Government security comes with a lot of unique challenges — among them is the delicate balance of maintaining public access to buildings or government officials while retaining security.
Diplomatic Security Service Supervisory Special Agent Nicholas Porter, who is currently serving as the Senior Bureau Security Coordinator in the Executive Office of the Secretary for the U.S. Department of State, says there is a natural tension for most security professionals anytime guests are brought into a secure building, such as the State Department’s headquarters at the Harry S. Truman building.
“I find that by understanding and learning all facets of the operations, I can facilitate a better experience for visitors who come into a building and meet with the leaders I am charged with protecting,” Porter continues. “I tell my security specialists that they are often the first line of interaction that a guest will have, and that encounter will set the stage for the visit. Hence, the security professional must be firm, yet polite, to all visitors, so that they feel welcome, secure and ready to meet with the variety of leaders we protect. We often set the tone for a visit, and that is a huge responsibility to have.”
Chief Security Officer at the National Labor Relations Board (NLRB) Raymond Hankins says the more than 50 nationwide locations in which the NLRB operates are considered open facilities providing services to the public. With that in mind, his department devises plans that afford a level of protection according to the Department of Homeland Security (DHS) Interagency Security Committee standards.
“Citizens can come and get our services, but we have to make sure that our employees are prepared just in case the situation goes bad,” Hankins says. “We do drills and simulations so that if an incident occurs, they understand what to do.”
Another way to maintain security throughout the day — and night — is utilizing a guard management system, Hankins says. Every day the NLRB system randomizes the order of touchpoints throughout the buildings and, as the security guards patrol, they touch the contacts, and each touch is recorded and tracked in the system.
“You know that the guards are going around and checking your vulnerable points, your stairwells, your limited lighting areas, your areas of high throughput,” Hankins says. “They’re making sure the doors work, the cameras are operational, that the stairwell doors are locked, patrolling and surveilling the area, etc. It keeps the guards accountable.”
Keeping secure with remote workers
According to recent research, 35% of workers with jobs that can be done remotely are doing so all the time, an increase from 7% prior to the COVID-19 pandemic. Having a portion of the workforce doing their jobs from home raises many challenges for security leaders when it comes to securing government networks or protecting sensitive data.
As Porter puts it, the challenges are “too many to count.”
“Home computers that all family members use, but also handle sensitive work information; always-listening smart home devices that can hear conversations; and even placement of computer screens that face a neighbor’s window — these are just a few of the many concerns out there,” he says.
“Getting early buy-in from employees that their role is to protect the organization’s data and networks, even though they are no longer sitting inside a brick-and-mortar office, is critical to achieve,” Porter says. “By giving them some simple guidance on the most common traps surrounding remote work, I’ve seen resounding successes with both protecting data as well as identifying anomalies early and reporting them promptly.”
Keeping government employees physically secure while working remotely is another hurdle, Hankins reports. More employees are working from alternative locations, so in addition to the usual cybersecurity protocols, Hankins and his team have plans in place in case a physical incident does arise.
“As more of my employees are working from home or remote locations, we have had to ensure they are aware of how to get help,” Hankins said. “It can be the SOS function on their government cellphone, dialing 911 or reaching out to Federal Protective Service.”
Where physical and cybersecurity meet
While the focus of both Hankins’ and Porter’s duties involves physical security, they agree that it is important to stay informed about emerging threats in cybersecurity as well.
Porter says that a key way to stay prepared is for physical and cybersecurity professionals to learn the basics of the other’s security realm so that they have common knowledge to enact a converged security program.
“Even though I am more of a physical security practitioner, I need to know what ‘zero trust’ means to hold a relevant conversation with my cybersecurity peers,” he continues. “There are similar examples for physical security concepts that my cybersecurity peers must be able to understand. At the higher levels of enterprise security risk management leadership, the days of burying one’s head in the sand and saying ‘I don’t need to know about physical (or cyber) security because that isn’t what I do’ are long gone. The practitioners from both sides of the security discipline must work lock-in-step to provide a holistic security program that protects the organization from all threat vectors.”
With more than three million phishing emails being sent out every day, it is easy to see why these sorts of scams are an important topic of conversation for security leaders, whether in the private or government sectors.
“Employee training is critical on the types of phishing and scams being deployed, as well as sending alerts when new schemes are being used, etc. One of the methods we use at the NLRB is a monthly newsletter to all our employees wherein I highlight procedures, policies and any latest security concerns,” says Hankins.
Threats facing the industry
The threats and challenges to the government security industry are very similar to those in the private sector, Porter says. Topping his list are identifying or responding to insider threats, securing a remote or hybrid workforce and persistent cybersecurity threats.
“For me, the insider threat is a significant challenge, as this inherently deals with someone who’s been granted some level of access and trust to operate inside facilities or on IT systems,” Porter says. “The threat itself can range from the intentional compromise of sensitive information (i.e., classified information in government or proprietary information in the private sector), or to someone who might be experiencing a mental health crisis and want to act out in violence.”
Hankins agrees, saying the challenge is to ensure they are always prepared and that his teams execute on security plans given the continuing challenging fiscal environment.
“As we remain an open facility to the public, we also must remain vigilant and prepared,” he says.