Running the Gauntlet

Running the Gauntlet

Back to work needs to be well and good

Not long ago when visiting a colleague’s office, it was protocol to arrive early to run the gauntlet of the visitor management check-in that awaited, a process that might gladly be endured now if just for a brief return to some normalcy. Before the pandemic, many visitor management procedures were under scrutiny, with many organizations making visitor management improvements a top-level initiative. As we prepare our back-to-work efforts, visitor management will serve as the front lines for mitigating health risks in offices and facilities.

A TRUST RELATIONSHIP

Let’s take a step back. At its core, identity management helps an organization distinguish who it knows, while maintaining and improving this knowledge throughout an individual’s affiliation with the organization. When we make a new employee hire, for example, we use an I-9 or similar process by which we positively identify someone using government-issued identification. Often, background checks are in place to ensure suitability for the workplace, kickstarting a trust relationship rather than forming it organically over months and years.

Just as most organizations do not have the time to establish their employees’ identities and trustworthiness naturally, there is often less time for visitors. This is why visitor management is one of the highest-risk activities in a physical security program. The result of visitor management is an organization’s ability to routinely admit people they know the least about -- visitors who now walk among trusted employees -- as though the visitors were trusted in a similar fashion.

Prior to the pandemic, this risk was being addressed by “high assurance” visitor management systems. These systems work rapidly to establish a visitor’s identity, often before they arrive in the lobby. The day of the visit is preceded by continuous vetting and, upon arrival, the system binds a visitor to a high-assurance credential.

That credential allows for tracking of the visitor’s interaction with and passage through the access control systems also used by the employees. High assurance visitor management seeks to elevate identity management for visitors to mimic the degree of vetting that we already perform for employees. As COVID-19 vaccinations roll out and organizations form their backto- work plans, the need to balance identity management for employees and visitors has moved to center stage. Here’s why:

The word is suitability, but with a twist. In corporate identity management, suitability historically meant background checks on employees and occasionally visitors. At the most, forward-leaning enterprises and throughout the intelligence community, this is augmented with reputational data locally captured from previous interactions with a person and/ or behavioral deviations from a historical reputation baseline.

FAITH IN THE FUTURE

These are the generally accepted ways to gain confidence in suitability. It is often said that trust is faith in future performance based on past behavior, which is the way our brains are wired to trust. We listen more often to and believe in information that confirms what we want to believe.

Behavioral psychologists know this as confirmation bias. When it comes to making good security decisions, another aspect of our trust psychology works against us. The Harvard Business Review succinctly captures this in a 2009 article about rethinking trust: “Once we’ve made a decision to trust, we tend not to revisit it.”

These effects can be seen in our everyday lives right now. Our bias might lead us to believe our friends and families are at a lower risk of actively carrying COVID-19 than a coughing stranger in a store. These natural biases work against our ability to make good and repeatable security decisions, which challenges our back-to-work initiatives.

Organizations will ask their security teams to perform some degree of wellness checking on understandably anxious employees who just spent a minimum of a year and a half working from home. Employees will scrutinize security programs and back-to-work safety measures. An obvious area where a back-to-work program might falter is if an organization has different wellness requirements for employees and visitors. High assurance visitor management was designed to close the gap between the handling of employees and visitors in ways not seen by most employees. Wellness screening will now put disparities on full display.

Successful back-to-work initiatives necessarily include wellness screenings, which are the tip of the spear as we welcome people back into our spaces. However, not all wellness screening is created equal. Here are five things to consider as you move forward with your back-to-work initiatives. Pay special attention to the areas visible to your employees. Direct observation will help employees gain confidence in workplace safety.

Wellness is the new suitable. While wellness is a new dimension of suitability, it does not replace background checks. Background checks continue to be essential for higher security facilities. Wellness checking is important for every facility.

Wellness is a temporal and dynamic attribute. Wellness screenings must occur daily, as today’s results have no bearing on tomorrow. Employees we know and see in the office daily represent the identical wellness risk as a visitor we have never seen before. Wellness screenings must be done for everybody -- every day -- using the same process and same tools. If any person will be accessing any part of a facility where any of your employees might be, wellness screening must be done.

Wellness screening is for, not by humans. In any security discipline, the decision between manual security controls and investment in automated controls is expressed in two questions: Is this a repetitious activity (and inherently risks degradation over time)? What is the impact/cost of any failure of the control? Even without the bias challenges, wellness screening should not be performed manually.

Wellness screening can be efficient. Security programs have tried to make physical access and visitor management as low friction as possible and should do the same for wellness screening. Wellness screenings are here to stay, as we do not know what pandemic episodes loom in our future. If you make this necessity bearable, it won’t befall the same fate as other security initiatives that didn’t take user experience into account. A wellness screening process too cumbersome will first suffer active attempts to circumvent it, maturing to subversion and naturally concluding with abandonment.

Make wellness matter. Security programs measure the effectiveness of their security controls. If a wellness screening capability has no discernable effect, it will be both ineffective and obvious to the entire organization that it is just security theater. Demonstrating that wellness screening affects access to the facility in an automated way can generate confidence in the safety of a workplace.

An organization that implements a capability to automatically disable facility access for those who fail wellness screening (or disable access for everyone nightly) can inspire confidence with this suitability information. In this context, wellness screening is due diligence. Doing something with the knowledge gained is due care. Considering how liability has historically been apportioned in similar situations, this requires careful examination by risk, legal and human resource departments.

The best security capabilities deployed in recent times all share one quality: innovation. Systems that achieved their protective goal but brought other added value in so doing. As security practitioners, we should be looking for ways to do this. Back-to-work represents a possibly once-in-a-career opportunity to address a risk that no one has worked on before. Managing ever-changing and evolving risks is our norm. It’s up to us to make back-to-work, work well.

This article originally appeared in the April 2021 issue of Security Today.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Only 35 Percent of Companies Include Cybersecurity Teams When Implementing AI

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3