RTP PhySec

Social Networking at the Physical Security Industry's Largest Conference

2009-09-27T00:37:00.006-04:00

The big question I was asked on numerous occasions during the conference was "Is it really worthwhile for security pros to use social networking and media?"

With the amount of industry users growing, the usefulness can't help but increase. (that's my short answer)

But I invite you to read on and see if my full assessment jives with what you are seeing as well.

It would be easy for some of us to say that social networking was a great success this year at ASIS. But, it would also be easy for some to look at meet-up attendance levels and overall "group" participation and argue against that fact. The difficult thing to define here is the "success" or "irrelevance" of the overall social networking activity - and how you measure that is fairly subjective.

That's because the users of social networking fall into three distinctly different groups. Probably more than that - but for the most part, I pigeon-hole everyone into three:

The Marketing or PR Pro / Provider: This game has been revolutionized in recent years by social networking, media and similar tools that have shifted the focus off of traditional marketing avenues. So it's no surprise that security equipment and service companies have started to get on board. The reasons for it's popularity have a lot to do with opening communication channels and new dimensions of information flow and monitoring (if properly used and planned out). How well does all this relate in the physical security industry? Not nearly as well as the rest of the world but there is definitely some positive growth. It's hard to argue with the success of marketing and customer service through this method, especially when you see what some of the larger providers do with it. It's refreshing to see @firetide, @HIDGlobal, @exacq, @DMP_ALARMS, @chelsiewoods, @ProtectionOne, @pprobinson, @ProvidentMike, @RhiannaDaniels, @Futureshield_CW, @Todd_Morris, @3VR, @stevesurf and BoschSecurityUS bringing that kind of enhanced service to their customers. It's a shame, but some of the larger manufacturers/providers are running social networking accounts with little to no value whatsoever. (not listed for obvious reasons)

The News Pro:

Call it New Media, Citizen Journalism or whatever you'd like - but things are different in the world of news. Social networking has given a press pass to just about anyone who wants one. I think this is a great leveling agent in many ways, and it can sure make things interesting.

The industry is already covered well by both print and online media, and the news industry in general is embracing social networking and media as a way to connect with users and enhance the relationship all around. I've watched with great interest as editors/reporters like @Sam_Pfeifle, @BrentDirks, @Security_Mag, @Leischen and @info4security have used social networking as a powerful tool.

The End Users, Consultants and Practitioners:

This group includes not only the end users, but just about everyone else that isn't selling a product, service or reporting on it. The motivation to use social networking is more clear with the marketing and news people, but there are more reasons and a wider set of goals with this group. Since goals very greatly among users in this group, it's difficult to measure success

In conclusion, I feel that most security professionals who are using social networking for non-sales and non-news reporting reasons are starting to see value. That's because the amount of valuable resources available varies directly with the amount of other industry people out there, using the same tools. One of the key benefits of social networking is the accessibility to others in the industry at all levels. This dynamic was slowly developing over the last few years, but the conference was a shot in the arm, boosting numbers of users and everyone's effectiveness. Thanks to everyone who participated in the conversations, and helped to further this developing medium!

More Conference News

2009-09-11T21:59:00.001-04:00

A few things going on today in the social networking world for security professionals.

But, to me the coolest thing was the arrival of the social networking lanyards from Laminex.

Lanyards

As you can see, they turned out pretty well. Please note, the printed Twitter ID is the result of an iron-on transfer. If you signed up for your lanyard early enough I've got a transfer for you. Still not sure if I'll be able to iron them all on before the conference but I'll try. Also note that the lanyard to the left is modeled by my 6yo son. so unless you are under 4" tall your badge will not hang to your waist.

TweepML List

The second cool thing was the completion of the TweepML for Physical Security Professionals. This is a dynamic list of 100 security professionals on Twitter. If you enter your user ID at the end of the list, you can choose to follow all, or select specific people to follow. It would be great if TweepML would generate a RSS feed of the members twitter streams but so far I'm not seeing any way to do that easily.

Well, the only way to do it easily is through the FriendFeed Room. Unfortunately, there wasn't much interest when it was formed but maybe there will be now.

Conference Tools

Which leads me to the third cool thing. If you've ever gone to a conference where you and others were using Twitter you probably noticed how easily information was shared between everyone by the use of hashtags. Hashtags are simply putting the # sign before a word. Doing so makes it easy to search for that word and compile a list of current tweets that contain it. For instance, if I'm at a vendor booth and they are about to start a demo of their latest technology - I can send a tweet with the #asis09 hashtag in it. Everyone following that hashtag will see the message and know. This kind of communication is new and strange to many. It falls between direct person-to-group communications and general postings of information. With person-to-group the ones receiving the message are expected to respond or digest the information. Just posting the information so it's available makes it difficult for everyone. With Twitter, the information gets to everyone who wants it - and people can choose to be as interactive as they desire.

Andres Armeda has done an impressive job making this easy. We're in the process of configuring tools for social networking users to stay on top of things during the conference. The goal is to give people the resources they need to monitor what others are saying and doing without hassle. This will take the shape of a website that's streaming all conference related posts, RSS feeds that can be turned into SMS messages and even a specific twitter account you can follow to get everyone's traffic from one source.

Meetups

Still need some help in this area. It's obvious that this year's conference will not have as many large scale events as previous years. However, I'm still trying to secure some agreements with the events that will be held to arrange for at least one meetup a day. Monday is the ASIS sponsored meetup at the President's Reception - but only conference attendees have tickets to the reception unless they are purchased specifically. Since a good number of us are exhibitors, that leaves a good number out in the cold without tickets.

I'm hoping to arrange for meetups as part of larger events. For instance, if Company X is holding their event Tuesday evening, they agree to allow social networking users into the event to meetup with each other. If your company is interested in helping, please let me know. You may even be interested in hosting a small get together for Twitter, LinkedIn and Facebook users. If that's the case, you'll definitely earn a place in each of our hearts and I'm sure your investment will be returned through the solid networking value alone.

ASIS 09, Meetup and Lanyard News

2009-08-27T21:25:00.002-04:00

Two exciting developments came into shape today for social networking at the ASIS 09 conference:

1. ASIS gave the green light today to publicize the social networking meetup they will sponsor. It will be held at the President's Reception, Golden Horseshoe Saloon, 7:30-8:30 pm at Monday night at Disney Park.

"Guests can enjoy cocktails and appetizers while meeting the people in your networks and sharing a little more than 140 characters at a time!" (I have to give Peggy O'Connor at ASIS credit for that clever statement).

Now - this is very important - you must have a ticket to the reception in order to attend. If you don't, I'm sure we will be working out other meetup opportunities as part of other events but I think it's very cool of ASIS to host this one!

2. Our friends at Laminex are supplying a limited number of social networking lanyards. The idea of these lanyards is to let people who use social networking easily identify each other but not detract from the official ASIS ID badge or any company attire you may have to wear.

As you can see from my poorly constructed example, it will be a sexy, fashionable lanyard with both form and function. There is a space for your Twitter ID, but you can even use your name if you are not on Twitter. Laminex says it's possible to use iron on transfers to make the user names look slick, but that would depend on me hunched over an ironing board for hours. (Someone would have to answer to my Ortho). I'm not saying we won't end up with the slick transfers - we'll just have to figure something out.

Want one? Of course you do.

Just head over to this link and sign up.

Is your company hosting an event during the conference? I'm hoping to pull together other meetup opportunities as part of larger gatherings so let me know!

INFOSEC in the Social Networking World

2009-08-25T22:53:00.001-04:00

As strange as it may seem, it's looking more and more like there may be yet another dynamic to this social networking thing. Nothing new really, especially to the social networking community - but I can see some definite room for growth.

Working my way through the issues specific to physical security professionals, of course I ran across big picture organizational issues that should be addressed. For instance, how do you handle staff members in the organization you're protecting that violate INFOSEC rules?

I always assumed INFOSEC concerns would be addressed through the "usual" channels, but it's becoming more clear there's a problem.

