Casey Laughman:

Good afternoon. I'm Casey Laughman, senior Editor for Defense News. Thank you for joining us for today's webcast, The Challenges of Government and Defense Industry Facility Security. This webcast is sponsored by Live View Technologies. Before we get started, a couple of housekeeping items. First, this webcast will be recorded and archived on defensenews.com. Second, if you would like to ask a question during the webcast, click the ask a question button on your screen and we will get to as many as time permits. My guests today are Mary Rose McCaffrey and Charlie Phalen. Mary Rose McCaffrey is former director of security for the CIA and former vice President of Security for Northrop Grumman. She has also held senior security positions across the intelligence community, Department of Defense and other government agencies. She is a member of the Board of Advisors for the Council on Intelligence Issues and is the president of the Cigna Society, a CIA retiree Association.

Charlie Phalen is the principal of CS Phalen & Associates. He has more than five decades of security experience in both government and industry, including serving as the first director of the defense, counterintelligence and security agency and director of the National Background Investigations Bureau. He also held several other senior security roles in the government and as former vice president of Corporate Security for Northrop Grumman. Mary Rose, Charlie, thank you for joining me today.

Mary Rose McCaffrey:

We're glad to be here.

Charlie Phalen:

Happy to be here. Thank you.

Casey Laughman:

Let's go ahead and get started. And Mary Rose, I'm going to direct this first question to you, but then I also want to hear from Charlie on it. And one of the big challenges of defense and defense industry facility security is compliance requirements. And with those requirements continually evolving, what are some things that security leaders should look for when they're planning to make sure their security programs are prepared to meet future requirements?

Mary Rose McCaffrey:

Thank you, Casey. So security leaders need to look for a number of things, but first they need to understand what their security requirements are. So requirements come in many forms from a security standpoint, it depends upon the customer, and the customer usually has a set of requirements. You have internal requirements in terms of company requirements, building requirements and programmatic requirements. And these requirements require the security leader to understand what those things are and what the why is for the corporation so that they make a business value to the corporation. And then in the why of that scenario, they can further inform and articulate to their leadership the value of the expense they're about to spend. in that scenario it is all driven based upon the risk and the threat. And so although the requirements are the guidance, the risk and the may raise or lower those requirements. And in each of these requirements, they have to understand before they actually write a word of a plan, what their customer wants, what their customer needs, what their company needs, and how they are going to execute in what period of time. So Charlie, you had some additional thoughts on that?

Charlie Phalen:

Sure. Mary Rose to follow on that point, articulating the why is fundamental and it's often overlooked in the rush to simply comply with the regulations. Important to understand why the customer established these rules. And two reasons lead to this. I think as you pointed out, it is easier to explain to your boss why you need to either expand or create from new countermeasures. And even more importantly, as you were developing that countermeasures program, it gives you a better sense of what the possibilities might be if you understand precisely what it is that is causing this threat and elevating this risk. It is important to keep in mind that the threat scenarios that drive these risks are sometimes old, sometimes new, and constantly evolving to the point the old attack scenarios don't just go away when new attack scenarios appear. If you look back at trying to build embassies overseas and say, Moscow in 1970s, the same challenge to protecting that construction site exists today when trying to build a construction, build a new embassy someplace else in the world here. Secondly, if you look at a crowd gathering and what that might mean in front of the embassy in Tehran in 1975, how would that have matched with the crowd gathering in front of the consulate in Benghazi 40 years later? All of this is important to keep in mind that these problems just don't go away here.

Last point on this thing. Really in order to understand this environment and this countermeasure, it is really important to build communications with your customers and more importantly with others in your business area here. There's many examples in the government and industry ecosystem about this thing. An interesting but very true fact, the CEOs of the various companies, frankly in any business area, don't go around sharing their proprietary and corporate strategies openly with their counterparts. With their competitive mates, I guess. But when you get into the security community, my experience has been over those 50 years is that the security community is more than welcome, more than willing to share threat and risk information across that spectrum because we all understand and have understood for a long, long time that we are all suffering and subject to the same level of threats and same attack scenarios. And we all have to assume the same level of risk. So we're in this together and the communications is absolutely important.

‍Casey Laughman:

And Charlie, that's a really interesting point you made there at the end that I'd like to follow up on, which is company A and company B may be competitors, so their CEOs would never dream of sharing information, but the security people talk. This is a close-knit community and it really is a common good type of thing, isn't it?

Charlie Phalen:

Absolutely. And I think it's very, very important to find those outlets to build those relationships. It's not just a one-on-one, pick up the phone and call somebody or try to hit them on a LinkedIn app or something. It is really attending the various organizational elements that have been set up and functioning for several years, whether it's ASIS or NCMS or AIA, NDI, the support communities have sessions annually or biannually where you could get together and meet people and build those relationships and make them very, very strong. And I will tell you, there are people that I've been working with literally for this 50 years that I am still working with today because of those relationships.

‍Mary Rose McCaffrey:

And one of the other things there, Casey, from a standpoint of the relationships, many in the federal space often meet monthly. It's a small group of people and they grew up together and they're now leading organizations and they meet monthly and their industry colleagues do the same thing. So this is one of those things where team sports, there's no I in team and the security professionals, one threat is a threat to all.

