Running the Gauntlet
Back to work needs to be well and good
- By Jeff Nigriny
- Apr 01, 2021
Not long ago when visiting
a colleague’s office, it was
protocol to arrive early to
run the gauntlet of the visitor
that awaited, a process that might gladly
be endured now if just for a brief return
to some normalcy. Before the pandemic,
many visitor management procedures were
under scrutiny, with many organizations
making visitor management improvements
a top-level initiative. As we prepare our
back-to-work efforts, visitor management
will serve as the front lines for mitigating
health risks in offices and facilities.
A TRUST RELATIONSHIP
Let’s take a step back. At its core, identity
management helps an organization distinguish
who it knows, while maintaining and
improving this knowledge throughout an
individual’s affiliation with the organization.
When we make a new employee hire,
for example, we use an I-9 or similar process
by which we positively identify someone
using government-issued identification. Often,
background checks are in place to ensure
suitability for the workplace, kickstarting
a trust relationship rather than forming
it organically over months and years.
Just as most organizations do not have
the time to establish their employees’ identities
and trustworthiness naturally, there is
often less time for visitors. This is why visitor
management is one of the highest-risk
activities in a physical security program. The
result of visitor management is an organization’s
ability to routinely admit people they
know the least about -- visitors who now
walk among trusted employees -- as though
the visitors were trusted in a similar fashion.
Prior to the pandemic, this risk was being
addressed by “high assurance” visitor
management systems. These systems work
rapidly to establish a visitor’s identity, often
before they arrive in the lobby. The day
of the visit is preceded by continuous vetting
and, upon arrival, the system binds a
visitor to a high-assurance credential.
That credential allows for tracking of
the visitor’s interaction with and passage
through the access control systems also
used by the employees. High assurance
visitor management seeks to elevate identity
management for visitors to mimic the
degree of vetting that we already perform
for employees. As COVID-19 vaccinations
roll out and organizations form their back-to-work
plans, the need to balance identity
management for employees and visitors has
moved to center stage. Here’s why:
The word is suitability, but with a
twist. In corporate identity management,
suitability historically meant background
checks on employees and occasionally
visitors. At the most forward-leaning
enterprises and throughout the intelligence
community, this is augmented with
reputational data locally captured from
previous interactions with a person and/or
behavioral deviations from a historical
FAITH IN THE FUTURE
These are the generally accepted ways to
gain confidence in suitability. It is often
said that trust is faith in future performance
based on past behavior, which is the
way our brains are wired to trust. We listen
more often to and believe in information
that confirms what we want to believe.
Behavioral psychologists know this as
confirmation bias. When it comes to making
good security decisions, another aspect
of our trust psychology works against us.
The Harvard Business Review succinctly
captures this in a 2009 article about rethinking
trust: “Once we’ve made a decision
to trust, we tend not to revisit it.”
These effects can be seen in our everyday
lives right now. Our bias might lead us to believe
our friends and families are at a lower
risk of actively carrying COVID-19 than a
coughing stranger in a store. These natural
biases work against our ability to make good
and repeatable security decisions, which
challenges our back-to-work initiatives.
Organizations will ask their security
teams to perform some degree of wellness
checking on understandably anxious
employees who just spent a minimum of a
year and a half working from home. Employees
will scrutinize security programs
and back-to-work safety measures. An
obvious area where a back-to-work program
might falter is if an organization has
different wellness requirements for employees
and visitors. High assurance visitor
management was designed to close the
gap between the handling of employees
and visitors in ways not seen by most employees.
Wellness screening will now put
disparities on full display.
Successful back-to-work initiatives
necessarily include wellness screenings,
which are the tip of the spear as we welcome
people back into our spaces. However,
not all wellness screening is created
equal. Here are five things to consider as
you move forward with your back-to-work
initiatives. Pay special attention to the areas
visible to your employees. Direct observation will help employees gain confidence in workplace safety.
Wellness is the new suitable. While wellness is a new dimension
of suitability, it does not replace background checks. Background
checks continue to be essential for higher security facilities. Wellness
checking is important for every facility.
Wellness is a temporal and dynamic attribute. Wellness screenings
must occur daily, as today’s results have no bearing on tomorrow.
Employees we know and see in the office daily represent
the identical wellness risk as a visitor we have never seen before.
Wellness screenings must be done for everybody -- every day -- using
the same process and same tools. If any person will be accessing
any part of a facility where any of your employees might be,
wellness screening must be done.
Wellness screening is for, not by, humans. In any security discipline,
the decision between manual security controls and investment
in automated controls is expressed in two questions: Is this a repetitious
activity (and inherently risks degradation over time)? What is
the impact/cost of any failure of the control? Even without the bias
challenges, wellness screening should not be performed manually.
Wellness screening can be efficient. Security programs have tried
to make physical access and visitor management as low friction
as possible and should do the same for wellness screening. Wellness
screenings are here to stay, as we do not know what pandemic
episodes loom in our future. If you make this necessity bearable,
it won’t suffer the same fate as other security initiatives that didn’t
take user experience into account. A wellness screening process too
cumbersome will first suffer active attempts to circumvent it, maturing
to subversion and naturally concluding with abandonment.
Make wellness matter. Security programs measure the effectiveness
of their security controls. If a wellness screening capability has
no discernable effect, it will be ineffective, and it will be obvious to the
entire organization that it is just security theater. Demonstrating
that wellness screening affects access to the facility in an automated
way can generate confidence in the safety of a workplace.
An organization that implements a capability to automatically
disable facility access for those who fail wellness screening (or
disable access for everyone nightly) can inspire confidence with
this suitability information. In this context, wellness screening is
due diligence. Doing something with the knowledge gained is due
care. Considering how liability has historically been apportioned
in similar situations, this requires careful examination by risk, legal
and human resource departments.
The best security capabilities deployed in recent times all share
one quality: innovation. These are systems that achieved their protective
goal but brought other added value in so doing. As security practitioners,
we should be looking for ways to do this. Back-to-work
represents a possibly once-in-a-career opportunity
to address a risk that no one has worked
on before. Managing ever-changing and evolving
risks is our norm. It’s up to us to make
back-to-work, work well.
This article originally appeared in the April 2021 issue of Security Today.