Even organizations with robust INFOSEC policies and practices can have trouble when a new avenue pops up that doesn't follow the traditional information paths. The beauty of social networking is how effectively it cuts through tradition - but by doing so, it leaves behind the safeguards designed to secure sensitive info. Having that robust INFOSEC policy in place isn't enough anymore, it's the organizations with robust INFOSEC people that are keeping up in this game.

So, like many things in this field - there are pros and cons to the situation. The cons are of course sensitive information being spread out to the world by staff members who don't think before they tweet/update/etc. But the pros are hopefully a return to support behind giving security groups the resources to mold and maintain INFOSEC rather than just audit it.

How well does your organization communicate with staff (or whoever) about INFOSEC on social networking platforms? This could be something that can easily be covered by expanding current programs - or it could need much more.

Time to Start Planning for ASIS 09

2009-07-28T23:57:00.001-04:00

It's getting to be that time of year again, ASIS 2009 is just around the corner (end of September) - which is easy to remember because it's around the same time as my birthday.

Speaking of which, all I want for my birthday is some great social networking opportunities for people attending the conference. Ever since I was a little kid (in terms of my relationship with ASIS) I can remember listening to the "old men" of the industry telling stories about how valuable the conference is when it comes to networking. They would talk about how they'd strike up a conversation with a guy from St. Louis and end up with a national contract, or find a breakthrough solution over drinks with a random engineer from Phoenix.

No other organization, or event in our industry has the kind of networking power that ASIS wields - and although it's not the organization's only value - it's always a key reason anyone I talk to is involved. So a few months ago, as I started to write about social networking's value I was excited to see ASIS conduct a survey on the topic - and even form a conference blog, Twitter account, and Linked-In / Facebook pages.

Let me pull it back for a second and talk about social networking in general - for the sake of the industry's "old men". Social networking is to the computer what traditional networking is to the typewriter. I was right there next to some of you as we moved away from the typewriter and started using computers. Having the benefit of falling somewhere between the Baby Boomers and Generation Y - it was fairly easy for me to help bridge the gap and show the old guard how beneficial new technology can be. So when I started seeing the tremendous value of social networking, I felt it was time to do the same thing.

I was using Twitter at the ASIS '08 conference and ended up meeting some contacts I consider extremely valuable. In fact, there were just a handful of us doing it, and I think each of us found some value in one way or another. Even though Twitter had been around for awhile by that time, most of us were very new at the whole thing, so messages ranged from talking about industry events, to new products found, to commenting on how the Dixie-land band playing at the Pelco event played the Star Wars Cantina song.

I'm expecting this year to be different. I'm not sure exactly how different at this point, but there is much more social media activity in the physical security circles now so it will be very interesting. I've been talking to people in recent days about what their expectations are, and what is important to them when it comes to the topic. Here are some general observations - feel free to add yours in the comments, email them to me, or even dm me on Twitter.

ASIS has done a very good job stepping up to the plate with the blog, and other social networking accounts. They are posting valuable information - not just lame posts you see from other organizations like: "see you at the conference!", "did you register yet?", "only 2 more months!" It's a very difficult job at times because feedback and interest can come in waves, sometimes weeks between any worthwhile dialogue.
A Tweet-Up / LinkUp is definitely needed. There is a lot of potential here for a group or organization to step up and "own" the event giving them a valuable edge. I've watched other industries in this stage of social network use and it's always the early adopters that end up forever associated with the medium and they are the ones that are most often rewarded with product loyalty, customer feelings of inclusion and word of mouth business.
It's the users that make or break the overall effectiveness of social networking at conferences. It's important that we share news, findings and help each-other using open platform methods where anyone can tune into the discussion and join in. (as opposed to closed networks)
As well as ASIS has done so far, no-one is seeing any signs of real-time conference interaction planned. It may be to early to tell, but they are in a position to follow through and help move things in the right direction for everyone.

Another Case of Under-equipped Officers?

2009-06-11T22:05:00.001-04:00

I'll never forget a conversation I had with a German Soldier during a joint operation one day. We were talking about career options after the military, and he talked very positively about being a security officer when his enlistment was up.

I was a little baffled by his aspirations, but that was before I learned the differences between security officers in Europe and America.

We all know that Europe has a substantial head start when it comes to dealing with terrorism and how corporate security can fill a lot of gaps when it comes to protecting people and assets.

But I think we are still lagging behind far too much in how we deploy security officers, support them and still expect the world from them.

Yesterday's attack on the Holocaust Memorial Museum should be an eye opener to anyone in charge of security officer operations. Especially in locations that can serve as likely targets for religious, political or ideological reasons.

Few people know the exact details surrounding this event yet, but from most accounts it looks like a good case of security officers doing a great job. The fact that a man walked into the building shooting from the start, and everything was over in about two minutes with no civilian deaths is impressive.

The fact that one of the officers died in the process is tragic, but what's even more tragic to me is the fact that it doesn't look like the officers were issued vests.

The Huffington Post is reporting that they were not - and that the government could start providing them. To me, it's absolutely automatic for any officer carrying a gun, or screening people for weapons should have a protective vest. Unfortunately, that's the kind of thing that's too often susceptible to value engineering when the client and provider go over the nuts and bolts of the contract.

No one likes spending money these days, but it's ridiculous to place the safety of your assets, in the hands of your officers when you pay them bottom dollar and give them the bare minimum for support.

A Fresh Look at Continuity Planning

2009-04-30T22:09:00.001-04:00

There is no question that organizations should dust off their business continuity plans every few years to make sure things are covered properly. Typically this consists of a little reading, a couple meetings and a lot of pencil whipping.

This swine flu thing may or may not turn into a big deal, but either way - it's a good chance to look a little deeper at contingency plans. Not only because the real-world threat sharpens people's focus, but also because this is nothing like a natural disaster, terrorist attack or many of the other scenarios commonly used to prepare.

Over the last few days I've had to look at the protection of clinical assets in a whole new way. If you take this thing to the worst case scenario, there can be a unprecedented strain on clinical sites. Here's a few quotes from the 1918 Pandemic website :

"Confronted with a shortage of hospital beds, many local officials ordered that community centers and local schools be transformed into emergency hospitals. In some areas, the lack of doctors meant that nursing and medical students were drafted to staff these makeshift hospitals."

"As the disease spread, schools and businesses emptied. Telegraph and telephone services collapsed as operators took to their beds. Garbage went uncollected as garbage men reported sick. The mail piled up as postal carriers failed to come to work.

State and local departments of health also suffered from high absentee rates. No one was left to record the pandemic’s spread and the Public Health Service’s requests for information went unanswered.

As the bodies accumulated, funeral parlors ran out of caskets and bodies went uncollected in morgues."

Granted, our infrastructure can't be compared to the nation's infrastructure in 1918, but my point is - even though we may be much more prepared to handle this kind of thing now, there's got to be new and unforeseen factors we've never had to think about.

Our reaction to the 1976 threat was overkill by most accounts, I'm hoping we can find the happy medium if this thing blows up.

I urge you to take yourself outside the box usually ruled by disaster based contingency planning. Some of the angles I'm trying to look deeply at are:

Protecting urgent care / general practice clinics from and overflow of patients desperately seeking treatment
Protecting emergency rooms from the same
Protecting medical supplies and the logistical supply chain
Protecting pharmaceutical supplies and that logistical supply chain
Setting up field treatment sites and protecting them

PSAP Modernization & Integrator Tips

2009-04-28T13:00:00.002-04:00

PSAP Modernization and Integrator Tips

Has it been a month? Wow - even though I'm working up three or four posts I just realized there have not been any new updates. Sorry about that - I blame the economy.

One topic I'm trying to finish up on is how I recommend PSAPs (Primary Safety Answering Points) should get set up to monitor text messages, email and even provide bidirectional communication through Twitter and/or Facebook. If you have any experience or feedback for that topic - let me know .

On another note, this month's issue of Security Magazine features a cover story on Integrator Relationships where I was a contributor. Most of my input (and some of the story content it seems) came from the June 24th 08 post on Vendor / Integrator Selection Tips.

It's a topic that's very near and dear to my heart because of the time I've spent as an integrator and end user.

