Ask McConnell, Get Solutions August 2024 Edition
Jim McConnell
Chief Security Officer | Chief Information Security Officer | Physical Security | Cyber Security | Metrics | Executive Protection | M&A | Supply Chain | Fraud | I mature your converged security program by 1% every day
HOWDY - What's Up Jim?
I'll be honest, sometimes I sit down to write some long-form content and wonder, Lord, am I going to have quality and valuable content this month for my amazing network? Society and the good Lord never fail me.
My professional heart is to provide a perspective that turns into YOUR solutions to YOUR pain points. Whether it is something from my newsletters/content or a full partnership, my goal is the same. Thank you for your time, sharing, and encouragement.
As always, reach out, I'm here to serve.
Industry Observations
An amazing quote around security justification discussions caught my attention: "a guard role is typically a non-value-add security service role." I suspect the person who made this quote was having a hard time describing the need, the scope of the "role," and likely the metrics to show the "value add." But in 2024, the spectrum of justification challenges continues.
This weekend, I was at an organization's location with a medium threat profile that can switch to a high threat profile on a dime. This organization has been around for about 20 years and I had not been to this location in a number of years. I estimate about 1500-2000 people were in the building at the time. I, like many security people (should), have my head on a swivel looking for vulnerabilities, security controls, protocols, and of course threats. As Patrick McNamara always teaches us, I am my family's executive protection leader. As I walked up, went inside, and sat down, the assessment was "okay", better than most peer organizations, but maybe a 2 on a scale of 5 for maturity (after 20 years). As I was sitting down, a man with a PTT radio, earpiece, and lanyard was talking to an older lady (customer)... about guns and licensing, already odd. Their chit-chat turned into a pretty detailed laundry list of the organization's security (active assailant) protocols and a boast of how safe everyone is. Oh my, guess he didn't see me snap that "surveillance" picture.
Questions arise:
This isn't some armchair quarterback observation, this was live, this was an advance for me and my family and impacted my real-time and future preparation and response if I were to ever return.
How do you feel (responsible) vulnerability disclosure in the security industry is doing? Will the organization / CSO / CISO be offended? Some might say the cyber side has formalized this more / better, and I believe that side does have some great practices. Do the other parts of security need similar standards?
I so enjoy Erik Endress's posts on the various vulnerabilities he finds; they reinforce this challenge in our industry.
Advocacy / Lobbying for Security
There is a spectrum of opinions on the value and corruption of lobbyists, advocates, PACs, and activists. I have limited experience/opinion, but I know there is a place for them. I think the security (converged in scope) industry is long overdue for this advocacy. I am currently trying to get the attention of my federal representative and it has not gone well. Is it time for a group to step up for us?
Examples of needs from my perspective:
What are yours?
Giving Back
Life challenged me this past month when I had the opportunity to serve some amazing people that some would call me insane to even consider supporting in even a small way. But it got me thinking: what is my criteria for not wanting to serve a fellow human being? What if I know all their greatness AND all their failures? What if their failures were greater, or even against me / my family? Does it change if they are asking me to just train them or if they are bleeding in front of me? Explore it in yourself. Love the quote from the Olympics commentator: "Made peace with imperfection."
Today's Action Items....Please
If you appreciate this newsletter, please share it with your network.
If your organization's security challenges resonate with any of the pain points we work with, let us know, we are here to partner with you.
If, in your network, you hear of opportunities in these pain points, I would really appreciate the referral. Welcome to discuss co-partnership, C2C, or referral fee arrangements, if needed.
....Back to our regularly scheduled program....
After seeking advice on a number of areas of my business, I updated my Resume Bucket List again and launched my new M&A-focused LinkedIn Newsletter; more on that later. Human nature is always challenged to gather and "take to heart" feedback on our lives. I have found I receive and act upon it when the giver has the heart of experience and a servant. Honestly, if I sense the feedback is coming from a heart of pride, even if it is good feedback, I really struggle with it. I'm working on the guy in the mirror daily.
Great podcast with the one and only Eric Vento, CPP, C2MEP; what a great discussion on transitioning military and law enforcement and a bunch of other topics.
Great discussions with two private sector Chief Security Officers, one Chief Executive Officer of a large security software company, a College Professor, and a Security Professional at a Research / Think Tank on Converged Security Metrics and my book on the topic. I am so humbled to have the opportunity to help each of them integrate metrics into their programs, with the book just being a reference. Need help in this area? Please reach out.
