Looking ahead to the trends in security: Q&A with ASIS President

The security industry is evolving with several new technologies and concepts entering the market. The constant change that is being witnessed demand a watchful eye from security professionals. At the recently concluded ASIS Conference in Milan, a&s Italy caught up with Thomas Langer, President of ASIS International, to learn his thoughts on what to expect from the market in the coming days and how the industry would adapt to changing trends as it goes forward.

a&s: What are the technology trends that the industry should pay extra attention to?
Langer: It’s crucial that the security discipline is part of product design work at the front end, because it’s going to end up costing a lot of money in rework and customer confidence if it fails on you, embedding it with all those technologies we know have already been corrupted. None of that is going to benefit anyone. I really think it is about security having a seat at the design table and at the innovation table so that we actually build it into the front end.

a&s: Is there any prominent tendency in terms of assets/people/information protection?
Langer: I think they are equally important and I hate to sound preachy when I say that. We have an obligation obviously for the physical perimeter and the physical safeguard of our employees but because we have borderless companies now, our propriety information, our crown jewels, extend out to wherever our employees are. What is the furthest remote point they are at, that’s where it ends. And we have to make sure that we’re designing platforms that allow them to securely do the work that they are doing and not artificially design security in and cause them to have to find ways to work around those. So you end up in a situation where somebody is at home and they can’t add a printer to their device so they mail it to an open email address, on an unsecured computer in their home, and print it out because they need to do something with it physically. So we want to make sure that as security professionals we don’t design things that make us feel better, but actually don’t support the business.

a&s: What should the security professionals learn from the recent cybersecurity attacks and is there any other emerging threat ahead?
Langer: The cyber piece is always going to be present. Wherever our information, our assets reside. Primarily right now it’s in our networks. Many of the cloud offerings have to be looked at with an eye towards “how does that satisfy what I have committed to my clients want and what I’m going to do with this information”. So to put it on a semi-secured cloud at a cost saving to you, is actually putting in jeopardy the information that you committed to protect or your own design information that could be compromised by the wrong cloud provider. Given the advancements in technology and data portability and availability (anywhere/anytime/device agnostic), we can only speculate where that data will be next. The other thing I’m concerned about is making sure we have an educational program as we bring new employees in, that they understand what it is that we need to secure. I think there is a real misconception that the younger people coming into the industry don’t know that. They do. I can’t say that I’ve encountered anyone coming into the workforce that wanted to work on company proprietary information on an unsecured device, nobody wanted to do that. Again back to what I said before, let’s make sure that what we create for security safeguards don’t force people to make bad decisions.

a&s: What is the next market driver for security companies? IoT and big data?
Langer: I want to see how our companies are going to use big data, how we are going to try to leverage that to better our own position in the corporation. I really see that being part of our role at the table, sitting with the leadership and making a decision on what we are going to use, where we are going to go and being able to secure that platform. So we need as professionals to do a better job anticipating those vulnerabilities. This is an old example but I’ve used it a number of times: nobody invented the car to make bank robbery easier. But that’s what happened in some cases. I want to make sure we have the creativity, the artistic ability to look at something and say: “How is that going to be exploited? How is somebody going to use that and turn it against us?”
 When people just innovate without securing whatever that innovation is, that isn’t finish line. They’ve actually stopped the race before they should. And they’ll end up losing market share.  I firmly believe that at some point the consumer is going to make decisions based on security.
 
Through Enterprise Security Risk Management (ESRM), ASIS is trying to help people understand that the enterprise security risk management is that holistic look at where the vulnerability is and where do those exist, throughout the organization, in functional lines and business lines. I think a lot of us do that already but I think it is going to be better to put a name around it and to set a discipline to help people become more energized about doing that properly. So insider threat has always existed, it’s just that somebody gave it a name and now has got a lot of focus, hopefully with ESRM we’re putting a name on it by actually branding it, not branding it formally but actually making it part of our offering to the community. It will get people to start thinking holistically about the security environment.
 
And people can unwittingly introduce risk into the enterprise and how much it extends beyond their authority to introduce that risk. So for the enterprise level the chief security officer with the right network can actually raise that risk at the right level and make sure the leadership understands “this is happening, this is what the risk is, these are the consequences” so they can choose to assume that risk as a leadership team, that’s what they should do and make sure they make a decision with all the facts available.
 
The Association is often seen as representing the physical security world, but that was a bygone time and era. The convergence of physical and cyber risk, is already fundamentally changing the expectations of the corporate security function. The required skillsets for security professionals are evolving accordingly. At the same time, career paths are shifting. Whereas security management used to be primarily a second career profession drawing people with military and law enforcement backgrounds, we now see newcomers entering the profession directly from university or branching out into security from other business functions. There is much we have to offer at ASIS International, from new to the profession all the way through the senior executive. So we are working to accommodate the changing needs of our members and their employers and to bringing more people into the Society.
 
a&s: What does ASIS have to offer differently?
Langer: What we have to offer is community. There are a lot of sole practitioners in the security profession that don’t know where to turn. We want to be able to create those kinds of communities. As small as the Chapter, as big as the region, as big as the globe for them to get the answers they want and to have peers that can help them to work through different problems and help crowd-source solutions for the security professionals. We do have 241 Chapters right now across the globe and 34 Councils and we represent every sector. 

a&s: What are your remarks on the Italian Chapter?
Langer: The Italian Chapter is working phenomenally here. I’ve never been here but I think the Chapter is very active. This group turning 700 people to Milan, is a proof, and to have the CEO of Microsoft Italy coming here and give that kind of presentation! It’s part of the transformation of the organization to have those kind of thought leaders in front of security professional and not just another security person talking to them. We need to take them out of their comfort zone, we need to help them think differently.

a&s: What are the missed opportunities or required solutions according to security practitioners that are represented by ASIS? 
Langer: Missed opportunities is helping a member to avoid going it alone when trying to find a solution to problem.  We want to create the local or regional network of professionals who a member can draw upon or, support.  As technology rapidly changes, exposing unthought-of vulnerabilities, we want the Society to be the resource all members can rely upon to be there for them.