Why am I saying this other than shameless self-promotion?

Because in this day-and-age every expense is being looked at closely. And when you've got to sent out an RFP (Request for Price) on a project, you may be in for a shock when the client is a lot less receptive to paying more for a better integrator.

Just in the last few months I've seen major security vendors low-ball bids just to get the work, knowing full well there's no way they can make a profit. That kind of game is usually easy to explain, and dismiss. But when CFOs are tightening the screws and every expense is scrutinized, this can be a real problem.

Social Networking (and Media) for Security Professionals - Part Seven - Tie it all Together

2009-03-30T22:38:00.003-04:00

Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand.
Putt's Law

All this social networking is impressive..... There is uncanny ability to communicate in ways unheard of before, but what does that mean to your everyday life?

I think a core principle to remember is that everyone has different reasons and objectives for social networking in their life. There is no "best way" to do any of this, the trick is finding your stride and keeping on top of your priorities. That being said, it' helps to have some guidance. Below I've outlined my basic social networking / media use -- it works for me and maybe you'll get some value from it.

1. Decide your personal / professional balance.
I'll always say there is a great value to merging parts of your personal and professional life. But everyone knows there needs to be a separation point. It's important to decide what social networking mediums you'll use for each early on. Since the privacy settings on most social networking services are controllable, it's easy to filter out your private information.
I know a lot of people who use Facebook for personal use only. If that's your decision, you can either refuse all non-personal friend requests (not as offensive as it sounds, trust me) or set your account up so that all your status updates, activity, pictures, links, etc. can only be viewed by a specific group of people.
LinkedIn is purely professional, so that's a no-brainer. Twitter can be either, or both.
Here's my breakdown:

Twitter - I'm about 65% professional and 35% personal now
Facebook - around 20% professional and 80% personal
Myspace - never use, there are links to my Facebook and LinkedIn profiles the Myspace page
LinkedIn - 100% professional

2. Define your goals.
My goal for using social networking in my professional life is to share my experience, gain insight, and build a robust network of peers, clients and resources.
I share my experience through this blog, gain insight through following smart people on Twitter and build my network with all three of my core services. True, I also use Twitter to share my experience and help other security professionals, and use other blogs to learn from smart people - it's all interchangeable. My point is - it's easy to be caught up wasting time on things that are valuable on the surface, but distract you from what you should be doing. Defining your goals helps you build your daily methods of use in a way that's beneficial.

If you are a manufacturer or vendor, you can use these tools to keep your clients up to date with news and info that's useful to them. You can scan Twitter to find anyone talking about your product, and communicate with them first hand. For instance, I made a comment about a popular feed reader on twitter and one of the engineers replied, helping me fix a problem -- how's that for customer service!
Communicating with end users and consultants helps get the word out about your product or service (just to SELL all the time - people will ignore you). Give them value, and interact with them in ways that are beneficial to both.

If you are a consultant or practitioner, you can share valuable information with others and exchange dialogue on current topics. Having first hand access to manufacturers and users is a huge benefit when feeling out opinion, asking about experiences and forming your own opinion. Using these tools to build your network will definitely help broaden your resources and understanding.

If you are an end user, you can get real-time, first hand information on products, services and industry news. You can have a direct line to industry shakers and movers, discuss the topics that are real in your world.

3. Define your daily methods.
My wife may disagree, but for most accounts I think I balance my on-demand life well. It's easy to get zoned in on the blackberry when there is nothing else going on so it's important to develop ways to process all this information without letting it overtake you.

Twitter - When I'm at work, I have TweetDeck running on my laptop (I run two systems/three screens). It's segmented with columns for security people, local people, replies and direct messages. When I'm on hold, taking a break between tasks, eating a snack, etc.. I scroll through the posts to see what's up. I have Twitterberry on my phone and tend to scroll through tweets when I'm sitting in waiting rooms, stuck in traffic, or have a short amount of time with nothing pressing to do. The only alerts that I have routed to my phone (via SMS) are direct messages and specific RSS feeds made from hash tags I'm following closely.
When I post security related information, I try to keep it to interesting articles or breaking news- the kind of thing I'd find interesting or valuable if someone else posted it.
I use Twitpic a lot to post pictures I snap from my camera-phone. Most of these are either of my son, or interesting / funny things I see everyday.

Facebook - have the Facebook app installed on my blackberry and scroll through friends status messages in the same way as scroll through Twitter messages.
Since I use status messages for both professional and personal reasons, I use the Selective Twitter Status app to post to both when I want - by including "#fb" on the tweet.
I post mostly personal pics when I do, the kind that friends and family are interested in but am often surprised when a professional contact strikes up a conversation after seeing new pics.
I see Facebook as the great bridge between personal and professional life and a unique way to help enhance all my relationships.

LinkedIn - I set up my LinkedIn account in a way that would help define my professional career to people looking for information about me. I did list past employment positions, but not specific duties. You'll see many people set up their profiles just like an online resume. There is nothing wrong with that, but I just choose to keep it at the basics. If someone wants to know more about what I did in a job 15 years ago they can just ask me.

Media - I didn't get a chance to talk about the "media" part in the last segments, but I'll throw it in here for good measure. I use Picasa to share photos with both personal and professional contacts (setting up albums for specific reasons/groups) and Flickr for personal use. I use the entire Google online suite of apps for online sharing, collaboration and storage but that can be a series in itself.

To help keep up with everything,I use a lot of RSS feeds . Just about every social networking or media service provides RSS feeds, customized the way you want them. FriendFeed is the perfect social media aggregator that helps you keep up with all your friends' activities. You don't have to keep up with everyone all the time, but it's helpful to have something like FriendFeed set up with your contacts so you can use it when you want.

I recently made a FriendFeed group called Physical Security Online.
Maybe it's just me, but I believe that social networking should be an open format. You'd think that the security industry learned it's lesson with proprietary systems, but I see more and more industry specific social networks pop up. Using open services like Twitter, Facebook and LinkedIn help tie sister industries together and foster advancement and value for everyone. That doesn't happen with proprietary networks - and they make people have yet another service to stay on top of. There is nothing these closed networks can do that can't be done with the open ones. You can even have password protected groups (LinkedIn / Facebook), rooms (FriendFeed) and maintain control of the information that's public.
To me, these closed networks are either safe wading pools for people to start out in, or captive audiences for someone to cash-in on having a market segment use one service.
The Physical Security Online FriendFeed room is an open network aggragator. I run members' Twitter feeds into the group feed so there is one central RSS feed you can subscribe to and get all the groups updates. Members can post links of interest directly to the feed as well as comment on items posted by others. As an added bonus, the room is a directory of industry people and their social media accounts! You can read more about it here , and visit the room here. To join, just get your FriendFeed profile set up and add your services, than join the group.

Social Networking (and Media) for Security Professionals - Part Six - Feeds

2009-03-19T23:25:00.002-04:00

I probably should have talked about RSS Feeds before tossing the FriendFeed concept out there. Feeds themselves are everywhere, and have changed the way the web works. There's a chance you're already using them even if you don't realize it. Just about every customizable "home" or "start" page now gives you the ability to choose your content. That content is usually delivered to your page via RSS feeds.

RSS stands for Really Simple Syndication, and although it's simple overall - the possibilities are as complex as you want them to be. But basically, the RSS feed takes content from a static location (a website, blog, online photo or file storage, etc) and puts it in a form that can be subscribed to, and can be broadcast to all subscribers.

Before newspapers, you'd have to go to each source (author of each story) to get your information. Someone had the great idea to put all that information in one place, and deliver it to you every day. Can you imagine trying to keep up with situations or events by checking with every source, and then seeing a newspaper for the first time?

After that, it seems like a huge waste of time doing it the old way.

Just like now, going to websites is a huge waste of time.

So, from here you can take your feeds and have them routed to the interface of your choosing. (cut and paste the link URL) There are software feed readers, online feed readers, widgets and gadgets that can customize your content delivery in a way that works for you. I use multiple resources to get my RSS feeds that I keep up with because some of them are more important than others. Some of the content I monitor is important enough for me to be physically notified if there is something new or something that meets predetermined criteria. Other content that I care about is put in a place that i can easily go through, share with others and comment on.

