Showing posts with label Professional Development. Show all posts

Saturday, November 12, 2016

How to Pick A Legit Professional Security Certification aka How Not To Get Scammed In Ten Easy Steps!!


One of the cornerstones of any successful career is training. It's no different in security. Whether you're at a seminar or enrolled in a course, you're doing so because you want to move forward professionally. What better way to demonstrate you're prepared for the "next step" than to take a course or two and learn a new skill? Yeah, it often sounds cooler than it is. What's even worse, in my opinion, is that for many of us the price of pursuing professional development ain't cheap.

I love ASIS International (formerly the American Society for Industrial Security). It is awesome for all-things professional development in security. It has networking, great conferences, expos, a reference library, and its own bookstore. ASIS is also host to some of the most sought-after professional certifications around the world for security. There's one catch - it's pricey. It'll run you about $400 including annual dues to pursue their Physical Security Professional (PSP) certification. It's recognized even by the United States government under the SAFETY Act, and the program holds ANSI/ISO/IEC 17024 personnel certification accreditation.

ASIS isn't the only horse in the stable offering professional certifications in security. My only problem is almost none of them require the breadth of knowledge, professional recommendations, and experience levels ASIS requires. Many are purely paper-mills.

There is a professional certification body that has a horrific reputation in our industry. I've heard from numerous certificate holders that all that was needed for their certification was a check, and they received a lapel pin, a t-shirt, a CD with reference materials which were mostly outdated, and a diploma. In fact, if you go to their site and attempt to pull up their "sample" certification test, you get a 404 error. There have been a number of articles written on the founder as well.

Getting a professional certification or even getting good training from reputable people can be difficult. My advice?
  1. Ask around on security, tactical, or law enforcement forums. There are lots of forums on the Internet that cover these schools and certifications. You're not the only person who wants to grow professionally. Be careful - look for guys who have a solid reputation in the group. My favorite sources are the folks who don't have to tell you what they do every post but you have an idea.
  2. Find a mentor to ask. Seriously, if you don't have a mentor in security, you're doing your career all-kinds of wrong. Get a mentor and ask about training and certifications.
  3. Search LinkedIn. I know. I know. LinkedIn can be seen as the worst place to network. I get that, which is why I said "search". That's right - look at the qualifications of folks who are where you want to be professionally and see what certifications they have. See if the certification passes your "sniff test". Basically, if it seems legitimate and checks out with other reputable sources, then it might just be okay. Be careful - even "legit" folks fall for the trap of easy paper-mill certifications.
  4. Investigate who recognizes certain certifications. The easiest way to spot a fake certification is to check which, if any, government bodies formally recognize it. By "formally", I mean look for statutory and regulatory citations of the certification. If no one will recognize it on "official letterhead", then you already have a good idea it may be something you don't need or want.
  5. Check to see if a certification is needed for jobs similar to the job you want, but on another employer's site. It sounds shadier than it is. Okay, it does sound a bit shady, but let me explain. We're not looking for a new job - yet. We're looking to see if other employers require a certification for that position. For example, the other day I saw a job listing for a job I would give my left arm and my dog's favorite bowl for. Yes, it was that serious. That job listing had a certification I had never heard of and certainly not one I had seen on other listings. I scoured the Internet and sure enough, it's a really cool and legitimate certification. Psssst. If anyone knows a guy who knows a guy who can get me to a Lenel certification, I'd greatly appreciate it.
  6. Check the price tag. I hate to tell you this but security training and certification ain't cheap. Personally, I have spent well over a few thousand dollars of my own money to get certifications and training. These certifications and training have given me a "leg up" on the competition in some ways and have afforded me new skills but they did not come cheap. Most of the legitimate stuff that is out there is expensive. If you can't get your employer to pay for it (because they're either too cheap or you're not employed), then I suggest saving up and paying later. Trust me. If it's cheap and supposed to be amazingly career-enhancing, chances are it's probably not one of those things.
  7. Read and research the testimonials. A lot of places brag about having "security directors" and "officials" but often, this is just pure fluff. Wait. I misspoke - it's just a flat-out lie. I suggest you read the testimonials. I'm not saying some certification bodies don't have management and executives getting their certifications. There are some who definitely are not honest, though. Find out more about the people who laud the body - who they are professionally, do they actually exist, and whether they have a bias. You shouldn't base your decision on testimonials but they can be a key component in the process.
  8. Check the reference materials needed for the course. I love any certification that requires industry-standard texts (ahem, ASIS....That's why I love how you certify). I also like certifications that have online instruction materials as well. Most paper-mills will furnish you with a text and have you take it open-book. Nope. Kind of a red flag for me.
  9. Be wary of open-book certifications. Not all open-book certifications are bad. Many are very cool, and this was my preferred method of certification in the military. That said, I'm a grown-up now, and employers like something that forces you to study and come away with industry-standard competence in both skill and comprehension. In other words, an open-book exam doesn't "teach" you anything.
  10. Any respectable training or certification vets its students. Any program that doesn't ask you any questions beyond your credit card is probably not the kind of place you want a certification from. ASIS has you submit references for the PSP exam and sign a "blood oath". Just kidding, ASIS. No, just the references. I know if I was going to certify a person on a skill-set that could get people killed if not applied properly, I'd want them screened beforehand so I'd know if they could handle that responsibility. Pain in the butt for us going for the certification? No doubt. Make you feel like you belong to an elite group of professionals? No doubt.

