarmont’s retirement that amassed over 500 likes and received plenty of positive tributes and well wishes. As he went through the comments, Clarmont saw a lot of names that he did not recognize.
“I don’t even know who that is … I never met her in my life,” Clarmont recounts with a laugh. “I thought that was quite awesome.”
Recognizing that security is a people-oriented industry, Clarmont says that he made sure that he was always looking out for others and made a point to be kind.
“If I can make somebody happy and do my job at the same time, I’ve accomplished that,” Clarmont shares.
As for Clarmont’s retirement plans?
Like everybody else, Clarmont is hoping to take a nice vacation. “I’ve been working in the workforce for 45 years –– I deserve one good holiday,” Clarmont says with a laugh.
However, Clarmont is not closing the door on returning to Paladin to work two days a week. “I don’t even need a resumé!” he jokes.
While Cooper said at Clarmont’s retirement lunch that there will never be another Robbie, Clarmont has advice for those who want to join the security industry and build a career like he did.
“Be firm but be courteous, be kind, carry out your duties to the best of your ability, and don’t be afraid to learn,” Clarmont advises. “This is a fast-growing industry — you learn things every day. Don’t be afraid to learn, don’t be afraid to go out of your way and do that little extra something that the client wants. Go with this attitude.”
— Alanna Fairey
To watch a video interview with Robert Clarmont, visit www.canadiansecuritymag.com/videos
RHEA Group recently acquired Ottawa-based Security Through Safe Design (STSD) to grow its physical security expertise and presence in Canada and leverage cybersecurity convergence opportunities.
Founded in 1992, RHEA Group has more than 650 employees and is based in Belgium with offices in Czech Republic, France, Germany, Italy, Luxembourg, Netherlands, Spain, the U.K., Switzerland and Canada.
With roots in space engineering, RHEA Group offers cybersecurity and physical security services to a variety of clients including critical infrastructure, real estate, government and related fields, according to company president André Sincennes.
STSD, founded in 1998, provides physical security consulting services to the transportation sector, large infrastructure projects and public-private partnerships (P3s).
The acquisition of STSD complements RHEA’s growth goals, said Sincennes. “One strategy of the group internationally is to try to foster a convergence of our cybersecurity capacity with our resident physical security. We see more and more, especially over the course of the last two years, a greater awareness of the physical environment with critical infrastructure, the transportation domain, the satellite domain… there are significant efficiencies and benefits to provide a combination of cyber with physical systems.”
STSD’s expertise in the rail sector is a particularly good fit, he added, and will be a boon to the company’s clientele in Europe.
“There are so many projects internationally, and in Canada and the U.S. that are investing infrastructure dollars to either expand or develop new rail projects,” said Bill VanRyswyk, president, STSD. “There are very few organizations in Canada that have our experience and we’re going to be able to transfer that expertise into the international market.”
RHEA’s existing Canadian footprint includes an office in Montreal and a security operations centre in Gatineau, Que. The company also acquired Ottawa-based TSI Security in 2019.
— Neil Sutton
We will face new threats as we move towards pandemic recovery
What a difference a few months can make!
I’m writing this column during my last official night working from home. I return to my office tomorrow, taking the first steps toward our new collective normal. These past 16 months have been both frustrating and enlightening. (The viewpoint changes depending on the lens you apply.)
The frustration came from our initial response to the spread of COVID-19. The risks people were taking, the false science some were proclaiming — it shocked me as a security professional. In our profession, we try our best to weigh the risks against the goals our businesses are trying to achieve, but we use data, not emotion. It was really hard to see the emotional response some of us humans embraced during the early phases of the pandemic. And with every new wave, outbreak or surge, we realized how important it is to seek out experts and listen to their advice.
I’m hoping those lessons aren’t soon lost on our profession as we begin the journey back to our new normal. These first few steps will challenge us to ask difficult questions, to continually seek out the science and data, and present our risk assessments objectively to our executives. Our collective calm voice will undoubtedly be sought for our expertise on the risks we have yet to face.
The enlightening aspect of what I’ve experienced was witnessing the resilience of the security profession. I’ve seen security teams pivot from in-person training sessions to online seminars overnight. From use of force sessions, to collaborative risk assessment workshops, to Global Security Exchange (GSX) — our ability to adapt and adjust was impressive!
I’ve chatted with many security folks these past months who took on new assignments or projects with a renewed sense of pride and strength. We found more ways to contribute to our organizations. Everything from driving computer equipment to employees’ homes so they could keep working, to checking temperatures of people entering buildings. We pitched in, leaned in to the many problems, and found creative solutions to some very difficult issues. And we did it with professionalism and teamwork.
I’m worried, though, about the next phase of our recovery. As many organizations ask their employees to start returning to work, I think we need to increase our education and awareness efforts. Employees will start heading back to their offices while still working with other teams or organizations that are still working from home. We’re going to be a blend of back at work, and work from home, for the rest of this year and probably into 2022.
This space in time is when we will be more vulnerable to threats like phishing campaigns or ransomware attacks. We’re seeing the impact these cyber-attacks have on organizations, and a significant change to our workforce (like bringing workers back to the workplace) is an opportunity the cybercriminals won’t miss exploiting.
We became the team to turn to for help, regardless of the organization or the role.
We can help with the transition to our new normal while reducing risks to our employees and organizations. We just need to view this time through an ESRM lens, with a human focus. Spend time with your communications team to develop short, targeted training messages on threats like phishing or ransomware. Review your security coverage for physical facilities and look at your controls from a new vantage point. We’ve been at home for so long, we need to look at security risks now from a different perspective.
We can do this well if we truly focus on the human elements of ESRM!
Tim McCreight is managing director, enterprise security, CP Rail (www.cpr.ca).