Most web content is available in RSS form now. In fact, if you didn't already know about them you were probably wondering what that little orange square with the volume sign was supposed to mean. Just take a look at your favorite sites to find RSS links, not only the news sites and blogs but where ever you put your online pictures, files and just about everything else.

From a security prospective, I'd like to see access control, alarm monitoring and even video systems run RSS feeds along with their usual reporting output. That way, on the operational side you could easily take advantage of existing feed management services to get the information you need, where you need it and when. What would you rather do, install proprietary software on your Blackberry or use an existing feed reader service to handle your feeds? (don't worry - you can make RSS feeds secure with username/passwords)

FriendFeed is a service that takes all the RSS feeds published by your social networking and media sites, then aggregates them - publishing one combined feed. But that's not all, FriendFeed itself has become something of a social networking site because you can subscribe to other user's feeds through their interface. In fact, you can subscribe to a feed comprised of feeds, comprised of your friends' content. They even let you create "rooms" that can be shared with like-minded individuals. You can automatically publish feeds in that room if it fits the groups interests, or users can specifically add items the rest of the group would find interesting. That member list becomes a directory where you can find other members' other social networking account info.

That was the idea behind the Physical Security Online room in FriendFeed.

New Social Networking Directory for Security Professionals (FriendFeed)

2009-03-17T23:26:00.002-04:00

FriendFeed - Physical Security Online room

After making it to the fourth part of the Social Networking for Security Professionals series , it was clear that we needed some kind of directory. There is a pretty robust group of physical security pros that are now using social networking services, and it would be great to have a one-stop location to find them on each service.

I looked at Wikis, LinkedIn Groups, Facebook Groups and others, but I think in a lot of ways FriendFeed's Rooms feature was custom made for this kind of thing.

FriendFeed is a social media aggregator. Once you set up your account, and plug in all the social media accounts you want to share, it creates a custom "feed" for you. (Note: FriendFeed can handle almost EVERY kind of social media or network. You can have your FriendFeed include all your accounts, or just the ones you feel comfortable sharing. For instance, I share my Blog, Twitter, LinkedIn and a few others but I do not list my online photos (flickr , picasa ). ) For all intents and purposes, when we say "feed" we are referring to a RSS feed (which we will go into detail about in the next post of the series). But for our purposes now we can say that a feed is the best way to take a list of items (blog posts, tweets, status updates, posted pictures, etc) and make them available for use through other sites, services or readers. For instance, I join a lot of social networking sites that I'm not active in, and have no intention of interacting with on a daily basis. But since I can plug in the RSS feed for my blog, anyone checking out my profile at that networking site sees up to date information. I can just set it up and forget it.

What makes FriendFeed unique is that it takes all the feeds from your networks and puts them in one place. You can "friend" people just like the other networking sites but with FriendFeed, you're not just subscribing to one of their networks - you've got them all in one place. On your home page view, all your friend's feed items are posted in chronological order. Now, since many of us use services that post to multiple networks there is a lot of repetitive posts but that's normal. There are other services out there that do this kind of thing, but FriendFeed has been sort of established as the standard and in the most interoperable of the bunch.

And that's the key. Sure, we can make our own social networking sites 'till the cows come home but that would be one more network to keep up with instead of using existing networks and FriendFeed to tie it all together.

Essentially, you could just subscribe to that feed (your home view feed) in Google Reader or another feed reader and keep up with everyone across all their networks instead of one at a time. And with this Physical Security Online Room feed - you can do the same thing.

Friend Feed's Room feature is a way for like minded users to connect, share relevant information and network. We can have specific blogs or accounts post directly to that room list automatically or share specific things manually.

Right now - it's set up with the RTP PhySec blog posts to automatically run on the home feed, and the Twitter account for RTP PhySec which I run amber alert and other crime alerts through.

If you'd like your blog listed automatically, just let me know. You'll need to have a RSS feed for your blog - just get me that URL or point me to it and I'll add it.

You can also put a bookmarklet on your toolbar (or a bookmark) easily share things to that room.

When you're browsing online, and see something you'd like to share with the group you can hit that bookmark to pull up this interface:

You can choose which room to post the item to, what to call it and post a comment as well. For icing on the cake you can select an image to go with the post.

Once members of the room join up, we'll have the directory under the "members" tab. From there you can click on a member to go to their homepage (not filtered to that specific room) or their posts in the Physical Security Online room. Each members social networks are listed on their home page.

Social Networking (and Media) for Security Professionals - Part Four - LinkedIn

2009-03-16T20:49:00.004-04:00

As far as social networking sites go, I see LinkedIn as the professional hub of that universe. It may not end up being a part of your daily online life, but it should definitely serve as the constant foundation for anything business related you do online.

Think of it this way,

you may not be looking for a new job, or beating prospective clients' doors down, but in this day and age of due diligence you can bet you're being checked out. Especially in the security industry where it pays to make sure you know exactly who you are talking to in any professional exchange.

Listing details about yourself and your professional history are definitely the sore spots most security professionals have in using something like LinkedIn. We've been living under the view that we should keep information like that close to the chest, and reveal it only when necessary.

Yes, it's true, there is a certain vulnerability you expose by listing your professional history - but it's nothing you can't mitigate by carefully thinking through the extent of information you release and the context you put it in.

Overall, this contributes to my view that social networking can make the workplace and professional relationships more honest and transparent. This is beneficial to the reputable, honest professionals and an obstacle to the rest.

LinkedIn is set up like Facebook in a lot of ways - in fact - you can think of it as the Facebook of business. You enter information about yourself, and get linked to others you know or associate with. You have a home view that lets you see what all your contacts are up to, and you can interact through "Q&A", status messages, groups and other tools.

Getting started, you can post as much or as little information as you'd like to your profile. It's always a good idea (with any social networking site) to look around and get ideas from people you trust before you set up your profile completely (I probably should have mentioned that when I was talking about Facebook and Twitter).

Basically, your profile should be a thumbnail of your professional life. Someone reading your profile should be able to know about your experience, education and professional career. Some people post full-on resumes as profiles, not that I recommend that but I do suggest a brief overview.

LinkedIn gives you granular control of what you want listed on your profile, or how much information the general public can see on your "public profile".

Your "public profile" is what's visible to non-LinkedIn users or people outside your network. The way they figure out your network is anyone within 2 degrees of your contacts (a friend of a friend). To me, that's a good way to handle the basic privacy issues because it filters out people totally unrelated but still allows for some freedom in finding people you may not be directly associated with.

Also like Facebook, LinkedIn uses groups to help people with similar interests and professional fields communicate and collaborate. For instance, I belong to the ASIS International Group which has over 2,319 members. Through that group, members can ask and answer questions, post news stories (or blog posts) and even post and find jobs.

But unlike Facebook, LinkedIn gives you business related tools such as the ability to write a professional reference for someone or other members can write one for you. Some people use these like crazy and others rarely do - but the standard adage applies - you get what you receive (if you want recommendations, write them for other people). You can choose to display your references on your profile or not - even list the ones you write or not.

I use LinkedIn as my standard professional networking platform, not with almost daily interactions like Twitter or even weekly like Facebook. Although I could update my LinkedIn status along with the other two - I choose not to. Not that I have any specific reason, but I just don't see LinkedIn in that light for my own personal interactions with the service. I do look people up in LinkedIn after I meet them in conferences or other professional functions and ask them to join my network. And when I run into a situation where it would be helpful to talk to people from a specific industry, field or company it helps to look through your LinkedIn contacts.

There have been some valuable connections I've make through LinkedIn, but I'll be the first to admit I don't use all of it's tools. I think that it's the kind of thing that you should definitely join and set up for sustained use, then see where it takes you. One thing I recommend when you're setting your profile up is to use a picture. It used to be a little narcissistic to put a face shot on your resume, but that thinking is long gone. In fact, most serious job hunters have an online resume posted somewhere that's available to recruiters and LinkedIn works even better than that.