Here are some legit certification and training bodies in security (PLEASE, NOTE THIS LIST ISN'T ALL-INCLUSIVE. I PROBABLY LEFT OUT YOUR FAVORITE TRAINING OR CERTIFICATION. BREATHE DEEP AND CHILL OUT):
There are other thoughts I'm sure on this. The simple truth is getting certified is no easy task and if it were easy, you wouldn't like it very much.

Tuesday, April 22, 2014

The Semantics of Security - The Great Enabler of Security Ignorance


One of the toughest and most insightful lessons I learned came during a conversation with a good military buddy about why English is such a difficult language to learn. "You never mean the things you say. You say you "love" your car in Spanish, it means you love it like family. It's as if you use the words so much they lose their actual meaning." I was a bit taken aback by this. No one had ever explained the issue of semantics so eloquently before to me.

This same thing happens in security and explains what makes it so difficult for so many professionals and lay-people to be able to comprehend it. The following are great examples:
  1. Prevention versus mitigation. Prevention is defined by Webster's as "the action of stopping something from happening or arising." Mitigation is defined by Webster's as "the action of reducing the severity, seriousness, or painfulness of something." The words mean completely different things, yet are used interchangeably. In security, getting these two words wrong can mean the difference between a loss of life (yours or an innocent's) and victory over an attacker. Having lofty goals of prevention through methods and measures seldom tested against actual bad actors often leads to failure when they do show up. However, having sound mitigators in place should they attack could save both life and property and result in the capture of your bad actor. The decision to stop his or her actions is totally dependent upon his or her decisions and plans before and during the attack. Your measures could help persuade them not to attack, but I would hardly call this prevention without more quantifiable evidence.
  2. Vulnerability assessment versus reconnaissance. A vulnerability assessment is a process which entails analyzing a client's assets to determine likely avenues of approach for attackers. It could involve talking to stakeholders, physical walkthroughs of the assets, imagery analysis, and red-team exercises. Reconnaissance is a process which entails some covert surveillance resulting in a report to the target's adversary to support a plan of attack on the target. These terms are often confused because people assume one means the other. Typically, bad actors do recon and friendly agents do vulnerability assessments. The latter could use the former as part of a red-team exercise or even as part of a walkthrough. However, the methods by which either is done are very different. Keeping this in mind prevents amateurs from thinking that by doing reconnaissance they are in some way doing a complete vulnerability assessment.
  3. Security versus protection. It grates my nerves to hear people say they are "doing security". I find most people have no true understanding of what the term means and are therefore ill-suited for, and failing miserably at, the task they think they are doing. As I've discussed before, security is a mental construct wherein our protective measures are adequate in our minds to mitigate bad actors and their attacks, so that we feel secure. It's a subjective term, and more of a goal than an action. Protection is what we do to make the environment secure enough to assuage our fears of a possible attack.
  4. Arrested versus detained. It took me a while to get used to this. They both sound like they should mean the same thing but they do not. Ask anyone who has ever been arrested. Being arrested has an element of detention but it isn't the totality of the action. You can be detained without being arrested. While this may sound like an issue of semantics, ask your legal counsel to explain what happens in security when you confuse your ability to detain versus your arrest powers.
  5. OPSEC. OPSEC is one of the latest buzzwords to come into the modern security lexicon. Everyone believes they do it, but few actually do, myself included at times. Seriously, everyone on social media who is in our industry seems to have a burner cell phone number, 10 fake IDs, wall safes for their wall safes for the wall safes with their encrypted USB, uses Tor to hide from the NSA (as if), etc. The first rule of being good at operations security is to shut up about OPSEC. What's the first thing people do when they think they've done something awesome with respect to OPSEC? They tweet about it on a platform they don't own, with people they don't know and could not vet with any realistic degree of certainty, using communications they know very little about, over an Internet which was created by some of their adversaries who have actively engaged in intelligence operations on it since its inception. So if so few get it, why do they think they've adequately protected themselves? See the difference between prevention and mitigation.
