Wednesday, March 26, 2008

Security Management Professional Development

Following are 5 Key Messages about the subject taken from an article with the same heading published in 'India Safe' magazine (March 2008 issue). These are being reproduced here with the permission of the author Mr David Cresswell, MSc, CPP, PSP, MSyl whom I consider my 'guru' and friend. The article is insightful, thought-provoking and relevant in the present scenario where the industry is growing by leaps and bounds.
Message 1. Get qualified to do your job.
You ought not to be managing a corporate security function based alone on past achievements or qualifications obtained in the police, military or intelligence services. While this is a good starting point, corporate security management requires more specific skill sets, and the ASIS Chief Security Officer Guideline (www.asisonline.org/guidelines/guidelineschief.pdf) is instructive in this regard. Not only is this an issue of professional credibility – only about 10% of UK security managers, for example, have a degree in anything at all – there are liability issues on the horizon and I foresee in the future litigation arising out of major loss incidents in companies that employ security managers who don’t have formal qualifications in corporate security management. For example, one new piece of legislation now enacted into UK law is the Corporate Homicide Bill.

You don’t need reminding that in the security management profession we make life-safety decisions. I can think of no other business profession where this lack of qualification is so evident in the 21st Century.

In 2007 Professor Martin Gill carried out extensive research into the perception of the security management profession (attached). This is a quote from page 52 of the report:

It was striking that even those who discussed the role of the military and law enforcement background of security personnel most often did so disparagingly, even those with this antecedence accepted that few were able to meet the level of knowledge in business that good security demanded. One interviewee argued that those who came from a police or military background not only lacked business skills and crucially a knowledge of business processes, but they were not able to sell the security function to others, and because they ‘spoke security’ rather than ‘the language of business’, they were often marginalised in high level discussions.

The problem is that there is no single universally-accepted qualification for security management. The ASIS CPP is the most widely held security management certification but I can think of no examples where it is mandatory for security managers to have either certification or a security management degree. And the situation surrounding the lack of qualification, and often regulation, of security consultants is considerably worse. In the UK, for example, literally anybody can establish themselves as a practicing security consultant with no education and no criminal record checks.

Message 2. The key routes to professional development.
There are four basic professional development routes for the security executive:
- Degree (Appendix C)
- Professional certification (Appendix D)
- Accredited training courses (Appendix E)
- Attending high quality conferences such as this (ASIS Asia Pacific Conference, Singapore).
I have two things to say in this regard:
a. Firstly, these need not be regarded as discrete or mutually exclusive. In ARC, for example, we have pioneered the blending of training into degrees. Six weeks of training, with added pre- and post-course work, taking the total study time to 600 hours, is equivalent to just under half of a work-based learning Masters degree. Certification and training can also be blended, and we have done this successfully with our CPP and PSP preparation programmes. The next challenge is to get certification blended into degrees, and one UK university is already looking seriously at accrediting CPP as a component of its security management masters degree. I am liaising with PCB in this regard and I anticipate an announcement to the ASIS international community within the year.
b. Secondly, the growth in demand for both the CPP and PSP in the past 18 months has been nothing short of phenomenal. In the UK, Europe and Asia Pacific, as examples, the number of candidates sitting CPP and PSP has doubled in 12 months. From an average of 15 candidates annually throughout much of the past decade, UK numbers last year jumped to 36. This year we will exceed 50. Perception of CPP and PSP is shifting. It is no longer a certification for ASIS members - but is fast becoming the default certification for all senior security managers. If you are not already certified but it is on your “to do” list, do it this year, and lead the profession by example. (see attached article which appeared in UK security management press).

Message 3. MBA or MSc?
In many of the companies with which we work security managers are expected to have highly developed generic business management skills. Thus, I suggest that an MBA may be as relevant as a security management MSc, especially if the MBA can be supported by CPP professional certification. On a recent security management course I delivered, eleven of the twenty participants either had an MBA or were studying for an MBA. Perhaps the way forward is to identify a university which is prepared to develop a security management MBA of which the CPP is an integral “specialism” element. I have recently been speaking to a number of UK universities to ask them to consider doing just this, and if you go to the main ASIS site you will see an advertisement for an on-line security MBA with the US Northeastern University.

