The changing face of the discipline, an evolving modern threat landscape and rapid technological advancements in systems drive the need for moving security from being an industry sector towards a recognised business profession. Peter Houlis charts exactly why, after 40-plus years in the sector, he felt the need to become a Chartered Security Professional
Developments in technology and the move towards IP-based solutions coupled with the growing perception that security is a business enabler rather than a grudge purchase for host organisations are – taken together – driving an ongoing requirement for better-qualified security practitioners. Indeed, as Briggs and Edwards noted in 2006: “The business of security has shifted from protecting companies from risks to being the new source of competitive advantage.”
The world has most certainly changed post-9/11. It’s now clearly evident that security is a complex and diverse subject, not to mention a constantly moving objective for businesses.
As a discipline, security can be a contributory factor towards business success but it does need to be visibly valued as a business process that’s actively championed from the very top of a given organisation.
Put simply, everyone in an organisation needs to adopt the security culture and understand its business value. Security needs to be appreciated in the same way as, for example, Health and Safety. To my mind, we can only achieve this status quo by raising the standing of the security profession.
When I first became involved in security, over 40 years ago now, crime seemed quite simple. Today, that simplicity is no longer there. Globalisation and technological advances are changing the world, the political landscape and, it must be said, the criminal menace. In turn, this is creating both business opportunities and threats, at the same time raising fear and uncertainty around the globe.
Civil unrest and conflict are now widespread. This is increasing antisocial behaviour and acts of terrorism and, as a by-product, increasing the number of criminal acts.
Of course, terrorism requires funding, often through criminal means such as major fraud, cyber crime and drugs. Think about the myriad drug users who usually fund their habit through various forms of criminality.
Profession’s role will increase
As the risk landscape becomes increasingly unpredictable due to globalisation, political instability, cost sensitivities, organised crime, pervasive regulatory compliance, technological advances and natural disasters, the importance of the role played by the security profession increases further in terms of its ability to protect people and assets.
All practitioners – from security managers and officers through to consultants, integrators and technology vendors – are encompassed by that comment. Further, the modern security professional needs to see the bigger picture and absolutely understand an organisation’s business from top to bottom.
The technical side of the industry has also changed with the introduction of IP-enabled security devices and systems. Traditional boundaries are blurring. The old barriers between security, IT and facilities are simply not there any longer. That being the case, though, as security professionals we need to understand where we fit into the bigger picture.
We have to understand what the technology – video surveillance, access control and intruder detection, etc – can do and, from a security perspective, what operational issues it might address. If we’re to add benefit to host organisations, we need to know how these elements relate to each other and then educate our clients accordingly.
The aforementioned growth in IP security and surveillance, and the developing convergence with IT, certainly provides a powerful platform for transforming our industry. However, with opportunity comes both challenge and change.
Most security companies will need to learn how to apply new equipment and solutions: servers, hubs, switches, PoE and systems, IP protocols, networks and cyber security analytics, etc. Systems are now more powerful and complex, encompassing a host of hardware, firmware and software residing on a common network and performing an array of functions. All of this is usually derived from an assortment of dedicated manufacturers, suppliers and developers.
As these systems become more bespoke, intelligent and interconnected, so a more diverse and higher degree of skill sets will be required to make these systems work correctly. We need to get to grips with convergence. In our case it’s a pretty ambiguous term, covering a multiple of operational roles and a range of security disciplines and encompassing the union of both technology and operations.
In point of fact, it’s possible to outline the phrase in terms of technology convergence and operational convergence.
Technology convergence is defined as the merging of distinct technologies and devices into a unified whole. In other words, it’s about integrating everything on a common network: communications, IT equipment, PC workstations, servers, printers, social media, BMS, data for payroll, HR, procurement and, of course, security devices. Operational convergence, on the other hand, is focused on merging the various security management disciplines, policies, procedures and risks.
Convergence isn’t a new philosophy, but it’s fair to say security is one of the last functions in an organisation to merge with standard IT equipment. As technology change expands the use of security systems – and, in particular, surveillance systems – far beyond mere security uses, so it also transforms them into an operational management tool for the business.
Beyond ‘The Security Brief’
Security professionals must gain a greater understanding of their customers’ business requirements outside of ‘The Security Brief’ such that they can develop and provide systems delivering true business benefits (in terms of ‘real-time’ visual intelligence for operational uses to maximise ROI, for example). In short, it’s about providing ‘situational awareness’. After all, ‘Information is King’ and most definitely paramount in terms of realising informed decisions.
The technical security role is now about implementing technical solutions which efficiently provide instant and relevant information, whether that be on a break-in, trespass, a Health and Safety infringement or an operational process that’s gone wrong. We need to make that information easily accessible when required and facilitate its sharing between all interested parties in the same way that has made the IT sector an all-powerful one.