  6. Intelligence versus information. I often hear professionals claim they have "intelligence" on an adversary, when in fact they don't. Most often they have only raw information they haven't vetted or analyzed. These colleagues mistake correlation for causation, concluding that information which merely parallels an event is its cause, and then accept it because it confirms what they already believe. In the analyst world, that acceptance is called "confirmation bias". Intelligence is the product of taking that raw information, vetting its source, comparing and contrasting that data against previous data and assumptions, peer review, and a final report with an analysis centered on critical thinking. A newspaper article in and of itself is not intelligence because it says something we already thought was true. That would be akin to treating Weekly World News' stories on aliens consulting a still-alive JFK on Elvis' newly proposed welcome-back world tour as intelligence because you're an Elvis-loving conspiracy theorist who believes you're an alien abductee.

  7. Guard versus officer. I'm sure to stir up something here. Let me clarify: there is NOTHING wrong with being a "guard". However, traditionally, that word has gotten a bad reputation. Think "mall security guard". These guys can be awesome professionals, but the title does tend to minimize the extraordinary amount of work it takes to protect the thousands of mall patrons and mall assets against a variety of threats daily. It also does little to note the authority which enables them to perform certain legal actions against those threats, such as trespass advisements and, in some cases, arrests. "Officer" denotes they are an extension of management and not merely someone who stands a post. They represent the extent to which managers are willing to go to protect their assets and their customers.

    Recently, during a discussion with another friend from the military, I recalled a conversation about semantics with a person who worked in what was commonly referred to as the "chow hall". One day, I inquired why the name "chow hall" was such an insult to him. He explained "Do you guard planes or do you protect assets vital to national security? I don't cook chow. I cook meals which are nutritious as per my training. We're both professionals. I know people mean no harm but that term implies my food and what I do as a professional are sub-par and unworthy of a professional title, when that's not true." Vets, I hear the snickering. Stop laughing. But he had a point. One that wasn't lost on me.

    [Image: how your customers see a "guard"]

    [Image: what the term "security officer" typically conveys]

  8. OSINT versus unclassified. I'm a huge supporter of open source intelligence (OSINT). This entails gathering intelligence from a variety of non-covert channels. This could include public radio, news broadcasts, social media, etc. I have noticed this word used to excuse what I believe to be gross violations of protecting classified or sensitive information. Let me explain. I certainly understand OSINT by its nature can come from unclassified channels. However, I also realize it does not relieve professionals of their responsibility not to divulge information coupled with their "insider perspective" which may be tactically advantageous to an adversary. You can observe this lack of professionalism best on social media during a critical incident. There seems to be a pandemic of sorts when these incidents happen which encourages its victims to feed their egos by talking endlessly about their highly sensitive "insider knowledge". I once observed someone who is widely considered an "expert" tweet the locations of responding forces to a major hostage situation. Another person tweeted security measures at a base they had just left. Sure, none of this was classified because it came from a radio scanner and personal experience. It was, nonetheless, highly sensitive and could have placed lives at risk if the adversary had intercepted these messages. In physical security, once sensitive information is compromised, we have only a precious, small amount of time to deploy mitigators. As I often say during these events, "Don't let your ego and mouth write checks your a-- can't afford to cash with someone else's collateral."