Message 4. No one size fits all.
The background of the security manager, be it military, police, intelligence, business or other, needs to be mapped against job descriptions to determine professional development needs. In almost all cases a CPP will be relevant, but military and police entrants may benefit also from generic business skills training, while business entrants will invariably require security management training or possibly a distance-learning security management degree prior to considering certification, which by reasons of pre-qualification would come later in their careers.

In 2006 two UK academics, Rachel Briggs and Charlie Edwards, produced a groundbreaking paper entitled “The Business of Resilience” (http://www.demos.co.uk/files/thebusinessofresilience.pdf). The key message in the paper is that “the business of security has shifted from protecting companies from risks, to being the new source of competitive advantage”. The research centres on an analysis of the activities of the security functions of a number of the UK’s most successful companies to identify what makes them different – and better. In short, the paper is about how, through diversification, you can add value to the contribution of the security function. The paper identifies as key security management functions in leading organisations:
- Reputation management and regulatory compliance
- Enterprise risk management
- Corporate governance
- Business continuity and crisis management
- Infosec assurance
- Corporate social responsibility and ethics

I would also be inclined to add to this list fraud risk management and due diligence, two potentially huge sources of loss if not managed properly.

Mapping this against the excellent ASIS Chief Security Officer Guideline produces some interesting professional development requirement challenges, which are not currently met in a single comprehensive programme, be it training, certification or Masters degree.

Message 5. Convergence.
Finally, the new buzzword in security management is convergence (see attached handout). Convergence has different meanings but in this context I am referring to two interpretations of the word.
a. Firstly, traditional physical security systems are migrating to TCP/IP platforms. In other words, CCTV, access control systems, and asset management systems are becoming computerised. A networked IP CCTV system, for example, is in effect a computer network.
b. Secondly, threats are converging. Organised criminals and terrorists are increasingly being attracted by the prospect of attacking you via your IT systems.
This might take the form of:
- A major theft – recently, a bank in London narrowly averted the theft of $400 million.
- An extortion attack in which an attacker remotely locks up your critical client-interface IT systems and demands millions of dollars. Banks, gambling sites and pornography sites have all been victims of cyber extortion. In the past year the perpetrator profile of a hacker has shifted from young amateurs to organised criminal gangs.
- And now the focus of hackers, criminal and terrorist, has turned to utilities. In at least one case attackers have caused a power outage affecting multiple cities, and in another caused a water utility to release sewage into clean water. With 80% of CNI typically in private sector hands, and the IT SCADA systems that control critical processes in these industries often inherently vulnerable to a misoperative attack, a future disaster from this source is almost inevitable.

Converged threats require a converged response, with security managers intellectually equipped to manage the response. The UK’s Security Service MI5 recognises this challenge and last year established the Centre for the Protection of National Infrastructure (weblink – Appendix F), in which IT security and physical security skill sets have converged into one agency.

Clearly, therefore, there is a strong case for security professionals of the future to be trained, or educated, to manage these threats, which, perhaps, means formal training and qualifications in IT and information security.

ABOUT THE AUTHOR

David Cresswell is a well-known international figure in security management training, having trained security managers from over 100 countries. As MD of the ARC Training International Academy for Security Management, he developed and introduced the concept of postgraduate university-accredited security management training courses for the international security profession.

Within the ASIS UK Chapter he is Chairman of the Professional Development Committee, responsible for CPP and PSP certifications in the UK, and a member of the Education Subcommittee of the ASIS European Advisory Council. In 2008 he received the Power of Certification Gold Award from the ASIS Professional Certification Board.

David is a Director of The Security Institute, and a member of the Institute’s Academic and Validation Boards. He is responsible for the development of security management best practice and is chairman of the Institute’s Working Group on the Corporate Response to Terrorism.

David is active in academic circles in his capacity as an associate tutor at the criminology faculties of both Middlesex and Leicester Universities, and liaises with a number of other UK universities on accreditation initiatives. His current project is to formally accredit the CPP as a postgraduate award.

David holds the CPP and PSP certifications and has an MSc in Security and Risk Management from Leicester University. His dissertation, examining the validity of formal risk analysis methodologies to assess the risk to businesses posed by terrorism, won the Imbert Prize for best security dissertation of the year 2007.

NOTE : Read the full article and another titled "Unprecedented growth in Demand for ASIS Professional Certifications in Security Management" by the same author in the latest issue of 'India Safe'.