Most social and networking sites give you a way to easily direct people to your page/profile/account on their service. I didn't list this under Facebook or Twitter even though you can (click them to go there) - but I do talk about it for LinkedIn because it's a great idea to put this "badge" on your blog or website. It gives professional contacts a way to find out more about you and connect with you in more ways than they may originally think.

I've been looking into the best way for us all to share social network info with each other, and have the ability for everyone to update their own listings without resorting to a specific industry website. I checked out the groups in LinkedIn - but they don't have a very usable way for group members to add themselves to a list with categories for the different social networking accounts. Facebook has more enhanced group options but since some people would rather not use Facebook for professional networking that's out. This may end up being an open spreadsheet that I'd give members access to. If anyone has any ideas - let me know!

Here are some security professionals who use LinkedIn. There are many many more, but I only contacted specific people that I know use social networking. If you want to be added - let me know. Like I said above - soon I hope to have a more complete social networking matrix.

Brian Dean

Social Networking (and Media) for Security Professionals - Part Three - Twitter

2009-03-13T11:49:00.007-04:00

Hype is part of the online world, and Twitter has probably been hyped more than any social networking app in recent history. With a huge amount of buzz around it but a small amount of people who "get it", it was destined to be the next big thing that was (and still is) referenced in mainstream media as an example of new media that only the hip kids "get".

I hate that.

You've got to put all that hype and buzz to the side and look at Twitter for yourself to get anything out of it. And even then it's not the kind of thing that's easy to wrap your head around overnight.

One of the most repeated statements I hear about Twitter is; "at first, I thought it was pretty stupid - who cares about what I'm doing right now?" and that's exactly what I was thinking as well. But you have to think about why different groups of people may be interested in what you've got going on at any given time.

I'm not trying to write the comprehensive Twitter guide here, just documenting the same information I give my friends in the security industry when we talk about Twitter.

Friends

In a way, Twitter is about re-approaching your existing methods of communication and the ways you keep up with the people and things you care about. Currently, you have some idea what your friends are up to.

From talking on the phone to hanging out around the water cooler to email or chat, you already have SOME form of communication.

I don't know about you, but it's extremely difficult for me to take advantage of those forms of communication anymore. So - instead of each friend specifically reaching out to the other and having to replicate that effort with other friends, Twitter gives you another option.

You post what you'd like to share when it happens or when you can, and your friends receive that at a time that's convenient to them.

Professional

Just like Twitter changes the way you communicate with your friends, it can enhance the way your professional network interacts as well. Posting a quick observation on an industry topic is easy - and believe it or not people want to see it. I follow people that are movers and shakers in their respective industries and gain a lot of insight by browsing their posts. The key is to find people who either post information or are part of something that is of value to you.

I follow people from my own industry, sister industries and local industries that have nothing to do with my field. I've made valuable contacts through Twitter that would be impossible otherwise.

Local

The Raleigh - Durham area (Research Triangle Park) has a tremendous network of people who use Twitter. We've even got some folks that are superstars in the twitter-verse like @waynesutton.

In addition to all of that, there are innovative people who use Twitter among other things and come up with brilliant online ideas like 30Threads (@30THREADS ).

Use tools like the ones found on the TriangleTweetup website to search your regional area for useful groups, people and events.

Day to Day

Because Twitter is a very bare-bones concept, and relies on 3rd party apps to provide specific features that individuals want. You can spend months going through 3rd party apps to find ones that work for you, but I'll list the ones I use for you later in the post.

All the tweets (posts) from people you follow come to you in your friend's timeline in chronological order. This can be overwhelming to say the least, but your not expected to read every post. There is a way to make sure you know if someone wants you to see something specific by them putting the "@" symbol before your username. If they do that, the message will show up in your replies list. You can also filter out @/reply conversations between other people in your settings. If you want to see all replies - you see all conversations between your friends and whoever they reply to. You can choose to see only replies between friends you have or no replies at all (unless they are to you - then they go to your replies list).

Confused yet? It's not as bad as it seems.

There is also a way to share private messages with other users - if you put the letter "D" in front of the message it's treated as a direct message that only goes to the person you're sending it to. You can choose to have replies and direct messages sent to your email or even sent via SMS message to your phone. You can even choose to have specific people's tweets sent to your phone if you want, but I only recommend that in unique cases.

I usually end up posting things I find interesting, funny or could be of value to my contacts. My last three posts are about my 5 year old son walking around the house singing "Benny and the Jets" to himself, how PETA is trying to make Duke Medical Center stop serving meat to patients, and letting people know I posted last night's Part 2 of this series.

The same thing applies to all status messages - don't try to SELL products, ideas or anything else. You have to give your network value, either from a personal friendship level, professional or even valuable information about your regional area (traffic alerts, news alerts, etc).

There's nothing wrong with letting people know you have a new product, one of your products got an award, you have a new blog post or any other kind of self promotion as long as it's balanced with value and interesting to your network. But your network is also interested to know what problems you're facing as you are developing a new product or service, what you're working on and what kind of lessons you've learned in the process.

Big note here - as security industry people - everything we do online should be filtered in a way so we are not compromising our integrity. It's not cool to talk about a lunch meeting you are having with a perspective client in most cases or specifics about new technologies if there are intellectual property factors. You wouldn't want your lead engineer tweeting about how he's found a way to compress video that puts your company ahead of the pack right? Keep this kind of thing in mind and always remember that whatever you post in any kind of status message should be considered public information.

If your company supports the use of social networking and media - develop a policy to cover it and include the do's and do not's clearly. There are awesome benefits to using social networking but the dangers are very real as well.

Does some of this sound familiar? Tweets can be a lot like your FaceBook status messages, and there's no reason they can't be. There are many ways to broadcast your status message to multiple networks and I'll include my favorites in the next section.

Helper Services:

Here are some of the top reasons to use helper services for Twitter -

1. IM (or chat) style interface where you keep a little window up on your computer and see everyone's tweets.

2. Spellcheck

3. Easy icon based ways to reply to people (@), send them a direct message (D), Re-tweet their message (RT) - forwarding their tweet to your network

4. Shorten long URLs so that your posts stay under the character limit. - if you want to list a link to an article, blog post or other item the URL is usually pretty long, there are numerous services that take that link and shrink it down for you

5. Post to multiple status messages on multiple networks at the same time (same status message on Facebook, Twitter, LinkedIn, etc..)

Twirl is a nifty little app that gives you most of the features above

Tweetdeck does too - but also lets you make lists out of your network so you can organize the people you want to keep up with in categories(i.e. friends, professional, local)

Hellotxt and Ping.fm let you post to multiple networks at the same time

Bit.ly is my favorite URL shortener service - it tracks stats on your shortened URL use and even lets you post to Twitter from their page.

Selective Twitter Status is a way to update both your Twitter and FaceBook status just by using the "#fb" hashtag on your tweet.. what's that? I didn't get into hashtags yet? They are just a good way to track a topic because searching for the topic with the "#" symbol in front of it screens out the stuff you don't want.

You can find many others here

and here

Security Industry People On Twitter:

If I've missed you - let me know and I'll get an updated list out

@brachlin - Bret Rachlin

@BtheDean - Brian Dean

@CampusSecurity - Campus Security at Queen's University

@chelsiewoods - Chelsie Woods

@dremeda - Andres Armeda

@idmachines - Salvatore D'Agostino

@info4security - Anthony Hilderbrand

@RTPPhysec - This Blog's

@Sam_Pfeifle - Sam Pheifle

@SDNEditor - Rhianna Daniels

@shawnf - Shawn Flaugher (me)

@stevesurf - Steve Surfaro

@Steve_Hunt - Steve Hunt

@thesteverussell - Steve Russell

@trbuckley - Tom Buckley

Social Networking (and Media) for Security Professionals - Part Two - Facebook

2009-03-11T22:18:00.004-04:00

Introduction Continued

If you intend to use it or not, it's a good idea to join social networking sites just to "grab" your name. Social networking is all about branding yourself and believe it or not, there are people out there who try to "grab" user names for a number of reasons. If they think it would benefit their cause to spread misinformation - or even sell it to you if you want it bad enough. But mostly because you don't know if you'll end up wanting to use the service or not and it's better to stick with one user name across all services to avoid confusion. This - and many other things with social media may seem narcissistic at first but there are other reasons. In social media it's common for users to refer to one another by user names with the "@" symbol in front of it. This is because, on Twitter - it's how you let someone know you are talking to them or want them specifically to see your post or comment. If the system sees your user name with the "@" symbol in front, it labels it as a "reply" which you can set up alerts for or get forwarded to your email. Many people (myself included) set up google alerts for their user names with the "@" symbol in front of it to see when it's used anywhere online. That way - if someone comments on a flickr image, blog comment, or just about any other form and refers to you - you'll know.