By Winston Stewart
We can take the agility demonstrated during the crisis and make it work for us in the future
As the COVID-19 crisis begins to wind down across Canada and restrictions on business and daily life are slowly lifted by provincial governments, organizations and their leadership teams are only now beginning to take stock of the full social, economic, cultural and even lifestyle impact of the pandemic.
Most are simply happy for the opportunity to rebuild their bottom-line or get back to business as usual.
In many cases that will mean a return to the workplace with office buildings, manufacturing facilities, shopping malls and more physical locations fully reopening.
At the forefront will be security professionals tasked with managing everything from ongoing safety rules to direct public engagement.
The quality of the service they provide is crucial, because for the first time in nearly a year and a half, the millions of Canadians who quickly pivoted to remote work will be returning to their morning commute and re-entering the workplace. No one knows exactly how this will play out, but we can expect a mixed bag of emotions. From relief and joy to anxiety and frustration over having to once again elbow their way on to a rush hour subway car, we’re sure to see everything from kindness to short tempers. Security professionals will be on the frontlines helping to manage these interactions in workplace settings.
Forward-thinking security firms also have an opportunity to leverage everything from their technology solutions to guard training to provide a heightened client experience that showcases the complete scope of their service offering in several key areas.
The first is the role of the security guard as a professional problem solver. What we found throughout the pandemic is that unprecedented social distancing measures and health and safety restrictions required security teams to come up with solutions to complex challenges on the fly. There simply wasn’t time to strategize over months to determine, for example, how to fairly limit access to shared condominium amenities or to ensure that office access points (for the few facilities that remained open) were properly managed to allow for effective distancing.
The majority of security guards and managers worked with their clients to quickly and effectively adjust while under immense pressure.
There’s no reason why our industry can’t leverage this expertise to continue helping facility owners, managers and business leaders make critical operational decisions on an ongoing basis.
Another area is risk management and mitigation. The COVID-19 crisis underscored the importance of reliably delivering reactive security services — from incident reporting to alarm response — but also the need for proactive solutions that avoid problems before they can occur. The latter helps mitigate the legal liability and financial risk that keeps facility owners and managers awake at night. But it also frees them to focus on running their facilities or businesses, leaving the security concerns to their providers. Engaged security firms can and should be doing more than placing guards at lobby desks and hoping they don’t fall asleep at some point during their shift.
The same applies on the cybersecurity front. Physical and digital security are now intrinsically tied. Increased cyberattacks on organizations large and small throughout the pandemic reminded us that integrated security solution providers should be advising on every aspect of their clients’ protection, both online and off.
But back to that earlier point about delivering an exceptional client service experience.
One of the major takeaways from COVID-19 was that engaged security providers have a major role in shaping the environments they’re asked to protect. A compassionate approach to health and safety rule enforcement here, a welcoming smile on the face of a condominium concierge there — the right attitude and approach can make a huge difference to the workplace or lifestyle experience of employees and building tenants alike. Many organizations that continued to welcome clients to their facilities during the pandemic realized that security teams are often the forward face of their organization, whether they work directly for them or not. And what is it they say about not getting a second chance to make a first impression?
The point is that the positive, can-do demeanor that so many security providers served up throughout the pandemic can be carried forward to build stronger client relationships and help ensure safety as some COVID-19 rules (think mask-wearing) remain a workplace reality for the foreseeable future.
In so many ways, COVID-19 has promoted a newfound appreciation for the role that good security firms have in protecting people, property and assets.
And while our industry has an important part to play in this post-pandemic world, it’s incumbent on providers to provide the necessary training and managerial oversight to ensure their teams deliver on expectations.
In other words, we have an opportunity to prove ourselves more indispensable than ever. Let’s not let our clients down.
Winston Stewart is the president and CEO of Wincon Security (www.wincon-security.com).
By Kevin Magee
Recognizing and developing the right mix of skills is essential to organizational growth
You have probably heard that in cybersecurity we have a “skills gap.”
Given the ever-increasing degree and complexity of the global cybersecurity threat landscape, our industry has rightly prioritized and placed significant emphasis on developing a highly trained and technically-skilled workforce.
Academic and other educational organizations have risen to the challenge admirably, creating new certifications, degrees, diplomas and training programs which are beginning to graduate thousands of skilled candidates for organizations to hire. Better approaches to ensuring inclusion and diversity are also widening the pool of talent entering and being embraced by our industry. All of this should be helping to close the skills gap. Except it’s not.
While we are making great progress addressing the numeric demands for highly skilled technical talent, wave after wave of newly trained and aspiring cybersecurity professionals are still left seeking work while countless open positions continue to go unfilled. On top of this failure to effectively bridge demand with an ever-expanding supply of talent, rather than diminishing, cyberattacks appear to be increasing relentlessly in number, intensity and severity.
So, what accounts for these discrepancies? What’s missing?
In our urgency to address the technical needs of the industry, little thought and attention has been given to who will lead this future cybersecurity workforce and bridge the gaps between the technical and business worlds of the organization. This has created a new and perhaps even more complex and challenging skills gap — one of leadership.
To make progress in these areas we will need skilled cybersecurity leaders who are able to craft and implement sound strategies to hire, integrate and develop new talent. And who can also raise our profession beyond its current technical limitations, focusing simply on mitigating cyberthreats, to address the more strategic challenges of merging cybersecurity into overall business strategy, operations and culture.
Cyber defence of the organization requires not only technical experts with computer science and security skills, but also leaders with an understanding of strategic concepts such as digital transformation, organizational behaviour, ethics, business economics and operations management. Additionally, these leaders must know how to unlock potential and empower both individuals and teams. Acquiring and developing skills such as one-to-one coaching, negotiation and conflict management, organizational change, emotional intelligence in the workplace and managing a culturally diverse workforce will need to be prioritized by both emerging and current leaders.
