Brady Edwards:

Let's get right into the topic of physical security. The days of physical security being only guard force door locks and CCTV is quickly coming to an end. As technology solutions continue to play a larger role in our physical security strategies, the market of available solutions also continues to grow. With so many options available, how should we evaluate potential technology solutions for our physical security programs?

Mary Rose McCaffrey:

Well, Brady, I think the first thing you have to do is understand what you have. Every physical security program has a series of tools, whether it is guards, CCTV, and you have to evaluate what you have. You have to align it to your business independent of what your business is, and then you have to see what that risk profile does for you. Many physical security programs have a lot of end of life programs and technology can help with that. Technology can enable the mission of security while allowing humans to do the other hard work. Technology also enables you to get sooner insight to a challenge, to a problem, to an end of life. And most technologies today have an ability to have what I would call a plug and play solution. You don't have to replace a static security solution, which has a lot of capital cost associated with it. Technology can enable security functions within state federal companies, but they also can enable one, the reduction of capital costs, the reduction of physical human labor. You still need that. But where everyone always struggles with that is they're uncomfortable with technology, so they have a tendency to go back to what they used previously. So physical security solutions today include an entire suite of technology solutions that you really can utilize for the betterment of both your companies as well as for your mission space.

Brady Edwards:

So if you had to give a letter grade on who prepared organizations are to handle new challenges, what would that be and what are your largest areas of concern that you have from your experience and background?

Mary Rose McCaffrey:

So I would be hard pressed to give anybody a letter grade, but I would say from my experience is that every organization has a posture that I used to say a credit and forget it. We buy a product or a suite of products or we secure a facility, a compound, a mission, and then lo and behold, we think it's going to stay as it is the day we bought it. We never pay attention to a life cycle of costs. We never pay attention to challenges in the environment, harsh environments or harder on some equipment rather than other equipment. And no one ever has what I would call a full treasury of all the money they want. So you really have to think about what is your priority, what is your program, and then how do you keep evolving against the current threat landscape, which is changing faster or as fast as most technologies can change.

So I would recommend that people look at technologies to enable and add them to the suite of your equipment and then you have a running chance of keeping up with the threat landscapes. The threat landscapes come in many different formats for many of the people on this call, whether it is threat landscapes of people coming onto your facilities, threat landscapes of your fence lines, fail threat landscapes of your cameras don't work because you didn't maintain them over time. Threat landscapes of someone wants to upset your business, whether it is whatever your business is, someone wants to upset it, or more importantly, if you're in parts of the country, you have significant growth in crime and technology can help with a lot of that. So from a standpoint of a grade that would be hard. You might have an A minus on the day you buy the equipment, but five years later you are not going to have an A. 

You have age, you have infrastructure. I would say the one thing that people can think about is think of your infrastructure as not a static infrastructure. Think of infrastructure as something that is flexible, scalable, and can evolve as the missions evolve, as the security posture evolves and as your company evolves. And that will help always keep it at a passing grade. And if you have oversight, your passing grade will keep you in business. If you have a failure, you could be put out of business that then has a cost to the business that security was the problem, but that nobody wants to hear that at the end of the day.

Brady Edwards:

I want to pull the string on something you said there. So let's say if you have competing challenges with your infrastructure or you have identified projects that a long list of projects and you get a limited amount of capital funds. How does the organization go about prioritizing what they allocate their funding towards when they have competing challenges like that?

Mary Rose McCaffrey:

So you're always going to have competing challenges and you're never going to have enough money. I would give you three recommendations. One, every company has a strategy. They have a mission for what they have to do. A security organization has a number of things it wants to do, but you need to align the biggest challenge to what you fund first. So for an example, there are companies that have to meet customer requirements and those companies need to align to that priority first or the customer will not pay your bill. Secondarily, one, you need to make sure that you include all of your stakeholders so your stakeholders are not just in the security community in today's environment. You can't do without your cyber colleagues, your program people, your money, people, you need to understand and include all your stakeholders because only then will they understand why security is an enabler, not just a cost function.

