Risk UK September 2017
Training and Career Development

‘security manager’ might refer to a traditional physical security role, an information security systems role or perhaps even a job in software development. With the concept of security diversifying in response to an ever-broadening threat landscape, this confusion can be a further challenge for traditional security practitioners when it comes to career planning. The question is: ‘What can we do about this?’

Part of the wider problem might be that security still exists within a number of different silos. At the organisational level, whether fuelled by pessimism or paranoia, we’ve built walls around our departments to keep our ‘security stuff’ secret without realising that what we really need to be doing is sharing it.

Whether we’re helping staff in other departments to spot fraud, detect suspicious behaviour, be more aware online or respond more confidently to conflict, we’re empowering the organisation to be more secure on a ‘one person at a time’ basis. Such activity may help to raise our profile organisationally and could even trigger conversations that might reveal hidden risks or opportunities for the business, not to mention illuminate new career pathways for ourselves as practitioners.

Weak at building bridges

Beyond the organisational silo, the sector seems to exist in a professional one. The sector is weak when it comes to building bridges with other professions, both in terms of sharing expertise and opening further career pathways. Security people tend to network with other security people, which may say somewhat more about our ‘comfort zone’ than it does any deliberate attempt to avoid other professions.

An alternative to this might be to seek speaking slots at events for other sectors, or writing security-related articles that are relevant for trade journals outside of the security domain. Security is a ‘people problem’ and, as such, we have insights that other professions may duly appreciate.

The final silo is the one that we build ourselves. If we only see ourselves as ‘traditional security people’ then this is all that others will see us as, and their lack of understanding of the importance and scale of what it is we do will mean that they only call upon us when they think there’s a problem (at which point it’s often too late). Certainly, security practitioners have been undertaking Health and Safety accreditations for a number of years to enhance their employability, but this is perhaps an obvious step.

Another potential consideration is the apparent shortfall of cyber security professionals, with some reports suggesting the number is going to be as high as 1.8 million globally in the next five years. Considering the shift in the asset base from physical to information, this demand is foreseeable.

“Whether a security practitioner is highly qualified, highly experienced or both, suitable senior-level security management opportunities are somewhat difficult to find”

We as traditional security practitioners need to overcome our fear of technology to take advantage of this situation. If we accept three principles – that security is a ‘people problem’, that technology only allows people to commit old crimes in new ways and that (using the CISSP certification programme as an example) nearly half of the knowledge required to work in cyber security is within our existing knowledge base – then there’s a chance to forge a different career pathway.

There are also other avenues to consider. A highly competent security practitioner might add value in a range of corporate roles including FM (for physical security), HR (for people-based risks), logistics (supply chain risks) and many others. Some of these departments even have a direct career trajectory into the C-Suite (including that coveted CSO role). That being so, requalifying to move departments might provide security practitioners with longer term advantages.

If we accept that security is a business enabler, we can begin to see which other areas of the organisation we can enable through sharing our knowledge and experience. Doing so will require us to broaden our horizons and open our minds. The best way to do that might be to leave the Security Department behind us forever and seek work in other teams.

Banish outdated thinking

Ultimately, it could be argued that we need to break our ‘death grip’ on the concept of security as a ‘department’. Such thinking is undeniably outdated. For security to be truly effective it must be part of the wider organisational culture and is therefore not a department, but instead a shared responsibility.

Perhaps security should be an element in a wider management skills set instead of being a discipline on its own, similar in nature to project management accreditations?

While all of this is very much open to debate, what is not is that, if we continue to do what we’ve always done, we will always derive the same end results (or perhaps worse, given the ever-changing nature of today’s world).

Richard Diston MSc MSyI:
Director of Ark-Services
www.risk-uk.com