  9. Active shooter versus mass killing. The best way to explain this is simply stating not every active shooter kills anyone and not every mass killing involves a gun. Yet, whether because of politics or hype, professionals and laymen still confuse these two. This may seem meaningless until you realize how information is gathered to study these two distinct events and the influence those studies have on policy.
  10. Security theater versus threat mitigation. Look, folks, as professionals, we realize not every threat is going to attack us. We also get that some of our measures are extreme. I'm certainly NOT trying to justify any abuses of authority or trust. That being said, just because you don't see the "boogey-man" doesn't mean he's not there. Does this mean security should have authority to do cavity searches on everyone? No. But the fact that a measure is extreme doesn't mean no one is trying to do you harm. Do some threats get blown out of proportion? You bet. A vigilant public and other professionals are awesome checks against overreach, though. Just as not every threat is realistic, not every threat mitigator is security theater. We'd all do well to keep this in mind.
There are a load of others I would add but I feel as though this list does a great job of illustrating the power of words in our industry. Please use them carefully. If you have more, let me know.

Monday, August 12, 2013

The Rules: 10 Things Every Entry-level Security Person Needs to Know & Every Pro Forgets


There are principles which are inherently the same no matter what discipline of security you practice. For some reason, though, some of us tend to forget them to our detriment. I blame 99.9% of all practitioner-caused security failures on this. What's worse is that rookies aren't the only ones who miss them. A lot of these issues come from pros who should know better. Like everything else, we need a refresher.

  1. Our business is about risk. This profession isn't just about assigning widgets to fix people's security issues. We deal with asking and solving really tough questions the end-user is often scared to address or doesn't know exist. If you're just selling a product to meet a quota or performing a security function to satisfy a job description, you're wrong. Start by asking the client about the resources he's protecting and what he's willing to do to protect them. Next, ask him if they're worth protecting. Most people believe EVERYTHING needs security. Precious time and resources are sometimes wasted defending something no one cares about, including the bad guys.
  2. Security is a state of mind; not an objective. Do you know how many of us believe the mythology that tells us we can attain security as if it were quantitative? Of course you do. An entire industry is built around this ridiculous premise. Nothing is 100% secure - ever! It can't be. There's always a vulnerability. I'm not saying not to bother with security. I'm just asking you to consider what it is you're trying to do and to consider if you and the client have realistic goals.
  3. Know your tools. I'm surprised by the number of practitioners who know so little about the tools that are available to protect their assets. People have this problematic tendency to learn from vendors about the tools offered but fail to educate themselves. Venture to some trade shows. Join ASIS. Ask around the Internet. Become a sponge. Too many of us are bricks. There aren't enough of us taking in knowledge in order to give knowledge back.
  4. Know your limitations. Face it, there are some problems you can't fix. Seriously. If you can't do the job, be honest. Say you can't and find someone else who can. You'll keep your integrity and impress the client more by being honest. You'll also develop a good rapport with trusted colleagues you refer. Trust me this is a good thing. After the referral, tag along. Be that sponge I mentioned previously.
  5. Define your goals. When I was a supervisor in the Air Force, I can't tell you how many of my troops' professional failings came from forgetting this simple step. Look, no one likes writing goals except for those insanely productive people who live inside Lifehacker. But what's the harm in sitting down and mapping out your weaknesses, what you can do to fix them, and assigning a goal to reach them? Absolutely nothing. So get started.