And so you're never going to be able to fund it all at once. You're never going to get all the money you asked for, but go after the largest priority for the company that is aligned with that priority for the company and then work through that and update that. Much like evolving physical security threats, evolving financial requirements in every business, you may start off with a budget of I'll just use a hundred dollars because a hundred dollars is just an easy number and you think you're going to get a hundred dollars. And then lo and behold, the company priority changes and they're going to take $10 because they need some margin for one of their priorities. And then lo and behold, the cost of labor goes up and or the cost of equipment goes up so that now $90 buying power might be 80 or 70. So you really have to go to what is the number one priority. So much like when you and I were on the LVT manufacturing line yesterday, it's like a manufacturing line, but you put it in the perspective of is it green, yellow or red? And if it is red, then you address that problem first so that you don't impact the rest of the physical security program for whatever company or business you're in.

Brady Edwards:

Very good. I appreciate that. Thank you. So changes to hard and time consuming. How do you rally stakeholders and leaders around the idea that we need to adapt quickly and the environments that both of us came from sometimes move, things move slowly. So how do we get buy in on it? We need to adapt quickly and at times we need turnkey solutions.

Mary Rose McCaffrey:

So sometime first that is all about who are your stakeholders and you need to understand that and how do you educate your stakeholders? There has never been a stakeholder that I knew that wouldn't respond to the issue we had if they understood our business. Now, if security stays in the background and does not have a voice with whether it is their company policy, their company procedures, their company programs, then the companies think that security sometimes is just magic. It's not like a fairy dust, but it costs money. And so if they understand one, what you're trying to do to deter, detect and to, as I call it, stay as far left of boom as possible, they will help you in that journey. That journey can be a technology solution, but quick is a very relative term. So even if you start with a single pilot of a quicker than what you are used to, then you've begun the journey that says here's how technology can enable the company.

One, understanding what that technology can do to deter a physical security problem for any company. If they have a physical security problem, whether it's a gate runner, an explosion, a protest, a guard force that decides to have blue flu or a camera system that fails, you have to report that to a customer. Now all customers are interested in knowing that they, one, you have credibility in what you're telling them you're doing. And two, that your integrity is going to say you're not going to try to hide it. And that's where certainly in my 40 years, technology has enabled me to find a solution for either the same or the lower cost. But that being said, when you buy it, make sure you don't just buy it and forget it because you buy it. And if it evolves, evolve the technology. Can it help you in other areas?

You have physical security problems, can it help you with technology solutions for places where today you're using a human and then use those humans for something else? So stakeholders are absolutely critical. I can give you examples of both in my federal service as well as my private industry service, the stakeholders from every mission business unit knew exactly what I knew what they had to achieve, and I aligned the strategy of security to align with their mission objectives in the government. It was the same way In the government, you have a lot of responsibility in terms of what you have to do, where you have to do it, and how quickly you have to do it. And at the end of the day, if you understand what your customer is doing here, it's your company or your federal customer. But at the end of the day, if you understand what you need to do for them, you can help provide solutions and then evolve and keep up that solution set as you move through.

And I will give you one other very short example that you yourself are very familiar with. Anytime a company acquires another company, you acquire the unknown, you acquire the unknown of their physical security posture, be it terrific or maybe not so terrific. At the end of the day, you need to align that to the company it's coming into. And normally what happens is you find that stuff out when you ever run to failure and then you have to fix it accordingly. So when you think about this, you have to think about it in every aspect of your business. If you have a best case scenario in terms of an opportunity space, take what works really well, look at the technologies and then that apply that to another part of the business. How do we get to an enterprise solution for things of common? And then you can look at, okay, what are our other issues and tackle the harder ones.

There's always a solution whether you have it today or tomorrow, there is always a solution. And I've never known a boss, a congressman, a leader who said, I have a problem. And if I didn't come to 'em with a solution, they kicked me out of their office and they were right in doing that because what we're looking for in the security business is how do we solve the problem? How do we solve the problem and enable the business, not how do we identify the problem and say hand out our hands and say, give me some more money. I wouldn't hand people money if they didn't give me a solution. So I think it's really important that technology has a lot of applications in different spaces that today people have been fearful because they don't know what it does and they've not used it. And technology can really help in a lot of ways that historically we used humans or five different disparate pieces of equipment to address

‍Brady Edwards:

Technology can make people uncomfortable sometimes, right?

