Top down approach

The need for effective security management has never been greater. Today’s complex crime trends – allied to the evolving expectations of Government and society at large – offer ample proof of the truism of that statement. In turn, as the contribution of the security sector to the protection of our living and working environments continues to grow, so the personnel involved must be ready to meet a new breed of challenges.

All of those individuals filling security appointments in positions of seniority should be properly qualified for their role. In turn, employer organisations must always ensure they recruit experienced, educated personnel. If security managers are to reach their full potential, the business world and the general public must be forced to recognise the value of employing real professionals.

The Security Institute (TSI) was established in 1999 to build a solid foundation for today’s security specialists by promoting the achievement and recognition of professional status, as well as ‘spreading the word’ in relation to the pivotal role of security in society. In a prescient move, Bill Wyllie – current chairman of TSI – used the platform at this year’s SITO National Conference to talk about professionalism in security management (and its validation).

Wyllie’s most recent appointment was with the MBNA Bank (Europe) as first vice-president and head of security for its European operations (‘Statements of intent’, SMT, May 2005, pp26-60). Now running his own security consultancy, Wyllie told the assembled hordes at The Kassam Stadium’s Quadrangle Conference Centre that he “never ceases to be amazed” at the wide variety of security roles administered by the people he meets. “Today, I might talk to someone who investigates financial fraud, an individual who guards national institutions or someone who installs huge integrated electronic systems. Then there’ll be somebody else who practices close protection, and another whose role lies in working against counterfeiting and product tampering. The fundamental question is: What do all of us have in common that allows us to describe ourselves as ‘security professionals’?”

On the face of it, an extremely difficult question to answer, but is it?

Pinpointing the professional

“Perhaps the answer is a resounding ‘No’. There is no one common attribute, or even single body of attributes, plural, that marks out the security professional,” suggested Wyllie. “We have wide-ranging skills and experiences. We may have many academic qualifications or none. We may be ex-soldiers or policemen, ex-accountants, lawyers or surveyors, or maybe none of these. And yet, among ourselves, we know whom we trust, and we know how to identify the genuine security professional who can do the job required to a high standard. We think.”

Even if that is true, though, how does the employer, client or user identify the genuine security professional? “If there are 300 security professionals at this conference today, that necessarily means we have 300 different definitions of what it means to be a security professional. Maybe more if you count those who cannot decide,” added Wyllie, with a wry smile. “And yet we are the people on the inside. In theory, the ones who should know.”

Alas, for those people not present at the SITO National Conference – senior Boardroom figures in the private sector among them – security is predominantly viewed as little more than an arcane mystery far removed from the core business. A necessary evil mandated by Basel II or Sarbanes-Oxley. “It’s all about ‘cops in civvies’, they’ll say,” suggested Wyllie.

“That’s worth thinking about for a moment,” Wyllie opined to an attentive late morning audience. “How does our customer see us, whether that ‘customer’ is a client, the corporate employer of a global security director or a private individual using the Shopping Centre that our guarding company secures? How does the chief executive or Human Resources director of an SME or a major global undertaking select his or her chief security officer?”

There’s little doubt that the security industry is not well understood outside of its own immediate circle. The sector has taken many knocks, not least because it has existed for so long beyond the grasp of regulation, and has been bedevilled by both true and exaggerated stories of manning by criminals, inadequate performance by the unqualified and a perceived single-mindedness in pursuing narrow-minded solutions that fail to take account of corporate needs.

Making the role ‘transparent’

The Security Institute was formed to create transparency for the role of the security manager, and eradicate the misconceptions that abound. There are two central themes to the work of TSI. The first – and principal – theme lies in the duties of its Validation Board, which really is unique in the UK security field. That body takes applications for membership of the Institute, scores them on the basis of candidates’ relevant experience and qualifications and then admits individuals as Members, Associates or Fellows (or not, as the case may be). A security screening process is also carried out.

“This is an in-depth and time-consuming process but, at its conclusion,” said Wyllie, “a member of the Institute can say that his or her security professionalism has been validated, independently and objectively by his or her peers. Much of the guesswork for chief executives looking for a security manager is then taken away.”

Validation is a very difficult exercise to perfect, but there is now a groundswell of opinion that it must be undertaken. Added Wyllie: “If we do not carry out a validation exercise then who will?”

In much the same way that Security Industry Authority (SIA) regulation seeks to say to the user of security officers who it is that can reasonably be expected – and trusted – to carry out the duties of a security officer, it is every bit as important in Wyllie’s eyes to lay down an appropriate benchmark that will help chief executives and Human Resources directors to determine who is suitable for security management positions. There is a need to delineate those who can speak with authority as a security service advisor or provider.

The second main theme of the Institute’s work sits hand-in-hand with the validation of people, and is really a form of validation of training (although Wyllie was quick to point out that there is no competition or conflict of interest with SITO in this regard). Rather, it manifests itself in the publication of TSI’s annual handbook.

According to Wyllie: “The handbook is, and always will be, a work in progress. Soon, we will be moving to an online version so that it is always as current as it can possibly be. Quite simply, we aim to give details of every training course of relevance to security practitioners in the UK.”