Casey Laughman:

Okay. And then we actually just had an audience question pop in that I think is great given how you started off talking about the customers. So Mary Rose, I'm going to start with you, but then I want to hear from Charlie. It's a real simple question. Is the customer always right?

Mary Rose McCaffrey:

Well, the customer is always right in the statement of the question. That goes back to the relationships. So the customer is articulating to a business that I want you to build the X. And in today's environment, those are either NISPOM requirements or ICD 705 requirements. And that customer is giving that partner information based upon something they know, something they've been told or something they're just parroting out of a book. It is then responsible for the relationship to articulate what I would call common ground. So all of us have had customers who say, "I want the Cadillac," when what they really need for the threat of the environment is the Chevy. And so it is a constant negotiation. Security is not a one and done. It is not a just because I told you so. And oftentimes, particularly if it's a new customer, they're nervous and so they're going to follow the book rules. And so it is often incumbent upon the industry partner to help the customer be successful without saying you're wrong.

Charlie Phalen:

And to add to that Mary Rose, as you pointed out in introducing us Casey, we've had some time as the customer in these roles. And one of the lessons I know I learned, and I'm pretty sure Mary Rose has learned, is to shut up and listen to the people that we are giving this instruction to when they come back and ask us, does this really make any sense or they have inputs to how we think about some of these countermeasures and make this an iterative proposition rather than just simply something being thrown down from the top of a mountain somewhere in the Middle East.

Mary Rose McCaffrey:

Yeah. One of the things that a wise old mentor once told me is ... And I was young in this business. And it was one of those things, Charlie, where they said, "You know what? You're the customer, but your job is to go and listen to industry because industry is that which builds everything." And we drive requirements, but they actually help us get to success. Because the last time I looked in Washington, DC, they don't bend metal, they don't build aircraft, they don't build software. That is a partnership with industry. And the more you understand that, the more successful both parties are.

‍Casey Laughman:

Right. That's a great point. You can define all the requirements that you want, but if it's impossible for industry to meet those requirements, well then you're out of luck, aren't you?

‍Mary Rose McCaffrey:

Correct. Well, industry's going to say thank you, but no thank you.

Casey Laughman:

Right. Okay. And then Mary Rose, we talked about compliance, and I have a question about that as you go forward .you have your plans in place, you meet your compliance requirements to start, but then once you're in that ongoing operations phase, how do you make sure that you're remaining in compliance? What are some of those key warning signs to say, "Hey, we might have a compliance issue here," and then how can you address that?

Mary Rose McCaffrey:

This is always my favorite part of the business. So everybody loves the new shiny objects. They build a beautiful new facility and they have beautiful new spaces. And then a year later, no one's tested alarms, no one's tested the sensors, no one's tested with any periodicity. So operations and maintenance one, you have to do it with regularity. There are government requirements for annual assessments. There are testing requirements for sensors, alarms on a 30-day basis. The key is you have to depend upon the people running your security programs to actually do that job. So your job from an O&M standpoint is to one, understand are they doing that? Two, do they understand why they're doing that? And three, when you have what we used to call in the business a nuisance alarm, are you discounting it or are you actually investigating it? And if you are discounting it, that could lead you down a path that leads you to compliance failure.

And so think of a big campus or a big defense installation. You could have one sensor on a fence that isn't working. But if you have 10 sensors you're ignoring, you have a vulnerability that your customer is going to find. And it is always better to be forthright and tell your customer you have a problem and then come about a common solution to fix that problem versus your customer coming in. And we have all been in this situation where your customer comes in and says, "You are unsatisfactory and we are going to give you a 90-day remediation to correct your behaviors." But it becomes, again, security is everyone's responsibility. Not only the practitioners, but the programmatic people. If your program says security, you just stay in the background, leave us alone, that's never going to work well. So I have always found that it is a team sport and it is everyone's responsibility and it is always better when you have legions of people working for you to have them understand the why and when they tell you they have a problem, don't shoot the messenger. I know lots of people who have been shot along the years, myself included. At the end of the day, you can only fix what you know and if you pretend you don't know it, you're going to have a bigger problem at the back end.

Charlie Phalen:

And to add to that, Casey, again, don't wait for an external review to review your security program like waiting for the US government to show up. You got to periodically test review on your own. The barriers, the sensors, the communications. Ultimately the people who are going to be monitoring, those who are going to be responding to an event. I think you mentioned this Mary Rose, follow up on the causes of false alarms. They can be very, very annoying, but more to the point, they can and will diminish the attention span of the people and frankly, the equipment that is monitoring it and more importantly, start damaging the credibility of the intrusion detection systems that you've put and program that you've put in place here. On the other hand, if you get no alarms, if there's no alarm events, is that a good thing? I would say not necessarily. So test them to make sure they're working and they will pick up the intruders as well. There's a constant theme you're going to hear throughout all this. It's detour, detect, deny, and I would add from my earlier days, doing some law enforcement stuff, capture. You need to be on your game in all of these areas.