‍Mary Rose McCaffrey:

Absolutely. Technology is one of those things is remember there's a whole group of professionals who grew up in one way and today you have five generations of employees in the workplace. So they all think about things differently and technology is intuitive to some and not intuitive to others. My recommendation there is always listen to the people who understand the technology because one, you'll get smarter. Two, don't be afraid of it. Don't be afraid to ask all the questions in the world because until you ask the questions, it's just going to look like a shiny rock. And that shiny rock may be able to do wonderful things, but at the end of the day, look at the shiny rock in all of the backend solutions. So if you buy a gadget, let's just say you buy a camera system and that camera system is great, but what happens to the backend?

What happens to the cyber piece of that? What happens to the upgrades of that? How do we utilize the upgrades as the system matures ages? I think of natural disasters. I've put people in harm's way in natural disasters because I didn't have a system that once the power went out, I didn't have any visibility. And at Northrop Grumman, if you had no visibility, your customers were not happy. We did get our customers to get beyond the leaving humans in place. But technology, that's a perfect example where technology can help you. Technology. There's not a company in the business that doesn't have theft, parking lot problems or protests. And so how do you address that? Technology today can address a lot of that. One you can always look at, you have insight to what are people talking about on social media? We always knew when there were going to be protests, we didn't have necessary visibility when there were going to be protests.

We always knew that we were having theft problems in parking lots that were not necessarily in the most pristine neighborhoods, but if you have the little blue Kmart label in the parking lot, one, it then takes 30 minutes for the guard to get to you. Tech technology can help you there. And so there are always things that if you get comfortable with one, you get smarter and smarter and smarter. In the federal space, had I had some of the technologies that I know are available today in harsh environments, I might've been able to keep people a whole lot safer than the things you worry about every night.

Brady Edwards:

Yeah, something you said really resonated with me that sometimes we don't find out all of our systems that we assumed were on the backup power. Once we have that power outage, we find out all the systems that we assumed and didn't test, we're on that power are all shut down. And we have that moment, we're like, well, we're in a bad spot, right?

Mary Rose McCaffrey:

Well, and what happens is people will prepare, they buy the generator, they buy the backup power. They don't necessarily connect it until the next problem. I once worked for A CEO, who was probably the smartest person I've ever met, but who was also absolutely primary responsibility was to his employees. And at the end of the day, he knew he had facilities all over the country that were not in places that survived hurricanes and earthquakes well, but he prepared for that and he prepared for that. And he quote made it very clear that it was not just a security issue, it was a company issue because companies can actually resonate to their clients that their parking lot theft or break-ins drop by x percent. It helps you recruit employees. Hurricanes occur, mother nature is going to win every time earthquakes occur. But how are you prepared for that and how do you practice for that?

And I will tell you, technology is an incredible enabler in the physical security arena for helping companies prepare. And then if you, as I call it, plan the plan, practice the plan, and then when it's time to execute, you're not all staring at each other. And your former company had that from usually August to November every year in every year. It seemed like a surprise. So it's really important to allow technology to enable not to do, I don't know anything about it, so we can't use it. Listen to your employees. They really are very smart and keep yourself smart, understand what the trades are doing, understand what the technology is doing. The materials have morphed over 40 years that the materials are pretty resilient. And then that's what the partnerships are all about. If you have a partnership with a company that is doing picket, whatever you're picking, if it is a camera system and you have a problem with the camera system in a windy scenario, so you talk to the partner and you understand it's still your responsibility, but you talk to them about how can we tweak this? And if they want to be a partner to you for a long time, will help you with that. If you have theft problems in parking lots, talk to your partner about here's where we're seeing the problems. They've dealt with it with probably other customers. And as you know, being a physical security expert, there are a lot of physical security requirements that no one ever sees.

No one ever knows about until there's a problem. And the challenge then is you've had a problem. Everybody wants to throw instruction, money and solutions at you, and you don't know how big the problem is yet. So that's why understanding enterprise solutions, scalable solutions, you can challenge yourself and then that can be updated over a period of years to adjust according to the company plan, to the government plan. Police departments are pretty good at this. Theirs is always a function of there's never enough money, but their solutions they make do with what little they have. There are parts of the federal government who don't have the right amount of money, but they make do with what they have, and that's where technology can help. Technology has evolved dramatically in the last 45 years.