More importantly, their organizations must encourage, support and enable these efforts in order to produce real results and develop effective leaders.
Not surprisingly, today the most easily distinguishable traits of a cybersecurity leader are deep technical skills and experience. However, while organizations do continue to require individuals with skills such as cloud security, encryption and threat hunting, proficiency in these areas alone should not be the yardstick by which we measure cybersecurity leaders. Yes, leaders will continue to need to be well versed and capable in these areas and ensure that their teams are staffed with highly skilled individuals who have the capabilities and training to handle them. However, the leaders themselves need to be something different. Something beyond simply the most technically knowledgeable and experienced.
Organizations have generally promoted individuals to the role of chief information security officer (CISO) or other security leadership roles based primarily on their ability to perform as a technical expert. This approach was acceptable in the past when cyber-attacks were less common, complex and devastating, but it is no longer appropriate today. It’s time for boards and C-suite executives to reset their expectations of how cybersecurity is positioned and what a cybersecurity leader is.
What this means is that the best cybersecurity leaders may already exist within your technical teams and simply require more education, training and opportunities to develop their management competencies. It may also mean that a proven non-technical leader who knows the business and organization, has built trusted relationships throughout the company and has an aptitude for cybersecurity can also transition to a cybersecurity leadership role.
The cybersecurity leader of tomorrow must be able to not only respond to technical threats but to effectively manage teams and embed security throughout the entire organization’s operations. They must also be able to translate technical concepts into messages that engage and inform the decision-making of other senior leaders and the organization. They must act and serve as the “technical authority” on the organization’s leadership team.
But for this to happen, cybersecurity needs to be embedded across the organization. Developing the right leaders to make the function not merely effective but thrive needs to become a strategic business imperative. Only then will we begin to close the next great challenge of our industry, the leadership skills gap.
Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).
Campus security professionals share their thoughts on pandemic response and the department’s role in promoting diversity values
It’s been said that universities and colleges are like small cities — with diverse populations, housing, buildings, retail, dining, parking and a long list of other amenities and facilities. If you live on campus, you need never leave. That changed, of course, when the pandemic hit last year. Most went home; some had to stay. And every interaction was managed with the utmost care.
Canadian Security reached out to campus security professionals to get their take on how their pandemic plans unfolded and the lessons they will carry forward as students return to school in the fall.
We also asked questions about the role the security department can play in campus engagement and the promotion of Equity, Diversity and Inclusion (EDI) values in post-secondary environments.
Roundtable participants included: Pat Patton, director of security and operations, University of Regina; Jacob MacIsaac, assistant director of campus security, Dalhousie University; Steve Bernique, Ottawa account and branch manager, GardaWorld; Kathy Branton, manager, business continuity and emergency management, Humber College; Devon Reeves, special constable, engagement and inclusion officer, Carleton University; and Brian Mitchell, manager of campus safety and security, Appleby College. (Mitchell is also co-chair of the ASIS Toronto chapter diversity committee and teaches an EDI course at the Ontario Police College.)
The roundtable, held virtually on June 3, was sponsored by GardaWorld and presented with the support and co-operation of the Ontario Association of College and University Security Administrators (OACUSA). This conversation has been edited for concision and clarity.
Canadian Security: What was your initial reaction to the pandemic and how did your emergency plans kick in?
Kathy Branton: We actually started following [the virus] in late 2019. By early 2020 — I think by the end of February — we’d actually activated our emergency operations centre.
We started with a very small group of people, including our health and safety folks, our legal representatives, security and some of the executive. By the beginning of March, we’d activated the full EOC and started to have meetings twice a week. Of course, we shut down in March and that sent us into overdrive in terms of what our response was and what we were going to do. Luckily, just prior to all of this, we had just done a revision of our emergency plan. We had spent the previous year implementing our business continuity plan, so we had [those] in place for every faculty in every department across the institution.
I was also, at that point, in the midst of updating our pandemic plan. All of these things sort of coalesced at the same time, so it put us in a good position in order to respond to this.
One of the key things we did was set up small subcommittees as part of our EOC. There were three that were really key in terms of helping us manage our response. The first was our return to campus planning; they kicked into gear as soon as we sat down. The first thing they started to do, led by our VP of academic, was look at different scenarios for potential reopening and what they would look like, and how we would deliver programming. They did a fantastic job of doing that. We also established a COVID reporting team for our college, so students or staff who were potentially infected or diagnosed with COVID could call in and get support.
We were able to then track how it affected our community. So we could look at: did we have the potential for any risk to our campus and how are we going to mitigate that risk? And then we also had a COVID watch group that was tasked with really detailed monitoring of the situation and what was happening and what was going on outside and how it could potentially affect our community inside. All of those groups worked together to give us a really, really good cohesive response. We have kept that up for the last 15 or 16 months.
Steve Bernique: The 15th of March is when everything, here in Ottawa, came to the surface for us and we got shut down. From there, GardaWorld’s perspective was, how do we support our clientele? And how do we protect our personnel? We’re all over the city, we’re all over eastern Ontario. Sure, we had all of the disaster plans and protocols in place for a pandemic... but you never think you’re going to have to pull them out.
In a multifaceted environment with so many silos of clientele, everybody’s requirements were completely different. How do we meet the needs of all of our different clients? It was everything from, “We’re going to take some precautions” to “We’re going to shut down our businesses.” GardaWorld’s response was very client-driven in regards to their emergency plans because everyone’s got their own. It’s not like we were instilling our emergency plans on their protocols. It really was a supportive role and workforce protection to make sure our personnel were safe with the proper PPE.
