Let’s imagine a tech start-up. It’s grown (to 50 employees? 100?) so that its founders decide they ought to hire a chief security officer (CSO). Perhaps they develop software for a sensitive client (the Ministry of Defence) or for critical infrastructure (sewage farms? The railways?) and they’ve taken the hint that they ought to have their first security person.
The sheer range of tasks for that CSO shows how wide security management can be. On that CSO’s plate could be travel risk, even bodyguarding (if the executives are going on business to meet partners in Tallinn; you may know vaguely it’s in eastern Europe, but how close to Russia? Is that at all dangerous?), cyber (if staff open their laptops one morning and only get a ransomware message, is it solely a case for the IT guys?), fraud (that nice chap, the chief finance officer, is he diddling the company to afford his children’s rising school fees?), and intellectual property protection (software developers using their personal devices, moving data who knows where, into GitHub, ChatGPT). Or, for a more homely, comic image, the latest television advert for Yorkshire Tea stars the actress Sarah Lancashire reprising her role as a policewoman in the BBC TV drama Happy Valley, only her uniform says across her chest ‘Security’ as she picks things out of office bins and investigates (and embarrasses) workers over who has stolen whose biscuits. I understand that some corporate security departments have really been tasked by staff who are bothered enough to want to know who’s taken their lunch out of the communal fridge.
That a CSO would have some tasks, and not others, would imply a foundation of knowledge that would belong to a security manager and not to others. To use a metaphor, if security management has many branches – business continuity, crisis management, counter terrorism – it ought to also have a trunk. What is it?
All risk
That occurred to me last week at an enjoyable evening arranged by Peter Connolly, the CEO and founder of the consultancy Toro Solutions, when about 30 experienced, articulate and intelligent people gathered in a room in London to chew over things. An altogether enjoyable and useful evening. Speakers used the words security, risk and resilience as if they were interchangeable, or at least connected. Again, that implies they share a root. Is it risk? Security is only a branch of risk (crime, or an act of terror is a risk the same as a flood, fire or IT outage). Resilience you can define several ways – as bounce-back-ability, or the ability to meet, adapt to and learn from whatever hits you, whether a wildfire or a publicly-disgraced executive. If risk is the root of all three, is that acknowledged? Taught in the five-day SIA door or contract security officer licence training?
Cyber ahead
The metaphor of branches, trunk and roots (drawing on sustenance, whether in professional terms new tools or thinking, or laws to comply with) is powerful because numerous specialisms are too small to generate enough volunteers or money to map themselves, to come up with exams and qualifications, based on a list of competencies and qualities required to do the job, overseen by some institution. In that regard, cyber and info-security has stolen a march on overall security management because of the Chartered Institute of Information Security (CIISec), in contrast to the plain Security Institute.
BCRP management
As for how that matters, consider one specialism, business crime reduction partnership (BCRP) management. (By singling it out, I don’t want to suggest it’s particularly at fault; on the contrary, I meet enthusiastic, hard-working and able BCRP managers.) A BCRP manager needs at least two unconnected skills. One: to collect, analyse and pass on data, using one of numerous software packages available (SentrySIS, Littoralis-DISC and Shopsafe to name three; part of the skill may be to judge which is most suitable). And two: to meet partnership members and partners – the police, business improvement district managers – to get things done. Indeed, it’s a skill to even identify who’s who in the locality, who are the doers to get things done with and who are the blockers to avoid angering (or avoid altogether). BCRP managers are only numbered in the hundreds, meaning their work isn’t mapped; there’s no university degree in BCRP management. The best BCRP managers seem to ‘fall’ into it, not unlike security management, as a second (or third or fourth) career. Whether in retail generally or retail loss prevention in particular, they care about crime reduction enough to get drawn into it. The problem may arise when a panel is hiring a BCRP manager; what do the hirers have to go on? They may assume that someone leaving the police knows about crime, and hand them the job; if the retired cop has applied, they presumably know what they’re doing? Except that the skills of a cop are wide also – from traffic to counter-terror – and maybe wildly inapplicable to BCRPs. The former cop may do an excellent, mediocre or downright bad job; or realise it’s not for them, and resign, but the process then only repeats itself.