Mary Rose McCaffrey:

Well, and the other thing, Casey, I would just add to Charlie's point is a security professional and a program professional can never rest on their laurels. The reality is there are always new technologies, there are always new sensors and there are always programmatics of the why. Because at the end of the day, we all know because we all have technology, it breaks. It doesn't work as well as we want it to. There's something new and shiny, and you may not be able to buy it all, but you have a plan that you could buy a piece of it and just keep moving forward. You cannot rest on your laurels.

Casey Laughman:

And you mentioned something really important there, which is the importance of understanding or responding to false alarms. I'm sure every security professional has a story that goes something along the lines of, well, somebody was propping open a door because it was easier and the alarm kept going off and it got ignored, and then one day it was a big problem. So it is really about instilling that culture of, Hey, if we're getting regular false alarms, the solution is to figure out why and how we can prevent them as opposed to ignoring them, right?

Mary Rose McCaffrey:

Right. Exactly.

‍Charlie Phalen:

Correct.

Casey Laughman:

Okay. And then Charlie, I want to start with you on this question. We've talked a little bit about this, about bridging the gap between legacy systems and new technology. And a lot of times it's one of those things where, hey, we have this old system, but it still works, but you need to implement some new technology to give you a capability you didn't have before. So how can you bridge that gap so that you have your legacy systems and your new systems and they're actually working together and sharing information the way you need to?

Charlie Phalen:

So that's good question. And we all have to keep abreast of both the technical changes and the policy changes that's going to affect our existing and our near and long-term future security system strategy here. I said earlier that old doesn't go away, but I really want to emphasize that new threats, new evolving threats and new approaches to how to identify those and deal with them are absolutely critical. And understanding how that is evolving, that goes back to a great deal, to my point about establishing the relationships with both the customers and with your colleagues because collectively, you'll see this coming a lot faster. But starting from the beginning again on this, you need to assume the need to reinvest or maybe even reinvent and build upgrade costs into your security program. And you're going to have to build that into your O&M costs. Maybe even some investment piece here.

You can't just go to the boss and go to the company and say, "Give me some more funding." You need a plan. And from my experience, it is you need to make that case. You need to make that case playing it as straight as you can. You don't want the boss to come back and say, "Why are you telling me this? You think the sky is falling or something?" Unless the sky actually is falling. Rarely is that the case. You're really projecting out into the future if you're doing this correctly here. And it is important to have that ability to approach the leadership directly and be able to tell them concisely and fairly, here's what we have to deal with. Here's what the possibilities look like and here's where this technology is going and come up with a plan to get ahead of this.

‍Mary Rose McCaffrey:

Casey, I would just jump onto that because bridging legacy systems has been a challenge for as long as forever. The reality is, particularly in the last 20 years, technology continues to move at the speed of light. And oftentimes people believe that I can just do it as I built my facility. And much like a program, nobody ever buys just a single aircraft. They buy a lot of aircraft. And nobody ever builds just one satellite. They buy a lot of satellites. And the reality is is from the beginning, security professionals should be part of the programmatics. Not only for secure space requirements, secure network requirements, evolving technologies. That example of the door prop, think about in days past, those used to be vault doors that if you propped them open, you actually killed the compliance because you destroyed the rubber stripping on the bottom. So then company ABC was no longer in compliance.

So you've got to continue to bridge the knowledge of where's the program going so that you can anticipate the needs, anticipate the technology. So if there's an expansion to a program, let's try new technologies in that environment. And if you have a multi-year plan, then your leaders are going to be much more willing to say, "Okay. This new space, we're going to put this new technology in." And then Charlie will cover it a little bit later, but the integration of old and new, it's a constant question that security professionals always have to ask themselves.

Charlie Phalen:

And to your point about bridging technologies is also bridging policies as they evolve.

‍Mary Rose McCaffrey:

Correct. Correct.

Casey Laughman:

Right. Yeah. I think that really encapsulates the challenge here, which is that security is not a static thing. It's a very dynamic thing. It's something that it's constantly changing as new threats evolve and you have to be able to react and adapt to it as opposed to just saying, "Well, this is how we do security and that's it," right?

‍Charlie Phalen:

That's correct. And a collective and consistent understanding of how the evolution is taking place and why the evolution is taking place will go a long way to a more effective security program for your organization, frankly across the whole ecosystem of security. So you're all looking at this the same way rather than 53 different ways of meeting that requirement.

‍Mary Rose McCaffrey:

And are they looking at the security as a business? Because in the business it has often been looked at as a cost element. The reality is if the security practitioners don't understand the business value of what security brings to their company, it's all about branding and how do you brand the dollars of security to the company to better continue to keep a pace with the corporate mission, which ultimately keeps pace with the customer mission.

Casey Laughman:

And then we have an audience question here about legacy systems and how they require constant updating to pass audits with new technology and things like that. So Charlie, how do you ensure that those systems can do what they need to do and still pass audits?

‍Mary Rose McCaffrey:

He's going to get a Nobel Peace Prize if he gets that one right.

