Up next in 10
The Challenges of Government and Industry Facility Security
139 views
Apr 24, 2025
In this webcast, Defense News and industry experts examined the challenges of surveillance, situational awareness, rapid response in a crisis, and more.
View Video Transcript
0:00
You know that tower with cameras and the flashing lights in the parking lot of your local store
0:09
Yeah, we make that. And the technology needed to reduce crime and increase safety in your community
0:15
In fact, it's made right here in the great state of Utah. We're LVT
0:20
And the thousands of units we've deployed across the country are helping businesses increase life safety and security for their employees, customers, and communities
0:29
see it in action at lvt.com good afternoon i'm casey loffman senior editor for defense news thank you for joining us for today's
0:41
webcast the challenges of government and defense industry facility security this webcast is sponsored by liveview technologies before we get started a couple of housekeeping
0:50
items first this webcast will be recorded and archived on defensenews.com second if you would
0:56
like to ask a question during the webcast click the ask a question button on your screen and we
1:00
will get to as many as time permits my guests today are mary rose mccaffrey and charlie phelan
1:06
mary rose mccaffrey is former director of security for the cia and former vice president of security
1:11
for northrop grumman she has also held senior security positions across the intelligence community
1:16
department of defense and other government agencies she is a member of the board of
1:20
advisors for the council on intelligence issues and is the president of the cigna society a cia
1:26
retiree association. Charlie Phelan is the principal of CS Phelan and Associates. He has
1:32
more than five decades of security experience in both government and industry, including serving as
1:36
the first director of the defense counterintelligence and security agency and director of the national
1:41
background investigations bureau. He also held several other senior security roles in the
1:46
government and is former vice president of corporate security for Northrop Grumman. Mary
1:50
Rose, Charlie, thank you for joining me today. We're glad to be here. Happy to be here. Thank you
1:57
Let's go ahead and get started. And Mary Rose, I'm going to direct this first question to you
2:00
but then I also want to hear from Charlie on it. And one of the big challenges of defense and
2:06
defense and defense industry facility security is compliance requirements. And with those
2:10
requirements continually evolving, what are some things that security leaders should look for when
2:15
they're planning to make sure their security programs are prepared to meet future requirements
2:19
Thank you, Casey. So security leaders need to look for a number of things, but first they need to understand what their security requirements are. So requirements come in many forms. From a security standpoint, it depends upon the customer, and the customer usually has a set of requirements
2:38
You have internal requirements in terms of company requirements, building requirements, and programmatic requirements
2:47
And these requirements require the security leader to understand what those things are and what the why is for the corporation so that they make a business value to the corporation
2:58
And then in the why of that scenario, they can further inform and articulate to their leadership the value of the expense they're about to spend
3:10
In that scenario, it is all driven based upon the risk and the threat
3:16
And so although the requirements are the guidance, the risk and the threat may either raise or lower those requirements
3:24
And in each of these requirements, they have to understand before they actually write a word of a plan what their customer wants, what their customer needs, what their company needs, and how they are going to execute in what period of time
3:39
So, Charlie, you had some additional thoughts on that. Sure. Mayor Ristek, to follow on that point, articulating the why is fundamental, and it's often overlooked in the rush to comply with the regulations
3:51
It's important to understand why the customer established these rules, and two reasons lead to this, I think, as you pointed out
3:58
It is easier to explain to your boss why you need to either expand or create from new countermeasures
4:05
And even more importantly, as you are developing that countermeasures program, it gives you a better sense of what the possibilities might be if you understand precisely what it is that is causing this threat and elevating this risk
4:15
It's important to keep in mind that the threat scenarios that drive these risks are sometimes old, sometimes new, and constantly evolving
4:24
To the point, the old attack scenarios don't just go away when new attack scenarios appear
4:30
If you look back at trying to build embassies overseas in, say, Moscow in the 1970s
4:37
the same challenge to protecting that construction site exists today when trying to build a construction
4:43
build a new embassy someplace else in the world here. Secondly, if you look at a crowd gathering and what that might mean in front of the embassy in Tehran in 1975
4:54
how would that have matched with the crowd gathering in front of the consulate in Benghazi 40 years later
5:03
All of this is important to keep in mind that these problems just don't go away here
5:07
So last point on this thing, really, in order to understand this environment and this countermeasure, it is really important to build communications with your customers and, more importantly, with others in your business area here
5:19
There's many examples in the government and industry ecosystem about this thing
5:23
an interesting but very true fact. The CEOs of the various companies in this business
5:31
frankly, in any business area, don't go around sharing their proprietary and corporate strategies openly
5:36
with their counterparts, with their competimates, I guess. But when you get into the security community
5:44
my experience has been over those 50 years is that the security community is more than welcome
5:50
more than willing to share threat and risk information across that spectrum because we all understand and have understood for a long, long
5:57
time that we are all suffering from and subject to the same level of threats and same kind of
6:04
attack scenarios. And we all have to assume the same level of risk. So we're in this together
6:08
and the communications is absolutely important. And Charlie, that's a really interesting point
6:13
you made there at the end that I'd like to follow up on, which is, you know, company A and company
6:17
may be competitors, so their CEOs would never dream of sharing information. But the security
6:23
people talk. This is a close-knit community, and it really is a common good type of thing, isn't it
6:29
Absolutely. And I think it's very, very important to find those outlets to build those relationships
6:34
It's not just a one-on-one pick up the phone and call somebody or try to hit them on a LinkedIn