Such technical solutions have become embedded as a requisite facility of nearly every department in every enterprise. In fact, nearly everything we do in life today involves an element of IT. Convergence itself relies heavily on IT. It’s IT’s infrastructure upon which everything relies. Security practitioners need to make friends with their IT counterparts.
The IT sector is qualifications-driven. There are numerous academic qualifications in computing and IT up to PhD level (in computer sciences), giving the IT sector instantly recognisable professional credibility. Equally, most other business functions – accounting, book-keeping, Health and Safety management – require qualifications.
Qualifications demonstrate the holder’s ability to complete a comprehensive education, training and study programme in a given subject(s). This provides proof that an individual is knowledgeable and has a clear and demonstrable understanding of his/her chosen field. Above all, perhaps, it proves the individual concerned can learn.
Sadly, this state of affairs is something the more mature security industry has failed to achieve. Could this be, at least in part, due to a lack of professional qualifications? Fortunately, companies like Tavcom Training have filled the education gap and several of our universities are now offering security-related degree courses.
In whatever element of the security business you find yourself, to be taken seriously by your peers and other business professionals you do need to exhibit a level of knowledge and competence in a diverse range of security subjects and business skills. You also need to understand when and where expert advice can be obtained, and when specialist knowledge is required.
On the technical side, if we’re to succeed and be taken seriously by IT professionals we need to ‘talk the language’ of IT and, what’s more, prove we really understand it. This doesn’t mean we need to be experts in IT but we do need to show we’re experts in our own field.
In our sphere of expertise, we need professionals with a true and confirmed knowledge of the technology, how and where to apply it and a demonstrable awareness of how that technology sits within the overall network topography.
As stated previously, we also require a clear understanding of the clients’ business functions. We need to know more about how a given client’s business works and how we can introduce technology to deliver benefits in terms of increasing efficiencies, reducing manpower and mitigating risks, etc.
If we don’t have such knowledge to hand then we run the very real risk of ‘losing our industry’ and missing a huge opportunity for it to develop into the bargain.
If you’re in a security management role you need to understand your clients’ security problems and business objectives. Only then will you add value through security. The client needs to feel confident you really understand his or her issues.
A demonstration of understanding
This brings us neatly to my own situation. Although I already have 40 years’ experience of working with security and systems under my belt, there was a need for me to demonstrate to my company’s customers that I understand their security risks and business objectives. Hence my own personal journey of late towards Chartered Security Professional status.
In 1974, I began my career as a trainee security engineer at Security Alarms (Northern) and became a Grade 1 Fire and Security Engineer a couple of years later. At that point, I was headhunted by a national company and duly gained some fantastic general security and CCTV experience.
Come 1977, I was asked to return to Security Alarms (Northern) as a field service engineer responsible for a local region and the maintenance and servicing of a wide range of electronic security systems.
Five years later came a move to a local company and a role as engineering manager running nine engineers in the Installation and Service Department. I then established Intruder Alarms (Northern) in a partnership arrangement. The concern became a limited company and, although I served as joint managing director, the role remained one of a technical nature.
By 1992, I was able to set up my present company, 2020 Vision Systems, after a short business course at Northumbria University. We enjoy SSAIB accreditation and have gained BS 5750 as well as Safecontractor accreditation. In addition, we’ve implemented ISO 9001:2008 IQMS and ISO 14001:2004.
Route to the Register
Despite gaining a broad knowledge of security, securing against risks and running a business, I realised I had very little on paper that endorsed this knowledge and experience.
On that basis, I looked at the criteria for entry to the Register of Chartered Security Professionals. These focus on knowledge and practical skills, leadership and communications and professional commitment.
With encouragement from The Security Institute, of which I’m a member, I believed that I met the CSyP requirements.
The next step was to complete a very detailed application form with supporting evidence in terms of how I believed I met the requirements. Then, as I don’t possess a security-related degree, I was asked to complete a 10,000-word thesis on four given security subjects. I enjoyed researching and writing the thesis, although it did take some time for me to get my head around academic-style writing and Harvard referencing. Finally, I attended a rigorous and detailed interview with two assessors and an observer.
Professional qualifications and Chartered Security Professional status are the individual’s path towards earning respect from fellow business professionals in different disciplines. It’s a demonstration that a given individual can add value to his or her organisation through Best Practice in security.
In what’s now a diverse and hugely dynamic subject, continual review of security knowledge and skills through education, research and networking – in tandem with constant personal development – will be paramount in retaining and further developing both individual and collective levels of respect and recognition.
This article was first published in Risk UK at: http://www.risk-uk.com/why-professionalism-is-paramount/