    This can and should also be applied to security projects. Define what the project is, what the client's expectations are, determine how you can meet them, and then set goals in order to meet each objective. It's simple but few people do it. Failing to do it guarantees you'll lose an opportunity to work on future projects. 
  6. Know your terrain. Do you really understand the security environment? I'm not just talking about the threat. So often, we ignore the internal and external impacts of our measures which undermine our ability to properly protect these assets. For example, in many businesses, there is a key exchange. If you need access to a secure area, you have to leave a badge to receive a key into the area. This seems like a perfectly harmless idea, until users grow tired of giving up their badges and the person conducting the exchange is increasingly wary of having to do it. Security lapses occur as the "inconvenience" outweighs the security concerns. Don't believe me? Three words - Transportation Security Administration. Learn the terrain and figure out what will work the smoothest.
  7. Education begins with exposure. My take on security education is simple - you don't know what you need to know because you're not out there asking the right people. I know some people may be scratching their heads at that. But it's the truth. So many of us are ignorant of the threat, the tools, and the terrain because we haven't taken the steps to "get smart" about them.
  8. Befriend your enemy. I'm not telling you to "friend request" al-Shabab on Facebook or chat with MS-13 members on Twitter. What I'm suggesting is that you not only read up on their operations but try to get some basic understanding of their collective psychology. Learn how they conduct target selection, who they work with, how they recruit, their tools, etc. This will not only give you an idea as to how to build a better security plan but it will also enable you to ensure it's both comprehensive and adaptive.
  9. Everyone has a sales pitch. My first venture into private security was interesting, to say the least. I learned a lot from that gig. One of the lessons that stood out the most was to always be on the lookout for the sales pitch. Learning your client's pitch will enable you to ensure how you protect his resources won't affect his "bottom line". Would it be a good idea to have dome cameras installed over tables at restaurants? Of course not. What most restaurants sell, in addition to food, is a friendly environment where you can dine among friends. A dome camera over your table robs you of that, thus killing the restaurant's sales pitch. I've never seen that happen, but it does illustrate how quickly we can lose the client's respect and business by forgetting they have a business to run as well.
  10. Vigilance is demanded. When I wrote the first draft of this article, I originally wrote "vigilance is expected." That was a HUGE mistake. Why? Because "expected" means you accept a margin of failure. In this business, apathy is where all good security measures go to die. I recognize the fine line between hyper-vigilance and vigilance. Certainly, there needs to be a balance. Just remember, at the end of the day, when there is a breach, you'll be forced to address why you violated this most sacred of security "rules". If you're a supervisor, your vision of how your people practice their profession should have this rule at the forefront. Julius Caesar had a special patrol he conducted before battle to catch wayward soldiers asleep at their post. The maximum and usual penalty? Death. While the consequences in the real world aren't always quite as dire as this, complacency will destroy our ability to adequately protect the client and their resources. This is a compromise we can't afford to allow - EVER.

Wednesday, December 7, 2011

FREE Training: Ever wanted to learn how to be a locksmith?



Who likes FREE training? I know I do. So every time I find FREE training, you better believe I'm going and I'm posting it for all eyes on this site. The Society of Professional Locksmiths is offering FREE locksmith training for beginners.

Who are they? And what's this FREE training all about? According to their site,
"It is a professional organization that embraces all levels of skill and expertise. Through education and support, the Society provides its members the skills needed to succeed."
That FREE training I mentioned earlier is called the "Locksmith Training Program" which "consists of 12 chapters of "core knowledge" all locksmiths are expected to learn and considered to be mandatory."

To find out more click here.

Thursday, December 1, 2011

FREE CCTV Training

Closed circuit television systems are in just about every corner of the globe and monitor a huge portion of our lives. It has been argued, since their inception, that we allow them greater access to us than most people we know intimately. If you have anything to do with security, these cameras and the software that accompanies them can also be part of your daily work life. Oftentimes, in security, it is difficult finding free online training on any particular topic, especially the fundamentals of CCTV systems.

Thankfully, the folks at IP Video Market Info were kind enough to create a blog post which contains hyperlinks to a
"series of videos from Pelco that provide strong coverage of these fundamentals (note: you can download the videos from Pelco's site as well).
The focus of this series is on traditional CCTV. To complement this, you should read guides on IP video surveillance. Two in-depth guides are available - Axis's Technical Guide to Network Video and Vivotek's IP Video Surveillance Handbook.
Finally, review our tutorials directory for dozens of resources introducing video surveillance and our free Video Surveillance Book."
Did I mention this was FREE training? Who doesn't like "free" anything, particularly when it's offered by the guys behind the machines? What a great starting point to learn more about these systems and how to operate, install, and manage them.