Brady Edwards:

Yeah, absolutely. Very good. Thank you. So during our conversations and the time I worked with you and our prior chapter, you talked a lot about the why. So once we've established our why, what elements are necessary in crafting a sound fizzle security strategy around the why?

‍Mary Rose McCaffrey:

Well, if you don't understand, well, there's two why's. There's the why of what's the company doing and the why of what security is doing to enable the company. And so you think about it, why do you do security? You don't do it because it just says in a contract. Some people do, but they don't usually have very good security programs. Security will enable the business because security will allow the business to do things differently and challenge their customers to think about things differently. In a couple of scenarios, we asked our customers to really step on the edge of we wanted to either increase production, we wanted to increase the ability to do something in environments where if took a traditional security approach, one, the company would never deliver the product on time and on budget, but the why behind what you're doing, are you protecting people?

Are you protecting an asset? Are you protecting an operation? You got to understand that. And just because you're a security professional doesn't mean you get to say, oh, I don't really care what those engineers are doing. You got to understand what they're doing because there's always a piece of what they're doing when they're building an airplane. There's pieces of an airplane that are really critical to be protected when you're building a submarine. At one point in my life, I worked in building submarines. Submarines are a massive piece, but there's very little on a submarine that they have to protect. So you break, it's like puzzles. I'm a huge puzzle fan. So you take those thousand pieces and you say, okay, what are the ones I really have to worry about? I'm an edge guy, so I always go to the edge first, and then you begin to solve the picture for what the rest of the puzzle is.

So from a standpoint on a submarine, you always worry about certain things. And so we took that into account with the company that was building it, the customer that was building it and said, here are your top three concerns from a security standpoint, and here's how we can address that. Some of it was old fashioned physical security. I call it very generic. Some of it was technology and we took a risk. We took a very, very calculated risk. And you know what? We got those submarines built on time, on budget and on schedule, and that's what it's all about. If you don't understand what the mission of whomever your client is, you're never going to get there. So our former employee, it was really important to understand the why. There were four sectors, there were lots of different divisions, there were lots of different missions, and it really didn't matter what they were. It mattered that everybody understood why security enabled that mission, whether it was getting people to the mission to do what they needed to do, whether it was the physical security while you were in development, construction and deployment, and then it was the whole physical security while you were actually in the scenario of the o and m.

Brady Edwards:

Yeah, your puzzle analogy reminds me of security and depth, right? You start the perimeters and work in, so I appreciate that. So next one here. So most security professionals during their careers have responded to a dynamic threat situation or that was an armed intruder, active vandalism or burglary. When situations like this occur, it'll require an immediate response and also reevaluation of our physical security strategy. How can we respond on dynamic situations like this? Strengthen our security posture will still be mindful of budget constraints.

‍Mary Rose McCaffrey:

Well, I'll go back to the answer to my first question. You got to understand what your security is. There are very few companies who live in a single building, very few in today's environments. There are companies that have lots of locations and people are in operational environments that are difficult. Bad stuff's going to happen. You cannot delude yourself that you aren't going to have a protest, you aren't going to have a burglary, you aren't going to have a break in. That's not going to happen. Long time ago and far away, we were having hurricanes in Florida where they launched shuttles and had, and this was a long time ago, we had a billion dollar satellite that we had to get out of that shuttle and get to a safe place before the hurricane. Now, we literally pulled a whole lot of things out of our hats, but we got it done.

But like anything that was part of the plan for the plan and execute and then know what your plan A, your plan B and your plan C is, because first it's your why one hurricane, you can't change weather. You can't necessarily change break-ins until after the fact because you probably find out, oh, you don't have any cameras on the backside of that building. So it was a perfect opportunity. Oh, you have a perimeter search that goes every hour on the hour at 10 0 2. So all you have to do is just follow the footprints of the guy walking around the fence line to realize that just go where there aren't footprints. So there are lots of things that you have to learn continuously from your security program, and more importantly, you have to continue to articulate to your stakeholders why your security program is important. Because if they don't hear it, they're going to think that it just magically happens.