Devon Reeves: In terms of our department, as opposed to the entire university, it just came down to contingency planning. Without [being] a massive group ourselves or the ability to hire great numbers more to accommodate, we had to figure out how we were going to keep the teams afloat while everyone else was moving off campus. The job description and what we were doing kind of ended up getting broader and broader.
On top of that, we ended up getting very close with our facilities management and talking about how we were going to secure areas, how we were going to start doing decontamination, both for areas that we were going to lock down and on a reoccurring basis for spaces that needed to remain open. It really just came down to: how do we break up the teams in a way where we can continue to get that same coverage while also insuring that if one person gets sick, it doesn’t take down an entire team.
Jacob MacIsaac: Our response wasn’t dissimilar to what I’ve heard from everyone else. Operationally, we staged up our EOC early. In mid- to late January, we started with the group, getting together twice a week and just watching — figuring out what was happening, talking to partners across the region and then it evolved through to March. What I wanted to do was take a slightly different perspective... what worked well for us was what we did the three years before. We started doing tabletops across our institution, practising getting people together every couple of months in the EOC — familiarizing them with how this works and how decisions are made. Our campus emergency plan puts the director of the security department as incident commander. That’s a strange place for security to take over in a big way. You don’t want to be figuring that out in the live environment. We started table-topping these exercises — our pandemic plan, major weather events — and we did that so that the relational aspect of responding would be clear.
People got a chance to figure out how we work together, how these meetings run, how decisions are made, how we prioritize. When we did have to go full out in March 2020, we were able to figure out that while this situation was unfamiliar, we’ve been here before. It allowed us to take care of things because we had that foundation.
CS: What lessons will you take forward following the pandemic?
Brian Mitchell: I think we’re in a bit of a unique position where all of our students had laptops. We already had an existing framework to be able to deliver education to our kids without actually being inside the school. However, [we spent] months and months putting down signage and floor signs. Right now, we’re operating in an every other day capacity. We have half the school here at any given time. Things have worked out well for us. We have two full service medical centres on site and two quarantine houses on site for international students. We’re a little bit lucky in that we’re able to manage people coming in and out where some schools may not have that. It’s been a lesson, that’s for sure.
Branton: What we’ve been doing during the course of the entire pandemic with the EOC is interim action plans. At the end of every semester, we’ve been doing a debriefing and developing an interim action plan about what worked, what didn’t work and how we can improve. For the most part, we’re finding that a lot of the training and the policies and procedures we had in place are coming to fruition and working quite well. In terms of our safety and security policies, nothing has really changed at this point and I don’t see any major policy changes until we get to the end of this because a lot of the things that we’ve put in place right now are, we’re hoping, temporary measures: temperature screening, physical distance, all of those actions.
Once we come out of this, we’ll go back to normal maybe. It will be a new normal, but hopefully it won’t be quite as intense as it is now. We’ll wait till we’re out of it to see what permanent policies may change, but we’ve been really rolling with the changes as they come about and adjusting as necessary.
Reeves: The important thing we’ve learned is the need to maintain established and strengthen connections both on and off campus. The silver lining of being isolated is that you can be a lot more intentional when it came to reaching out to people — getting support and looking for equipment and how to keep this thing going. So, as a result, the departments that we worked with in the past we ended up having to work with a lot closer to keep those operations going at the university. Externally, for PPE providers and how we fit with other services in the city, there’s been a lot more conversations, a lot more dialogue, a lot more co-operation. We’re making sure we’re maintaining those relationships going forward and certainly building out a more robust decontamination procedure so that we’re ready next time.
Bernique: I would say the biggest learning curve was the “virtuality” of life. With the new normal, everything is done through the computer. The piece that we’re missing the most, I would say, in the office environment is that water cooler time — that chat over a cup of coffee where you can throw some ideas around. It’s not quite the same when you do that virtually.
From a lessons learned perspective, as a service provider, it’s protecting our staff. The biggest learning curve was making sure we have the proper screening protocols in place. So before you even left your house, we were putting in protocols. It was about making sure that the essential people that we need to keep the businesses running were actually protected. Case in point, our dispatch centre is located at our head office. We literally had to shut down access to our office so I knew I wouldn’t lose our dispatchers. They are the heart and soul of our business.
It wasn’t that the people working from home get the luxury of working from home... it was literally them doing that to protect our core group. We weren’t doing this as a perk, we were doing it as a protection piece.
We have 800 staff members in Eastern Ontario with varying clientele — everything from retail to office towers. Most of our office towers kept their staffing in place, but the buildings are empty. So we have gone from the customer service and access control perspective to now looking for heat, lights... those kinds of things — the preventative side of the house. You rely on your community for community reporting... “see something, say something.” You’ve lost that piece. Our staff became that vital tool.
The front line was really the success for this group. It wasn’t me sitting behind my desk, or sitting at home; it really was the front line workers.
Pat Patton: We had very similar experiences to what’s been mentioned, but I think the unique part of this emergency was that security was not front and centre in most cases of this. We were really there as a support role. As has also been mentioned, we still needed to be able to access the university. As all my colleagues will probably agree, universities are really tough to get into the mode of locking down.
We were able to develop access points. Our campus is a bit unusual in that all of our buildings are interconnected. We were able to hire students who sat at the access points. When people came in, we did some information gathering so that we could have contact tracing information. It also gave us some information on where people were going and what they were doing while they were there, so it did help us on the security side.
We’ve had that in place for a full year now. We’ll be disbanding it over the summer, but it’s been a great form of student employment and to make sure our community is safe and secure when a lot of the eyes and ears — which are the employees — are gone.
CS: What is the role of the security department in terms of promoting Equity, Diversity and Inclusion (EDI) on campus?
