The Role of AI and Data Analytics in Modern Risk Management with Dr. Farhad Tajali

0:00

Manish:

Dr. Farhat Tejali is a physical security leader with deep expertise spanning security technology, law enforcement, cybercrime investigation, and IT infrastructure. He currently serves as the SVP global head of safety and security at Creative Artists Agency, where he leads efforts to safeguard one of the world’s top entertainment companies. His career includes key roles at Netflix, NBCUniversal, and SAG-AFTRA. And he also serves as a reserve detective with the L.A. County Sheriff Department’s Fraud and Cybercrimes Bureau. Please join me in welcoming Farhad to our Connected Intelligence podcast. Welcome, sir.

Farhad:

Hi, Manish. It’s great to be here. Thank you.

Manish:

Great to be here. Thank you for, again, making the time, my friend. Our audience would love to learn a little bit more about your background and your journey and how it got you to CAA. So maybe in just a couple of brief minutes, please share.

1:21

Farhad:

Yeah, of course. Yeah, I started in the security field many, many years ago, right out of high school. While I was looking for what I was going to do, I had a big passion for tech and I was going through my degree in information systems. But I worked in the security field, physical security field for a number of years while I was going to college. I had a lot of fun. So eventually when I finished my degree, I went to the tech side. I was a network engineer and I worked, I oversaw the whole entire tech department for SAG after credit union. But then there was a time that there was an opportunity to get back into the physical security field. And I remembered how much fun I had. And so I made the switch. So I went back from from tech over to physical security. And I’ve been on the security systems and physical security side ever since. But I don’t think anyone wakes up and says, hey, I want to be a security professional. People typically fall into it somehow. And this is my journey. And I think it’s been great and still having a lot of fun.

2:27

Manish:

I love it. Love it. Fantastic journey. Okay, our number one question, top of mind for all of our listeners, is obviously the advancement of AI. You think about modern technology, modern tools. You think about physical security, which has historically been a little bit slower evolving when it comes to modern technology. So let me paint the picture for you. Most of the companies that I speak to, they’re getting top-down mandate, right? Even from the CEO to begin adopting AI and modern technology. And then you think about their peer organizations outside of physical security leaning in. And then you even think about their own team members, perhaps off the grid, using modern technology to drive efficiencies. Yet there is some resistance and some concern and some anxiety. Maybe paint the picture from your perspective on how teams, especially your peers in physical security, could be thinking about AI.

Farhad:

Yeah, I think we’re talking about two different things with a nexus. They both have a nexus. One, the physical security space is evolving very, very rapidly. Then you have artificial intelligence and introduction of AI into a lot of our physical security tools. That compounds that speed a lot more. And then you have physical security professionals, you have security professionals in general, that are trying to catch up with both of these at the same time. But the industry itself, I think, is limited with the knowledge and the training that our security professionals need, right? So we are trying to catch up, but we’re trying to catch up with something that’s moving a lot faster. So, you know, it’s just the AI field itself. I was reading this earlier this week, there is a research by an organization called Model Evaluation and Threat Research that basically, after the research they conducted on how fast AI is moving, AI is now completing, doubling the task every seven months, right? It’s going back to 2019. The completion of very, very complex tasks are doubling every seven months. That on its own is tremendous amount of speed. And then you got everything else that’s going on with physical security and technology. It’s going to be a challenge for us, and I think it already is. The security professionals, I think, need to do a lot more, and the security industry itself needs to do a lot more to try to catch up quickly. But that is a challenge for us. I think all of us as security professionals are in the same boat.

5:12

Manish:

What are some practical applications that you’ve either directly used, encountered, read about, maybe talked to your peers about in the world of physical security with AI.