And because you haven't asked for anything, they're not going to give you anything. So part of that is being part of every fiscal conversation, being part of every program conversation and knowing when you have to be the squeaky wheel in the loud voice because you don't want to be the loud voice after you've had a problem because then everyone's looking to find fault with what you did and then continue to look at your entire program. Large companies have lots of different programs, and so large companies often look at how do I quote use technology to my benefit to what's my return on investment? How can I reduce the labor hours? How do I reduce the crime scenarios? So dynamic and evolving happens all the time. You could put it to a police department in New Orleans. They had a very horrible tragedy this year, and that was a dynamic situation where the aftermath will tell you what happened and what they can correct, but you should be doing that before an event happens.

That's often why in many companies they have crisis management that often will fall under security. And that's not just to address cyber events or protest that can help you address your entire program. Do your program managers understand what will happen if you lost the alarm systems at a building that has a classified asset at it? That's a problem. Then you have to put humans on the problem. Humans are a lot more expensive than technology in the long run. Now humans are important because they have to understand what the technology is telling you, but they are not necessarily the only solution. But oftentimes my history has taught me that we put a human on the solution and then we figure that's just the solution forever, when it really isn't the solution forever. It's what I would call the, there's no panacea of one solution. It's always what's the best combination of tools in the toolbox to prepare and to continue the evolution of your security program as your corporation continues to evolve.

Brady Edwards:

How many times have you heard that it's the way we've always done it, right?

‍Mary Rose McCaffrey:

Oh, more times than I care to count and it's sort of like, that's my job. Well, no, it's everybody's job security is everyone's individual responsibility. And I could give you chapter and verse, I'd be a very wealthy woman if for every time someone said, that's not my job, that's your job. When in reality, it's everyone's job. It's no different. If you are getting a paycheck from company A, B, C, company, A, B, C expects you to understand what they're providing as their product and more importantly how they are helping their shareholders. Most companies have shareholders grow their company, and just because you're in security, you don't get to play. You don't know that.

Brady Edwards:

Yeah. Very good. Thank you. So I know during your career, and I may have been at the other end of the operation of one of these calls you received, but I know during your career you have received a call. Every security leader fears a security system at one of your sites has failed and you learned this system was end of life with no path to bring it back online. We know there is no easy button for situations like this. So how do we bridge the gap between the limitations of current infrastructure or catastrophic system failure and the completion of required upgrades that could take months or even years?

Mary Rose McCaffrey:

Well, so that's not the worst of all calls. The worst call is I used to say, and anyone who's ever known me knows between 11 and five, those phone calls are never good. The worst call is when somebody tells you there's a problem when we don't know who's alive or dead. The second worst is we have a problem and we have an alarm system. And so then it's just like all hands on deck. So first and foremost, you got to go figure out what the problem is and you got to go figure out who knew what, who shot John. It never is anyone's fault, but it's really just a function of it goes back to that accredit and forget it. They buy a fancy new system and then they think it's just going to stay fancy and new. I always tell people, equate it to a car.

How often do you replace cars? And if you replace cars every 10 years, you change the oil, you change the tires, you wash the car, had anybody actually even looked at the system and end of life systems happen all the time. You can look at the computer on, everyone has a computer and the operating systems change. I don't even know what current operating system people are working on right now, but there's always an end of life. So do you plan for that? But that's part of that whole strategy. If you don't have a security plan or strategy for whether it's your business unit, your division, you're local, your company, then there's no way you can even begin to calculate the price tag of what's important, what's not important, what's end of life, where are we going and begin to fix it because all that is is a huge set of numbers and those numbers, because you and I worked on a project where we portrayed a huge set of numbers and there happened to be some capital money that we started to cut down the risk.

All you're doing with that is really identifying things by reducing the risk to the corporation, and you're never going to get to zero because by the time you get to the lowest one, it's probably almost end of life. But you can begin to articulate why is it that you keep such things? Why is it you understand what your technical security systems look like in the federal space? Now they're looking at all the ICD 7 0 5 stuff. There are many secure spaces across industry right now that were built 50, 60 years ago. They don't currently meet standards. That being said, this is a perfect time to take a look at what do you have? So what's your data tell you today? Everybody collects data differently, but in a company, you should know what your data is telling you. What's the age, what's the systems, what's included in the systems over years?

