As is often the case at GSX educational sessions, a great deal of time was focused on the future of the industry as the virtual GSX+ event rolled on during Tuesday's sessions. On the forefront of these sessions was the panel discussion, "Security 2030 and Beyond" - where expert end-users looked at where we might be in a decade. Whether it is fortunate or not, it turns out that the current crises facing the world and the United States has essentially pushed the fast-forward button on security and technology evolution, and for many experts, the future is now.
The expert panelists who spoke on the topic on Tuesday were: John Petruzzi CPP, ASIS 2020 president-elect and EVP/Head of Integrated Security solutions for G4S; Tim McCreight CPP, Chief Security Officer for the City of Calgary; and Christina Duffey CPP, 2019 ASIS president and EVP of PalAmerican Security. They were moderated by 2015 ASIS president Dave Tyson CPP, president of Apollo Information Systems.
"COVID-19 has changed everything in the last 6-7 months, not only domestically, but golbally. I'm seeing is a massive acceleration (in where we are heading)," Petruzzi said. "I think what we would have seen in 2-4 years into this decade, we are going to see over the next 6-12 months."
"This is the start of what I think we are going to see in the next 10 years plus," McCreight added. "We are going to start setting the framework and the guidelines for that in these next few months, then we're going to see some of the things change...in the security industry."
Added Duffey: "We're pushed to the limits right now in a lot of different areas, and we are certainly going to see an expansion of our convenience culture. There's not going to be a roadmap of exactly what's going to happen, but responding to situations and events, and being resilient within your organization is all going to play a key role."
The Future of Identity
The first major topic discussed was the changing roles of security when it comes to identity, which has been massively impacted by COVID - especially when it comes to virtual hiring, interviewing and onboarding. The panel questioned how to prove that the person you are speaking with in a zoom meeting is actually who they say they are, and noted that identity management technology is in a sort of catch-up phase right now to try and resolve this issue.
"Look at today, with the absolute acceleration of virtual onboarding of folks," Petruzzi said. "We are hiring talented people – from CEO down to security officers – without ever having a face-to-face connection. We are literally taking all of their credentials and all of their background information and running those things from a distance. There are obviously lessons we are learning in this rapid pace, but it's it is very concerning. Again, we are doing it at a rapid pace because the business is demanding it, but you have to set expectations. We (cannot) onboard talent the way we used to, and at the timeline that we used to and ensure we are not allowing bad actors into the environment."
As far as traditional facility access, the panelists agreed that frictionless solutions are moving to the forefront thanks to COVID. But beyond wave-to-open and mobile credentialing, Duffey said that identity verification prior to a person arriving at a facility is going to take on a much more expanded role as we move into the future. "That is going to put the onus on tenants and departments to be able to verify (identities)," she said. "We are really going to see this this touchless technology continue to grow, especially in verifying people. You won't be able just to show up and give your driver's license and be able to gain access."
Privacy Driving Technology Evolution
As Tyson said during the panel: "The battle between law enforcement and security’s need to know and an individual's privacy is going to rage for years to come."
Certainly, this battle is going to shape the security industry both now and in the future, with technologies such as facial recognition garnering daily headlines around the world. "Those who are leading security programs are going to need to keep their pulse on what's happening with privacy and identity within an organization and how to handle that information, because it's going to move so quickly that you could be left behind, and then exposures are going to exist," Duffey said. "Stay plugged into this as a professional, because it is going to move fast."
“I see nothing but increased regulation around identity, and quite frankly, the punitive approach to those that are breached on that front,” Petruzzi said. “We have seen that at a state level from a domestic perspective, and obviously on a global perspective, where countries are driving that regulation. I just see that increasing that an ever-rapid pace. I don't know how you can tell me that my facial image and my fingerprint is not considered PII (and thus would fall under these privacy regulations).”
"How do we prevent breaches of privacy and how do we monitor if someone's actually trying to attack personally identifiable information?" McCreight added. "By 2030, maybe that PII includes my face."
Enterprise Security Risk Management (ESRM)
The topic of ESRM is one that has been debated on panels like these for years at ASIS. This panel disagreed on where we stand today when it comes to this concept, with some saying we still have a long way to go before ESRM is accepted at the C level.
"There are a lot of people who have embraced ESRM and believe in it, and there is a lot of passion around it, but from a perspective of where managers today, are they really incorporating it into their programs?" Duffey asked. "I don't think we're there yet. I think that we have a lot of work to do."
"We are getting a lot of anecdotal evidence on how how beneficial the program is," McCreight added. "ESRM has been used in every organization I have worked at; we just didn't know what to call it. We are facing this a lack of communal understanding of the work that we do as security professionals, which a lot of times is based on the ESRM philosophies or frameworks. We just didn’t know what to call it."
Petruzzi again sees an acceleration on this front spurred mainly by COVID. "We have recently seen within the last 12 months, multiple Chief Security Officers elevated to a 'Chief Risk Officer' role that incorporates both financial and operational risk outside of security. These are small, medium and enterprise level organizations making this change. For that individual in each one of those situations to take a seat right at the senior level...taking that all things, all-hazards approach, both financial and operational, tells me that we are making good progress. Will we be there fully in 10 years? I'm say yes, but there is certainly a lot more work to be done."
New Career Paths in Security
The panel concluded with a discussion on the evolving careers and roles within security departments. From data analysis to drone piloting and virtual training, new technologies seem to be driving new career opportunities both today and in the future.
"We talked earlier about what kind of data we can get to make better decisions in the security space...well data scientist in the traditional security industry is a real job now," Tyson said. "Drone operations and having UAV or drone pilots; cyber and physical incident response virtual training is now being done all over the world, both in AR and VR; and behaviorists who shape AI decision making algorithms and open source investigations are all potential new careers."
“Every one of those roles I am actively recruiting for in one capacity or another,” Petruzzi said. “Again, it goes back to accelerators. We see people right now in risk operations centers looking at all hazards and understanding and leveraging the data scientists that we are hiring and putting in those locations. Another prime example is virtual trainer. Over the course of COVID, we have moved to 100% virtual training. Each of these roles are moving at a rapid pace because of the current operating environment.”
"I am looking at the value and benefit of having one of our data scientists here in the city work with my team to understand all of the data that we collect to see how to look at predicting behavior based on past data,” McCreight said. “By 2030, I may be able to start my career as a security guard or security operator, work my way into a supervisor role, then receive training as a drone operator and become a member of that team in the same security operational component – helping program robots to do the tours of the facility or flying the drone that does the perimeter checks on the fence.”
“If you look at the programs that are in our universities and colleges right now, they are certainly focusing on the technology, but it is really just having a lot of resilience in your skill sets to make sure they are transferable,” Duffey explained. “All of these positions are already there. Having skill sets to be able to transition to some of these new roles is going to is going to be key. Security professionals really need to think about what is going to be needed so they can continue to build their skill sets for the future.”
GSX+ registered attendees can check out the full panel discussion here.
Paul Rothman is Editor in Chief of Security Business magaizne (www.securitybusinessmag.com).