With members of the Association of Security Consultants having only just closed the doors on last month’s Consec Conference, Peter Speight offers a timely discourse on the prospect of licensing for practitioners in this field. Seemingly there are important lessons to be learned from the close protection operatives’ experience.

As the dust begins to settle on the last 12 months or so of licensing security operatives in the private sector, warning signs are already beginning to appear on the road ahead.

Those signs are unsettling to say the least, some of them highlighting the debilitating implications of designing training competencies by committee. In terms of formulating the scope of training and qualifications – and the vetting of approved training organisations – experiences in the close protection sector offer grave cause for concern.

Let me return to the design of training for licences a little later on. My principal area of discussion relates to the wider implications of regulating and licensing security consultants and, more specifically, the scope of what may be deemed to be ‘licensable activity’.

We all know that the development of licensing for this sector has been pushed back to the end of next year. This is likely to be an optimistic estimate but, if my concerns hold credence, that’s no bad thing at all.

If we were to work backwards from a licensed security officer being deployed on site, we would eventually reach a point where the ground becomes less firm and uncertainty creeps in as to whether or not we are in fact within licensable territory. Clearly, the duties carried out by such officers in the private sector constitute licensable activity, but they didn’t appear as if by magic. Security officers are deployed as a consequence of concerns raised about the security of a range of assets at risk from an increasingly wide variety of threats.

Rarely will security personnel operate in isolation from a series of different, contributing security issues, be they systems or physical security solutions-related (or perhaps procedure-specific to the site in question). Equally, these other attributes relevant to the security effort did not materialise out of thin air. Hopefully, they were the product of a well-devised security strategy whose protagonists concluded that a judicious mix of many options was right for the protection of the site.

When is the mix ever right?

That said, experience tells me seldom is the mix of security solutions the product of a cohesive strategy. Rather, it is an ad hoc response to the installation of electronic systems, the use of personnel, procedures and physical protection measures.

Assuming that a written policy is in place, we need to know the reasoning behind it. The security strategy document should be realised from the conclusions and recommendations outlined during the security audit, which would have highlighted both the positives and negatives of the prevailing security operation. However, that audit is practically worthless if not informed by – and following on directly from – the risk assessment. That is the genesis of the whole process.

Analysing threats, both external and internal, arising from nature or the effects of man... Identifying assets at risk, and the threats to which they would be vulnerable... Assessing the risks that would flow from a specific threat to a specific asset... Establishing probability and consequence... Prioritising for a range of risk management options. The risk assessment sets the scene for EVERYTHING that follows.

Working back the way we have come, the security audit now sets out – in great detail – to establish how the current levels of security personnel, procedures, physical security measures and electronic systems are either helping or hindering the management of identified and prioritised risks.

It’s not my intention to teach security professionals how to suck eggs here. Far from it. Rather, it’s my bold attempt to set the scene that will allow a hugely important question to be asked: “What part of this extensive, complex and sophisticated process is intended to be – or indeed should be – a licensable activity in the eyes of the Security Industry Authority (SIA)?”

One assumes that if a security consultant carries out a security audit, this procedure is likely to fall within the statutory remit of regulation. What is not so clear-cut is the activity involved in completing a risk assessment. Branching out from the risk assessment into various specific areas – crisis and contingency management spring to mind here – muddies the waters still further.

Business continuity management

Is it the SIA’s intention to include such work as being a licensable activity? If the Regulator adopts this attitude, there will surely be an outcry from the business continuity management consultants for whom crisis planning is an integral part of their business impact analysis (not to mention subsequent planning procedures).

On the flip side of the coin, if the SIA doesn’t include crisis and continuity management then the poor old security consultant is likely to be faced by a serious identity crisis wherein half of their day is spent carrying out licensable activities and the other half not.

That’s just the beginning... Proprietary information security has been something of a ‘football’ that’s often kicked around the corporate environment by the IT Department, Human Resources, the Facilities Management Department and the Security Department. If one looks toward the information security standard BS 7799, the traditional security issues surrounding manpower procedures, access management, security systems and physical protection have an obvious role to play. However, will the whole process require a licensed practitioner to carry it out?

The potential scope of a security consultant’s licence is vast. Truthfully, we can but scratch the surface in a journal article such as this. For example, we haven’t yet considered the depth of technical knowledge required of a security consultant in relation to, say, CCTV in all of its manifestations.

Or should a consultant have a good working knowledge but also be extremely skilled and adept at piecing together a comprehensive operational requirement so as to negate the lure of the ‘box shifters’ being able to determine the scope and nature of a security systems installation?

Returning to the subject of statutory training, this can only really happen when national standards have been established and, thereafter, the core competencies developed to underpin all training delivery. My concerns here arise from the close protection experience. Unlike door supervision and security guarding, there was no recognised national training or standards in place for close protection personnel prior to legislation. Standards and training competencies had to be established.

In a democratic society that means by committee and, in any community with strong-minded individuals, everyone has to ‘push’ their own view.

Multi-tasking isn’t the answer

Included in the required close protection knowledge are the licensing laws and drugs legislation, and control and restraint for physical intervention! When relevant individuals are taken to task over this, we discover that these inclusions were not made on the basis that they have a part to play in close protection operations. As the close protection licence is ‘superior’, it allows operatives to work on night club doors or in the security sector, too. That’s why they need to know about drug abuse and the licensing laws, as well as how to ‘disable’ someone’s arm!

Security consultants simply cannot allow the same imperatives to shape their own training, producing competencies that are licence-dictated rather than role-related.

There are further problems to note in relation to training delivery, all of them arising from the close protection experience. The first is the lack of vetting of training providers by the nominated Awarding Bodies. There are now 50-plus approved Training Centres able to deliver the statutory 150 hours of close protection training. In other words, many more than existed prior to licensing, although the majority of them are staffed by individuals with little or no operational experience of close protection as a discipline. Importantly, training manuals were not ‘mapped’ against the core competencies by two of the Awarding Bodies in accordance with the Rules of Engagement.

Meanwhile, many would contend that the examination leading to the close protection licence verges on the banal. Experienced operatives are finishing the ‘test’ in 15 or 20 minutes. It has been said that anyone with a good degree of common sense and a modicum of intelligence could be hauled in off the street and made to sit the examination and they would achieve a pass mark. What’s the point of that, then? Can someone let me know?

Policing of training delivery

All of this cannot afford to happen with licences for security consultants. If the Regulator is guilty of anything it is the lack of policing of training delivery, and a desire to be goal-oriented (wanting to hit the desired numbers of licences issued rather than concentrate on quality). The SIA merely wishes to demonstrate how many people have fallen under its regulatory wing (and to do so on a regular basis).

Security consultants simply must join forces as one and oppose any arbitrary decisions that may be foisted upon them by the Regulator at some point in the not-too-distant future.