We add things, but do we ever take the old stuff out? And then more importantly, once you understand what you have, you can understand what's your first priority of correction and then work down that correction and then that, I'll just put a billion dollar problem on it. That billion dollar problem becomes a workable set of solutions and that workable set of solutions begins to ping off. And then what you have to make sure as a security expert or a physical security person, you have to tell people what you did because if you don't tell 'em how that helped them, that return to the business, save them dollars, save them people, save them time for response. They're not going to be so easy to hand out next year's excess cash for your set of priorities. So I always found that briefing, whether it was the business unit, the corporate board, my leadership in the federal space where we were in the movie script, because the movie script will always change.

You've never been to a movie where the script didn't change, but where we were in that script and what was the biggest priority, and yes, there were some years they said, yep, we'll give you the money. And some years half that money showed up and some years no money showed up. But then you figure out, okay, what am I going to do to fix the problem and something else is going to have to give? So it's all a prioritization. You have a personal budget, you manage against a personal budget. There's no security professional shouldn't manage and understand what the fiscal responsibilities of, whether it's physical security or any other cyber. Cyber is. We finally have trained a generation of people that if it looks like spam, don't click it. But it took almost 20 years to get there. So every discipline in this process is important for people to educate, educate, educate.

Brady Edwards:

Absolutely. Very good. Thank you. So kind of going back to what we just talked about, so how do security professionals develop that five-year strategy while keeping risk at the forefront?

Mary Rose McCaffrey:

So one, they got to understand what their company strategy company, high level, every company has an annual 10 k they have to roll out. Every company has a mission, vision, values. They roll out every year and they have a five-year plan. What kind of business we going after? What do we have deliverables? What's our backlog look like? Every company has that. And if you as a security professional don't know what that is for your company, the first thing you do is go onto your website and find out what that is. Then the second piece is you roll it down to the next layer and you're going to have your business units. Your business units all have a priority. They have a bogey that they've been set by their bosses as to what they have to deliver. Is that an airplane? Is that people, is that a technical security solution?

Is that an infrastructure? Whatever it is, you have a business unit demand, and in that demand there should be a program plan. And in that program plan security should be part of that program plan. And every year that program plan is going to modulate a bit. Some years your customers may want more, may want less. Yesterday we had a great opportunity to visit your manufacturing floor, and that manufacturing floor literally can modulate based upon the demand of the business and they have figured out how to modulate that while still keeping their costs stable. And so a lot of security people really don't understand money and if you don't understand the fiscal responsibility of money and how things are spent and the total cost, not just the cost of equipment or the cost of the computers or the cost of the whole suite of equipment, but really the cost of the lifecycle of the technology.

I bought more fences in my lifetime than I care to think about. And during the decades, some had some great technologies in 'em that were great sensors, but the minute a squirrel eats through it, it's not a really good sensor. There are other things that technologies cameras. I was around when cameras didn't pan tilt zoom. So the ability of you to understand and explain to your business unit how technology can help them on a manufacturing floor or in an operation and then understand what you have to recommend. You have to recommend to your boss what kind of money you want every year and what's a priority? Don't be a pig about it. As I always used to say, don't be a glutton about asking for a Cadillac when a Chevy will do. The reality is you need to understand what you have to fix immediately and that will help where you progress, move that needle in a direction. You're never going to do it all in one year. You can't physically do it all in year, but you have to understand what your business does and how you can support that business.

Brady Edwards:

And it goes back to it's also a snapshot in time. You capture all the projects that you know of. It seems there's always that surprise that comes up six months in the year that you hadn't planned on. You got to kind of adjust your plan, right?

Mary Rose McCaffrey:

Right. There's always going to be an O fit moment. There's always going to be a building you didn't realize the company was selling, and you're not always going to be privy to that. There's always going to be somebody who wants to move into a building that really isn't fit for man or beast and you have to help explain why. If they went into another building, it would be a whole lot easier and a whole lot less expensive. You put things in fiscal scenarios. It's funny how quickly people begin to listen to you because it's all coming out of their budget line.