Education and networking

Of course, TSI is also an organisation with its sights firmly trained on education and networking. Crucially, opined Wyllie, the organisation has positioned itself as “a strategic ally” of the SIA and the British Security Industry Association. “Both of these organisations are vital to the future well-being of our industry as we seek to bring professional standards into national security life,” commented Wyllie, who also mentioned ASIS International’s UK Chapter 208, SITO, the GMB and JSIC as being close allies.

“Security is a massive discipline,” stated Wyllie, “and, if it is not a core business function in many organisations, then it is at least a vital one. If security is to earn its rightful place at the Boardroom table, which is where it belongs, then its many and varied practitioners must be seen to have passed through a rigorous period of training and selection every bit as thorough as that for the financial director, the company secretary or the chief executive. We can no longer be defensive, and cry: ‘They don't understand us’, taking refuge in blaming our employers or clients for not appreciating the service that we are seeking to supply.”

Wyllie then stated with great conviction: “It is certainly not sufficient for us to think that our formal Continuing Professional Development (CPD) can ever stop until the day before we retire.”

‘Windows of Opportunity’

As a discipline and a business sector in its own right, it’s true that security is on a bit of a roll at present. Government-backed regulation and the ongoing terrorist threat are making the headlines. However, practitioners in the field would do well to remember that these are only small ‘windows of opportunity’, not wide open gateways through which one can drive – in Wyllie’s own words – “mediocre and unimaginative performance.”

At this point, Wyllie really hit home the message. “Like everything else, security will be bought on the basis of value for money. Our business is about continually demonstrating the very highest standards of professional ability and competence. And it’s about selling. Selling the role of the security director to the Board. If you cannot sell, you will struggle as a corporate security director. The world owes us nothing. There are no free rides.”

In conclusion, Wyllie stressed a hugely important point. “If the security manager fails, the organisation might fail and people may die. That is why true professionalism in security is so important, and it is this ethos which The Security Institute is seeking to promote.”

Developing managerial roles

As the managing director of ARC Training International’s Academy for Security Management, and the trainer of practitioners in over 100 countries, David Cresswell – himself a Certified Protection Professional (CPP) – is eminently well-placed to talk about the development requirements of the profession of security management, both from the perspective of the corporate security manager and that of the employer. That was indeed the focus of Cresswell’s delivery at The Kassam Stadium, the contents of which made for fascinating listening.

Cresswell divided his talk into two distinct halves. First, he examined where the UK’s security management profession sits today. Then he reviewed the core competencies required by security managers, and addressed some of the main sources of CPD.

“The security management profession in the UK is dominated by retirees from the uniformed services,” began Cresswell, who himself is no exception to that rule. “By and large they are middle-aged, Anglo-Saxon and, most likely, male. Many of them enter the profession in their 40s, and relatively few feel the need for CPD. We assume that as this has always been the case here it must therefore be the right approach. Many employers share that view and, almost by instinct, import what they view as ready-made manpower.” A pretty accurate summation, it must be said.

“From a day-to-day security management perspective, I’m sure most security managers do a very good job indeed. However, from a developmental standpoint the current status quo risks the creation of a profession that lacks a dynamic approach to CPD. A profession which is conspicuously shallow in both academic depth and qualifications when compared with other business professions. Also one which is sadly lacking in qualifications when measured against the international professional security management norm.”

In the UK the profession – encompassing in-house managers, consultants, contract guarding company managers and specifiers, etc – is, according to Cresswell, “awash with people who have no formal qualifications or training in corporate sector security management, or who do not belong to any professional security management body.”

In addition, relatively few possess a degree. “This is in spite of the fact that qualifications are readily available,” asserted Cresswell. “The situation has changed little from the landscape painted by Hearnden in 1993, when only 9% of the 138 managers he questioned said they held a degree. 17% of Hearnden’s sample held no qualification at all, not even an ‘O’ Level!”

Cresswell’s next comment was nothing if not hard-hitting. “I think it is inappropriate that we as a profession should be demanding that security officers are qualified when managers are conspicuous by their lack of qualifications. I also believe it is a matter of grave concern that, as unqualified practitioners of security management, many individuals are making life-safety decisions. In this respect, I think that employers should give serious consideration to the litigation implications associated with this.”

Can security be taught?

Conventional wisdom in the UK appears to suggest that security cannot be taught. Rather, that it is an instinct, and that those with a uniformed service background possess instincts that are better honed. Yet in the US, to quote one example, while the proportion of security managers with a services background is about the same as in the UK, there is a fundamentally different approach to CPD, and to putting managers in place who are formally qualified for their role. “Indeed,” said Cresswell, “some US companies will not countenance employing anyone in a managerial position unless they have some form of higher education qualification.”