Also got an opportunity, through TEEX, to do some official OSHA Safety training this week, oh my. New respect for the pure OSHA-Level Safety people. Probably got a lessons learned post in the coming days. Off to find a reputable OSHA 30. #resumebucketlist #alwayslearning
Got some upcoming classes to teach with Texas A&M Engineering Extension Service - TEEX in August in Texas and a couple of other states. Also, TEEX's Cyber Readiness Summit for 2025 is scheduled, so block it on your calendar and sign up when the time comes.
Diane, my beautiful bride, is amazing and full of wisdom, grace, puns, and love; I couldn't do this thing called life without her. If you need a trusted and transparent resource for your DFW real estate needs, please reach out to Diane and let her serve your real estate needs. With all the changes in the real estate industry and market, I truly believe buyers and sellers, more than ever, need a trusted agent to support them. She is awesome and her clients love her and have great reviews/testimonies. Relocating to/from DFW? Let her help!!
Our son James and his team are doing awesome with this Amazon Prep business, with some exciting expansion work coming up in August, and ol' Dad will be right there with him being the warehouse handyman and Mom as "supervisor" and chief negotiator. The AMZ United event is going to be awesome again this year, so if you have a nexus to this tribe, get your tickets. If your organization needs some 3PL / Amazon Marketplace support, reach out to James at Marketplace Prep; I love his heart to serve others in the supply chain industry.
Leadership & Governance
I had quite a number of people go through my mentoring class this past month; in fact I have two sessions today as I write this. It's still amazing how some people have been told/trained into thinking that Leadership is the same as being a supervisor of people. Being a supervisor requires leadership, but being a leader doesn't require you to be a supervisor. We are gifted as leaders; we just need to embrace the gift and steward it well.
Also, having a big title / role / position / AOR doesn't mean that is where you lead to your fullest potential. I have learned as I get older, and hopefully a tad wiser, that I desire to LEAD young professionals and maturing security organizations to a path of greater security knowledge, to pass it on again and again, not necessarily to have 10s / 100s of people under me.
Ask the Mirror: When was the last time I took some personal time off to make sure my leadership path is still going in the right direction?
Governance Update
So during my OSHA class this week, some elements of the class talked about what we in the security industry would call governance. There were some structural similarities and some (understandable) terminology differences, but it was very interesting to see that discipline's governance structure. I can see where security and safety teams and their business clients can get confused about the two functions and their perceived overlap. I can also see where prioritization and culture can impact the maturity of security programs and safety programs. So you "own" security and safety; do you know the difference? Do you call your org security but you're primarily doing safety (dangerous)? Do you call your org safety but you're primarily doing security (dangerous)?
As I said last month, "It's 2024 people, governance shouldn't be this hard anymore." Now I have a new perspective (#ValueOfTraining) and am more passionate and equipped to help clean this up for you. Hey, glad to help fix it if you are seeing/finding the same issues in your organization.
Ask the Mirror: When was the last time I met face-to-face with the organization's primary safety or security person (if you are doing the other function)?
Metrics of the Month: The percentage of safety findings that have been evaluated to determine security control gaps
Our Solution starts with our Security Governance 101 class, then... yes, we get more questions/requests about governance than anything else. It's hard to "put in a box," but let us help you, whether it is policy structure, roles & responsibilities, governance inventory, etc.
Problem Sets & Solution Perspectives - Ask The Mirror
Are these problems:
Here are some thoughts, but also consider where else we can help. Whether Physical Security, Cyber Security, Fraud, Executive Protection, Personnel Security, Supply Chain Security, or a combination thereof, let's work together to move you, your team, vision, and strategy forward.
Mergers and Acquisitions / Divesture Security Program Management
Thank you all SO much for the support of my new specialized newsletter on M&A Security. The feedback has been awesome and I'm glad I made the jump for a different audience. If you have an M&A, Private Equity, Venture Capital, or BizDev group in your network/circle, please forward it to them. If you haven't seen it, check it out at:
For my security pros, don't worry, I keep building some M&A content on this newsletter for YOU. And as always, whether for this pain point or any of my other pain points, if you need help, give me a call.
