The business of security is changing, so, should you? That was the opening question posed by industry veteran and Chartered Security Professional (CSyP) Peter Houlis, of 2020 Vision Technology, at the recent ST14 North conference-exhibition in Manchester.
This presentation looks at my journey to becoming a Registered Chartered Security Professional, and why after 40-odd years in the security industry, I believe it was a necessary move. During the talk, we’ll look at the changing face of security, the modern threat landscape and the technological advances in security systems driving the need to evolve an industry into a recognised profession. Then I get to talk about me – my own personal voyage through the security industry starting out as a young 16-year-old.
Security: a complex and diverse subject.
Advances in technology and the move to IP, coupled with the new perception that security is a business practice rather than a grudge purchase, are driving the need for better-qualified security practitioners.
“The business of security has shifted from protecting companies from risks, to being the new source of competitive advantage”. Briggs and Edwards (2006)
Post-9/11, the world changed. It’s now clearly evident that security is a very complex and diverse subject, not to mention a constantly moving objective. As a discipline, it’s a contributory factor towards business success and needs to be valued as a business process that’s actively championed from the very top of an organization. Everyone in an organisation needs to adopt the security culture and understand its business value. We need to appreciate it in the same way as health and safety, quality and equality and diversity, etc. We can only achieve this status quo by raising the standing of the security profession.
Evolving threat landscape
When I first became involved in security, almost 40 years ago, crime seemed quite simple. Today, that simply is not the case. Globalization and technological advances are changing the world, the political landscape, and the criminal menace. In turn, this is creating both business opportunities and threats, at the same time raising fear and uncertainty around the world.
Civil unrest and conflict are widespread. This is increasing antisocial behavior and acts of terrorism, in turn, increasing criminal acts. Of course, terrorism needs funding, often through criminal means such as major fraud, think cyber-security or drugs, from the crime lords to the drug users — who usually fund their habit through criminality — and you begin to see the connections. As the risk landscape becomes increasingly unpredictable due to globalization, political instability, cost sensitivity, organized crime, pervasive regulatory compliance, technological advances, and natural disasters, the importance of the role played by the security profession increases further in terms of protecting people and assets, whatever the type of practitioner — a security manager, consultant, technology vendor, or security officer.
Moreover, the modern security professional needs to see the bigger picture and absolutely understand an organisation’s business.
The focus of security is shifting, for everyone.
Security must get a grip of new technology
The technical side of the industry has also changed with the introduction of IP-enabled security devices and systems, which has blurred the lines. The old barriers between security, IT and facilities are simply not there any longer. As security professionals, we need to understand where we fit in the bigger picture. We have to understand what the technology (video surveillance, access control, intruder detection et cetera) can do and, from a security perspective, what operational issues we can address. We need to know how these things relate, and to educate our clients if we are to add benefit to their organisations.
I often wax lyrical about the exciting opportunities advancing technology in the security sector is providing for the serious systems integrator, and the fact that it presents such a great catalyst for change.
Growth in IP security and surveillance, and the developing convergence with IT certainly provides a powerful platform for transforming our industry. However, with opportunity comes challenge and change.
Most security companies will need to learn how to apply new equipment and solutions – servers, hubs, switches, PoE and systems, IP protocols, networks and cyber security analytics, etc.
Systems are now more powerful and complex, encompassing a host of hardware, firmware and software residing on a common network and performing an array of functions. All of this is usually derived from an assortment of manufacturers, suppliers and developers.
As these systems become more bespoke, intelligent and interconnected, a more diverse and higher degree of skills will be required to make these systems work correctly.
Converged security as operational management tools
We need to get to grips with this convergence. In our case, it’s a pretty ambiguous term, covering multiple operational roles and a range of security disciplines, which encompass the union of both technology and operations, described as technology convergence and operational convergence.
Technology convergence is defined as the merging of distinct technologies and devices into a unified whole. In other words, it’s about integrating everything onto a common network: communications; IT equipment (PCs, workstations, servers, printers, social media, BMS etcetera); data for payroll, HR, procurement, social media etcetera; and security devices.
Operational convergence is about merging the various security management disciplines, policies, procedures, risks etcetera.
Convergence is not new. However, security is one of the last functions within an organisation to merge onto standard IT equipment.
As technology change expands the use of security (and, in particular, surveillance) systems far beyond security uses, so it also transforms them into an operational management tool.
Security professionals must gain a greater understanding of their customers’ business requirements outside of ‘the security brief’ such that they can develop and provide systems which deliver true business benefit (in terms of providing ‘real time’ visual intelligence for operational uses to maximise ROI, for example). It’s about providing ‘situational awareness’.
After all, ‘Information is King’ and most definitely paramount in terms of realising informed decisions. The technical role is now about implementing technical solutions which efficiently provide instant and relevant information, whether that be a break in, trespass, health and safety infringement or an operational process going wrong. We need to make that information easily accessible when required and facilitate its sharing between all interested parties in the same way that has made the IT sector all-powerful.
Such technical solutions have become embedded as a requisite facility of nearly every department in every enterprise.
In fact, nearly everything we do in life today involves an element of IT. Convergence relies heavily on IT; it’s their infrastructure everything relies on. We need to make friends with the IT person and be treated as an equal.