In addition to the major networks I listed yesterday, there are many other helper services that make it easy to integrate social networks' features. When I say many - I mean a TON and when I say easy to integrate there are some more usable than others. I don't claim to know the best ones out there and different people like different features, but I'll try to include the helper services that apply to the networks as I go over them.

I've got some great feedback after yesterday's post and thank everyone who contacted me.

As I suspected, my security contacts gladly share their user names to some networks but would rather not broadcast others. Most of us have networks we use for more of one side of our lives than the other and it's tricky to balance it all. For instance, I gladly share my LinkedIn info with anyone who wants it but I'm a lot more selective with Facebook. So don't be surprised if there's not a long list (or any) security related Facebook users listed after that section.

Facebook:

I consider this one of the most influential social networking sites out there. Facebook has the power to reunite people with friends from the past - or unite people that have never met in more ways than ever before. But, it also has the power to let people find you and possibly peek into your life from afar who you'd rather not have anything to do with.

The great thing about Facebook when it comes to security is that it's set up in specific "networks". There are basic networks for regional users - but it's the specific company and school networks that bring the feature to life. For instance, you can join the Harvard University network if you have a "Harvard.edu" email address and can answer an email to that address to prove it.

Information that you share can be filtered to a very specific level - so you can share more personal information with your specific corporate or academic network and basic information with your regional network. But even with all this filtering, it's a good idea to be careful not to post information that can be used against you, and since you have no control over what some people may do with images you post - even if they are your friends - try not to have licence plate numbers, house numbers or other sensitive info included.

A feature from Facebook that's replicated across the board with other social networking sites is the home page concept. When you go to your home page, you see all the activity from the people you have "friend-ed" (to be a "friend" both of you must agree to "friend" each other).

Although there are a lot of fluff-apps available for Facebook, you don't have to participate in them if you don't want to and no-one holds it against you. For instance - a friend may "throw a snowball" at you and you can have a "snowball fight" if you agree to install that specific "snowball fight" app to your profile. Most of it is harmless fun.

Another Facebook feature that is a key part of most other social networks is the status message. You can update your status message with whatever you are doing or want your friends to know, and they see it whenever they go to their home page or browse friend's status messages over a mobile device. You can update your status message from anywhere, which makes it an ideal way to broadcast information to people you care about. This used by some to broadcast every detail of their life, some constantly use it as a sales tool. I suggest posting status messages that you think people who care about you would enjoy knowing or should know.

Personally, Facebook bridges the gap for me and encompasses both my personal and professional life. It's the fastest way for me to share things I think are important with the people I care about and I can easily filter who can see what. My personal friends have to put up with my status messages updated about the security industry and my professional friends have to put up with updates about my son, but if any of them get tired of it they can "see less" of my status updates on their home pages. But you'd be surprised how many times professional contacts grab me after meetings or stop by to talk about personal topics (from what they have seen on one of my status messages). Or even personal friends who find the professional information they get useful at some point in their career. Take note if you are in the market to develop business: If you manage to post professional info on your status messages without your friends tuning you out - eventually they will run across need for your services or know someone who they'd like to refer you to. I don't have to tell you that personal references sometimes net the best business relationships.

If you are involved in higher education or even high school education, Facebook is a must. But one word of caution on this and all social media - no-one likes someone that uses social media as an obvious sales tool with no personal interactions. That could mean selling a product - or an idea - no matter how important that idea is to you. Take note if you try to keep students safe: If you are constantly using Facebook to preach safety and security to students - you won't get very far. But if you provide useful security information to the students (or staff members) like crime alerts or post useful articles that they can visit it can be extremely effective. In fact - students have even expressed to me that they'd use a Facebook app that would give them crime alerts and let them submit reports of suspicious activity through Facebook. This already exists for some institutions with varying degrees of success. (Spotcrime , GMP Updates )

Wish there was a way to hype up your cause or business on Facebook without pissing everyone off? There is - "Pages" and "Groups" are there to let you get the word out and offer other users the availability to subscribe to updates you post to the "Page" or "Group" so they get your real time updates that way.

In conclusion, I definitely suggest using Facebook. Just be careful about it and proceed slowly, finding how it will work best for you. There's no harm in building a network of both personal and professional clients as long as you are not trying to use it to convince anyone of anything.

Helper Services:

Since the Status Message is such an integral part of social networking, many Helper Services have sprung up to help you post to multiple networks from one place. For instance, if you use Facebook, Twitter and other networks and would like to use the same status message to update each, you can use a service like Ping.fm or HelloTxt,

You can even filter messages based on network groups you set up. That way if you've got networks you use for personal or professional reasons only - you can update status messages for each group separately.

Social Networking (and Media) for Security Professionals - Part One

2009-03-10T21:17:00.003-04:00

There is an inherent conflict between physical security concepts and the basic theme of most social networking services. For the average user the conflict is minimal, but for security professionals it can feel almost unnatural to share information about ourselves in that kind of medium.

Facebook, LinkedIn, Twitter and other services are amazing tools for social and professional networking. But, like most tools the benefit you get out of them has a lot to do with what you put into them. That includes a degree of personal information, and for many - an uncomfortable trip into the uncharted waters between your personal and professional life.

In a lot of ways, this is the same difficult learning process people over the age of 30 are going through as "friend lists" start shifting from mostly personal relationships and a few professional friends to a more balanced mix of personal and professional contacts. At some point, they have to find the happy medium where they can get the valuable benefits of being candid - without risking safety or professional status.

Looking at this from a global perspective, I think social media, networking and Web 2.0 in general could bring about an important change in the corporate landscape. People will learn how to fuse professional and personal relationships in ways that were unheard of before. The end result should be refreshing honesty and candor bleeding into what most people consider a huge rift between the two worlds.

In the security field, we are constantly warning people about publishing sensitive information that can be used against them. We've all seen cases of cyber-stalking and harassment but worry about more serious crimes against our clients/staff/friends. Of course there are security features available and privacy partitions between what you'd like to be public and private information. But since most people don't understand how these things work, they are not always used property - and sometimes not at all.

I've pulled together some observations on a few of the popular mediums. Being a shade-tree sociologist and old-school technology geek I've checked into many of the services out there. Being a security professional, I've applied that point of view to hopefully come up with information that's useful to other security professionals. Starting with Facebook, I soon realized there is no way to cover everything in one post (at least one that can be absorbed in one sitting). So, this will be a multi-part piece so I can focus on each piece and drill down on the good stuff. It also gives readers a chance to chime in with any thoughts or requests for specific networks or services.

And as a bonus, I've reached out to my contacts in the security industry who participate in social media to ask if they would mind if I listed their accounts as part of this total series. Hopefully, after I cover a service I will be able to list some security professionals who use it as well. If you'd like to be listed, let me know.

If all goes well, it should look like this:

Part #2 - Facebook and Myspace

Part #3 - Twitter

Part #4 - LinkedIn

Part #5 - Social Media and Cloud Computing

Another Activist Firebombing, UCLA Stepping Up Protection

2009-03-10T11:00:00.002-04:00

On the heels of some significant progress, we are reminded that the danger is still out there.

Just a few weeks ago, activists were arrested for their roles in incidents against UC Berkeley and UC Santa Cruz researchers.

Just a few days ago (March 7th), a vehicle owned by a UCLA professor and neuroscientist was firebombed outside his residence. There were no injuries reported, but the Animal Liberation Front (ALF) calmed responsibility for the attack on their website March 7th.