I was talking to a client about their potential acquisition of a company and how I can help them, and it was a great discussion. Later we were meeting and I checked on the status, and the transaction was on hold due to integration capacity issues and potential cultural conflict. It was such an educational conversation. M&A are such complex projects, and so many factors can cause them to be paused, stopped, or derailed. Make sure you are listening to your business partners and make sure your workstream is flowing at their pace, even if you can speed things along. It's about CARING about the business and the relationships. Remember, at Close Day + 1 minute, you also own the acquired company's culture.
Our Solution starts with a simple Ideation-2-Full Integration scoping discussion. Building/maturing a program? Let us refine it to soften the blow on your team and the clients, aka "The Business." Got a transaction starting now? We can be on calls/onsite within 24 hours. Simple: call us, we are ready.
Insider Threat
Can a security employee be(come) an insider threat? Yes. I have a number of cases where I was investigating a person who was in the security department or part of a security team in a non-security department. The investigation was always a little tougher, technically and in just trying to understand. We talk about holding security people (and other professions) to a "higher standard" of integrity, honesty, ethics, morals, etc. In my ethics class, I discuss the concept of finding the "Ethical Stop," and never think your own team has this all figured out. I know a certain level of "brotherhood" / "sisterhood" can come into play, but for the sake of your executive leadership, never ignore your own going down a slippery slope.
You have, and always will have, an "Insider Threat" and "Insider Vulnerability" challenge in your company. Period. Full stop. Is it a priority? How do I know? Remember, you hired humans.
Our Solution starts with Insider Threat 101 training, including our discussion on "The Ethical Stop," then we help you determine and mitigate the gaps (People, Process, Technology, and Metrics). Call us; let us serve you in this area.
Getting a Seat at the Table (Book #3 in planning stages)
One of the advantages of my passion for being a converged security champion is being able to serve my leadership or clients in a meeting across their spectrum of security concerns. I teach to not just "wear multiple hats" at the meetings, but also to be a great listener for the business and your peers in other departments. It's a powerful value you can bring. Honestly, it may be a focus on mentality in every meeting, but if I care enough and I'm the only security person in the room, I need this focus. For example, after my OSHA class this past week, I have a new area that I will be a better listener for. In the countless business+security meetings I have been in, I bet the safety lead for the organization, if they exist, has probably been in 5 meetings. I am far from a safety apprentice after one (great) class, but I can at least raise the question, "Hey, who is representing Safety in this meeting?" Now I think many of the concepts, pain points, challenges, and governance issues Safety teams have can be easier, yes easier, solved with the same solutions I put forth for security teams. So I am NOT adding safety to my list of services anytime soon, but if you "own" safety in addition to security and are struggling with getting a seat at the table, let's see if I can help.
Stop "Connecting to the Business," Start "Connecting to the Humans."
Our Solution starts with determining how well your team does with a handshake. Seriously, this is about sales and marketing, internally or if you are a service provider. Then we work on your team pitch, marketing, solution communication, presentation skills, and servant attitude. There is great ROI in getting this right.
Supply Chain Security/Fraud (Book #2 being drafted)
Boy, I blew it a couple of days ago on a LinkedIn comment/post. Let me explain: I am REALLY trying to think about my solutions, perspective, and comments to support "From the Church House to the White House," aka all types, shapes, and sizes of organizations. Someone (and the general industry) is/was frustrated with their third-party risk management (TPRM) challenges. I provided the following recommendations:
0. Make sure the enterprise has agreement on what is a supplier/vendor and which one gets a contract and how security requirements will be enforced when there isn’t a contract.
All of these make sense in general, but not all of them work for a non-profit, my son's business, or Ethel's Electric Services SMB. But guess what, some of them might not work in the largest corporations/government agencies either. Why? Lack of leverage, financials, dependencies, laws, regulations, no relationship, no contract, no security department capacity.
As I said in my follow-up comments, I should have been more sensitive to the larger scope / broader audience, as the original poster didn't scope his comment (he didn't need to... BTW).
But could your organization implement ONE of them in August 2024 and measure the ROI? YES. Do you think you have all 8 locked down tight? How would you validate all 8 are... across the entire enterprise (whether you are 5 people or 50,000 people)?
Are these 8 needed but still a struggle? Let's talk.