‍Charlie Phalen:

These are not the droids you're looking for.

‍Casey Laughman:

Did I just ask the million-dollar question there, Charlie?

Charlie Phalen:

Yeah. Frankly, it is keeping up with your customers and anticipating or as they anticipate changing the rules, changing the requirements, and keeping up with the technology in the protection and countermeasures area so you understand where things are going and to the extent that you can be a part of the development of these new requirements and then feed that back into your plan for how you build your plan today. It is built for today, but you've got to build the plan, this is how are we going to deal with tomorrow. How do you become flexible for tomorrow? And the best way to do it is because you can't say today exactly what it's going to be like five years from now, but to build to that, the flexibility to be able to ... And funding frankly to be able to upgrade and keep track of things, but seeing that train coming before you suddenly get a inspection that says, "Hey, you missed the boat here." That's why it's so important to build up the relationships in a continuous understanding of what the policies and rules are looking like.

Mary Rose McCaffrey:

And then Casey, sometimes those panels are at end-of-life or 10 years beyond end-of-life. And you have to be very clear about how you tell that program and how you tell your company how to upgrade that. Sometimes you cannot keep up-to-date with panels if they are beyond end-of-life, been there, done that. And yes, it is a capital expense and it is not cheap, but you sometimes have to help develop the argument and the business plan that you can't upgrade those anymore. And you want to develop it before a customer comes in and says, "I'm not going to accept this panel any longer." So that goes part and parcel to Charlie and the plans for the future. Everything has a shelf life and panels are no different. And we've all been in environments where panels are five years beyond end-of-life and we are literally jury-rigging solutions. But there comes a point where you got to make a very conscious decision. And yes, it may have not have been planned or it may not be inexpensive, but you've got to do it. So you got to know when to say when.

‍Charlie Phalen:

So not just the O&M we've talked a lot about, but you got to build recap into the program.

Casey Laughman:

And then Charlie, one of the technologies that's getting a lot of discussion right now is of course artificial intelligence. So where do you see AI specifically know agentic AI fitting into future security in depth plans and helping to build these stronger physical security programs? What role can AI play there?

Charlie Phalen:

Good question. And of course AI itself is one of those evolving things. And what I thought I could do yesterday in versus three weeks from now, I'm not really sure all the time. But a developed and informed AI program can at least in theory, look at a facility, help build out plans both architecturally and mission-related. Review the known threat situation, what can happen in this environment as opposed to the one down the block. Provide a strategy for design implementation for a security plan, and meet with both customer and internal requirements to deter, detect and deny in whatever order we pick that stuff. But in essence, it is how to develop the building security plan and to protect the building during construction where it becomes the most ... At this point where it's probably most effective on this. And then once the facility's in operation is unlikely that you're going to get any advanced warning that there's a specific attack coming such as, Hey, they're coming at dawn, be careful.

It is important that for an AI system that you put in place for monitoring to see something precursors to an event occurring, I mentioned that before, crowds gathering whatever it may be and interpret it as far out in time and as space as is reasonably possible. And if the facility perimeter has been breached, it need to know where inside your perimeter now that intruder might exist. And finally, how does that system inform and enable an effective response capability. Not just one and done, hey, we saw somebody come to the fence line, but throughout the existence of that entire event, be able to notify and inform responders as to the whereabouts of where that threat exists right now.

‍Mary Rose McCaffrey:

So to Casey, let me just jump on the agentic AI because in this scenario, LVT has a great product that from a standpoint of a sensor package, the sensor package actually allows the sensors to identify both just the individual crowds and to inform that data to someone who can take action. So when I think about agentic AI and its ability to collate information, inform and then allow an organization to respond and I think about its use case in real scenarios of crowd control, zone of control, agentic AI has real possibility and all of AI it's going to continue to evolve. And to Charlie's point in every scenario through a life cycle of a security program, particularly a physical security program, this really becomes an opportunity space to allow visibility information and the ability to respond in a way that is not that effective and timely today. So it's phenomenal.

Casey Laughman:

And I want to follow up there by asking about some specific areas of security where AI might be useful. Some of the things that AI is really good on, it's sifting through large amounts of data. It's a pattern recognition. The same car is driving past at the same time every day, that kind of thing. So what do you see right now as those, these are the areas where AI can really help and then these are areas where it's maybe not quite ready yet and we still need to make sure that we're relying mostly on humans.

Mary Rose McCaffrey:

So I think there's a couple of areas where it is incredibly helpful and can be incredibly helpful today. So I think of in the business of today, sensors collect a lot of data and if there is an event today we do it post event. So we go back through the sensor data and we look through a lot of video and we look through a lot of data. If you had AI who could articulate I'm looking for the white car that drove past Pennsylvania Avenue 15 times in the last month, you begin to get a picture of in advance is someone casing your facility? Two, you begin to see of for agentic AI forensic capability, do you see people going to a parking lot that's three blocks from your downtown Detroit facility and they come them once a week. It's usually on a Thursday, it's usually a day of a board meeting.