Mitchell: When it comes to campus security, generally they are the front line of contact. If there’s an emergency, generally they’re going to see whoever is having that emergency. I specialize more on the 2SLGBTQ side of things, but the future of response is making sure we’re providing the right services to the people we’re helping.
My main concern in the security industry, which is much like law enforcement, is when we start that interaction with a person, whether they’re in trouble, whether they need help or whether they’re asking a question, are we being equitable towards that person? Are we still using “sir” or “ma’am” and talking to people in that “old-fashioned” way or are we being more diverse? If there’s a trans student, are we making sure we’re talking to that person and asking them what they want their pronouns to be and all the nuances that go with that? You could quite literally destroy your company’s reputation or your school’s reputation if that interaction doesn’t go as it should.
I think the biggest thing that we’re going to face is, how do you train hundreds and thousands of security guards properly? Also taking into account that a lot of these security guards might be new to Canada... and also taking into account their backgrounds and religious ideologies? So it’s a little bit of a soup when you look at what you’re walking into here.
But I think it’s a challenge that we’re willing to take on. I don’t think there’s a leader out there in the security industry who isn’t willing to change for the better. Without all of us on board, this will never happen, but we also need to realize why we’re doing it. We’re doing it because we want everybody to be equal.
Reeves: Equity, Diversity and Inclusion is essential to the mission and direction of my institution going forward — especially now that we’ve gone through this pandemic. Security and law enforcement services on campus are not independent of the organizations they’re serving. You’re a member of that community, just like everybody else, and you’re not above or outside of that in any way. So if that is the mission of your institution, that is your mission as well, and you need to find a way to support that as well as possible.
As it stands with my department, we are pioneering the engagement and inclusion officer program. It’s the first adoption in Canada since its inception at the Iowa State University police department. It’s a position dedicated to redefining what community partnership means [through] the lens of community policing.
My department has been the first through the gate on a lot of external reviews in terms of hiring practices, how we’re making sure that what we’re doing is equitable and free of bias. Outside of just partnering with the university, we’re kind of first when it comes to doing a lot of these initiatives and the university is looking to base a lot of changes [on] what is the result of campus safety services at Carleton.
MacIsaac: It’s a passion for us. About 10 years ago, we intentionally embarked on a course to reimagine what campus security would look and feel like. What would it look like to have an anti-oppressive approach to security services? We really wanted to engage some of our on-campus partners to say, what would it look like if we broke our over-reliance on enforcement models toward public safety? We started to do a wrap-around care and support model. So, adopting more restorative approaches versus punitive approaches.
When we went to our students and said, “What do you think about security?” They said, “We don’t ever think of you.... If we did call you, we wouldn’t know what you could do. You’d probably have to call real police.” We really took that to heart and thought, no one wants to be the “B” version. Let’s really play up the fact that we’re not police and that we occupy a very different role.
We stepped fully away from special constable status. We’ve connected with our students in different ways by making it clear who we are and who we aren’t. It’s not that we’re anti-police, we’re just not the police. That was not just a subtle shift. That actually informed the way we did our hiring. It started to look at who wants to be here. If you’re coming to join us to be a stepping stone, you should probably go somewhere else that’s probably going to be a better stepping stone. We have decided that we are not that, and it’s not going to be the runway to that.
In terms of Equity, Diversity and Inclusion, we look at equity as the recognition of pulling down the barriers that has made it difficult for people to get into our profession.
We’ve been looking at access to our ranks, but also there’s the inward and outward view. What makes us unapproachable? What are the barriers that we have to be actively dismantling so that we can be more accessible to folks. Moving to that we understood it would require a commitment to diversity — diversity of perspective, experiences, voices. And we had to do that without it being tokenized. We didn’t just want one person of each group, we wanted it to be an honest effort towards diversifying and believing that our service would get better because we had access to more perspectives.
All of that came quite easy. The hard part was the inclusiveness. It was, who were you going to be in the locker room? Who were you going to be when you’re in the patrol vehicle talking to the partner? What are the kinds of jokes that have been allowed in the culture? We had to go hard after the culture that we had established here because you can fake it in five minute interactions on the front line. These EDI principles really changed everything for the way we work, who we are and how we serve our campus.
Branton: We’re very mindful about trying to ensure that our security staff mirror and reflect [our] diverse community... so people can see themselves in the people that are coming to help them.
We also try to be mindful of the fact that because we have a large international contingent, people that come from different countries have different experiences with people in uniform. They may be intimidated right off the bat, just because you’re in uniform... We also try to be mindful that they may have some [previous] trauma that’s associated with calling security and they may be leery. We try to make sure our staff are aware of that.
We also do a lot of training. We just put every single person in our department of public safety, including the management staff, [through a course] on anti-Black racism.
I think recent events also would show us that Indigenous training is also necessary in terms of respecting the land and where we came from.
CS: In our last issue, we featured an article authored by Pat about some of the research she has conducted on female representation in campus security. Can you talk more about that?
Patton: I did this research along with a Masters of Business Administration, which I completed last year. In trying to think of what topic I would do my research on, I picked something that was near and dear to me.
Before I get into that, I want to acknowledge how impressed I am by the things that are being done by the people around this table. We still have a ways to go but we’re getting there.
Most of the research that I talked about was around policing. I think that campuses need to start to define who we are, because in most cases, we’re not police. Finding our profession and being proud of our profession is something I’ve been trying to encourage with my staff.
In particular with women leadership issues, we want to be reflective of our community. At universities, in most cases, more than 50 per cent of our population on campus is women, but we’re still only at 25 per cent seeing women as leaders in campus security across Canada. There were three key points that I found that were setting up barriers for women. The first is work-life balance and the challenge of women still being seen as the caregiver, whether it’s for kids or parents. That is a barrier for women to enter into the occupation where they would be in a pipeline to get into a leadership role. Trying to figure out how we can accommodate that better... is something I think we have to look at as an industry.