Our Solutions start with our Supply Chain 101 class, to get your team and organization on the same page. Then we talk about the various "pie charts" of scope of your supply chain converged security program and see where we are bleeding and where we need to sustain great work.
Physical Security Vulnerability Discovery / CPTED
I walked into another government-owned building this past month trying to find a contact for some questions. No access control, no receptionist, no indoor cameras. I walked all over the building (two floors). I saw two cameras outdoors of unknown quality, and it was unknown whether they were working (no power light on). I was standing at one point when an employee walked in, looked at me, and just went upstairs. The maintenance of the building was very poor also. CPTED - non-existent, Safety - limited, Security - Try Again, Personnel Awareness Training - Not Sustained. I later learned some additional information about the building that would make anyone cringe. "Facepalm" - You know the basics, 101, Level 1 CMM. Off to find the operational "owner" to hear the back story; I'm afraid this may take a while.
On the other side of the disclosure spectrum, I found what appears to be a zero-day in a physical security product with a 10 out of 10 CVSS score and a converged security issue to boot, which only took me a couple of days to determine who to report it to, thanks to my LinkedIn network.
How does your organization handle physical security vulnerability disclosure management? Do internal employees know who to call (anonymously)? Does the Ethics line know how to handle it? (Too small for an Ethics line?) Is there an external website with a (cyber and physical) security vulnerability reporting mechanism? Have you ever tried to find your own department as an external citizen?
What does a good reporting hotline look like? Need help integrating into an existing ethics hotline? Let's talk.
Our Solutions are about vulnerability discovery, and what is the best way to do that in your world; let's talk. Then we work on the internal skills and technology you have, integrate measuring your program, and bring a level of transparency for better ROI and obviously, better safety and security.
Executive Protection Program Management (Planned Book #4)
Between the uproar over Former President Trump's assassination attempt and watching all the celebrities and athletes at the Olympics, the EP world isn't exactly boring right now.
Recently I was talking to a great peer in the EP security world and we had a quick discussion about "policy" writing, which got me thinking about how many EP programs have a full governance model in place, documented, audited, and with training elements. Governance is different than program management. We can help with both. Your governance model needs to not just include a RACI, but also definitions and scope, and THEN you have: Internal: policies, guidelines, procedures, requirements, recommendations, standards, etc., and then the other layers/requirements, in no particular order: Customer level, Principal/Event level, Supplier level, Legal/Insurance level, etc. I am NOT a fan of 100's of pages of "policies and procedures"; just don't get me started on the dust-filled notebook. Do you just have an operation, or do you also have a full governance model and program management model in place for your EP / Event Security program? No? Let's talk. Or, if you're a supplier of these services, same question.
Side bar: get out to the International Protective Security Board conference this year. I am planning on being at IPSB and have submitted a topic to speak also.
Our Solutions start with end-to-end program management RACI exercise then we work together on the life-cycle of your program, whether it is personnel, technology, operations, training, or compliance.
Security Metrics (Got the Book yet? If you have, leave a review)
June, also, didn't allow much work in the book writing department, but I did a class on the book/topic, got accepted for a conference to discuss the topic, and love all the calls from folks asking about metrics. I'm in a writing mood here at the first of July, so barring a blessing of some client work, I'm going to try and make a dent in some book writing.
Love, love love the challenge question from Carrie Heflin to me in a recent post:
"Would love to hear your thoughts on some of the metrics you commonly see museums tracking that aren't delivering a good return on time invested. What, if anything, should we stop tracking?" #Boom
My response was better than I probably have considered in the past:
The broad challenge I see in any organization is being too focused on stats-based security activities that ebb and flow with normal social or seasonal activities. I'm not against stats!!! Just balance that with metrics that we can show (to decision makers) both have an achievable milestone or end goal and the sustainment of that milestone. For example, we have 95 cameras, and 62 (65%) are End of Life/End of Service by the end of the budget year. 25 more (26%) are not patched with the latest operational and security patches. Easier to communicate the need for time, money, resources, and expertise to get all that bad "Red" in that pie chart to green.
So, I mentioned last month my Open Letter to Congress (will work for other countries) on Security Metrics. Well, I have reached out to my Congressman (@michael burgess) three times, no response. I'm not a good political policy advocate. I know, crazy. But I'll keep trying. Any lobbyist bored and wanting to have some pro bono fun?