Cresswell firmly believes that the fate of the security management profession is very much in its own hands. “If we sit back and accept the status quo, we risk being seen as guarding managers. At best, the managers of physical security. In many organisations it will be individuals like the information security professionals who will command the best salaries. Already often earning at least 50% higher salaries than traditional security managers, we are now beginning to see examples in some companies where the chief information security officer is, in effect, the corporate director of security. This doesn’t surprise me, as far too many security managers know much too little about IT security in order to make a valid contribution to what is now a critical area of business dependency.”

A contentious point, but one well worth airing. This sort of issue cannot be avoided.

Perceptions of the role

To back up his assertions, Cresswell turned to some short, snappy quotes from academics and authors. “Security managers tend to be mature, retired people with a military or police background. They are unlikely to have benefited from education at university level” (Dr Giovanni Manunta, former head of the security management MSc programme at the Royal Military College, Shrivenham)... “Security staff in many organisations have often come from the uniformed services where the focus is on reacting to events rather than any preventative risk management work. They have a limited background in the risk management field at the outset, while their formal development is patchy” (a quote from Professor G Chivers, former head of the security management MA programme at Loughborough University).

Returning briefly to the theme of IT as an example of where the skills gap is widest, Cresswell stressed that the threats to business continuity – and to the security of business-sensitive information – are “colossal” and, in most cases, significantly outweigh those of terrorism, staff theft and burglary, etc.

“However, as a profession, security management is mostly choosing not to involve itself with information and IT-based security issues,” said Cresswell.

Looking at future directions

“There are many other such areas that we need to permeate,” continued Cresswell. “Take vetting, for example. Or rather, in this country at least, the lack of it. Combine the lack of vetting of IT contractors with the threat of information theft and you have a pretty potent risk. Cases of IT contractors being inserted into companies specifically to steal information are disturbingly common in the UK. Often, they will succeed in their aims because the company security manager has remained in his or her comfort zone, and is either unaware of the problem or simply doesn’t have the necessary skills sets to deal with it.”

So what is the necessary future direction for the profession of security management? Cresswell feels that “far too many” security managers are relying on old skills sets “that may not be appropriate” for the modern, high tech threat environment. “There are ten basic skills sets which today’s manager needs: risk management and loss prevention skills, data collation and analysis skills, technical skills, security programme management and crime prevention skills, crisis and business management skills, interpersonal skills and investigative skills.” Here’s an explanation...

• risk management skills: the ability to analyse and quantify risk using standard models, and to select mitigative strategies
• loss prevention skills: security surveying, stock accounting, operational understanding, Health and Safety and fire safety
• data collation and analysis: the ability to collect and analyse data, and then convert it into intelligence for risk forecasting
• technical skills: the application of cost-effective solutions that will deliver a quantifiable return on investment... and the need to understand IT and IT security issues
• programme management skills: in line with the corporate vision, the overriding need to include all key assets (information, travelling members of staff, etc)
• crime prevention skills: a thorough understanding of criminal motivation, criminal methods and the application of crime prevention theories
• crisis management skills: crisis management co-ordination, business continuity planning, disaster recovery planning, etc
• business management skills: finance, business administration, evaluating tenders, managing projects and change, etc
• interpersonal skills: relationship building, leadership, influencing skills, negotiation, presentation and listening skills
• investigative skills: scenes of crime and evidence, interviewing and report writing skills

Blueprint for security directors

Cresswell then cited ASIS International’s Chief Security Officer Guidelines as “a roadmap for security professionals to assume greater stature in their organisations”. The key skills required Stateside focus on an executive management and leadership ability, the need for being a subject matter expert and creative problem solver, a relationship manager, strategist, risk manager and corporate governance team member all rolled into one.

According to Cresswell’s statistics, 13% of ASIS’ UK members have passed the Certified Protection Professional (CPP) examinations. “This equates to about 1% of all security managers in the UK,” continued Cresswell. “A rather low figure, given that the pass rate has consistently been in excess of 80% if you were to examine the statistics on a global basis.”

Many UK managers have offered reasons as to why they have chosen not to sit the CPP. Some say it’s “too American”. Some “don’t have the time”. There might also be a fear of failure. A distance learning MSc requires between 10 and 15 weeks’ work over a two-year period. It is arguable that the CPP carries the same credibility – at least within the profession – for much less work.

“If sufficiently active, training can be the most intensive and effective form of learning,” said Cresswell. “It must be flexible enough to change in accordance with the latest threats to business, and in relation to developments across the discipline of security management. It’s imperative that training is always supported by the host organisation’s aims and objectives. Training on its own is not enough, though. It demands to be married with workplace-based academic study so that managers have an opportunity to earn post-graduate academic awards up to and including an MSc.”

Such a concept has been pioneered by Middlesex University for some time now in relation to other professions, and has been shown to work well – providing access to higher educational qualifications where no such access had existed.

The remit of today’s security manager extends far beyond mere asset protection. This is one of the reasons why there is some disagreement on where security management lies... is it a part of risk management, a branch of criminology or a division of business management? It is a business process firmly in the public eye. “That is why managers should strive to obtain a recognised ‘civilian’ qualification in security management, to assist their CPD and help raise the image of the profession as a whole,” concluded Cresswell.