As has been mentioned already, one of the other barriers is workplace culture and the way that we talk. We do tend to be a male-dominated industry and some of that “old boys’ club” in the locker room is still there. It’s the everyday culture that we really need to work on. Finally, the last point that acts as a barrier is around leadership style. The “command and control” type of leadership is very important in our industry, but it’s not typically a leadership style that is natural for women. Women, in general, are more often about a collaborative type of leadership. When women are trying to act in the way that their male colleagues are, you get that standard that the guy is “strong and forceful and competent,” whereas the woman is being “bitchy.” That’s still there. It’s still very much alive. As we’re all learning different types of leadership styles, women will be a little bit more comfortable in those styles that are more collaborative. It’s trying to get our industry to shift a little bit.
With attacks increasing in frequency and severity, experts offer advice for preparing a solid defence
By Alanna Fairey
Ransomware attacks have been on the rise over the last several years, targeting businesses as well as critical infrastructure systems.
“Threat actors are attacking 24/7 –– this is a full-fledged business for them,” says Jason Conley, digital forensics examiner, Envista Forensics Ltd. “If an organization doesn’t have, for example, two-factor authentication or other security controls, eventually [threat actors] are going to get in.”
Fabian Franco, senior manager of digital forensics and incident response (DFIR), threat hunting and SOC, OpenText, says that supply chain industries and corporations that have not invested a lot of money into their cybersecurity practice and infrastructure are starting to see that it’s like “shooting fish in a barrel” for threat actors to infiltrate.
“It’s easy pickings to go out there and find a vulnerability that may be exposed to the internet and for them to take advantage of it,” Franco says. “Part of that security posture is making sure you’re patching your systems.”
With ransomware attacks on the rise, there has been more of a concerted effort to take threats like this more seriously.
“We’ve been seeing a growing concern, which is actually surrounding what’s called the supply chain,” says Jaycee Roth, associate managing director, cyber risk, Kroll. “The idea here is understanding and knowing how your network connects to or touches other organizations, and how that information is shared or protected with other organizations.”
The implications of a ransomware attack may extend beyond the immediately affected targets.
“It goes beyond just that organization,” says Franco. “That’s where there needs to be that investment where a company may spend a couple $100,000 up front, instead of having to spend millions on the back end and affecting the entire community outside of their one little ecosystem.”
According to Conley, while IT teams may be excellent in their ability to fix or build technology, they may not be trained in cybersecurity — which is something businesses should consider investing more heavily in.
“Cybersecurity is a field unto itself, with various specialized training, and if an organization doesn’t invest in somebody like that inside their department, they need to retain somebody at least to come give them a health check,” Conley says.
“It’s as damaging as a fire and businesses need to treat it with that level of severity because I’ve seen ransomware remediation periods go from 14-21 days before businesses get back up and operational again.”
A company’s decision to pay the ransomware demands is not a simple question, according to the experts.
Calling it a “sensitive topic” amongst the U.S. government, Conley also notes that the RCMP has been vocal about deterring victims from paying the ransom.
However, he also says that “when it comes to a business decision, the CEOs are often looking at one, and I’ve seen some businesses where they would have been destroyed had they not purchased a decryption key. For others, it’s a matter of return on investment.”
Reiterating that paying the ransom is not a black and white question, Franco explains that there are a number of different reasons why a company may choose to pay a ransom, and that the full scope of the situation needs to be considered.
“For example, a company that gets hit with ransomware may have others advising not to pay, but they don’t realize what’s being lost,” Franco says. “How much money are they losing overall because of a ransomware attack where they may lose $300 million?”
Franco says that when a company pays the ransom, it may have cost them $3 million, which to them is a “no-brainer,” but then there is the bigger picture of “what about the employees that aren’t going to be able to go to work, or that are living paycheque-to-paycheque and don’t get a paycheque for two or three weeks until this is recovered?”
For Roth, if the question of having to pay was asked prior to November 2019, she would say that if a company had valid backups, they could likely avoid making a ransom payment. Or for victims that could live without the affected data or simply re-create it, they may not have to pay.
“Now, since November of 2019, a ransomware variant gained celebrity status called Maze, which is like a gang name, and they came on the scene and they introduced a new tactic called data exfiltration into their attack pattern.”
Data exfiltration, says Roth, is essentially copying files and folders out of the victim environment. The threat actors then put them into their own systems and environments.
“Now not only are all your files locked, but if you were a company that prior to November 2019 would have had backups and could have restored or could have lived without your data, you now have this threat looming over your head that an attacker has information from your environment, and they use that as an extra layer of extortion to say, ‘If you don’t pay us, we’re going to post this data,’” explains Roth.
There have been several notable ransomware hacks in the past year, including the Colonial Pipeline in Houston, Tex., and the meat processing company JBS, where an attack temporarily disrupted some operations in Australia, Canada and the U.S.
In a statement published June 9 on its website, JBS USA “confirmed it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
“No organization wants their client lists or personal health information, customers’ credit cards released on the dark web,” Conley reasons.
“Now, of course, paying that to a criminal organization, you have no guarantees that they aren’t going to turn around and utilize that data elsewhere. But that’s another big deciding factor as to why organizations are paying out.”
Adds Conley, “[JBS] probably wanted to show that they did everything possible to avoid that exposure.”
Recognizing that there is plenty at stake, implementing a strong cybersecurity hygiene program has become a top priority.
Roth shares that the federal government will be passing Bill C-11, which enacts the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and makes consequential and related amendments to other Acts.