Farhad:

Yeah, I think one area in physical security we’re doing great is the analytics, video analytics. I think the industry has done great. A lot of the examples are identification of suspicious packages, identification of suspicious behaviors, gun detection, gunshot detection, gun recognition, long rifles, someone walking into your lobby or approaching your building, holding a firearm, I think the AI-driven video analytics is very advanced, and I think the security industry has done a great job. One area I think we’re behind is more on the access control side. There isn’t enough involvement within AI and data analytics on the access control side. There is a ton of data there, but based on my experience, access control systems are really just being used onboarding, offboarding people, you know, there’s a lot of anomalies that could be found if you really look into the data there, but that rarely is being done. That’s one area I think we can do probably a lot more. Then also on the side of connecting dots across different systems, being access control, cameras together, what are some of the dots, some of those analysis that security professionals can do. Typically, these systems are siloed, two different systems, access control versus cameras. They’re not talking to each other. There is a lot of opportunities I think on that side as well. I would even say, identifying behavioral patterns, there is a lot of organizations that receive threats through email and voicemail calls, right? Identifying patterns, who are the persons of interest? Maybe what are some of the next threats or next actions they’re going to take against your organization, given all the patterns that you have? All the incident reports that are being created, right? The incident reports has a ton of data in it. from the date and time, the pattern that the threat was actioned on, how many times they showed up at a physical site versus electronic harassment. All of those things, I think that data can be compiled and analyzed, and AI can certainly help with that.

7:33

Manish:

So Farhad, what advice would you have, and this could be all the way up to the CSO, all the way down to the analyst? You know, many of them have decades of experience, they pride themselves on that experience as it relates to human judgment. They’re in the trust but verify mode. They recognize the importance of human in the loop. But many are still quite skeptical. Many are still quite reticent about leaning into AI. What advice would you have to any of them?

Farhad:

No I think that fear that level of fear should exist because there is definitely a level of uncertainty around AI in the security field right, so as good as AI is a force multiplier for us. But it can also be a mechanism to uplift security threats and risk just like we’re using it as a tool to force multiply what we’re doing, so are the bad guys right, and I typically it’s a tool that can enable people with deception so, it can be teacher and teach violent extremists, it can help build a bomb right, doors all of those things exist. For us, we need to be cognizant of that and remember, there should always be a level of fear. I think that fear can protect us and have our eyes and ears open. But at the same time, I think there needs to be some sort of a governance. It needs to be some sort of a plan on how AI is used within any organization, specifically within the security organization, and what is going to be used for. So I think security professionals need to look at both of that, both sides when it comes to AI.

9:16

Manish:

I know you’re incredibly passionate about data and data analytics, particularly in physical security. You’ve done this exploratory study. You have a deep, deep-founded passion about this topic. Maybe tell the listeners a bit more about that and what was the genesis behind it and what’s the aha moment for you in conducting this study and the insights?

Farhad:

Yeah, so in 2021, I was completing my doctoral degree at USC. And for my dissertation, the problem of practice that I decided to use for my research was the utilization of data analytics in the field of physical security. My hypothesis was, given I had worked with many different security teams and security professionals, that data analytics wasn’t really on the forefront of what they were doing. My hypothesis was that there was a knowledge gap. I traveled around. One of the positions I had, I was in charge of implementing security metrics program and training security professionals and implementing the tool at various different teams globally. What I found was, a lot of the security providers didn’t have anything to do with it right, they were kind of stuck in the way they did things and they’re OK with that. They saw this more as a chore: now I have to use an incident management system? So now I have to document all of my incidents and tasks and dispatches? Then I have to look at a dashboard to maybe find some insights? I already know what’s going on in my atmosphere, right? So there was a lot of that. So that was my hypothesis that there is some gap, but I wasn’t sure where the gap was. Is it knowledge driven? Is it motivation? Is it because they just don’t have the resources? So I use that as my problem of practice. I did a mixed method research, both quantitative and qualitative, with the lens of education. So I used Clark and Esty’s gap analysis framework, which focuses on three things. Whenever there is a gap in any type of task, it stems from three things, either a gap in knowledge, or motivation, or organizational barriers. I focused on those three things to understand if security professionals are not using or utilizing data analytics, why is it? I’ve done a number of interviews in my research. There was a quantitative survey that was sent out. Several hundred security professionals took the survey from CSOs to VPs, directors, and managers. What I found was security professionals need more knowledge, what is called the procedural knowledge, which is the know-how. How to analyze data, and that also goes back to tool selection, data collection, data analysis. Then after the analysis, come up with insight of what you’re seeing, and then repeat that entire process all over again. Make adjustments to your program, go back to data collection again, data analysis, and then gaining the insight, and then making adjustments to your program. Procedural knowledge was one that there was a gap. Security professionals reported that more than 80% of them said, if I knew more about data analysis and the process, I would 100% do it. 20% said I have a good knowledge of what I need to do, I am collecting some sort of a data either in a spreadsheet or an incident management system and we look at the data and analyze it somehow but 80% of them said we are not. And if I knew more about it, I would definitely do it, right? So procedural knowledge was one. Another need was confidence in their ability to utilize the data, which is called self-efficacy. That also comes from that lack of knowledge. So because they don’t have the knowledge, they lack the confidence, right, to even getting started. Even the collection process or presentation of data. Also, the last thing was organizational needs or adequate resources. The part that is cultural. You need that from your leadership team to expect that, give you the tools, could be an incident management system, give you the training and the knowledge to be able to carry out that task. Part of it was that lack of adequate resources and support from the organization itself.