6:38
app or something. It is really attending the various organizational elements that have been
6:44
set up and functioning for several years, whether it's ASIS or NCMS or AIA, NDI, the support
6:52
communities, have sessions annually or biannually where you can get together and meet people and
6:58
build those relationships and make them very, very strong. And I will tell you, there are people that
7:02
I've been working with literally for this 50 years that I'm still working with today because of those
7:06
relationships. And one of the other things there, Casey, from a standpoint of the relationships
7:11
Many in the federal space often meet monthly. It's a small group of people, and they grew up together, and they're now leading organizations
7:20
and they meet monthly. And their industry colleagues do the same thing
7:24
So this is one of those things where team sports there no I in team And security professionals you know one threat is a threat to all Okay
7:35
And then we actually just had an audience question pop in that I think is great, given how you started off talking about the customers
7:41
So, Mary Rose, I'm going to start with you, but then I want to hear from Charlie. It's a real simple question. Is the customer always right
7:48
Well, the customer is always right in the statement of the question
7:53
That goes back to the relationships. So the customer is articulating to a business that I want you to build X
8:02
And in today's environment, those are either NISPOM requirements or ICD-705 requirements
8:07
And that customer is giving that partner information based upon something they know, something they've been told, or something they're just parroting out of a book
8:18
It is then responsible for the relationship to articulate what I would call common ground
8:26
So all of us have had customers who say, I want the Cadillac when what they really need for the threat of the environment is the Chevy
8:35
And so it is a constant negotiation. Security is not a one and done
8:41
It is not a just because I told you so. And oftentimes, particularly if it's a new customer, they're nervous
8:48
And so they're going to follow the book rules. And so it is often incumbent upon the industry partner to help the customer be successful without saying you're wrong
8:59
And to add to that, Mary Rose, it's as you pointed out in introducing us, Casey, we've had some time as the customer in these roles
9:10
And one of the lessons I know I learned and I'm pretty sure Mary Rose has learned is to shut up and listen to the people that we are giving this instruction to when they come back and ask us, does this really make any sense
9:21
Or they have inputs to how we think about some of these countermeasures and make this an iterative possession rather than just simply something being thrown down from the top of a mountain somewhere in the Middle East
9:30
Yeah, one of the things that a wise old mentor once told me is, and I was young in this business, and it was one of those things, Charlie, where they said, you know what, you're the customer, but your job is to go and listen to industry, because industry is that which builds everything
9:48
And we drive requirements, but they actually help us get to success
9:53
Because the last time I looked in Washington, D.C., they don't bend metal
9:58
They don't build aircraft. They don't build software. That is a partnership with industry
10:03
And the more you understand that, the more successful both parties are
10:08
Right. That's a great point. You can define all the requirements that you want. But if it's impossible for industry to meet those requirements, well, then you're out of luck, aren't you
10:17
Correct. Well, industry is going to say thank you, but no thank you. Right
10:21
Okay. And then, you know, Mary Rose, we talked about compliance, and I have a question about that, you know, as you go forward
10:29
You know, you have your plans in place. You meet your compliance requirements to start
10:34
But then once you're in that ongoing operations phase, how do you make sure that you're remaining in compliance
10:39
What are some of those key warning signs to say, hey, we might have a compliance issue here, and then how can you address that
10:45
So this is always my favorite part of the business. So everybody loves the new shiny objects. You know, they build a beautiful new facility and they have beautiful new spaces. And then a year later, no one's tested alarms. No one's tested, you know, the sensors. No one's tested, you know, with any periodicity
11:08
So operations and maintenance, one, you have to do it with regularity
11:12
You know, there are government requirements for annual assessments. There are testing requirements for sensors, alarms on a 30-day basis
11:20
The key is you have to depend upon the people running your security programs to actually do that job
11:27
So your job from an O&M standpoint is to, one, understand are they doing that
11:33
Two, do they understand why they're doing that? And three, when you have what we used to call in the business a nuisance alarm, are you discounting it or are you actually investigating it
11:45
And if you are discounting it, that could lead you down a path that leads you to compliance failure
11:51
And so think of a huge campus on, you know, a big campus or a big defense installation
11:58
You know, you could have one sensor on a fence that isn't working
12:02
But if you have 10 sensors you're ignoring, you have a vulnerability that your customer is going to find
12:09
And it is always better to be forthright and tell your customer you have a problem and then come about a common solution to fix that problem versus your customer coming in
12:20
And we have all been in this situation where your customer comes in and says, you are unsatisfactory and we're going to give you a 90-day remediation to correct your behaviors
12:31
But it becomes, again, security is everyone's responsibility, not only the practitioners, but the programmatic people
12:39
If your program says, security, you just stay in the background, leave us alone, that's never going to work well
12:45
So I have always found that it is a team sport and it is everyone's responsibility
12:50
And it is always better when you have legions of people working for you to have them understand the why
12:59
and when they tell you they have a problem, don't shoot the messenger
13:04
I know lots of people who have been shot along the years, myself included
13:09
At the end of the day, you can only fix what you know. And if you pretend you don't know it, you're going to have a bigger problem at the back end
13:15
Yeah. And to add to that, Casey, again, don't wait for an external review to review your security program
13:23
like waiting for the U.S. government to show up. You've got to periodically test, review on your own the barriers
13:29
The sensors, the communications, ultimately the people who are going to be monitoring and those who are going to be responding to an event
13:38
I think you mentioned this, Mary Rose, follow-up on the causes of false alarms
13:43