The LA Times is reporting that a Joint Terrorism Task Force will be investigating the incident, made up of the FBI, LAPD, LAFD, UCPD and the ATF.

I'm hoping that the momentum started by the February arrests is used to swiftly investigate last weekend's firebombing and the responsible parties are arrested.

UCLA is offering a $25,000 reward for information leading to the arrest an conviction of anyone involved, that brings the combined total to $445,000 (including funds put up by others in the joint task force).

That is a great measure by the university, and certainly helps to bring information in - but I'm also relieved to hear of other measures the school is putting in place as well.

The Daily Bruin is reporting that the increased protective measures include the UCPD organizing patrols in the neighborhoods of targeted researchers, security officers placed at some of the researchers' homes and enhanced security systems. Just to be clear, that article was published on the 2nd and this most recent firebombing occurred on the 7th.

A lot of educational institutions are slow to take these kinds of steps because it's difficult to standardize as-needed protection. Universities can make a lot of enemies for many different reasons, especially if they promote ground breaking research or support controversial ideas.

In a perfect world, the dangers faced by researchers, professors and other fixtures of higher education would be mitigated across the board by comprehensive security policies and protective measures. But unfortunately, the higher education environment is usually ultra sensitive to any security measure, and is easily frustrated with what they see as roadblocks to the free exchange of thought and ideas.

It's the terrible nature of our profession, to sometimes only see progress and support for what we recommend in the wake of tragedy. It took shootings like the Virgina Tech and Columbine for many people to take the active shooter threat seriously, and although the dangers faced by researchers is a much more specific case all-together, a lot of the same obstacles to progress apply. I applaud the UCLA administration for taking these steps.

The Usual Suspects

2009-03-04T10:56:00.000-05:00

It's common for me to talk to clinical staff about how they handle unauthorized access to their wards. Unfortunately, one of the most common phrases I hear is: "we question anyone who looks out of place".

Now granted - you should approach people who look out of place, but clinical staff members need to understand how dangerously inadequate that line of thinking is.

Case in point? - The recent infant abduction in Santa Barbara.

Turns out that the abductor was dressed like a nurse, or nursing student and fit very well into what anyone would expect a normal staff member to look like. The infant's mother even handed the child over to the abductor - thinking there was nothing out of the ordinary.

Leianna Arzate is the suspect in question, and to me - would not raise any eyebrows whatsoever in a pediatric ward, especially if she was dressed like a nurse.

I'm not familiar with how the Santa Barbara Cottage Hospital handles security policy and procedure, but there are a few no-brainer ways to significantly mitigate the threat of infant abductions and help staff members keep tabs on who is where in the wards.

Visible ID badges should be a standard in any clinical environment. They allow anyone to quickly verify someone's name/image/title and other information just by looking at an ID badge displayed over waist level.

Color coded ID holders, scrubs or other items of equipment are a great way to help staff sort out who is who quickly. You can give your pediatric staff one unique style of scrubs (that can't be found "off the shelf") and make it difficult for someone to look just like everyone else. You can also issue ID lanyards of a specific color or style for the same reason. With a little creativity you can come up with a system that's difficult for an outsider to detect but still effective for staff members to use everyday.

It should go without saying - but a strong visitor access control policy should be the cornerstone of any security plan in this environment. If you're controlling entry to the space, categorizing visitors and making them easy to identify - you're setting the groundwork for every other tool that can be added or tweaked to achieve the best fit for your staff.

Just skimming the surface here, but I felt it would be a good thing to share. I'm always writing / working on this kind of topic so feel free to let me know if it's something you'd like to see more of.

Four Arrested, Suspected in Attacks of UC Researchers

2009-02-21T14:27:00.001-05:00

Whenever I get messages from Americans for Medical Progress (AMP), I start to cringe. Don't get me wrong, I fully support the AMP and would count them among the few organizations / associations that I truly value my relationship with.
That being said - whenever I get a message from them around 7am on a Saturday - I know it's not the weekly newsletter.

On occasion the news is good - as in this morning's message about how Mercury News is reporting the apprehension of four individuals in connection with recent attacks on researchers.

Here's an overview of information leading up to this point:

The arrests stem from a series of threatening incidents beginning in October 2007:

On Sunday, October 21, 2007 a group of approximately twenty people, including Mr. Buddenberg, Mr. Pope, and Ms. Stumpo, demonstrated outside a University of California Berkeley professor’s personal residence in El Cerrito, California. The group, some wearing bandanas to hide their faces, trespassed on his front yard, chanted slogans, and accused him of being a murderer because of his use of animals in research. The professor told police he was afraid, and felt harassed and intimidated by the extremists.

On Sunday, January 27, 2008, a group of approximately eleven individuals, including Mr. Buddenberg, Mr. Pope, Ms. Stumpo, and Ms. Khajavi, demonstrated outside the private residences of several University of California Berkeley researchers over the course of the day. At each residence, extremists dressed generally in all black clothing and wearing bandanas to hide their faces marched, chanted, and chalked defamatory comments on the public sidewalks in front of the residences. One of the researchers informed authorities he had been previously harassed and the incident had caused him to fear for his health and safety.

On February 24, 2008, five to six individuals including Mr. Pope, Ms. Stumpo, and Ms. Khajavi, attempted to forcibly enter the private home of a University of California researcher in Santa Cruz. When her husband opened the door, a struggle ensued and he was hit by an object. As the individuals fled, one yelled, “We’re gonna get you.” The professor and her husband both told the FBI they were terrified by the incident.

On July 29, 2008, a stack of flyers titled "Murderers and torturers alive & well in Santa Cruz July 2008 edition" was found at the Café Pergolesi in Santa Cruz. The fliers listed the names, addresses, and telephone numbers of several University of California researchers and stated “animal abusers everywhere beware we know where you live we know where you work we will never back down until you end your abuse.” The investigation connected Mr. Buddenberg, Mr. Pope, and Ms. Stumpo to the production and distribution of the fliers. Distribution of the fliers preceded two firebomb attacks outside researchers’ Santa Cruz homes, both of which are still under investigation by the FBI.

The Animal Enterprise Terrorism Act (Title 18 U.S.C. § 43) states that whoever uses or causes to be used any facility of interstate commerce for the purpose of damaging or interfering with the operations of an animal enterprise, and in connection with such purpose, intentionally places a person in reasonable fear of death or serious bodily injury to that person or an immediate family member, or conspires or attempts to do so, by a course of conduct involving threats, acts of vandalism, property damage, criminal trespass, harassment, or intimidation, shall be imprisoned for not more than five years.

Simplicity

2009-02-03T21:32:00.001-05:00

In the middle of all this technology - it's refreshing to see a simple, low tech solution to a major problem.

Sliding glass doors are common in apartments, so it's no surprise to see them as part of residential living spaces on college campuses that are modeled after apartment complexes.

But unfortunately, students have a hard time making sure they are secure when they leave - or go to bed at night.

To make matters worse, older door frames and track systems make it pretty easy to lift the sliding glass panel off the track - even if there's something in place to prevent the door from opening.

You could spend a huge chunk of money replacing the door tracks, or, if you're lucky enough to have a gifted facilities group - you can spend under a dollar each.

Today I checked out a proposed solution to that problem. A washer screwed into the top part of the door that prevents it from being raised any higher then the side of the washer protrudes from the door's edge.

Who's Going to Answer the Call?

2008-12-07T01:14:00.002-05:00

I skimmed the surface of Help Phone use a few weeks back. Since then, I've had to dive into a few more specific issues that I think may be beneficial to share.

Aside from the issues you have to wrestle with when it comes to ADA compliance, equipment maintenance/testing and proper deployment - the single largest factor to success I think is your monitoring and response set-up. This can be as simple as ringing to your security console or dispatch (if you're lucky enough to have one) or it could be as complicated as contract alarm monitoring with cascading ring-down plans.