Manish:

In your key findings, and you talked just now about procedural knowledge, but you emphasize that security teams, at least that you have found, had strong declarative knowledge and metacognitive awareness. Maybe talk a little bit more about that in the context of these physical security professionals, because I think that will then blend nicely to what you had mentioned in procedural knowledge.

Farhad:

Yeah, so on the metacognition side, security professionals in this research show that they know of data analytics and they know it can aid them. It could be aid in their day-to-day operation in their security program. So they have a good understanding of that, right? There is just a lack of taking that next step and taking the action. So when I spoke to, I did a number of interviews, when I spoke to the security professionals and even through the surveys that we had done, I can tell the knowledge is there they know of data analytics they have seen it they’ve been in probably meetings that was presented. It wasn’t them, it wasn’t their data, they know of it and they know it could be used as an asset, but they were just not using it. Again, it goes back to some of that procedural knowledge, the know-how, and then the motivation and having that organizational support to do so.

16:14

Manish:

Now you use the word confidence. That’s a really interesting word. How do you train for confidence, especially advice or guidance you’d give to security leaders to train their teams to improve their confidence?

Farhad:

Yeah, I think some of that comes from that motivational influence that I just talked about. And, you know, in my research, I call that a few things that security teams can do to aid that. Part of that is creating short-term small tasks, right? And it could be as easy as find one security metric in your program, and maybe I’m in charge of executive protection or security systems or physical security. Find that one metric and start there. A metric could be response time to medical calls or response time to any calls. Let’s focus there and let’s see if, as you’re collecting this data and analyzing it, see if there is any insight that needs to be actioned on. You don’t need to start on a full security metrics program and have 500 metrics. Let’s start with one. I think security professionals, each professional, depending on what area they’re in, they should at least have between three and five metrics that they collect the data on, and they analyze on a week-to-week basis. And they report on it, right? They report on it to your executive management team. But start with a very small task, and then provide corrective feedback. As leaders, we should give feedback. As we’re seeing the data being collected and analyzed and presented, provide that feedback to slowly kind of build that confidence and motivation that, hey, you’re doing a great job. Yeah, you may need a slight modification here, but focus the feedback on faulty strategy, not the person themselves, so they can start tweaking this strategy slowly. So I think some of that will start to build confidence over time. And that one metric would become three and four and five and so on.

Manish:

How have you seen this implemented on your own teams in your own career? You don’t have to mention any names. You don’t have to be that explicit about the metric. But how did you operationalize this within your own organizations?