They can be very, very annoying, but more to the point, they can and will diminish the attention span of the people and, frankly, the equipment that is monitoring it
13:52
And more importantly, start damaging the credibility of the intrusion detection systems and programming that you've put in place here
13:59
On the other hand, if you get no alarms, if there's no alarm events, is that a good thing
14:03
I would say not necessarily. So test them to make sure they're working and they will pick up the intruders as well
14:09
There's a constant theme you're going to hear throughout all this. It's deter, detect, deny
14:14
And I would add from my earlier days doing some law enforcement stuff, capture. You need to be on your game in all of these areas
14:21
Well, and the other thing, Casey, I would just add to Charlie's point is a security professional and a program professional can never rest on their laurels
14:30
The reality is there are always new technologies. There are always new sensors
14:34
And there are always programmatics of the why. Because at the end of the day, we all know because we all have technology, it breaks
14:42
It doesn't work as well as we want it to. There's something new and shiny
14:47
and you may not be able to buy it all, but do you have a plan that you could buy a piece of it
14:52
And just keep moving forward You cannot rest on your laurels Right and you mentioned something really important there which is the importance of understanding or responding to false alarms
15:06
I'm sure every security professional has a story that goes something along the lines
15:11
of, well, somebody was propping open a door because it was easier and the alarm kept going
15:16
off and it got ignored. And then one day it was a big problem. So it's really about instilling that culture of, hey, if we're getting regular false alarms
15:24
the solution is to figure out why and how we can prevent them as opposed to ignoring them, right
15:30
Right. Exactly. Okay. And then, Charlie, I want to start with you on this question
15:36
We've talked a little bit about this, about bridging the gap between legacy systems and new technology
15:44
And a lot of times it's one of those things where, hey, we have this old system, but it still works
15:48
But you need to implement some sort of new technology to give you a capability you didn't have before
15:54
So how can you bridge that gap so that you have your legacy systems and your new systems
15:58
and they're actually working together and sharing information the way you need to? Great. So that's a good question
16:03
And we all have to keep abreast of both the technical changes and the policy changes that's going to affect our existing
16:10
and our near and long-term future security system strategy here. I said earlier that old doesn't go away, but I really want to emphasize that new threats
16:19
new evolving threats, and new approaches to how to identify those and deal with them
16:24
are absolutely critical in understanding how that is evolving. It goes back to a great deal to my point about establishing the relationships
16:32
with both the customers and with your colleagues, because collectively you will see this coming a lot faster
16:40
But starting from the beginning again on this, you need to assume the need to reinvest or maybe even reinvent
16:45
and build upgrade costs into your security program. and you're going to have to build that into your O&M costs, maybe even some investment piece here
16:55
You can't just go to the boss and go to the company and say, give me some more funding. You need a plan
17:00
And from my experience, it is you need to make that case
17:04
You need to make that case playing it as straight as you can. You don't want the boss to come back and say, why are you telling me this
17:11
You think the sky is falling or something? Unless the sky actually is falling
17:15
Rarely is that the case. You're really projecting out into the future if you're doing this correctly here
17:19
And it is important to have that ability to approach the leadership directly and be able to tell them concisely and fairly, here's what we have to deal with
17:30
Here's what the possibilities look like. And here's where this technology is going. And come up with a plan to get ahead to this
17:38
So, Casey, I would just jump onto that because bridging legacy systems has been a challenge for as long as forever
17:47
The reality is, particularly in the last 20 years, technology continues to move at the speed of light
17:57
And oftentimes, people believe that I can just do it as I built my facility
18:05
And much like a program, nobody ever buys just a single aircraft
18:09
They buy a lot of aircraft. And nobody ever builds just one satellite
18:15
They buy a lot of satellites. And the reality is, is from the beginning, security professionals should be part of the programmatics, not only for secure space requirements, secure network requirements, evolving technologies, that example of the door prop
18:32
Think about, you know, in days past, those used to be vault doors that if you propped them open, you actually killed the compliance because you destroyed the rubber stripping on the bottom
18:50
So then company ABC was no longer in compliance. So you've got to continue to bridge the knowledge of where's the program going so that you can anticipate the needs, anticipate the technology
19:02
So if there's an expansion to a program, let's try new technologies in that environment
19:07
And if you have a multi-year plan, then your leaders are going to be much more willing to say, okay, this new space, we're going to put this new technology in
19:16
And then Charlie will cover it a little bit later, but the integration of old and new is a constant question that security professionals always have to ask themselves
19:27
And to your point about bridging technologies is also bridging policies as they evolve
19:33
Correct. Right. Yeah, that's a β I think that really kind of encapsulates the challenge here, which is that security is not a static thing
19:43
It's a very dynamic thing. It's something that's constantly changing as new threats evolve
19:47
And you have to be able to react and adapt to it as opposed to just saying, well, this is how we do security and that's it, right
19:54
That's correct. And a collective and consistent understanding of how the evolution is taking place and why the evolution is taking place will go a long way to a more effective security program for your organization, frankly, across the whole ecosystem of security
20:10
So you're all looking at this the same way rather than 53 different ways of meeting that requirement
20:15
And are they looking at the security as a business? Because in the business, it has often been looked at as a cost element
20:22
The reality is if the security practitioners don't understand the business value of what security brings to their company, it's all about branding
20:30
And how do you brand the dollars of security to the company to better continue to keep a pace with the corporate mission, which ultimately keeps pace with the customer mission
20:44
And then we have an audience question here about legacy systems and how they require constant updating to pass audits with new technology and things like that