You can really begin to .... One, an event hasn't happened. You can begin to detect, inform, and make countermeasures for what you're going to do about that. Think of every company who has a board of directors meeting and for whatever reason, there are people who believe that the defense industry is not good. And so you get protesters. Being able to do something about it before it happens, that's really goodness. Being able to identify that a white car is casing five different companies and it has these attributes, those five companies, through Charlie's first point, they can all get together and say, "Okay. What are we going to work with local, state, federal, and our own companies on how to respond to this in a way that will deter before an event actually happens?" This is really goodness.

Charlie Phalen:

To add to that, what AI can do its best tool right now is to see things, come to some elementary interpretations of them, match it to other behaviors that it may have learned about already, and then better inform the responders that have to respond to whatever this anomaly looks like so that they are not just completely responding to a bell going off, but they're responding to the bell went off because this guy is doing this particular behavior in the parking lot, or this particular car is going by for the third time acting strangely. And where AI helps is focusing on that and also allowing all the extraneous activities that are happening around that are normal activities to not be something that you end up focusing on. Focus on those things that are anomalies. And the AI is a much more powerful tool, frankly, than just hopefully somebody sitting at a desk looking at stuff opening that they see what's going on.

Mary Rose McCaffrey:

Right. And it's always going to be the balance of the technology and the human. The human's going to have to do something, but the AI can inform you to give you time to do something or the agentic AI can tell the human to leave the property because you're on private property. So the sky is unlimited. It really is like every evolving technology, how smart do you make it and how smart does it make itself? And more importantly, how do you use your guardrails so that it's used for positive and not negative?

Casey Laughman:

Right. And then we actually have an audience question here about AI. So Charlie, I'll start with you, but I want to hear from Mary Rose on this one as well. Obviously, AI is only as good as the data that it's trained on and the data that it's using, so how do you make sure that that data you're collecting, how do you make sure that it's reliable and trustworthy and how do you evaluate it to make sure that your AI isn't getting some kind of bad information from all that data that's being collected?

Charlie Phalen:

Fair question and one that is not just in this particular part of the world, but AI in general as to what is it collecting and how is it spinning things around or not spinning things around. I don't have a perfectly good answer on that right now, but in this particular arena, focusing on very specific questions that you want AI to gather information against, such as identify the vehicles going by, identify behaviors that you're seeing, whether it's zigzag, people walking in front of the gate, people loitering in front of the gate, people that are not the normal flow of human or vehicle traffic. Or what else?

Mary Rose McCaffrey:

People taking pictures of your facility. And you have to train the AI. I mean, AI doesn't wake up one morning and become a genius. I mean when we look at any type of AI used in anything today, it has to be trained. So you have to come up with a set of parameters upon which you can train it and then it will self evolve to get smarter and get smarter. And you have to refine the parameters because you're right, Casey, it could be collecting know terabytes of data, but you really don't want data. I mean all that data. You want the data you need to make an informed decision.

Charlie Phalen:

But on the other hand, it's going to collect terabytes of data in order to sort that stuff through and decide. But the whole point of this is not for the machine to take its own independent action as a result of what it's seeing, but to better inform the humans who have to respond to any anomalous event that's on the perimeter.

Casey Laughman:

Right. That's a great way to put it, Charlie, and Mary Rose mentioned an example there that I think sums it up, which is okay, the AI can tell you that you have people on the sidewalk taking pictures of your building, but what the AI can't tell you is are they doing that because they're up to something or are they doing that because hey, cool building.

‍Mary Rose McCaffrey:

Correct. Well, and think about this for a military installation. You have people at the fence line. Most military installations are quite large. Because they think it's a cool military installation. Think Quantico. It's a huge Marine scenario. But are they there because they're fascinated by it or are they there because they have other reasons? And so with that information, do they come once and gone so they're on the vacation mode or do they come every two weeks or you have a different person coming every two weeks? So that's back to Charlie's point, informing so that decisions can be made based upon data, not necessarily just because a person's in front of your building. And Charlie always goes back to his time at the Hoover building. That's public street. People walking by it every day.

‍Casey Laughman:

Yeah. I mean if you just think about Washington DC and think about how often those buildings get photographed, the White House, the Capitol, the Hoover building, the Lincoln Memorial, all those things, it gets really hard to identify a pattern when you have so many people flowing through there all the time, doesn't it?

‍Charlie Phalen:

Yes. And then the other piece this allows to happen is particularly if you're in a large facility, you mentioned Quantico or pick your favorite large production facility, is if I am in the control room and I'm in charge of monitoring the activity, I've got how many screens I got to monitor here? And where AI comes in very, very useful is in being able to see all of this at once, make decisions all at once based on information that it's collecting all at once as opposed to me, the human, having to say, "What's happening there? What's happening there? What's happening there?" It makes my life a lot easier.

Casey Laughman:

And then Charlie, I want to go to you on this one. We've talked about compliance, we've talked about AI, so I'd like to sort of bridge the gap there. As we talk about compliance requirements and how they're changing over time, do you see specific AI technology opportunities there?

‍Charlie Phalen:

On compliance technology and building the technology?

