‘What makes the modern security professional?’ As Tony O’Brien observes, the right combination of the security mindset, hard skills, soft skills, technical skills, self-awareness and adaptability is almost impossible to define. Today, and increasingly so, it’s all about an individual who is just as comfortable in the cyber world as they are in the physical realm and who understands the connectivity and interdependency of both.
As converged security services develop at a rapid pace, finding people with this diverse skill set is proving to be somewhat challenging for many reasons. There’s a requirement, then, to talk about building these professionals from the ground up and assess what we can do to prevent the rest of the industry from becoming the next dinosaurs.
When I think of the pace at which the world is evolving and developing, it both amazes and worries me. If we consider that, just ten years ago, many of the platforms we now use on a daily basis didn’t even exist, and that in five years’ time they will likely be obsolete, this illustrates precisely how quickly the world – not to mention ourselves as its inhabitants – can evolve. It also illustrates how those who are not willing to adapt and develop can be left behind in the wake of this evolution.
The security industry is not immune to this risk, and particularly so in the area of cyber security. I would estimate (both anecdotally and from the new entrants I see coming through the doors) that 90% of the physical security industry is well below a basic level of understanding in areas of cyber security, cyber crime and information security. To change this situation could well take a generation. However, with the pace at which these areas are evolving, our current security population could be seen as obsolete long before that time.
Plugging the gap
As someone who teaches in this industry both at entry level and higher up, I will be the first to admit that the current training system will not be fit for purpose in even two-to-three years. It’s barely plugging the gap now. We have large skills gaps in the cyber security area and a large pool of under-trained physical security operatives. This system, I believe, is the very root of the problem.
Typically, we still treat the two areas as completely separate roles when they are not. Of course, at higher levels the technical skills will differ, but as converged services become a reality, every single security operative needs to be at least familiar with both information and cyber security basics.
The problem I see daily is that professionals operating in the physical security industry still perceive that cyber security isn’t their job. There’s a real fear of the subject. It’s the fear of the unknown and the fear of new challenges that terrifies the physical security industry and those resident within. What we are left with is a group of security specialists who know a lot about crime prevention and the essence of what a crime looks like in their field. We also have a cyber security industry predominantly made up of IT specialists who know lots about the cyber world, but not a great deal when it comes to how criminals think and act, or about the knock-on physical consequences of cyber security. Why can’t we build security operatives with a skill set in both?
This issue then escalates at the security management level, where we have people promoted from within the physical security ranks, or recruited from policing and military backgrounds, and who have high levels of physical security knowledge, but no idea about cyber or information crime. Upskilling these individuals (of which I count myself as being one) is both challenging and time-consuming. Ultimately, the pace of skills development will always struggle to keep up with the pace of change.
Pathways for transition
Currently, there are very few pathways whereby physical security professionals can transition to cyber security and even fewer pathways in the opposite direction. There are some, but they often require many years of study at an advanced level.
My opinion is that we don’t need to develop many more pathways between the two areas. Instead, we need to begin treating the two areas as a single field, and building entry level training programmes for the future security specialist which give a solid grounding in both areas.
At the top level, we will always have specialists like there are in every professional field, but this is where the specialisation should start. Once all security professionals have a solid competency level across security fields, then we can branch off into specific fields where the person’s passions or career opportunities lie. This is the way in which every other professional field works.
Consider medicine, teaching or the sciences as the perfect examples. Every professional here receives a basic grounding in the fundamentals and then chooses their specialist area at a higher level. If we want to be seen as a profession and not just a job, then this is where we need to be aiming. We simply cannot continue to ‘silo’ our efforts or both sectors will suffer over time.
Building from the ground up
My suggestion is that we begin to develop an international occupational standard for the future security operative. You will note that I said international standard as part of the International Labour Organisation’s International Standard Classification of Occupations (ISCO) which informs many countries’ national occupational standards. This would be a move beyond the typical focus in most countries on developing national occupational standards for security operatives.
We now live in a global world both in terms of cyber and physical security. Our future training needs to reflect this change and equip security professionals to work in a global security landscape. Security in the future will have fewer physical and national boundaries and we must equip ourselves now for this eventuality.
This will take time to develop and, in the meantime, we can begin to take steps with programmes that we already have to make them better suited. Until we can converge cyber, information and physical programmes, we can begin to insert modules into the current programmes to begin to give each area basic knowledge of the other.
This works both ways. Just as our current physical security training programmes have limited or no content on cyber security, the same applies in the cyber security area.
I don’t see too many cyber security programmes out there at any level which cover areas such as criminal mindset, securing physical assets or even police statement writing. Beginning to introduce these subjects into each area can set the groundwork for the future development of converged security programmes.
While we can begin to introduce these subjects to the industry at entry level, I certainly believe that we should be developing robust, converged security programmes at certificate, diploma and degree levels before the specialisation begins at Master’s level and beyond.
Appreciating the cyber risk
It’s difficult for an individual who has worked in physical security for many years to appreciate the cyber risk and to comprehend the skills required to be proficient. Now that cyber incidents have started to manifest themselves in real physical injuries and deaths, perhaps the risks involved will become more apparent.
There’s huge scope here for both sides to work together to everybody’s benefit. There is currently a large skills gap in the cyber security area. There’s also a pool of talent resident at mid-level in the physical security arena who would love to help out, but simply don’t have the tools to do so. While it may take some time to help them develop those tools, spending that time would certainly a worthwhile endeavour.
That only provides a temporary respite, however. The cyber security area will continue to grow, as will all other areas of the industry. I sincerely hope that we’re not sitting here in a number of years’ time having the same conversation. In order to avoid that scenario, we have to begin planning, developing and implementing training programmes for future security operatives which reflect not just today’s risks, but also the foreseeable risks of five and ten years’ time.
The development of this generation of security professionals has the potential to be the vanguard for the future of the industry as long as we act now. If we wait, it could be too late for even the next generation.
Tony O’Brien is Managing Director of Security Operative Training Services
*The Security Institute’s View is compiled and edited by Dr Alison Wakefield FSyI (Chairman of The Security Institute) and Brian Sims BA (Hons) Hon FSyI (Editor of Risk Xtra)
**Editors’ Note: Any security practitioner can commence their cyber security education online (and at no cost) via the FutureLearn ‘Introduction to Cyber Security’ course. There’s also the option to pay £62 for a certificate of achievement. The course development was supported by the UK Government’s National Cyber Security Programme. It provides GCHQ ‘Certified Training’ and is IISP accredited