20:54
So, Charlie, how do you ensure that those systems can do what they need to do and still pass audits
21:02
He's going to get a Nobel Peace Prize if he gets that one right. These are not the droids you're looking for
21:09
Did I just ask the million-dollar question there, Charlie? Yeah. Well, so it is β frankly, it is keeping up with your customers and anticipating β or as they anticipate, changing the rules, changing the requirements
21:21
and keeping up with the technology in the protection and countermeasures area
21:27
so you understand where things are going. And to the extent that you can be a part of the development of these new requirements
21:33
and then feed that back into your plan for how you build your plan today
21:41
It is built for today, but you've got to build the plan. This is how we're going to deal with tomorrow. How do you become flexible for tomorrow
21:46
And the best way to do this, because you can't say today exactly what it's going to be like five years from now
21:50
But to build into that the flexibility to be able to, and funding, frankly, to be able to upgrade and keep track of things
21:58
But seeing that train coming before you suddenly get an inspection that says, hey, you missed the boat here, that's why it's so important to build up the relationships and a continuous understanding of what the policies and rules are looking like
22:13
And then, Casey, sometimes those panels are at end of life or 10 years beyond end of life
22:18
And you have to be very clear about how you tell that program and how you tell your company how to upgrade that Sometimes you cannot keep up to date with panels if they are beyond end of life Been there done that And yes it is a capital expense and it is not cheap But you sometimes
22:38
have to help develop the argument and the business plan that you can't upgrade those anymore. And you
22:46
want to develop it before a customer comes in and says, I'm not going to accept this panel any longer
22:53
So that goes part and parcel to Charlie and the plans for the future
22:58
I mean, everything has a shelf life, and panels are no different
23:02
And we've all been in environments where panels are five years beyond end of life, and we are literally jury-rigging solutions
23:11
But there comes a point where you've got to make a very conscious decision
23:15
And yes, it may not have been planned or it may not be inexpensive, but you've got to do it
23:21
So you've got to know when to say when. So not just the O&M we've talked a lot about, but you've got to build a recap into the program
23:32
And then, Charlie, one of the technologies that's getting a lot of discussion right now is, of course, artificial intelligence
23:38
So where do you see AI, specifically agentic AI, fitting into future security in-depth plans and helping to build these stronger physical security programs
23:49
What role can AI play there? Good question. And of course, AI itself is one of those evolving things. And what I thought I could do yesterday and versus three weeks from now, I'm not really sure all the time
23:59
But a developed and informed AI program can, at least in theory, look at a facility, help build out plans, both architecturally and mission-related, review the known threat situation, sort of what can happen in this environment as opposed to the one down the block, provide a strategy for design implementation for a security plan, and meet with both customer and internal requirements to deter, detect, and deny in whatever order we pick that sort of stuff
24:26
But in essence, it is how to develop the building security plan and to protect the building during construction where it becomes the most β at this point, where it's probably most effective on this
24:40
And then once the facility is in operation, it's unlikely that you're going to get any advanced warning that there's a specific attack coming, such as, hey, they're coming at dawn, be careful
24:50
It is important that for this system that you put with an AI system that you put in place for monitoring to see something precursors to an event occurring
24:59
I mentioned that before crowds gathering, whatever it may be, and interpret it as far out in time and in space as is reasonably possible
25:07
And if the facility perimeter has been breached, it need to know where inside your perimeter now that intruder might exist
25:15
And finally, sort of how does that system inform and enable an effective response capability
25:20
Not just one and done, hey, we saw somebody come to the fence line, but throughout the existence of that entire event, be able to notify and inform responders as to the whereabouts of where that threat exists right now
25:32
So, Casey, let me just jump on the agentic AI, because in this scenario, LVT has a great product that, from a standpoint of a sensor package, the sensor package actually allows the sensors to identify both just the individual crowds and to give that data to someone
25:59
inform that data to someone who can take action. So when I think about agentic AI and its ability
26:06
to collate information in form, and then allow an organization to respond, and I think about
26:15
its use case in real scenarios of crowd control, zone of control, agentic AI has real possibility
26:24
And like all of AI, it's going to continue to evolve. And to Charlie's point, in every scenario through, you know, a life cycle of a security program, particularly a physical security program, this really becomes an opportunity space to allow, you know, visibility, information, and the ability to respond in a way that is not that effective and timely
26:54
today. So it's phenomenal. Right. And, you know, I want to follow up there by asking about, you know, some specific areas of security where AI might be useful
27:04
You know, some of the things that AI is really good on, you know, it's sifting through large amounts of data
27:08
It's pattern recognition. You know, the same car is driving past at the same time every day, that kind of thing
27:13
So what do you see right now as those, these are the areas where AI can really help
27:17
And then these are areas where it's maybe not quite ready yet, and we still need to make sure that we're relying mostly on humans
27:25
So I think there's a couple of areas where it is incredibly helpful and can be incredibly helpful today
27:31
So I think of in the business of, you know, today, sensors collect a lot of data
27:37
And if there is an event, today we do it post-event. So we go back through the sensor data, and we look through a lot of video, and we look through a lot of data
27:46
If you had AI who could articulate, I'm looking for the white car that drove past Pennsylvania Avenue 15 times in the last month, you begin to get a picture of in advance is someone casing your facility
28:04
Two, you begin to see of, you know, for, you know, agentic AI forensic capability
28:13
Do you see people going to a parking lot that's three blocks from your downtown Detroit facility
28:19
And, you know, they come once a week. It's usually on a Thursday
28:25