Casey Laughman:

Yeah. Yeah. I'm sorry. I feel like I didn't word that very well. Let me try again. As compliance requirements change, how do you see technologies such as AI helping people make sure that they're meeting those requirements and staying in compliance during ongoing operations?

Charlie Phalen:

Good point. And earlier we talked about using AI to help plan the construction, to plan the design and to plan not just a physical facility, but the whole idea of how am I going to protect this facility, what's my response look like and everything. And so it should be at that point then smart enough to know what's in your system already. And then as new requirements emerge and new threats emerge, new risks emerge, be able to plug that information into the AI and help it say, "Okay. Here's a new issue we've got to deal with here. Now what do you think?" And as AI is able to look at the existing facility, the old, and then the new requirements that you had, and understanding what those requirements are there for, this goes back to the very beginning, why do we even have these requirements at all, the AI should understand that as well as it's thinking through these things so that it can come up with some very strong and useful suggestions about how, if at all, your existing countermeasures program needs to be changed to meet these emerging requirements.

Mary Rose McCaffrey:

And it can actually worked in any phase of a program. So whether you don't even have a hole in the ground or you could do this in a commercial environment. I mean at the end of the day, although we're on security practitioners, every time a commercial company has a warehouse full of product, there's potential opportunity for AI and countermeasures to help them. Every time a company builds a new building, you have to order supplies. And historically we've seen a fair amount of activity, criminal in nature, to steal the most high value materials out of the laydown yard. AI can help expand your zone of control with your countermeasures. So it really becomes a great augmentation to your requirements and then it's different at each phase of a physical security program. Whether it's been running for 50 years or it's just starting or it's evolving, these are the kinds of technologies that can help the humans do a better job at what the humans need to do while you let the technology support the future of what you've got to protect.

Casey Laughman:

And Mary Rose, you made a great point there, which is that it's not just current projects, but it's also planning for the future. So how can technologies, and it doesn't have to be AI, but that certainly plays a role, but how can you use technology to help enhance your construction and security plans for future projects?

‍Mary Rose McCaffrey:

I think you can use technology in a lot of ways to enhance construction projects. Construction projects in the defense arena have a pretty very specific set of requirements. And I think back to the early questions you asked, Casey. It's really about what are those requirements, what is the why, and what technologies can you use to get you the best possible outcome both from a technology as well as you have to very simply protect the perimeter of your construction site, protect your lay down yards. And you have different requirements at what phase you are in construction. And then once you start putting up walls, you have other requirements. So how do you use technologies to augment human labor? Because at the end of the day, you're always going to have OSHA requirements, but technology can tell you whether all your workers are doing the right thing on the OSHA requirements. Technologies can tell you whether or not you've got a safety issue, a physical security issue. And I think that is the positive about technology in today's environment versus when Charlie and I were growing up in this business, there was technology, but it was pretty static and it was not near, as I would call it, quickly evolving as it is today. So I think technology really is going to make security practitioners smarter, more efficient, effective, and if they leverage that to their benefit, it's a win-win.

‍Charlie Phalen:

I'm not sure I can top that. You got it.

Casey Laughman:

Great. Thank you. And so I want to talk now about looking at the actual budget for security and things like that. Obviously everybody's always looking to save money. Physical security budgets get tighter, but the list of wants and needs keeps getting longer. So if a security leader comes to you and says, "Hey, I'm really struggling with this," how would you advise them to optimize their budget to meet those critical needs, and then what types of solutions should they be looking at to get the most bang for their buck?

Mary Rose McCaffrey:

So I will start, and I'll ask Charlie to tag in here because we've been in both government and industry and budgets are similar, but they're a little different between the two. But the reality is budgets are always going to ebb and flow. No one is ever going to have the budget they asked for regardless of whether you're in government and industry. That being said, go back to that first question. What is your plan? Do you have a multi-year plan for whatever you are trying to do from a security strategy? And if you have a multi-year plan, you usually have a function of capital investment and expense dollars. And expense dollars can be broken up by labor and other technologies. But at the end of the day, you're going to receive a specific amount of dollars. It is never going to be enough.

But what you've got to do is prioritize your requirements. And then when you prioritize those requirements, whether it is a capital expense or an expense expense, you build against the biggest requirements. And that's where, go back again to those partnerships. Do you understand what your program needs versus what you think would be a good thing to have and can you get partnerships? Sometimes many programs will cost share to make their program much more secure because they really believe in the value of what they're doing for their company and for their country. And then some years you just become the pariah of you cost too much. And what often happens is people discount O&M first thing, then they start cutting people, which makes O&M even harder. So really you have to balance all of that and then you have to be very clear, and Charlie and I have both been in these spaces when you have to cry uncle because you cannot build a bridge with $10 and that's just an example.

But at the end of the day, you need to be able to articulate the why and monies are going to come and go. And for my government colleagues, I mean they've been in a CR for as long as I can remember, so they haven't had the ability to spend on new projects because unfortunately if you are in a continuing resolution, you can only spend one 12th of what you spent last year. So I think it is really important that security practitioners understand the business of money and understand the business of security and why it matters. And then you begin to put the levers in your pocket, not your boss's pocket.

