The Protect Duty’s road to becoming law is proving long and tortuous, writes Mark Rowe, yet once it becomes law, a yet trickier problem will remain; how to define who is a ‘competent person’ to advise the many thousands of venues and other sites that will fall under the Duty, yet have no security manager, let alone a counter-terror specialist.
This question is really a question of defining who is a security consultant, because even businesses with a security department may feel they want to bring in such expertise; even big-name social media firms, if they have cut their security department lately from 57 to five (as has happened).
Some are already defining themselves as able to offer that expertise. A senior police speaker at the Olympia Expo last autumn made the point that the authorities were not endorsing any products or services that were marketed as helping you to meet the Protect Duty. He might as well have talked to the wind, because some in the UK security industry were already seeing the Protect Duty as a rare opportunity to cash in, on a par with the demand for private military security in Iraq after the invasion of 2003, the demand for training of door staff, contract security guards, CCTV control room operators and bodyguards once the Security Industry Authority (SIA) licensing regime came in, in the mid-2000s, and the call for armed security on ships crossing the Indian Ocean in the early 2010s against Somali pirates.
Consider what details the Home Office has given so far of the proposed Duty. A site may have to train staff; draw up a ‘risk assessment and security plan’; and add, or check that it has, ‘physical security features’. Now for any security consultant to be competent in all those specialisms is quite rare. They are going to charge hundreds of pounds per hour for their services, that a theatre or place of worship (let’s say) will not be able to afford easily. Even if they can, those consultants will be in demand. Just as the start of the SIA regime implied that far more trainers were required, at least in the first years, to get everyone trained, so there may well have to be newcomers, to meet the demand for Protect Duty training, risk assessment and site surveys.
How to tell apart the newly expert, or the merely competent, from the ignorant and outright charlatan? Let’s take the SIA badging as a comparison. You test a person has a body of knowledge, in some exam. Though the SIA has only just brought in a requirement for top-up training (against some industry resistance), given the changing nature of the terrorist threat, you would hope the ‘competent person’ would keep abreast of threats, topping up knowledge (just as you would hope your doctor keeps up to date with new diseases and treatments).
Having a certificate to say you have passed an exam is not the same as competence. I may take the five-day SIA contract security course and apply for an SIA licence, on passing the criminal record check (there’s a further aspect of competency, some sort of character check). If I got a job in a shopping centre, I might have the customer service skills to point someone towards the toilets, but would I be able to handle firmly yet compassionately an aggressive beggar at the entrance? No.
Twenty years into the SIA regime, and still people who encounter contract guarding are incredulous to find people with SIA badges who cannot speak English. The equation of ability and competency depends on task. Someone with only broken English may be able to work in an office block at night where the only others around are cleaners, maybe speaking only broken English themselves. But for someone whose English is not their first language to have to handle a fire alarm activation at midday, speaking to evacuating workers and arriving firefighters? That could be dangerous.
It’ll be no good relying on what the state provides, in this physical security as in cyber. Police CTSAs (counter terror security advisers) are over-worked like everyone else in the police and public service and (working on a risk basis themselves) are going to concentrate on the largest, most iconic and consequential sites. In cyber, if you’re Royal Mail or a power station, you may well get NCSC (National Cyber Security Centre) attention if you suffer a ransomware attack. You’re a theatre in Cheshire, a factory in Wrexham? You can’t even get the police to pick up the phone when you call 101!?
How then to define a large enough body of people to deliver the Protect Duty, competently, to client sites? You do not have to trace the answer far to see how a whole structure around the ‘skills agenda’ needs constructing, that the security industry with the SIA is, gradually, building for itself. Does competency depend on experience? Are former police officers competent in this field? If they worked in counter-terror, absolutely; if they were in traffic, not so. Which qualifications if any will stamp you as competent? A security and risk management master’s degree, or a specialist counter-terror diploma? Even such a diploma may not make you competent, if the curriculum is purely academic and tells you why terrorists carry out terror, and does not equip you to survey a site.
As with financial advice, will the ‘competent person’ have to be independent? If you hire an adviser, who does surveys and every time he says that your site requires a ring of BOG bollards, and the adviser is on commission from BOG Inc, you’ve simply hired a salesman.
The Private Security Industry Act 2001 that led to the SIA did name security consultants (and private investigators, PIs) among the ‘licensable’ sectors. However, the SIA had quite enough on its plate with those occupations it did licence, and long ago the possibility of the SIA badging consultants got forgotten. PIs did become more likely to get licensed after the Leveson Inquiry and Theresa May as Home Secretary did go so far as to announce in 2013 that the SIA would do it. Nothing has come of that because defining a private investigator, and separating it from a family historian for hire, vetting and screening, and journalism, was too difficult. Likewise defining a security consultant has been on a shelf at the Home Office (pictured) filed under ‘too difficult’ for 20 years, and it is now hatching.