It's usually a day of a board meeting. You can really begin to, one, an event hasn't happened
28:32
you can begin to detect, inform, and make countermeasures for what you're going to do about that
28:39
Think of every company who has a board of directors meeting, and for whatever reason
28:44
there are people who believe that the defense industry is not good
28:48
And so you get protesters. You know, being able to do something about it before it happens, that's really goodness
28:57
being able to identify that a white car is casing five different companies and it has you know these
29:05
attributes those five companies to charlie's first point they can all get together and say okay what
29:11
are we going to work with local state federal and our own companies on how to respond to this
29:19
in a way that will deter before an event actually happens. This is really goodness
29:28
To add to that, what AI can do that is best, its best tool right now is to see things
29:37
come to some elementary interpretations of them, match it to other behaviors that it may have learned about already
29:44
and then inform, better inform, the responders that have to respond to whatever this anomaly looks like
29:52
so that they are not just completely responding to a bell going off, but they're responding to the bell went off because this guy is doing this particular behavior
29:59
in the parking lot or this particular car is going by for the third time acting strangely
30:04
And where AI helps is focusing on that and also allowing all the extraneous activities
30:14
that are happening around that are normal activities to not be something that you end
30:18
up focusing on. Focus on those things that are anomalies. And AI is a much more powerful tool, frankly, than just hopefully somebody sitting at a
30:25
desk looking at stuff, hoping that they see what's going on. Right. Right. And it's always going to be the balance of the technology and the human
30:32
The human's going to have to do something, but the AI can inform you to give you time to do something
30:37
Or the agentic AI can tell the human to leave the property because you're on private property
30:43
So it is, the sky is unlimited. It really is like every evolving technology
30:49
How smart do you make it and how smart does it make itself
30:53
and more importantly, how do you use your guardrail so that it's used for positive and not negative
31:00
Right. Right, and then we actually have an audience question here about AI
31:05
So, Charlie, I'll start with you, but I want to hear from Mary Rose on this one as well. Obviously, AI is only as good as the data that it's trained on and the data that it's using
31:13
So how do you make sure that that data you're collecting, how do you make sure that it's reliable and trustworthy
31:19
and how do you evaluate it to make sure that your AI isn't getting some kind of bad information
31:24
from all that data that's being collected? Fair question. And one that is not just in this particular part of the world, but AI in general
31:34
as to what is it collecting and how is it spinning things around or not spinning things around
31:39
I don't have a perfectly good answer on that right now, But in this particular arena, focusing on very specific questions that you want AI to gather information against, such as identify the vehicles going by, identify behaviors that you're seeing, whether it's zigzag, people walking in front of the gate, people loitering in front of the gate, people that are not the normal flow of human or vehicle traffic, or what else
32:09
People taking pictures of your facility. and you have to train the AI
32:14
I mean, you know, AI doesn't wake up one morning and become a genius. You know, I mean, when we look at any type of AI
32:19
used in anything today, it has to be trained. So you have to come up with a set of parameters
32:24
upon which you can train it. And then it will self evolve to get smarter
32:32
and get smarter. And you have to refine the parameters because you're right, Casey, you could literally
32:38
it could be collecting, you know, terabytes of data. But you really don't want data
32:44
I mean, all that data. You want the data you need to make an informed decision
32:50
Right. But on the other hand, it's going to collect terabytes of data in order to sort that stuff
32:55
through and decide. Right. But the whole point of this is not for the machine to take its own independent action
33:01
as a result of what it's seen, but to better inform the humans who have to respond to any
33:07
anomalous event that's on the perimeter. Right. Right. That's a great way to put it, Charlie. And Mary Rose mentioned an example there that I think sums it up, which is, OK, the AI can tell you that you have people on the sidewalk taking pictures of your building
33:21
But what the AI can't tell you is, are they doing that because they're up to something or are they doing that because, hey, cool building
33:28
Correct. Well, and think about this for like a military installation. You have people at the fence line
33:34
You know, most military installations are quite large because they think it's a cool military installation
33:40
You know, think Quantico. You know, it's a huge marine scenario. But are they there because they're fascinated by it or are they there because they have other reasons
33:53
And so with that information, do they come once and gone? So they're on the vacation mode or do they come every two weeks or you have a different person coming every two weeks
34:04
So that's back to Charlie's point, informing so that decisions can be made based upon data, not necessarily just because a person's in front of your building
34:15
And Charlie always goes back to his time at the Hoover Building. That's public street
34:19
People walking by it every day. Yeah. Yeah, I mean, if you just think about Washington, D.C. and think about how often those buildings get photographed, you know, the White House, the Capitol, the Hoover Building, you know, the Lincoln Memorial, all those things
34:32
It gets really hard to identify a pattern when you have so many people flowing through there all the time, doesn't it
34:40
Yes. And then the other piece that allows it to happen is, particularly if you're in a large facility, you mentioned Quantico, or pick your favorite large production facility, is if I am in the control room and I'm in charge of monitoring the activity, I've got how many screens I've got to monitor here
34:54
And where AI comes in, very, very useful, is to be able to see all of this at once, make decisions all at once based on information that it's collecting all at once, as opposed to me, the humans, having to say, what's happening there, what's happening there, what's happening there
35:07
It makes my life a lot easier. And then, Charlie, I want to go to you on this one. You know, we've talked about compliance. We've talked about AI. So I'd like to sort of bridge the gap there. As we talk about, you know, compliance requirements and how they're changing over time. Do you see specific AI technology opportunities there
35:26
on the compliance technology and building the technology or yeah yeah i'm sorry i feel like i