“We’re going to see some enhanced compliance obligation penalties, as well as revised private right of action against giving rise to class action risk and service provider obligations,” Roth explains.
“One of the obligations is going to be that if you are an organization that transfers personal information to your service provider, the service provider provides substantially the same protection to that personal information that you would be happy to provide under that act.”
Roth adds that the penalties under this bill are quite substantial, with a maximum penalty of $10 million or three per cent of an organization’s gross global revenue in its financial year. “That’s going to be substantial for a lot of businesses and making sure that their data is protected,” Roth says of the bill, which is still waiting to be passed.
Stressing that good cybersecurity hygiene “has to be a living, breathing, effort,” Conley says that it should be treated with the same care that an organization would manage a disaster recovery plan or a business continuity plan.
“This should be a very active, very alive document because times are constantly changing and the technology is constantly changing,” Conley says. “Any good security program has to have layers. When organizations keep up a human firewall, they keep their employees on the ball and up to date on this; they keep their technology up to the highest standards possible and they’re doing everything they can. And with cyber insurance on top of that, I think that would put any organization in a pretty good stance for coping with the future.”
Concludes Conley: “The less companies that have to go through this, the better.”
Security projects may require input from departments across the organization
By Jeremiah Johnston
While the COVID-19 pandemic disrupted business models around the world, the adoption of modern and cloud technologies has remained a focus. As businesses move into the pandemic’s next phase, defining a clear and updated security strategy can help instill much-needed confidence and will help ensure you protect what is important to you and your business.
A comprehensive security solution is essential to any business. It has the potential to impact nearly everyone involved in the business, and it is something many different people will use for years to come. So, when determining a security strategy, you should document every decision and every aspect of how you protect your employees and business.
In the past, many organizations felt the need to keep security details confidential. While this may be true for external parties, not sharing this information internally can have devastating effects on your organization in the long term. However, involving too many decision-makers or system users could be perceived as slowing down the process or lead to potential threats down the line.
To limit the number of people involved in the project, it’s important to include those who have a clear understanding of the company’s existing security system and those who will see the most direct impact of the implementation of the new systems. This way, you can make a more informed decision while still keeping your security solutions as secure and effective as possible.
So, it begs the question: Who should be included in the discussion about security? Let’s discuss.
An IT department may just mean the work of one person, or it could mean a team of IT professionals spread out across the globe. Regardless, including the IT department at the table when discussing security is essential.
When implementing modern security systems like a video surveillance system or access control system, the components will likely come into contact with your data network. The IT department has a deep understanding of your data security specification as well as the new hardware and software that the new security system may need to comply with.
In most traditional office environments, IT maintains a room that includes all of the IT equipment such as servers, cable types and network switches. With buy-in and support from your IT department, they can determine what technologies can be properly supported on the network and the amount of bandwidth that should be allotted. For example, a video system constantly receiving and recording footage will require more bandwidth than an access control system. IT professionals can promptly answer questions and share if they foresee any issues happening down the road, especially if they’re brought into the process early. When they are not included from the beginning, your company can expect a lot of delays and expensive issues that could have been otherwise avoided.
Facilities director and/or head of maintenance
Who knows your facilities better than your maintenance or facilities department? The maintenance and facilities teams have a key to every door in the building and also have access to the blueprint of the building — they can locate every duct, pipe and conduit. Additionally, they have knowledge of exactly who has access to the building and any past physical security issues that may have occurred.
When implementing a security system, they will be able to help your security integrator find the best cable pathways and can facilitate any permit approvals needed. On the other hand, by having someone from the maintenance team be involved in the security decision from the start, they can identify when service is needed and be on the front lines in helping address and resolve those issues.
We all know that bringing a security integrator into the project is necessary; however, the question is, how early in the process should they be brought in?
You should involve a security integrator from the project’s start. They can identify your company’s current security system, assess your needs and how a new solution will integrate with the existing one.
A security integrator should be excited to learn about your business and can develop the best plan to fit your company’s needs. Most likely, this isn’t their first time doing this kind of work, so they can help you prepare the best questions to ask your IT, maintenance and any other teams involved in the project.
When first meeting with your security integrator, give an overview of your company’s goals and objectives. Then you can ask for their help to determine the best solution. It’s vital to note that security integrators should be there to help you. If they’re unwilling to learn about your business and only try to force their product on you, you will end up with a less than adequate result.
Most importantly, don’t go at this alone. Protecting your employees and your property should be a top priority for your company, and it can be a very complicated process. That is why it’s crucial to select an integration team of key decision-makers to smooth out the planning and installation process. All of these people, who have knowledge about different aspects of the company, can come together and determine the best strategy to ensure the security and safety of your business.
Jeremiah Johnston is a systems integration security consultant at STANLEY Security (www.stanleysecurity.com).
Joe Byrne is a regional CTO at AppDynamics, a part of Cisco (www.appdynamics.com).
Despite rapid developments in cybersecurity in recent years, some business leaders aren’t aware of security’s emerging role as a driver of innovation for the enterprise.
The security industry and its solutions have grown beyond reactive firefighting in IT, which is an antiquated view of cybersecurity’s role in business. Now, security is supporting digital transformation and enabling business strategy, so it should be seen as more than a cost centre.
Here are some of the interesting and notable ways cybersecurity is evolving in 2021.
Security professionals and DevOps teams have typically worked on application development separately, in silos. Technologists and CISOs have started to notice that working this way can cause inefficiencies — the biggest being that applications become more prone to cyberattacks. To solve this, the concept of DevSecOps was created as a modern approach to app development that embeds security throughout the entire development lifecycle. Instead of waiting for an application to be built before adding security features, DevSecOps integrates built-in security capabilities from the beginning of the development process. With this new approach, a DevSecOps engineer works to make sure apps have the necessary safeguards in place before being delivered to the user. The icing on the cake? This also ensures apps are continuously secure during updates.
