Sunday, July 19, 2009

WHAT'S NORMAL IN SECURITY AWARENESS EDUCATION FOR GENERAL EMPLOYEES?

Security Director's Report (07/09) Vol. 2009, No. 7

New research on corporate security spending, administered by IOMA, indicates that firms spend a negligible amount on security awareness on a per-employee basis. It is likely that money for it will be in short supply in the near future, so implementing strategies that imbue the awareness program with the most value at the smallest cost is crucial. Some tips on getting the most bang for the buck: Standardize the program by giving it a goal, creating strategies to accomplish it, and performing regular assessments to test its effectiveness. Work toward pushing employees to embrace security as an individual responsibility. Involve senior management team members in the process, and ask them to sign off on a summary statement that the security department can use to introduce its comments. Take time to form a relationship with the audience, and devote the time and effort to making a high-quality, persuasive presentation. New hires will probably not remember every detail of the presentation, but they will cultivate an attitude relating to whether security at their new place of business is worth their attention. Deborah Russell Collins, executive director of the National Security Training Institute and former instructor of security awareness at TRW, says to that end, security's aim during new-hire orientations should be addressing employees' needs instead of inundating them with more responsibilities. Finally, give a fair presentation that underscores that all people are different and caters to a number of individual learning styles.

Wednesday, July 15, 2009

PROBITY, COMPETENCY AND SECURITY CONSULTING


By David Gill
The Association of Security Consultants’ chairman Roy Sutherland, his business partner Chris Roberts and I discussed the whole question of consultant licensing at IFSEC, with SMT Online’s Editor Brian Sims serving as an interested umpire.
Having listened to each other’s points of view, it’s fair to say we concluded our deliberations with a warm and friendly handshake, and then duly agreed to differ on a number of key points.
Of course, the Private Security Industry Act 2001 clearly sets out the categories to be licensed. Both Roy and Chris consider it was the legislator’s error to have included security consultants in its future plans.
While Roy and Chris are resolutely against the notion of licensing security consultants, I take a contrasting view. However, one key area where we all do agree is that the Security Industry Authority (SIA) has failed – and continues to fail – in grasping the consultant nettle.
Controlling those who would advise
In my view, there simply has to be a means of controlling those who deliver security advice. We should follow the established and widely recognised professions – among them the law and accountancy – whose overseers demand that individuals must possess a recognised certificate in order to practise.
Key elements for such professionals include formal academic qualifications (and not a reliance purely on practitioner experience), formal Continuing Professional Development (CPD) structures, professional indemnity insurance and current membership of a recognised professional body (one that’s empowered to suspend licences to practise if it deems that course of action to be necessary given certain circumstances).
Some of you will be aware that I’ve just completed a Masters degree in Security Management at Loughborough University. My chosen dissertation subject was: ‘What is a security consultant, and what controls are in place to guarantee an acceptable level of expertise?’
An integral part of the research was obtained through an online survey. This was sent out to the main UK private security membership organisations, regulatory and training bodies, academics in the field of security, end users and deliverers of security consultancy services as well as business professionals with no direct link to the security sector.
The survey questions were compiled by working in collaboration with a select number of high profile security practitioners and academics, all of whom were asked to contribute one question they felt was relevant to the title of the research.
Such was the level of response to the survey (many respondents submitted more than one question) that it was impractical to include every question. However, those questions not used in the main online survey proved very useful during subsequent one-to-one interviews.
My survey attracted responses from almost 200 individuals, whereas the SIA received 89 responses from a similar consultation exercise conducted in May 2007.
Arguments to support the view
As Roy and Chris correctly pointed out in their article, the Regulator has adopted the view that says: “There is little or no evidence of risk to the public from consultants not being regulated”. By contrast, 64% of respondents to my survey disagreed with the SIA’s view, while a further 78% were of the opinion that security consultants ought to be licensed.
From my perspective there are two strong arguments supporting these majority views. First, by failing to regulate consultants, unscrupulous or simply inept operators can exploit current legislation to undertake security-related activities under the label of them being a ‘security consultant’.
Second, the public can in many instances be directly and adversely affected by poor security advice provided by an inadequately qualified individual. Obvious examples include organisations supplying goods or services to the public, such as banks, retail outlets and event organisers.
There remains widespread concern within the private sector and among law enforcement agencies that anyone – regardless of their background, experience or qualifications – can lawfully advise, specify or consult on security matters. Indeed, the overall consensus from interviewees and survey respondents was that the SIA is wrong to suspend licensing of security consultants.
The absence of security consultant licensing has created a vacuum, and presents opportunities for unsuitable individuals to exploit what is clearly a legal loophole.
Many of the respondents to my survey provided optional free text comments, deriding the SIA for its perceived feebleness, indecision and what some regarded as ineptitude caused by weak leadership and a failure to understand the sector. Strong views indeed.
We’re told it’s all about definitions
My research also exposed significant uncertainty on the issue of defining a security consultant. Indeed, for some within the UK security consulting sector reaching a consensus on defining a ‘security consultant’ is akin to discovering the sector’s ultimate Holy Grail!
While defining the term ‘security’ was to a large extent not overly problematic, by contrast attempting to define the term ‘consultant’ was particularly difficult. It also exposed a fundamental problem, in that most traditional definitions merely refer to consultants as those engaged in a specific area of medicine.
However, Wikipedia lists a number of unusual – some might say bizarre – types of consultant but, you’ve guessed it, there’s no mention of a ‘security consultant’. Other than medicine, as a general rule the term ‘consultant’ tends to be associated with a person having expertise in a specific subject – not a generalist.