35:34
didn't word that very well let me let me try again um as as compliance requirements change uh how do
35:40
you see technologies such as ai helping people make sure that they're meeting those requirements
35:45
and staying in compliance during ongoing operations good point and uh you know earlier we talked about
35:50
using AI to help plan the construction, to plan the design, and to plan not just a physical facility
35:58
but the whole idea of how am I going to protect this facility, what's my response look like, and everything
36:02
And so it should be at that point then smart enough to know what's in your system already
36:08
And then as new requirements emerge and new threats emerge, new risks emerge
36:14
be able to plug that information into the AI and help it say
36:21
okay, here's a new issue we've got to deal with here. Now what do you think? And as AI is able to look at the existing facility
36:30
the old and then the new requirements that you had, and understanding what those requirements are there for
36:35
this goes back to the very beginning, why do we even have these requirements at all? The AI should understand that as well as it's thinking through these things
36:41
so that it can come up with some very strong and useful suggestions about how if at all your existing countermeasures program needs to be changed to meet these emerging requirements Yeah and it can actually be worked in any phase of a program
36:57
So whether you got a, you don't even have a hole in the ground, or, you know, you could do this in
37:03
a commercial environment. I mean, at the end of the day, although we're on, you know, security
37:09
practitioners. Every time, you know, a commercial company has, you know, a warehouse full of product
37:17
there's potential opportunity for AI and countermeasures to help them. Every time a company
37:24
builds a new building, you have to order supplies. And historically, we've seen a fair amount of
37:30
activity, criminal in nature, to steal the most high value materials out of the lay down yard
37:38
You know, AI can help expand, you know, expand your zone of control with your countermeasures
37:45
So it really becomes a great augmentation to your requirements. And then it's different at each phase of a physical security program, whether it's been running for 50 years or it's just starting or it's evolving
38:03
You know, these are the kinds of technologies that can help the humans do a better job, what the humans need to do while you let the technology, you know, support the future of what you've got to protect
38:20
Yeah, and Mary Rose, you made a great point there, which is that it's not just current projects, but it's also planning for the future. So how can technologies, and it doesn't have to be AI, but that certainly plays a role, but how can you use technology to help enhance your construction and security plans for future projects
38:38
So I think you can use technology in a lot of ways to enhance construction projects
38:44
You know, construction projects in the defense arena have a pretty very specific set of requirements
38:49
And I think back to the early questions you asked, Casey, it's really about, you know, what are those requirements
38:56
What is the why and what technologies can you use to get you the best possible outcome, both from a technology as well as you have to very simply protect the perimeter of your construction site, protect your lay down yards
39:14
And you have different requirements at what phase you are in construction. And then once you start putting up walls, you have other requirements
39:22
So how do you use technologies to augment human labor? Because at the end of the day, you're always going to have OSHA requirements, but technology can tell you whether all your workers are doing the right thing on the OSHA requirements
39:38
Technologies can tell you whether or not you've got a safety issue, a physical security issue
39:43
And I think that is the positive about technology in today's environment versus, you know, when Charlie and I were growing up in this business, there was technology, but it was pretty static
39:56
And it was not near as, you know, as I would call it, quickly evolving as it is today
40:03
So I think technology really is going to make security practitioners smarter, more efficient, effective, and if they leverage that to their benefit, it's a win-win
40:16
I'm not sure I can top that. You got it. Great. Thank you
40:22
And so I want to talk now about looking at the actual budget for security and things like that
40:29
Obviously, everybody's always looking to save money. You know, physical security budgets get tighter, but the list of wants and needs keeps getting longer
40:38
So if a security leader comes to you and says, hey, I'm really struggling with this, how would you advise them to optimize their budget to meet those critical needs
40:50
And then what types of solutions should they be looking at to get the most bang for their buck
40:54
so i will i will start and i'll ask charlie to you know tag in here because we've been in both
41:01
government and industry and you know budgets are similar but they're a little different between the
41:06
two you know but the reality is is budgets are always going to ebb and flow no one is ever going
41:12
to have the budget they ask for regardless of whether you're in government and industry
41:17
that being said go back to that first question what is your plan do you have a multi-year plan
41:23
for whatever you are trying to do from a security strategy. And if you have a multi-year plan
41:29
you usually have a function of capital investment and expense dollars. You know, and expense dollars can be broken up by labor and other technologies
41:38
But at the end of the day, you're going to get a set of, you know
41:43
you're going to receive a specific amount of dollars. It is never going to be enough
41:48
But what you've got to do is prioritize your requirements. And then when you prioritize those requirements, whether it is a capital expense or an expense expense, you build against the biggest requirements
42:01
And that's where, go back again to those partnerships. Do you understand what your program needs versus what you think would be a good thing to have
42:11
And can you get partnerships? Sometimes many programs will cost share to make their program much more secure because they really believe in the value of what they're doing for their company and for their country
42:30
And then some years you just become the pariah of you cost too much
42:34
And what often happens is people discount O&M first thing. Then they start cutting people, which makes O&M even harder
42:42
So really, you have to balance all of that. And then you have to be very clear. And Charlie and I have both been in these spaces when you have to cry uncle, because you cannot build a bridge with $10, you know, and that's just an example
42:58
But at the end of the day, you need to be able to articulate the why
43:03
And monies are going to come and go. And for my government colleagues, I mean, they've been in a CR for as long as I can remember