Farhad:

Yeah, I think everything that I just talked about, I’ve seen a variation of that in some of the teams that I’ve worked in. I think it also starts with expectation of the leader. If I expect that we need to do a monthly business review, or quarterly business review. Part of that is going to be the metrics program where everyone sits in a room and all the program leaders present on their data on what happened last month and in comparison to the month before or quarter. What does that look like and what does that mean? If your unauthorized access incidents are up by 50%, why is that? Is there a faulty door? Do we need to put a sign somewhere specifically on that door? Do we need a security officer to be there? Those are things that can be gained but it starts from the leadership team expecting that building that expectation and building that time putting that time aside for everyone to be able to present their information and provide the feedback we just talked about right slowly as these QBRs and monthly business reviews are moving forward, people are going to get used to and they’ll have more confidence in presenting this information and they’re learning in the entire process, they’re constantly learning with the feedback on a monthly basis. That needs to happen. As a leader, if you’re not doing that, your team are not going to make that a priority. Their priority is going to be something else. I think as leaders, we need to make that a priority, get everyone to focus on that side of the business and part of executives want to see is data and what does that data really mean.

19:55

Manish:

And to really crystallize this for our listeners again, Farhad, don’t mention the name, but think about an individual either on your team today or in previous roles that maybe didn’t have that procedural knowledge, maybe lacked that confidence, and then you were able to train and mentor them. What were some changes that you saw in that individual where today you could say, yes, they’ve made that flip?

Farhad:

I mean, I’ve seen it in these meetings, it’s a process of the light bulb going on. I mean, as they are presenting and they’re telling a story. What I ask is, design your dashboard in a way that you’re telling a story. From the top, the pie charts and the graphs and how you’re presenting this information, present it as you’re telling a story and make your way down from top to the bottom. because you can design your dashboard in many different ways, you don’t want to jump back and forth, but start maybe from your dispatches, the number of incidents you’re getting, and then break it down by site, and then break it down by the type of incident, criminal, non-criminal, and then move down to some other information that is relevant to that, but tell your story. But I can tell when we’re in some of these meetings, as people are presenting, I can tell they’re learning things that they did not know about. They knew that on average, we’re getting 50 incidents per month. But maybe they didn’t know this 50 incident, specifically, 50% of them are this, or they are impacting a specific site, or threat-related, they’re impacting a specific two, three people that we need to pay more attention to, and design the security posture around them or for a specific office. Just making them go through this exercise helps them with understanding, okay, now this is why I’m doing it, and it goes back to increasing the utility value, this is why I’m doing it, and this is how this is going to aid me, aid my job, and I need to do more of it, so I need to pay more attention to it. It’s almost a process that you constantly have to go through and make them realize this is something that you can gain a lot of information from, and it’s going to probably help your job, make your job a lot easier.

22:10

Manish:

We agree on the importance of decision-making, but your study also uncovered resource gaps. And resource gaps could be people, process, technology. There’s a number of ways to define resources. What did you uncover in the resource gaps that exist and how could teams start to close those gaps?

Farhad:

Yeah, I think on the resources side, one thing was a cultural setting. We slightly touched on that. You need to expect this stuff and change the culture. You need to have a culture of metrics, data analytics, collection of data, and reviewing it. So that’s one. That’s the expectation from the leader, then the leader sets that culture. Number two, you’re going to have people with varying level of skills. You need to be able to assess them. Those people that need a little more training, find ways for them to get training. Security teams don’t have data scientists. You’ll be very lucky if you have something like that that you can leverage in your organization to help you build your metrics program. In absence of that, you have to have data champions. Those data champions are people within your organization, within your team. Some people love doing this stuff and they’ll catch on and this will become part of their day-to-day. Others are going to resist change, and resistance to change is very common. How do you bring those people along? Well, they need a little more attention and figure out what it is. Maybe it’s knowledge. They’re afraid to touch this because they don’t know much about it. Get them some training. There is plenty of online training. Find a professional to come to your organization and do a couple of in-person trainings. If you have data scientists in your organization, a data team, get them to come in and maybe spend a couple hours with your team. I think all of those put together builds knowledge, builds motivation, and basically those are resources. I think as leaders, we need to assess our team to see what do we need to add more resources and for whom, and be able to identify that and give them the resource setting. But not everyone is at the same level. People come with varying level of skills and they may have some more experience and may have done this at other organizations. Others are going to be, this is the first time they’re doing this. So as a leader, we need to assess all of those.