Charlie Phalen:

To that specific point about the cost factors, the technology or personnel, which is more important-

Mary Rose McCaffrey:

Got to have both.

Charlie Phalen:

It depends. Yeah. Protection program is a human business requirement, but the ability of technology to broaden the vision and extend the reach of those humans is going to ultimately drive more effective allocation and use of the personnel in the security program. And if done appropriately, it's going to reduce the distractions that often complicate a protection strategy and make the whole program far more effective. Reality is there's never going to be a zero risk. It's not a balance of either/or, technology or personnel. It's always going to be a balance of both. And that said that the evolution of technology to better inform and extend the reach of the personnel that are involved with creating or operating as protection program is absolutely essential until you get to that point where they develop the AI robot cop to go out and hit that perimeter and solve those problems.

‍Mary Rose McCaffrey:

And the AI dogs.

Casey Laughman:

Okay. Well, we have about 15 minutes left here, so if you have any questions, please go ahead and submit those. We'll get to as many as we can. I want to turn to crisis management now, and I actually want to start off with an audience question, which is about keeping your staff sharp and testing your systems. Do either of you have experience with using white hats to test your system defenses to make sure that they're in compliance or can you share some insights on how do you view testing and what do you look at and say, "Hey, this is how we should test our systems to make sure that they're doing what we need them to do."?

Mary Rose McCaffrey:

I do. Charlie, do you?

Charlie Phalen:

In different areas, I have used a white hat approach to do some of this stuff. In others, I have simply said, "Let's go out and kick this ourselves, go out and kick this can and see what happens." Sensor by sensor kind of thing.

Mary Rose McCaffrey:

So what we have done in a couple of scenarios, and this was formally in industry, we would do some white hats usually on an annual basis against what we thought was, what I would call our facilities that had the greatest opportunity for improvement. Because at the end of the day, you don't want the people who see it every day to go in and tell you what may be good or what may be bad. And we would bring in all the practitioners from every discipline. Security is another one of those that it's not just physical, it's cyber, it's people, it's policy, programmatics. And we would bring in an outside group of people of white hat capabilities to say, what does it look like to someone who knows ... They may know the discipline, but they don't know anything about the facility. And those were phenomenal. Now you also have to have endorsement to be able to do that because a lot of people are like, "That's too expensive. We're not doing it." But let me tell you, it is paid dividends that every time I've used it.

Casey Laughman:

An interesting follow-up question that comes to mind there is how do you manage the bruised egos when white hats show all the flaws in your system? How do you make sure people understand that, hey, this is not about blaming anyone or saying you're doing this wrong, it's about making sure that our security is what it needs to be?

‍Mary Rose McCaffrey:

Well, you often have to lead from the front. So you have to set the tone at the leadership. You have to go in with the local leadership and articulate why we believe this is an important thing to do. And then more importantly, you literally put it as an educational opportunity. This is not a blame game. This is an educational opportunity. Everybody has the same scenario in their personal life. You look at the same thing a hundred times and you don't see the hole in the wall. But it's one of those that this is all boats rise if everybody learns from the experience.

Charlie Phalen:

Yeah, I agree with that. I mean, as a chief security officer, this flaw that is found is my problem as much as it is anybody's and so we share the feeling bad about this without damaging people and we'll share the responsibility for fixing this and getting it back where it needs to be. And the only exception I would make is if there's some really felonious behavior on the part of one of your employees that causes this problem. That's a different issue. But we share in the responsibility and we'll work together to get it fixed. So I become part of the bruised ego.

Casey Laughman:

And Charlie, that goes back to your earlier point about building relationships and it's not just building external relationships, but it's also building internal relationships so your team trusts each other enough that when something like this happens, you as the person in charge says, "Hey, the buck stops with me." That goes a long way, doesn't it, to making people feel empowered to be a part of a team.

Charlie Phalen:

Yeah. This has never happened to me since at least in the last two weeks. When these things happen. My approach was let get with the people together and tell them, "Okay. We know what's going on. Let's get ourselves focused on the resolution of this issue and get this back to where it needs to be and focus on the future."

Casey Laughman:

Great. And then so as we talk about crisis management and developing crisis management strategies and everything like that, what are some of the key technologies that we should be leveraging when it comes to developing, implementing and carrying out a crisis management strategy?

Charlie Phalen:

Good question. One of the earliest steps one has to do in this is to assess what it is that needs to survive. I know everybody's going to say everything needs to survive, but really what will cause the operation to collapse? Probably a bad example in a parallel universe, the Sony Corporation never realized that getting their system hacked would bring them completely to their knees. But had they paid any attention to that, they might not have had half those problems that they had. But first and foremost is the ability to communicate followed by providing visibility as you're planning the response, followed by providing the visibility and to the extent that whatever just happened or is on the verge of happening, if you're lucky enough to get some advanced warning, and what and who is in place to mitigate that potential damage.