With Help Phones, you are giving everyone in physical proximity the option to interact with the device and communicate directly

with someone who should be able to help them if it's needed. If you've got a security operations center that monitors these phones, you already have a good base to make sure you can handle the phones successfully. Problems grow quickly once you try to use Help Phones in public spaces that are monitored by municipal police departments, 911 call centers, operators or security monitoring companies. That is - if you can get the municipal agencies to monitor them in the first place.

On one hand, they are just like a pay phone. Even though you don't see pay phones much anymore, at one time they were thrown across the landscape and all of them dialed 911 without requiring payment. That is exactly why I'm confused by the way I'm seeing 911 call centers stonewall the idea of monitoring Help Phones. I know it's been a few years since pay phones were everywhere, but I can't imagine the call center's configuration changing that drastically. With the increase in new technologies such as VoIP and GIS integration - I know analog systems are getting dusty but they should still work. In the meantime, when we are waiting for municipal 911 centers to decide if they will accept help phones there are handfuls of parking garages, lots and jogging trails who's help phones are covered up with plastic bags.

I think most security practitioners assumed it was a given for the municipal 911 centers to monitor the phones based on historical use of pay phones. Conflicts in technology are always possible (and that's what is referenced for this post ) - but it's fairly easy to overcome that problem so I can't buy that as an excuse. I just think the call centers are falling into the same "municipal thinking process" that's all too familiar.

Solution? Hopefully call centers get on board quickly. In my mind they should be looking past voice communication technology anyway and start looking into SMS, Text Messaging, Twitter and other communication methods as the next level so this should be old news.

But - if I were in the security monitoring business I'd definitely look into providing Help Phone monitoring services. It's not the best solution, but if you've got solid methods of coordination with local law enforcement and security forces there should be no reason it can't be done.

Healthcare Security Roundtable

2008-12-04T14:36:00.002-05:00

Security Magazine and SDM (both products of BNP Media) published their "Solutions by Market" segment last month on healthcare security. I was part of the roundtable discussion that was used for The Best Medicine article.

All and all, I think many good topics were covered. If you are involved in healthcare security I'd definitely check it out. They did cut out a few chunks of my statements in the written article which I think make me sound a bit on the rambling / mumbling side but I've been butchered much more in the past!

Big thanks to everyone who's contacted me with comments and congratulatory wishes - I enjoy participating in things like this when I hear that it's useful to others.

The Dipshit Factor

2008-12-02T20:43:00.000-05:00

Even though last weeks botched attempt to firebomb a UCLA researcher's vehicle barely made headlines, I think it's worth looking at.

Botched attempts are nothing new, and there are numerous reasons activists get it wrong- ranging from bad information to pure incompetence. And you can bet that as soon as it's reported that they made a mistake, they accuse the targeted organization of lying. But I think I was a little surprised at the nature of the group claiming responsibility and the language they used in their "communique".

"Students and Workers for the Liberation of UCLA Primate Center" sounds like a respectable enough organization on the surface. Names like that give the general public the impression that the activists are legitimate crusaders for a valid cause. But when you mix reckless destruction in the name of activism with inexperience and incompetence it's a disaster waiting to happen. I think this is a perfect example of how faulty the thinking is behind these groups and illustrates how some of the people who scream about researchers with irresponsible practices are even more irresponsible themselves.

My point in all this has a lot less to do with the right and wrong behind the topic - and a lot more to do with reminding people to consider the "dipshit factor".

On The Topic of Emergency Phones

2008-11-22T00:15:00.004-05:00

On the surface, it's pretty straightforward.

Emergency phone is mounted in a parking lot, if someone needs it - they press a button and talk to the security staff inside. If they don't say anything, security checks out the area with cameras or sends a patrol to investigate.

But when you look more closely at emergency phones, you can soon get lost in a maze of confusing topics. They are expensive, difficult to install correctly (to ADA standards) and can be huge liabilities if they are not working.

Even though you'd probably be surprised how seldom emergency phones are used, they remain a constant fixture around schools, hospitals and large corporate campuses. I've taken a close look at statistics over the last few years, and it's amazing how many times people who need help walk or run past help phones and end up calling the police on their cell phone later.

Yet - just try suggesting that you remove the emergency phones - or deny a frightened staff member (or student's) request to add one to that dark corner of the parking lot and you're in for a fight. People like safety nets, but the amazing thing about emergency phones is that as safety nets will catch you when falling - you have no choice. You have a choice with the emergency phone, and most people choose not to use them. I think the reason people care so much about them is a combination of:

A: a lack of self awareness and general unfamiliarity with how they would respond to that kind of situation

B: the desire to make sure fellow staff members are safe and have a means to ask for help if they need it

Here are a few things to consider when it comes to emergency phones:

Are you using them the same way, consistently across your property or just putting them where people say they need them?
Are they ADA compliant? (not just the equipment, but the mounting - base - etc..)
Who answers them? It should NOT be a staff operator or maintenance section. Instant communication with security or police is needed.
It's also risky to have them answered at a remote central station unless a robust communication and response plan is developed.
Who responds to them? How do they know which phone to respond to if the person can't or won't talk?
How are they being tested and maintained?
Are you training your people to use them if they need help?

2 Great Articles

2008-11-13T22:45:00.001-05:00

After what seems like a very long time without seeing many interesting stories in the industry media - out of the blue I've come across two this week that I think deserve mention.

Michael Conn has a piece in the LA Times where he uses that mainstream vehicle to deliver some stern words against animal rights activists who resort to violence and terrorist tactics.
His book goes much further into the topic but I think this article does a great job of getting the point across.

And our friend Steve Hunt is interviewed in Networkworld.com
It's refreshing to hear someone as passionate about the future of the industry as Steve is. I think he's spot on about how the large physical security providers are out of touch with the end users - and how most integrators are just fueling the problem by basically taking orders for equipment and bolting it in. The only thing I'd like to add to that assessment is how the problem is compounded by the flood of sales reps jumping off the IT market ship on to the physical security barge.

I've been away from writing too long myself because of workload issues but I'm trying to get back into the swing of things.

Product and Service Highlights from ASIS

2008-09-23T21:13:00.004-04:00

Nothing that I would consider earth-shattering from this year's ASIS conference, but there were some impressive showings:

First off -

I've always been a big fan on Smiths Detection - especially the x-ray machines. But they have fitted trucks now with the technology they are famous for- so now you can drive up to vehicles, containers, or just about anything and scan it. Of course there are legal and privacy considerations but if you are screening large items / vehicles in multiple locations and need a highly mobile solution - check them out.
(PS - it's very expensive)

They also carry some slick portable explosive detection units

Sagem Morpho continues to impress in the biometrics market.
I think people are starting to realize that if you're ready to grow out of your first generation of biometric solutions, you need to graduate to the next level of technology and Sagen Morpho will be waiting for you.

HID is pushing the total identity and logical access angle pretty hard now, and with their Omnikey line (and others) - they are on the right track.

Imagine using your iClass card to gain access to your parking garage, building and then computer. For users of shared workspaces (clinical, etc) this is a great option.

The naviGO server keeps it all running and they have a nifty tag line as well "Just as you do not expect your employees to become locksmiths to open a door, they should not need to become security experts to authenticate to computer systems".

I won't even get into the edge devices HID have released recently - that deserves it's own post.

How many integrators did you see represent the way Niscayah did? I think they are just what the industry needs. It seems like all the global providers are married to a specific system or product line. If they are totally independent - more often than not they are only one or two branch locations covering a region.

Securitas gobbled up all the winning integrators they could at first, bundled everyone into "Securitas Systems" and now they have broken free and become their own company. You get local service - backed by hundreds of experts around the globe. If you are running into a problem, chances are they have a project manager who has recently run into the same thing and can help. Niscayah can draw on that experience base as well as leverage their size in the product pricing game. They have recently started offering managed systems hosted offsite (access control, video, intrusion, etc..) very smart.

Now, I have first hand experience with some of these products/services but my experience with others is limited to the ASIS trade floor. The newer products I've mentioned here look to be winners, but until I'm able to demo them myself (wink wink - nudge nudge) I'll reserve whatever seal of approval I can offer. Feel free to let me know if you have any feedback on anything listed! I understand that you may not want to use the comment section below but I'd like to share your experiences - even anonymously.