Brady Edwards:

Yeah. Alright, thank you. Very good. So you mentioned how essential communication is developing strategy, especially when it comes to notifying stakeholders. In your experience, what's the best system for notifying the stakeholders

Mary Rose McCaffrey:

Be part of the conversation with them throughout the year? I had a former director who once said to me, you always have to have an elevator speech. If you find yourself either with a director, with a business unit, with a senator, a congressman have a 32nd elevator speech, but what do you do? And more importantly, continue those conversations. Go have lunch with someone who's not in your business. Don't eat with your buddies. If you eat lunch, go talk to somebody who doesn't understand what you do. I would say that my success over the years had been clearly trying to inform myself of other people's business and also helping them educate because your stakeholders are going to, the real key to this is you don't have to be in the room when they're making financial decisions, but if someone's going to advocate for you, then they have to understand what you do.

And so it doesn't matter whether it's somebody helping you grow up through the professional ranks or not financially, it's the same scenario. Someone's going to advocate for a program that comes up on that list and every CEO e's got a list longer than they have a checkbook Someone can advocate. You move up the list when someone else can't explain what's going on there. So I'm always a firm believer in stakeholders that has to be part of your daily communication. And then on a regular basis, whether you have a quarterly review, a monthly review, some mechanism to communicate to both your superiors and their peers because you're all in the same lineup of what has to be funded and what doesn't because it's only one finite line on them and they're going to go with the one they know most about

Brady Edwards:

Competing needs. Right.

Mary Rose McCaffrey:

It's always a competing need.

Brady Edwards:

So we have, we're going to move some questions from the audience here. So first question Mi rose, in your opinion more to the top one or two biggest risks, which companies are not focusing their resources to mitigate? In other words, what are the biggest risks companies are not currently addressing? Good question.

Mary Rose McCaffrey:

That is a great question. One or two risks. I would say probably single point failures. So instead of thinking it as whether it's an internet of things or a system of systems, many companies think that, let's say site one is good, so all the rest are good. Have you looked at all the others? And do you realize that it really becomes an internet of things? Have you coordinated with your colleagues in the cyber arena? Because all you need is somebody hacking into your sock and then you have a problem. Do you understand? I call it the push pull of every company wants everyone to be welcome and yet they want some protection. And so as I always call, it's the two-headed llama. So you got to find the balance there. But I would say the one thing is that all companies probably think their systems are better than they are, and that's not a failure on a company or not.

It really is just you got to understand what you've got and then you can address the physical gaps in that security profile. And then secondarily, like anything else, I think humans are a really important part of this. You have to develop your employees to take on the next generation of challenges, because if you do not, then you're going to get to a place where your demographics are going to be such that you have a lot of experienced leaders and they're all choosing to go hunting or beaching or whatever they decide to do. And then you have a bunch of people who don't have the wisdom of their experience. So I would say that I would lump all physical security inclusive of cyber there. You can't do one without the other in one people. I think their biggest challenge is they think the state of their security is probably maybe better than it is because they don't really look at it with any periodicity.

And then two, I would say that the second piece of this from a security standpoint is really, and this has been the challenge for years, is developing and teaching the next generation and paying it forward so that when they have whatever the topical issue is, the protests, the hurricane, the tornado, they don't have to reinvent it everywhere. Just because it didn't get invented on your watch doesn't mean that it isn't worth doing. And it's okay to agree to disagree. People have a tendency to say, well, we're going down this path, and everybody's afraid to tell the emperor has no clothes. I would hope that people would tell me that I had no clothes and that would be an ugly sight. But the emperor needs to have people around them who will say, you need to stop and course correct, and that will make every leader better.

Brady Edwards:

Yeah. The yes people, right.

Mary Rose McCaffrey:

Yeah. Well that works for a while until it doesn't.

Brady Edwards:

Yeah. So in your opinion, what is the number one emerging physical security threat or issue?