Feel free to check out the rest of the article and training they have available at:
http://ipvideomarket.info/report/cctv_introduction_training_video 

SURVEY: Career Progression in the Security Industry

As of late, I've become curious as to how one moves up the corporate security ladder. In the military, it was quite simple - you took a test and did well on your performance evaluations. I have become curious how different that is in the private sector, so I've decided to ask professionals such as yourselves. Please take a few minutes to answer my survey. I'll publish the results in a week or so once I have gotten replies back. Feel free to comment below if you would like to further share your thoughts.


Friday, November 25, 2011

Do You Have Everything You Need to Earn Your PSP Certification from ASIS?



If you're a seasoned security professional, you're probably aware that the Physical Security Professional certification awarded by ASIS International is one of the most sought after security certifications. It takes a lot of work and experience to earn this certification. It should. It is the only certification of its kind that affords SAFETY Act liability protection. What does this mean? Loosely translated, according to ASIS, it "gives ASIS board-certified professionals, their employers, and their customers immediate protection from lawsuits involving ASIS certification and the ASIS certification process that arise out of an act of terrorism. Not only does it limit the types of liability claims that can be brought against a certificant, but it also entitles the certificant to immediate dismissal of those specific types of claims." As I embark on the journey to attain mine, I have decided to include a list of items for all of those interested in learning more.

ELIGIBILITY:

Education: An earned Bachelor's degree or higher from an accredited institution of higher education
Work Experience: Four (4) years of progressive physical-security experience

OR

Education: An earned High School Diploma, GED equivalent, or Associate's degree
Work Experience: Six (6) years of progressive physical-security experience

The applicant must not have been convicted of any criminal offense that would reflect negatively on the security profession, ASIS, or the certification program. All ASIS programs comply with the Americans with Disabilities Act. All ASIS programs are non-discriminatory. Eligibility for PSP® certification and recertification is denied only when an applicant does not meet relevant security-related criteria, when an applicant has violated the PSP® Code of Professional Responsibility, or when an applicant has committed an act that would reflect negatively on ASIS and the PSP® program.
Definition of Terms


  • "Physical Security" means the various physical measures designed to safeguard personnel, property, and information.
  • "Experience" means that the individual has been personally engaged in the physical security field on a full-time basis, or as his or her primary duty. Included is:
    1. Experience as a security practitioner in the protection of assets in the public or private sector
    2. Experience with companies, associations, government, or other organizations furnishing services or equipment, including consulting firms, provided the duties and responsibilities substantively relate to physical security.
    3. Experience as a full-time educator on the faculty of an accredited educational institution provided the responsibilities for courses and other duties relate primarily to knowledge areas pertinent to the operation of physical security program in the public or private sectors.
  • Successful Completion of Exam: An examination is required for all applicants who meet the experience and education criteria. Candidates must pass the examination to achieve the PSP® designation.

MATERIALS:

You'll need the following books and guides. I've read the risk analysis text and was pleased with its readability. The topic wasn't as "sexy" as the physical security texts, but it was still easy to comprehend. I've scanned over some of the other books and they appear to be easy to read as well. When I was in the military, these were excellent references for me.

    1. Design and Evaluation of Physical Protection Systems, Second Edition
    2. Effective Physical Security, Third Edition
    3. Introduction to Security, Eighth Edition
    4. Risk Analysis and the Security Survey, Fourth Edition
    5. ASIS Facilities Physical Security Measures Guideline (2009 edition)
    6. Implementing Physical Protection Systems: A Practical Guide
    7. ASIS Business Continuity Guideline: A Practical Approach

You'll need to fill out the application and set a date for when you're ready to test. There are a few reasons I like the certification process.

    1. You're vetted based on your experience and not just knowledge.
    2. You get multiple chances to retest.
    3. It's a computer-based test.

All in all, this means you can't simply "buy your way in". Most of the people I've met with the certification were very knowledgeable and experienced. Here's a link to the application and its handbook.