So would it not make life a little easier when it comes to trying to define what a security consultant is to actually drop the word consultant and replace it with either advisor or practitioner?
The average text book on security will list numerous specialist areas such as access control, biometrics, policy and procedures, crisis management, IT security, risk assessments and so on. Take the person who sells CCTV systems. Often, they will market themselves as a security consultant, but what is the extent of their knowledge and qualifications aside from technological specifics related to products or systems?
What does this CCTV security consultant know about the vetting of staff and prospective trading partners, risk management, employment law and the importance of the privacy laws (most notably the Human Rights Act)? The list is endless, and those of us involved in the delivery of security consultancy services know it.
Core skills and knowledge pinpointed
I believe core skills and knowledge should be identified by the SIA, in conjunction with the leading industry sector bodies (in particular The Security Institute and the Association of Security Consultants). The aim must be to identify a ‘general security practitioner’ – or, if you prefer, a ‘general security advisor’ – qualification and seek to amend the Act accordingly.
As is the case with the ASC, which presently has 80 members on its books, The Security Institute promotes the raising of standards across the wide spectrum of security disciplines. The Institute has made it clear it aims to seek Chartered status but, in order to achieve this goal, the Privy Council has indicated current membership will need to triple to 3,000 (and 75% of that cohort must hold a first level degree or equivalent).
We have some way to go, but with The Security Institute’s introduction of a new category of membership for students, together with mentoring opportunities and the Institute’s Certificate and Diploma in Security Management (delivered by Perpetuity Training), the tanker is turning in the right direction.
Emboldened by the Institute’s example, I very much hope that smaller specialist groups will look to become a part of a constellation of security professionals, and that the SIA reconsiders its position on the issue of consultants such that the existing legal loophole may be closed.
Licensed to practise: how might it happen?
How would someone become licensed to practise as a general security practitioner or general security advisor? Based on my own experience of over 30 years, supplemented by this latest and very extensive research, I believe the key requirements are:
a security consultant (advisor/practitioner) qualification set at a minimum of Level 4
adherence to a formalised CPD framework
membership of a recognised body (such as The Security Institute or the ASC) that has a strict validation process
a Code of Ethics and disciplinary procedures that include the power to suspend or revoke a licence to practise
In the Australian state of New South Wales, co-regulation has been adopted with their equivalent of the SIA devolving inter alia inspection powers to the main sector membership body. This system reportedly works very well indeed.
I believe we can learn from other sectors, and not just from the engineering model proposed by Roy and Chris. The answer is to select the best and most appropriate elements from a number of other entities.
The approach adopted by the Centre for the Protection of National Infrastructure (CPNI), which operates a register of qualified security professionals (interestingly managed by the Institute of Chartered Engineers), is one good example. The CPNI has identified core areas of expertise aligned with experience, appropriate qualifications and CPD which differentiate members of its Register as being either a specialist security advisor or general security advisor.
There are also lessons to be learned from the way in which accountants and lawyers qualify – a system whereby trainees follow a prescribed course covering the essential elements of the subject followed by examination and, thereafter, a two-year work experience period played out under supervision. It’s only after the completion of this supervisory period that the lawyer or accountant is eligible to provide advice to clients.
An unmanageable and unrealistic goal
Attempting to include the myriad of ancillary security disciplines such as CCTV specifiers and electronic counter-measures operatives (‘bug’ detecting) within regulatory controls is unmanageable and unrealistic. Their exclusion would greatly simplify attempts to define a security consultant (or general security advisor/practitioner).
Ancillary service providers would be required to meet agreed industry standards and Codes of Practice, but without the need to be licensed. Accountability of the service provider in a specific trade or expertise would be the responsibility of the licensed general security practitioner.
For example, CPNI registrants can in certain circumstances engage others on their behalf if they are satisfied the contractor possesses the relevant competency and experience, with the registered advisor being responsible for the sub-contracted party.
By engaging a ‘cowboy’, the registrant runs the risk of being removed from the CPNI register and disqualified from tendering for public sector contracts – a powerful reason to ensure sub-contractors are competent and fit for purpose.
Roy and Chris believe security consultants stand “shoulder to shoulder” alongside Chartered bodies such as surveyors, engineers, accountants, architects and so on. I disagree. We need to bring our sector into the 21st Century if security consultancy (and indeed the various specialist services that fall under the security industry umbrella) is to be considered a recognised and highly respected profession.
Probity and competency must be shown
If we want to be taken seriously, probity and competency have to be demonstrated, not assumed. Like it or not, this industry does not have the same status as the established professions. The requisite professional frameworks are not yet in place.
To reiterate, those delivering security consulting services must possess a recognised qualification alongside the other core elements that established professions require. These include formalised CPD, significant experience (a minimum of two years), membership of a recognised professional body, adherence to a strict code of professional ethics and the requirement for practitioners to have professional indemnity insurance cover.
Sounds good, doesn’t it? However, without these requirements we run the risk of remaining inward-looking, fixated with pseudo self-regulation and acceptance, as is so often the case, of a first career in the military or the police as the primary requirement to justify the label ‘security consultant’.
I fully accept that, in many cases (yet certainly not all), those who have served in law enforcement or the military possess some excellent transferable skills, but in this day and age that alone is insufficient.
As one senior member of the ASC remarked during my recent research: “Security consultants should have nothing to fear from regulation”.
Regulation surely has to be seen as one of the essential steps towards acceptance of security consultancy as a true profession.

David Gill is managing director of Linx International (Corporate Security Services) and vice-chairman of The Security Institute