The accelerated digital transformation of the past year created a need to navigate the growing tech sprawl of legacy and cloud technologies. Using a full-stack observability platform, enterprises can cut through the noise and stay ahead of slowdowns, issues or security threats. This enables all teams to have the same visibility into the business impact of enterprise applications.
The caveat is most observability platforms available don’t offer capabilities for identifying, managing, and fixing security issues. Yet organizations are realizing the importance of security when implementing an application observability tool and are now looking for this type of offering. Cue the rise of the full-stack observability platform with business context and application security built-in. This integrated solution is better able to keep business and customer assets safe, enabling better experiences for both customers and employees.
The technological advancement of digital tools is not the only factor at play in the growing role of cybersecurity. In addition to embracing modern solutions and encouraging collaboration between departments, board-level members of enterprises are looking to be better informed on security strategy. This creates an important opportunity for CISOs. They can now create reporting methods that demonstrate the value of cybersecurity to the business.
Cybersecurity risk quantification is a growing trend that assigns a dollar value to probabilities of future losses from cybersecurity breaches. Those using the latest tools and strategies effectively will be able to make a compelling case for the important role of cybersecurity in supporting their overall business strategy.
A modern approach to cybersecurity leverages better, newer methodologies for application development and combines observability and application security into a single solution. It also shows a positive return on investment to prove the important connection between cybersecurity and a great customer experience.
Yet, as enterprises and their technology teams continue to digitally transform, both technology sprawl and data sprawl will increase complexity for the business. This means the old approach of including cybersecurity as an afterthought isn’t going to cut it. Protecting the entire digital business needs to become a core value.
Business leaders who embrace this sooner rather than later will reap the benefits of holistic digital transformation across the enterprise.
Databuoy
A real-time gunshot detection and localization system like Shotpoint automates the emergency response process, reducing response times. Shotpoint’s acoustic-based sensor technology can listen for and trigger on life safety events and gunshots. Acoustic sensor networks can compute an accurate location of the source of the sound using the angle-of-arrival (AoA) and time-of-arrival (ToA) data obtained from a network of sensors that all detect the signal. Shotpoint can deliver localized video, send safety alerts, and notify first responders with digital floorplans and accurate data of the shooter, including weapon caliber. www.databuoycorp.com
Delta Scientific
Delta Scientific announces the successful testing of its Model DSC635, a single shallow foundation bollard design that stops and destroys a 15,000-pound (6,804 kg) test truck with less than two feet (0.6 m) of static penetration and 6.14 feet (1.87 m) of dynamic penetration. The simulated bomb load remained intact and contained on the truck bed. The test vehicle weighed 15,000 pounds (6,804 kg) and was traveling over 50 miles per hour (80.5 km/h). The front wheels were pushed back behind the cab and the engine ended up on the passenger side of the seat. The truck was stopped and completely disabled. The DSC635 bollard has a height of 44 inches (111 cm) and a diameter of 15.75 inches (40 cm) with a cover. Delta’s bollards can be furnished with an array of decorative covers to enhance the look and match the aesthetic of the surrounding structures. These covers include stainless steel, powder coated aluminum and fiberglass with custom styling and painting also available. www.deltascientific.com
Alcatraz AI
The Alcatraz AI Rock solution detects tailgating by identifying, in real-time, an individual as he or she approaches an entrance and identifies whether the individual has been authenticated. If an unauthorized user follows an authenticated user through a door, the solution will identify that user as a tailgater, and an alert is sent and logged into the access control system, along with a still picture of the unauthorized person. To prevent tailgating, the solution can be configured to send an alert to the access control system in the form of a unique credential that can only give access to authorized users. In this way, it can provide data on tailgating hotspots. www.alcatraz.ai
3xLOGIC
This gunshot detection solution features a dry contact that allows it to be integrated into existing security systems. Rather than utilizing microphones, infrared sensors, or complex analytics, the self-contained device relies on concussive force recognition sensors to detect gunshots. When a gun is fired, the bullet creates a shockwave as it exits the barrel of the gun and travels through the air. This shockwave creates a unique concussive force that the 3xLOGIC solution is able to detect. With a detection radius of 75 feet and 360-degree coverage, offering 15,000 cubic feet of coverage per device, the solution minimizes the number of gunshot detection sensors required. The gunshot detection solution offers ceiling and wall mount options.
www.3xlogic.com
Southwest Microwave
Southwest Microwave has expanded its suite of IP-based Power over Ethernet (POE) intelligent perimeter intrusion detection solutions with the INTREPID MicroPoint-POE-S Fence Detection System. Suited for fence applications with cut-or-climb intrusion risks, MicroPoint-POE-S employs proprietary digital signal processing algorithms to precisely locate intrusion attempts to within 1.1 m (3.6 ft.) while ignoring harmless disturbances caused by wind, rain or vehicle traffic. MicroPoint-POE-S couples MicroPoint fence sensor performance with secure TCP/IP network integration via a single Ethernet cable for power and data transmission.
www.southwestmicrowave.com
Intrusion detection
Senstar
The Senstar LM100 perimeter intrusion detection and deterrence system uses wireless self-healing mesh communication network technology to relay intrusion information enabling the system to operate in a coordinated fashion. When networked, the LM100 reports intrusion attempt locations to the site’s security management system to enable a directed response. Optimized for use with camera surveillance systems, the Senstar LM100 provides localized, uniform lighting along the fence line. Uniform coverage lets cameras operate with a higher dynamic range, ensuring objects and people are illuminated while avoiding the generation of dark silhouettes in front of bright backgrounds. www.senstar.com