43:10
So they haven't had the ability to spend on new projects because, unfortunately, if you are in a continuing resolution, you can only spend one twelfth of what you spent last year
43:22
So I think it is really important that security practitioners understand the business of money and understand the business of security and why it matters And then you begin with the levers in your pocket not your boss pocket Yeah to that specific point about the cost factors the technology or personnel which is more important
43:45
You've got to have both. It depends. Protection program is a human business requirement, but the ability of technology to broaden the vision
43:53
and extend the reach of those humans is going to ultimately drive more effective allocation
43:57
and use of the personnel in the security program. and if done appropriately, it's going to reduce the distractions that often complicate a protection strategy
44:05
and make the whole program far more effective. Reality is there's never going to be a zero risk
44:10
It's not a balance of either or technology or personnel. It's always going to be a balance of both
44:16
And that said, the evolution of technology to better inform and extend the reach of the personnel
44:22
that are involved with creating or operating this protection program is absolutely essential
44:28
until you get to that point where they developed the AI robot cop to go out and hit that perimeter
44:32
and solve those problems. And AI dogs. Okay. Well, we have about 15 minutes left here
44:41
So if you have any questions, please go ahead and submit those. We'll get to as many as we can. I want to turn to crisis management now
44:46
I actually want to start off with an audience question, which is about keeping your staff sharp
44:52
and testing your systems. Do either of you have experience with using white hats to test your system defenses to make sure that they're in compliance
45:00
Or, you know, can you share some insights on how do you view testing and what do you look at and say, hey, this is how we should test our systems to make sure that they're doing what we need them to do
45:12
I do. Charlie, do you? In different eras, I have used a white hat approach to do some of the stuff
45:19
In others, I have simply said, let's go out and kick this ourselves, go out and kick this can
45:23
and see what happens. Censor by sensor kind of thing. So what we have done in a couple of scenarios
45:31
and this was formerly an industry, we would do some white hats usually on an annual basis
45:39
against what we thought was our, what I would call our facilities
45:46
that had the greatest opportunity for improvement. Because at the end of the day
45:51
you don't want the people who see it every day to go in and tell you what may be good or what may be bad
45:58
And we would bring in all the practitioners from every discipline. Security is another one of those that it's not just physical, it's cyber, it's people, it's policy, it's programmatics
46:11
And we would bring in an outside group of people of white hat capabilities to say, what does it look like to someone who knows
46:21
They may know the discipline, but they don't know anything about the facility
46:25
And those were phenomenal. Now, you also have to have endorsement to be able to do that because a lot of people are like, that's too expensive
46:33
We're not doing it. But let me tell you, it is paid dividends every time I've used it
46:37
And, you know, an interesting follow up question that comes to mind there is, how do you manage the bruised egos when white hats show all the flaws in your system
46:48
How do you how do you make sure people understand that, hey, this is not about blaming anyone or saying you're doing this wrong
46:54
It's about making sure that our security is what it needs to be
46:59
Well, you often have to lead from the front. So you have to set the tone at the leadership
47:04
You have to go in with the local leadership and articulate why we believe this is an important thing to do
47:11
And then more importantly, you literally put it as an educational opportunity
47:15
This is not a blame game. This is an educational opportunity. You know, everybody has the same scenario in their personal life
47:25
You know, you look at the same thing 100 times and you don't see the hole in the wall
47:28
But, you know, it's one of those that this is all boats rise if everybody learns from the experience
47:35
Yeah, I agree with that. I mean, as a chief security officer, this flaw that is found is my problem as much as anybody's. And so we share the feeling bad about this and without damaging people. And we'll share the responsibility for fixing this and getting it back where it needs to be
47:54
And the only exception I would make is if there's some really felonious behavior on the part of one of your employees that caused this problem, that's a different issue
48:01
But we share in the responsibility and we will work together to get it fixed
48:06
So I become part of the bruised ego. And Charlie, that goes back to your earlier point about building relationships
48:13
And it's not just building external relationships, but it's also building internal relationships
48:18
So your team trusts each other enough that when something like this happens, you know, you as the person in charge says, hey, you know, the buck stops with me
48:25
That goes a long way, doesn't it, to making people feel empowered to be a part of a team
48:30
Yeah. And this has never happened to me since at least in the last two weeks
48:36
When these things happen, my approach was to get with the people together and tell them, OK, we know what's going on
48:42
Let's get ourselves focused on the resolution of this issue and get this back to where it needs to be and focus on the future
48:48
Great. And then, so as we talk about crisis management and developing crisis management strategies and everything like that, what are some of the key technologies that we should be leveraging when it comes to developing, implementing, and carrying out a crisis management strategy
49:05
Good question. One of the earliest steps one has to do in this is to assess what it is that needs to survive. I know everybody's going to say everything needs to survive, but really what will cause the operation to collapse
49:18
Probably a bad example in a parallel universe is the Sony corporation never realized that getting their system hacked would bring them completely to their knees
49:27
But had they paid any attention to that, they might not have had half of those problems that they had
49:31
But first and foremost is the ability to communicate, followed by providing visibility, as you're planning the response
49:41
followed by providing the visibility to the extent that whatever just happened or is on the verge of happening
49:46
if you're lucky enough to get some advanced warning, and what and who is in place to mitigate that potential damage
49:53
And the other thing I would say, Casey, is that, you know, Charlie talks about, you know, the Sony hack
49:58
but crisis management is an enterprise response. We've all worked in places where everybody thinks they got their own plan