It’s fair to say the IT sector is qualifications-driven. There are numerous academic qualifications in computing and IT up to PhD level in computer sciences, giving the IT sector instantly recognisable professional credibility. Equally, most other business functions require qualifications: accounting, bookkeeping, health and safety, HR, etc.
Qualifications demonstrate the holder’s ability to complete a comprehensive education, training and intensive study programme in a given subject(s). This provides proof that an individual is knowledgeable and has a clear and demonstrable understanding in his/her field. Above all, perhaps, it proves they can learn!
Sadly, this is something the more mature security industry has failed to achieve. Could this be partly down to a lack of professional qualifications? Fortunately, today organisations like Tavcom Training have filled the education gap and universities are now offering security related degree courses.
True – and confirmed – security and technology knowledge
Whatever side of the security business you operate in, to be taken seriously by your peers and other business professionals, today’s security professional needs to exhibit a level of knowledge and competence in a diverse range of security subjects and business skills, and to understand when and where expert advice can be obtained, and when specialist knowledge in a particular discipline is required.
For example, on the technical side, if we’re to succeed and be taken seriously by IT professionals we need to ‘talk the IT language’ and, what’s more, prove we really understand it. This does not mean we need to be experts in IT, but we do need to show we are experts in our own field. In our sphere of expertise we need professionals with a true and confirmed knowledge of the technology, how and where to apply it, and a demonstrable awareness of how it sits in the network topology.
We also require a clear understanding of the clients’ business functions. We need to know more about how a given client’s business works and how we can introduce technology to deliver benefits in terms of increasing efficiency, reducing manpower and mitigating risk, etc.
Regrettably, the security industry has been slow in developing appropriate qualifications. However, as we migrate more and more towards IP-based networked systems, and if we are to hold our own against the IT sector, we need to drive for a more professional industry supported by relevant qualifications and certification.
If we do not have this knowledge to hand then we run the risk of ‘losing our industry’ and missing a huge opportunity for it to develop into the bargain.
Likewise, if you are in a security management role you need to understand your clients’ security problems and business objectives if you are going to add value through security, and the client needs to feel confident you really understand his issues. This brings us nicely to me. Although I had 40 years’ experience in security and systems, I wanted to demonstrate to my customers that I understood their security risks and business objectives.
Hence my journey to Chartered status.
My personal journey
1974 Commenced career as trainee security engineer, Security Alarms (Northern) Ltd.
1976 Grade 1 Fire and Security Engineer.
1976 Headhunted to national company, gained high security and CCTV experience.
1977 Asked to return to Security Alarms as field service engineer, responsible for local region; maintenance and service of wide range of electronic security systems.
• Retained by Lander Alarms post-takeover.
• Refined knowledge of break in techniques.
1982 Moved to local company as engineering manager running nine engineers in installation and service department.
1982 Set up Intruder Alarms (Northern) in partnership.
Company became limited; joint Managing Director although role remained technical.
➢ NACOSS (now NSI) approval, wrote manuals.
➢ Police Force approval
➢ BS5750 QMS accreditation, wrote QMS manual.
➢ Secured national contract with Kwicksave, Charlie Browns and Northumbria Water
➢ Grew from zero to eighteen staff and 11,000 systems.
➢ 1988 Started to investigate new security technologies. Research through various manufacturers, suppliers, installers and reading
➢ 1992 Sold shares to set up 2020 Vision after short business course at Northumbria University.
➢ SSAIB accreditation and appointed Board member.
Gained BS 5750, Chas and Safecontractor accreditation.
➢ Secured first University client and Northumbria Police contract for towns and City Centre.
➢ 2009 Implemented ISO 9001:2008 IQMS, 14001:2004 & BS OHSAS 18001:2007 and Business Continuity Plan.
Guided 2020 Vision to become a multi award winning integrator, well respected by a diverse range of clients and peers, with high client and staff retention and repeat business.
Achieving Chartered Security Professional status
All told, I have spent more than 40 years in the security field gaining a broad knowledge of security, of securing against risks and running a business, but I had very little on paper that endorsed that knowledge and experience. So, I looked at the Registered Chartered Security Professionals criteria:
Knowledge and practical skills,
Leadership and Communications,
I believed, with encouragement from the Security Institute, that I met the CSyP requirements. The next step was to complete a very detailed application listing, with supporting evidence, how I met the requirements. Then, as I do not have a security-related degree, I was asked to complete a 10,000-word thesis on four given security subjects. I enjoyed researching and writing this, although it took some time for me to get my head around academic-style writing and Harvard referencing. Finally, I attended an interrogation, I mean interview, with two assessors and an observer.
Security cannot be achieved in isolation; it is a business problem, challenging the security industry to make dramatic changes, with the aim of achieving strategic and higher operational level competencies in security management. To meet the challenges, the modern security professional will need to be recognised as a proactive advisor and enabler of security and risk management decisions, for the protection of the organisation, and as a valued equal to fellow business professionals. Professional qualifications and Chartered status are the individual’s path towards earning the respect of fellow business professionals. It’s a demonstration that a given individual can add value to his or her organization through best practices in security. Finally, in a diverse and dynamic subject, continual review and constant personal development of knowledge and skill through education, research and networking is paramount in retaining value.