Mary Rose McCaffrey:

And the other thing I would say, Casey, is that Charlie talks about the Sony hack, but crisis management is an enterprise response. We've all worked in places where everybody thinks they got their own plan, they're ready to do it, and then there's 70 different plans and nobody knows what's going on. So the more you can as a company or as an entity, have a standardization of enterprise, what is the technology that can inform you of what's coming, whether it's a natural mother nature or the more time you have to inform, you can prepare to whether it is to get the assets out of harm's way, to get the people who are more important than any asset so that they take care of their families. We used to have a boss who was all about take care of the people and the people are going to take care of you.

And at the end of the day, hurricanes and tornadoes today and today's technology, you can actually prepare for them. So you have some time, whether it's days or it's hours, you can prepare. But do you have people, do you have a plan that people understand what their role is individually? They understand that they have contracts in place so that when the hurricane goes through, you got Server Pro or whoever it is, comes in and helps clean up the mess that you understand what your customers that if you're going to have 140 mile an hour winds, you really shouldn't have humans in harm's way like that. So you prepare to the best of your ability and then when the event actually occurs, you in essence use technologies to your benefit to inform usually your board of directors, your leadership team as to what's going on. Have we lost humans? Have we humans who are ill? Because it is all about people. And then when the event passes, it is a function of how do you prepare to get back to the job of doing your business, whatever that business is.

And it is not a one-and-done. It is a continual, do you practice that through the year? So do you have an emergency call-out system that says if you had an earthquake in California, do you have a simple one, two or three? Because what's the first thing that goes in an emergency? Usually cell phones. So that you don't want people to be trying to panic, but you also don't want them to be trying to go back to the office the next day. So there are lots of things one can use in the technology space to one, most importantly, have a common plan, a standard plan to prepare. And then when the event happens, as I used to say, when oh spit happens, you can one, have some ease of people are safe, we've moved what we can, we lived through the event, we then prepare to get people and the facility back up and running. And then the most important thing is learning from what went well and what didn't go so well, and then build it into your playbook. Every company who has a good crisis management system practices this regularly both in facility, cyber security, you name it. They practice it so that it is not a surprise to the employee who showed up yesterday or to the employee who's been there 50 years.

Charlie Phalen:

And then just one last quick thing is to take advantage of others' problems.

Mary Rose McCaffrey:

Bingo.

Charlie Phalen:

So I hinted about the Sony hack. It didn't directly affect the company I was working for at the time, but the panic amongst the IT population across the community, and frankly across the whole business community, watching how simple it was to bring Sony down created a whole lot of angst and people were really digging hard fast to try to resolve those particular weaknesses that might be in their own system and how to respond to those things.

Casey Laughman:

Yeah, that's a great point. So we have about five minutes left here. So I want to wrap this up with a big picture question. Both of you obviously have really extensive experience. You've done a lot of really high profile security roles in your careers and things like that. But what do you see ... And Charlie, let's start with you on this one. What do you see as the biggest challenges for those who are managing these large enterprise security programs and what's the best advice that you can give to them based on what you've learned during your career?

Charlie Phalen:

Okay. Quickly here, because I only have five minutes. Time, distance and the scope of your role is going to prevent you from managing everything closely and effectively at all the same time here. There may be one or two things that you need to pay careful attention to directly, but for the most part, you should hire, develop, and trust the people that you need to manage and execute this program. And don't forget to give them the tools, AI might just be one of them, that will enhance their ability to track things to make appropriate and timely and effective decisions, whether it is day-to-day actions, responding to an event or planning for bad future events. I would say one of my approaches to how to deal with that is that if I am successful at hiring and getting in place the right people to make those right decisions and get them working so it's almost an automatic, if I get hit by a bus, nobody will know that I'm even gone. Over to you.

Mary Rose McCaffrey:

I can't say any better. To Charlie's point, one, you have to lead from the front. You cannot manage a large enterprise by yourself. You have to understand what you're managing, don't delegate and forget, but you also have to trust your people to do their job. Because if you take care of your people, they will take care of you. And like everything else, it is all about relationships. And when somebody does something incorrectly, you always praise publicly and you correct privately. No one wants to be called out publicly if they did something wrong. To your previous question, Casey, this is really a team sport and large enterprises are not a lot different than small. It's just that people's roles are more consolidated. Let them do their job and if they need course correction, you help them with that. And if they do something illegal, well then you have to help them with that too.

‍Casey Laughman:

Right. And it just seems like it's been just a recurring theme throughout this entire conversation that no matter what your policies are, no matter what technology you're using, anything like that, the key to good security really is building those relationships and maintaining them, isn't it?

‍Charlie Phalen:

Absolutely.

Mary Rose McCaffrey:

Yes it is.

Charlie Phalen:

Absolutely.

Casey Laughman:

Great. All right. Well, unfortunately that's all the time we have for today. Mary Rose, Charlie, thank you so much for joining me.

Mary Rose McCaffrey:

Casey, thank you very much for having us.

Charlie Phalen:

Absolutely. Thank you.

Casey Laughman:

Please join me in thanking Mary Rose and Charlie as well as our sponsor, Live View Technologies, whose support made this webcast possible. For more information on upcoming events or to view the recording of this webcast, visit DefenseNews.com. Thank you for joining us and have a great day.