Mary Rose McCaffrey:

People not understanding the capabilities of the backend of physical security systems, both the good and the bad. So I would say think of a lot of technologies and I think of technologies that I've used over the years and we bought the technologies and then we thought somebody else would take care of the backend and then the backend's got compromised. It's understanding the whole life cycle of a system. So I would say the biggest physical security threat is the speed and the dynamics of the change of one, the technologies, the tenure to solution and the responsibility of the leaders in the security business to stay on top of that because you're not serving your companies as well as could, and you need to be okay to be a voice in that environment.

Brady Edwards:

Okay, very good. So what are some technologies not widely accepted currently that could be used in cost effectively securing classified spaces?

Mary Rose McCaffrey:

There's probably a laundry list. I would say probably the biggest challenge in classified spaces in terms of technology is that the classified spaces doesn't matter who they are, have what I would call their preferred products list or their, and they're oftentimes somewhat delayed from some of the technology solutions that are out there because they haven't gone through the lifecycle testing of the customer requirements. If there would be a way to shorten that gap, I think you could find a lot of technology solutions that could help in the classified space arena that today are not being utilized because could go back to that whole fear factor. Everything in a classified space has to be disconnected. Well, does it? I'm asking the rhetorical question, and you can disconnect through technology. You have to assure you're disconnecting, but you can disconnect. So I think if I had one area, there are parts of the federal community that really do a lot of the testing on things.

And so there are some who are moving at accelerated paces, and that's fantastic because innovation creativity has to be done or we're going to fall behind the power curve. But I think it could be done faster, and I think that there could be some pilots of let's try it. Worst case scenario, do it at a lower level of classification. The reason things are classified is the risk to national security. So go at the lower level of classification, lower level of risk, give it a whirl, see what happens. The world isn't going to, you got backup solutions and you got humans, so you can probably accept that risk. But I'm not in the government anymore, so I will not pretend to say I have all the answers.

Brady Edwards:

Alright, one more. So how do we plan for risk? That comes with changing environments based on known or unknowns, such as changing government focus. That never happens, right? Particularly those that are radical are complete reversals and direction.

Mary Rose McCaffrey:

So what I would say about how do you prepare for risks, that goes back to the original. This country and everybody in it has been through political seasons. Isis, you go back 25 years, 26 years ago, people did not know about homegrown terrorists. They've always been there. It's really go back to what is your company's mission. If you are a defense contractor, there are a lot of people who don't want you to do what you do, but strength and deterrence are good things. Two, if you are a technologist, you're always going to want to protect your technology to stay ahead of your competitors. If you are in a part of the country that has had a lot of challenges and they don't like one side or the other of a political spectrum, the key there is plan for both scenarios. It is all about risk management.

It is all about crisis management. It's going to have a different label, whether it's isis, whether it's change the posture, or it's going to change as a company, you have to do your business, you have to do your job, keep your head low, but also understand that you could have a cyber attack if people have been in this business long enough, they remember when the Koreans went after Sony and they shut down Sony. So it's all important. It's just got a different name, but it's understanding what you have. If you don't understand what's in your own little walls of your business and all your employees because your employees add risk to your business, then potentially that's where I'd start. And then I wouldn't worry about trying to solve the waterfront of issues. The issues are always going to be there, but the United States as a democracy has survived for 248 years. Let's hope we get another 248 more. There are going to be politicians coming and going, and it doesn't matter what side of the aisle on the priorities are going to change, but what companies do and deliver is critical to moving this country in the direction we want it to go.

Brady Edwards:

Very good. One more. Okay. So this is a good one. So what is your greatest fizzle security success?

Mary Rose McCaffrey:

I don't think there's one I, I would say it was probably a federal example, and it was sadly one of those moments where someone did get hurt, but we were able to create a physical security deterrent that didn't look like what I would call fences, guards, and gates. And because it was in an environment where we couldn't have fences, guards, and gates, but we were able to have a physical security deterrent. That was one of those things that left field problem, someone got hurt. And so it really became, we found a solution outside of what I call the traditional mechanisms. And those solutions provided the same, if not greater security to the people who actually had to work in that facility. Got out of our comfort zone a little bit. We got way out of our comfort zone. My bosses were having a cow, but we got through it.

Brady Edwards:

Very good. Well, thank you Mayor Rose, this has been a pleasure.

Mary Rose McCaffrey:

Appreciate your time today. Well, Brady, thank you very much and I thank everybody who dialed in.