Not doing metrics in your program only means more surprises arising in the future as part of a breach, incident, customer questions, regulatory questions, board questions, etc. Not demanding metrics from your security leader only means more surprises for you too.
Can't move the needle to kick off your metrics vision? Call me.
Our Solutions start with Security Metrics 101 class then stepping through an inventory of existing security functions, security stats, and security metrics. Then work on gaps, SIPOC documentation, impact of transparency, and of course, audience delivery.
Offshore Security Risk
The DJI (Drone) challenges lately and recent work on SBOM, due to the blindness of the general software threat, made me realize that "offshoring risks" are broader than I probably considered or taught in the past if I truly look at offshoring from a converged security perspective. Would a possible synonym be "foreign dependency risks"? Interesting now when we think about captive work, the supply chain, and M&A that happen outside of HQ and, at a minimum, in higher-risk countries. A number of years ago, when traditional offshoring was ramping up, I worked with my friend Israel Vila, CISM, CCM to develop a large-scale country risk comparison across >50 countries and >75 different data elements. Why aren't these comparisons commonplace in your organization's risk discussions around foreign dependency risks? Vila and I would love to come help you make them commonplace.
Our Solutions start with a definition and scoping exercise on outsourcing, offshoring, and supply chain, and then we focus on discovery and detection methodologies, along with updating your criteria for future work going offshore.
Security Operations Centers
Still on my soapbox about security being 100% Remote / WFH. This time I saw 100% remote/WFH CCTV security camera monitoring. Yes, I know very well that building a 24x7 Brick and Mortar SOC isn't trivial or cheap. But have collaboration tools gotten so good that they have allowed this critical collaboration capability to be moved 100% online? Are these tools that fast, that consistent, that feature-rich? Or are they distracting? How many incidents have gone undetected or been delayed due to this new model? If you are (forced) into this model, have you updated your training and testing plans to challenge these "amazing collaboration tools" and their positive / negative impacts on your expectations of your SOC?
Our Solutions start with a scoping exercise of your SOC then determining the challenges (people, process, technology, supply chain, etc.) and retainers then a plan of maturity, yes including metrics and "Seat-at-the-Table" improvements.
Crisis Response
"Bang", "Breach", "Panic", "Fire", "KNR", Important/Highly Admired Person/The Brain Child Died, "Why are there three TV Satellite Trucks at our Guard Gate?" - Pick the Crisis Scream - This never seems to happen in a structured way, with all parties in the office / same conference room, just finishing up the perfect tabletop exercise.
CMT aka Crisis Management Team + Your well-documented, audited/tested, exercised, and FUNDED Crisis Management PLAN + Tools get the call, and of course it is 3am on the day of your 25th wedding anniversary.
I have been so blessed to be part of all parts of crisis response, now NOT all TYPES of crisis situations, but many. I have also watched, studied, and learned from quite a number of crisis responses that I have a unique nexus to, where I had behind-the-scenes knowledge that others likely didn't have.
One of the primary things missing from every plan is the scribe that we have talked about before.
But one of the most interesting things to see/watch/participate in is when people scramble/knee-jerk in the middle of the crisis in calling in third-party experts, usually ones they don't have in their plan. Then at the end, when they are doing the AAR, they realize they have the experts in-house or available third parties already vetted and ready. I happen to be one of those for several organizations. Just in the last 2 weeks, I have sat by the phone waiting for that call on two crisis events that also included two information security breaches. I'm not mad, but just know they are likely struggling; they know my capabilities but just don't have time to think to call me. Yes, I offered.
How about your plan? You have the SME list added to your plan; how often is it updated? Does it include SMEs like me or my peers, or just who your insurance company wants you to use?
Our Solution starts with designing a (mock) crisis, challenging everyone at the table to accept the reality of a crisis. Whiteboard the quadrants of crisis. Talk about the areas of ownership. Then begin the circle of documentation, testing, building relationships, getting ready.
Converged Security Training Program Management
As we have talked about before, training is a program, not a start-end project. Love what Brian Jantzen just wrote up on Redefining Essential Skills for Executive Protection.
Brian's structure is excellent for ANY security role/function, not just EP. Definitely going to update my training management plan to incorporate his structure, of course giving Brian ongoing credit.