24:33

Manish:

Now, this next question is painting vision for the future, and you could either answer this from your personal hope and aspiration of where this industry heads, or it could be just a prediction of what you think might happen. But let’s pick a time horizon five years from now. As you think about the two topics we talked about today, AI and data analytics, how do those converge and what’s that optimized future that you’re hoping for or that you believe the industry needs to be at within five years?

Farhad:

Yeah, I think part of that is building and training our security teams to be a well-rounded security professional, right? Technology is a big, big part of what we do. It doesn’t matter what side of security and safety you’re on, what program you’re in or you’re leading, technology is big, is going to be, and it is now a big part of that. What are you doing as a security professional to move you along that path, right, and train yourself as a professional? Doctors are board certified and they go through training all the time. Are we doing that as security professionals or just because you came from a law enforcement background? Or you were in security at one point, you’re a security professional forever, but you don’t need to take any more training because you know security and you know how to apprehend criminals or investigate a case. I think part of that is that self-recognition that we all need to continue our journey in training and the latest technology and how that technology being AI or analytics, how can that help us in our profession to make our teams better, do things faster, better, and cheaper. Part of that, I think, in the next five years, my expectation would be at least for the great people that I work with is, move yourself along that path and get that training, and I’ll be happy to support you in any way I can. But I want to see people progressing and moving toward that path that they are very familiar with technology, at least on the security side. They understand how security systems work, different applications, access control, incident management systems, mass communication systems. Those are not things for specific people to implement. Everyone would need to have a good basic level of knowledge. So they understand it. They know how it works. and they can also speak to it. I think a lot more training is needed for security professionals. I call on organizations like ASIS to create programs and certifications for security professionals to go through. But really, those certifications should be focused on technology, use of tech, systems, applications, and AI so we can start developing the next generation of security professionals who should be very well-rounded, they understand the security landscape really well, but they also get the tech side. You don’t need to bring someone in to translate the tech for you. You as a security professional understand the tech side as well.

27:42

Manish:

Very well framed. One last very simple question for our listeners. What’s a very simple, practical first step that security teams can take tomorrow?

Farhad:

They should take a look at their environment and start counting stuff. Count the number of alarms you’re getting and count the number of incidents that you’re seeing. Start putting that down somewhere. It could be as simple as a spreadsheet. Start looking in and start being surgical into your operation. What is going on? What do these numbers mean? Look at your badging operation or parking, service request, calls for service, dispatch, incidents, investigation. Collect these in some form, do not collect them on a piece of paper, but at least put them down somewhere, if you don’t have an incident management system, you don’t have an Ontic, that’s fine, but at least put them down somewhere, maybe on a spreadsheet and start looking at this information. That is something everyone can do, it’s basic. Keep track of what’s hitting your desk and what’s hitting your department and start from there. Then focus on training. I think there is a ton of training online through YouTube, a lot of these organizations, LinkedIn, some of the universities are offering free training on data analytics and metrics. People should be taking advantage of that. I think we have access to so much more information now compared to five, 10, 15, 20 years ago. A lot of stuff is readily available. We just need to invest the time to move the needle, right? And I think that’s what security professionals should do.

29:19

Manish:

As is tradition with our podcast, Farhad, we end with one final question that we’d like to ask you is what does Connected Intelligence mean to you?

Farhad:

Yeah, it’s a great question. We have in our environments as security professionals, we have access to a ton of information, a ton of data, right? Part of the challenge is making sense and then connecting those together, right? As a program, what are all of these things mean, right? From calls for service to video analytics to access control, how do we create a system, an ecosystem where these things can be analyzed and they touch each other at some point so we can paint a bigger picture of our program, right? So integration is one part, maybe access control systems and video systems, integration of your incident management system with your visitor management system and your employment workday system. You can see and look at what are some of those triggers that you should be looking at and your team should be paying attention to. But a lot of those things can be connected so you can get more insight and more information. Systems shouldn’t remain in silos. I think we can all think about what else can we integrate? What are some of these data points they need to touch each other? and connect so we can gain more information and insight from it.

Manish:

Farhad, great conversation today. Thank you for joining us on our Connected Intelligence Podcast.

Farhad:

It’s been a pleasure. Thank you.