50:07
they're ready to do it, and then there's 70 different plans, and nobody knows what's going on
50:12
So the more you can as a company or as an entity have a standardization of enterprise what is the technology that can inform you of what coming whether it you know a natural you know mother nature nature or you know the more you time you have to inform you can prepare to whether it is to get the assets out of harm way
50:38
to get people who are more important than any asset, you know, so that they take care of their
50:44
families. We used to have a boss who was all about take care of the people and the people are going
50:50
and take care of you. And at the end of the day, you know, hurricanes and tornadoes today
50:55
today's technology, you can actually prepare for them. So you have some time, whether it's days or
51:01
it's hours, you can prepare. But do you have people, do you have a plan that people understand
51:07
what their role is individually? They understand that they have contracts in place so that when
51:12
the hurricane goes through, you got Server Pro or whoever it is comes in and helps clean up the mess
51:17
that you understand with your customers that if you're going to have 140 mile an hour winds
51:23
you really shouldn't have humans in harm's way like that. And then, so you prepare to the best of your ability
51:29
And then when the event actually occurs, you, in essence, use technologies to your benefit
51:35
to inform usually your board of directors, your leadership team as to what's going on
51:43
Do we have any, have we lost humans? Have we humans who are ill? Because it is all about people. And then when the event passes, it is a function of how do you prepare to get back to the job of doing your business, whatever that business is. And it is not a one and done. It is a continual. Do you practice that through the year
52:05
So, you know, do you have an emergency call-out system that says, if you had an earthquake in California, do you have a simple one, two, or three
52:14
Because what's the first thing that goes in an emergency? Usually cell phones, so that you don't want people to be trying to panic, but you also don't want them to be trying to go back to the office the next day
52:25
So there are lots of things one can use in the technology space to, one, most importantly, have a common plan, a standard plan to prepare
52:36
And then when the event happens, as I used to say, when O-Spit happens, you know, you can, one, have some ease of people are safe
52:45
We've moved what we can. We live through the event. We then prepare to get people and the facility back up and running
52:53
And then the most important thing is learning from what went well and what didn't go so well, and then build it into your playbook
53:02
Every company who has a good crisis management system practices this regularly, both in, you know, facility, cyber security, you name it
53:13
They practice it so that it is not a surprise to the employee who showed up yesterday or to the employee who's been there 50 years
53:20
And then just one last quick thing, and this is to take advantage of others' problems
53:25
Bingo. So I hinted about the Sony hack. It didn't directly affect the company I was working for at the time, but the panic amongst the IT population across the community and, frankly, across the whole business community, watching how simple it was to bring Sony down created a whole lot of angst, and people were really digging hard fast to try to resolve those particular weaknesses that might be in their own system and how to respond to those things
53:50
Yeah, that's a great point. So we have about five minutes left here. So I want to wrap this up with kind of a big picture question. Both of you obviously have really extensive experience. You've done a lot of really high profile security roles in your careers and things like that
54:08
But what do you see, and Charlie, let's start with you on this one
54:13
What do you see as the biggest challenges for those who are managing these large enterprise security programs
54:19
And what's the best advice that you can give to them based on what you've learned during your career
54:24
Okay, quickly here, because I only have five minutes. Time, distance, and the scope of your role is going to prevent you from managing everything closely and effectively at all the same time here
54:36
There may be one or two things that you need to pay careful attention to directly, but for the most part, you should hire, develop, and trust the people that you need to manage and execute this program
54:47
And don't forget to give them the tools, AI might just be one of them, that will enhance their ability to track things, to make appropriate and timely and effective decisions, whether it is day-to-day actions, responding to an event, or planning for a better future events
55:00
I would say one of my approaches to how to deal with that is that if I am successful at hiring and getting in place the right people to make those right decisions and get them working, so it's almost an automatic
55:22
If I get hit by a bus, nobody will know that I'm even gone. Over to you
55:29
I can't say any better. You know, to Charlie's point, one, you have to lead from the front
55:35
You cannot manage a large enterprise by yourself. You have to understand what you're managing
55:41
Don't delegate and forget. But you also have to trust your people to do their job because if you take care of your people, they will take care of you
55:49
And like everything else, it is all about relationships. And when somebody does something incorrectly, you always praise publicly and you correct privately
56:00
You know, no one wants to be called out publicly if they did something wrong
56:04
To your previous question, Casey, this is really a team sport. And, you know, large enterprises are not a lot different than small
56:14
It's just that people's roles are more consolidated. Let them do their job
56:19
And if they need course correction, you help them with that. And if they do something illegal, well, then you have to help them with that, too
56:26
Right. And, you know, it just seems like it's been just a recurring theme throughout this entire conversation that, you know, no matter what your policies are, no matter what technology you're using, anything like that, the key to good security really is building those relationships and maintaining them, isn't it
56:41
Absolutely. Absolutely. Great. All right. Well, unfortunately, that's all the time we have for today. Mary Rose, Charlie, thank you so much for joining me
56:50
Casey, thank you very much for having us. Absolutely. Thank you. Please join me in thanking Mary Rose and Charlie, as well as our sponsor, Live View Technologies, whose support made this webcast possible
57:00
For more information on upcoming events or to view the recording of this webcast, visit defensenews.com
57:07
Thank you for joining us and have a great day
#Aerospace & Defense
#Computer Security
#Hacking & Cracking
#Law Enforcement
#Network Security
#news
#Public Safety
#Security Products & Services