I'm not great, or even good, in several skills Brian talks about or their equivalent for other security domains, thus why I am always learning. One of the traps that training development projects fall into is the leader's or members' focus when they are prioritizing training:
Wow, clear signs you need a more senior, independent person leading it in your organization, with security training experts like Brian or me to help you.
Our Solution starts with the foundation of what training needs to be and grows 360 degrees (x, y, z) to develop (and hopefully fulfill some of the training) a comprehensive and defendable plan.
Gear
"Great, I have a new Family Go Bag Class for Friday, let me get everything ready for the class and update the PowerPoint"... I said to myself. I get to the class and forget a key prop. Ugh. The timeframe of the class and the content didn't suffer because I forgot this piece of gear, but it showed me that my "Do I have everything?" list wasn't followed. I was complacent and needed to get my regular checks back on my calendar.
Not volunteering, especially for a reader in, say, India (though I would love to go back!!), but your employees would benefit so much and appreciate your focus on their well-being if you did a (or my) Family Emergency Go Bag class. I'm so convinced of this value that if you can't afford our team doing it, and your CSO/CISO/CEO contacts me directly, I will do a FREE train-the-trainer class for them and their designate, if they promise to implement it.
Our Solutions start with our Gear Bag 101 class, then a look at people, buildings, and transportation gear needs and current setup, then focus on ownership, maturing, sustainment, and training on the gear.
Faith & Grace & Honor - 1 Timothy 5:17
Praying for a continued and great 2024 for my clients, leads, peers, teams, our heroes, our pastors, and you and your families. If you just "need to talk," I'm a pretty good listening ear. In my entrepreneur adventure, I am learning so much about faith vs. patience vs. stewardship. Waking up every day, I try to pray for grace, wisdom, and knowledge BEFORE my feet hit the floor. Always a student.
Looking for a speaker for your next Men's meeting/conference on honor, grace, defining success, and/or mapping the proof of the good Lord's blessings? I would be honored to support your event.
Honor (Planned Book #5)
This month I want to honor all the leaders and mentors that led and mentored my late father, my brother Bob, and me through almost 96 years of working at GTE/Verizon. If you include the ~5 years I was a contractor before my tenure, we hit 101 years onsite. Dad, Bob, and I could make a very long list, and some people would be on all three lists, but ultimately we learned from all of you and appreciate all of you. We all hope we were also leaders and mentors to others around us. We worked striving for integrity and loyalty and giving back. I know all three of us had our share of making people laugh and probably angered a few people, but we always worked hard to honor others and protect the most critical infrastructure in the world. We had countless "firsts" that GTE/Verizon gave us free rein to put our fingerprint on, with many of them still operating as we departed. Thank you all, and for all of you that know my Why story, Verizon peeps, never forget my Grandma Story and "Care" (Thanks again Susan).
I'm still learning how to honor all the people and experiences that the good Lord has allowed me to experience.
Interested in learning more about communicating authentic honor? I highly recommend these resources:
Ask McConnell, LLC is a Converged Security services provider, headquartered in Dallas Fort Worth, Texas, USA, and we believe we can help build, assess, mature, train, measure, and augment your team on the problem sets mentioned above, for clients "from the Church House to the White House." Please reach out with your challenges and let's whiteboard some options together.
Licensed, Insured, Cage Code, Credentials, DUNS, Passport, TCOLE ID, TSSC Registered, Registered in 6-7 DFW Area School Districts, and Access to "Tickets"
Have a blessed rest of your day, week, month, and exciting Summer Season. If this newsletter added value, please subscribe, comment, and share.
Please consider us for partnerships and referrals
Jim
#security #convergedsecurity #askmcconnell #ciso #cso #cybersecurity #informationsecurity #physicalsecurity #executiveprotection #fraud #audit #supplychainsecurity #securitymetrics #insiderthreat #mergersandacquisitions #offshorerisk
To have fun with LinkedIn and Google's Algorithms, I present you some random AI-generated content:
ChatGPT
Tell me a funny joke about converged security
ChatGPT
Sure, here's a joke about converged security:
Why did the cybersecurity expert bring a ladder to the data center?
Because they heard the security needed to be on a higher level!
CoPilot
Tell me a funny joke about converged security
Copilot
Why did the security guard bring a ladder to the converged security meeting?
Because he heard the threats were getting elevated!