Dear Security Professional,
You are the security industry’s 21st century customer.
Yet, for nearly three decades I have heard security executives and managers talk about improving “the security industry” they work in. I have also heard personnel from security industry manufacturers refer to themselves as “security professionals”.
When I first began writing and speaking about this a little over a decade ago, I said that both of those uses of the terms (profession and industry) are incorrect, and are detrimental to the security industry and to the security profession.
The terms “security industry” and “security profession” have been used loosely and very often interchangeably. But they shouldn’t be. They have distinctly different meanings.
The term “industry” is commonly defined as “the production of goods or services within an economy”. An organization’s security director is not engaged in production of goods or services for general sale. So I published the following definitions in 2004.
The security industry is composed of manufacturers and service providers, whose purpose is to provide products and services that help an organization’s security stakeholders accomplish the job of protecting the assets in their charge.
The security profession consists of security executives, managers, supervisors and their staff—the people within the organization who are charged with the protection of assets against security risks. That responsibility is delegated to security professionals by the owners and senior executives of the business. The job of security professionals is to reduce security risks to acceptable levels at an acceptable cost. Members of the security profession are referred to both as security professionals and security practitioners.
Here is the reason the above clarifications are important:
The security industry exists to serve the security profession.
Back in 2004 most security practitioners would strongly agree that, within their own organization, the status of their position as a security manager or director was “somewhere between cleaners and facilities maintenance”.
I always heard this said somewhat jokingly, but no one ever laughed about it. A second somewhat joking comment usually followed, “At least we don’t have any high expectations to live up to!”
However, when I heard that said it was intended to be a positive statement, an encouragement for security practitioners to be braver about getting outside of the traditional security silo, aligning security more with the business and making proactive security program improvements, because the impact of misstep would be minimal.
I understood why ASIS International and security practitioners have had to work so hard to gain credibility for their vitally needed roles, and how historically relevant those joking comments were. Today, it’s not the same situation that it was 15 or 20 years ago, although things are still not how they should be.
I brought up this history, and the status issue, to provide some context for what I say next. Surprisingly to me, many security people told me I was wrong to use the term “security professional”, because an occupation couldn’t be classified as a profession unless there were college level curricula and degrees to go with them, and so until you could get a degree in “security”, I was wrong to call it a profession.
About 10 years ago, the degree most commonly found among security people was a criminal justice degree, although I can’t say how common it was for security directors to have such a degree. I found it to be the degree mostly commonly held by former law enforcement officers, who had retired and become security directors.
You may have noticed that I have been saying “security director” and “security manager” but not CSO (Chief Security Officer), as that title was not in popular use yet.
ASIS has been working since 1977 to establish professional standards for security practice, starting with the Certified Protection Professional (CPP) designation. Yet the title that showed up in my web browser tab when I visited the ASIS Certification page was “Security Industry Board Certifications”. They are still saying “security industry”. However, the word “professional” is all throughout the ASIS website. And I don’t know that I can fault ASIS for using the term “industry” when it is so commonly used by its own membership.
However, there are two other security industry associations, which do fit the definition of “security industry” that I provided at the start of this article:
- Security Industry Association (SIA) – the world’s leading association for security solutions – whose members are primarily manufacturers
- Electronic Security Association (ESA) — the largest professional trade association in the United States with the purpose of representing, promoting and enhancing the growth and professional development of the electronic life safety, security, and integrated systems industry – whose members are security system integrators
It’s Time to Make a Distinction
We no longer have any excuses to continue to muddy the waters around the security profession and the security industry. Today, in 2016, there are many colleges and universities offering degrees in security disciplines. So that excuse (a lack of college level educational curricula) fails. Now that the Chief Security Officer title is commonplace, and security is a board level concern for most organizations, the “we have no status” claim doesn’t really work anymore either.
According to patterns in other industries, it should be the role of the security industry (manufacturers, systems integrators, security engineers, security consultants, industry media companies, etc.) to identify the needs of their security profession customers and find ways to effectively fulfill them.
Every few years, in security conference venues, I perform an informal survey for which these two terms are not defined beforehand. Each time, many members of the security industry professed to considering themselves members of the security profession, and vice versa. This is a situation peculiar to the security industry.
In the medical profession, manufacturers and technology consultants don’t consider themselves medical practitioners or medical professionals. They don’t practice medicine. They practice manufacturing, quality assurance, distribution, sales, product training, and so on. They are not healthcare professionals. They are manufacturing or engineering or sales or training professionals. They don’t have any confusion between who’s in the industry and who’s in the profession.
Why This is a Problem
This is the reason why I wrote this letter to you, the security practitioner, who is the security industry’s customer.
It contributes to the neglect of customers’ needs to have the customers (the security profession) lumped together in the same group as the manufacturers and service providers (the security industry). The blurring of the two helps to keep their relative roles indistinct, and works to keep the minds of security industry personnel from achieving the clarity they should have about their customers’ needs.
This situation tends to strengthen the focus on security products and services and weaken the focus on the things that determine the scope of risk management and drive the security practitioner’s efforts to strengthen the organization against security risks.
This blurring of roles (“we are all in this industry together”) is a significant contributing factor to the low expectations that security practitioners have for security technology solutions. I know of many dozens of incidents where there was some failure of a security technology deployment to do its job, and the security director got called into a senior management meeting because that failure was going to cost the company dearly in both money and reputation, as well as employee morale. The most common culprit was missing video, but there have been access control and alarm failures as well.
What medical professional would tolerate a failure of medical equipment that put a patient’s health at risk? Yet in 30 years of performing facility security assessments, I have never come across a facility that didn’t have at least one camera not functioning or not recording when it was supposed to. And the reaction from the facility security people is pretty ho-hum. “We called the installer. They will be out here tomorrow.” When I ask how often this happens, the typical response is, “We stay on top of it. Our midnight shift officers check all the cameras out every night.” And it’s common that, every so often, investigations collide with missing video recordings.
We would not tolerate that level of performance in our personal automobiles, yet we tolerate it with security technology that costs many more times what a car costs.
Why? We put up with it because we are used to it. We expect pretty much all brand name security technology to be about the same.
Based upon their experience, security practitioners set their expectations for security technology low. While there are historical reasons for that, they don’t apply any more.
Aren’t We in the 21st Century Now?
What I have been describing to you is “security in the 20th century”. Advancements in information technology started rapidly accelerating in the late 1990s, and now we have powerful high-tech equipment everywhere, including in our purses and pockets.
Our general expectations for technology progress are very high, and guess what? Pretty soon we’ll have a much lower tolerance of security technology lagging behind other industries.
And that’s the whole point of this letter. You, the security practitioner, have a critically important job to do. Look at all the technology help that medical professionals get. Why don’t you deserve technology that you don’t have to babysit? The fact is that you have deserved it for a long time. And no there is no real reason now why you shouldn’t start getting some real 21st century technology.
You Are the Customer, Right?
You are the security industry’s 21st century customer. Yes, I know that you feel loyal to the manufacturers and service providers who have brought you the technologies that you are depending on right now. I am not saying you should abandon them. I’m saying that you should strongly encourage them to up their game, and get with the 21st century. It would be better for them and better for you. (Oops—did I actually describe a win/win situation?)
Just so you know, I recently wrote a security industry analysis report for the industry’s manufacturers, and told them that they need to up their game big time, and do it now. Where are the great technology advancements like what we are what we’re seeing in other industries? In the report, I talked about the auto industry, and I asked: Where is the security industry’s self-driving car?
You can get a good idea of what I wrote to them by downloading the industry report’s free preview pages. I am sure that you will be surprised with what I wrote about you on page 39 of the report (it’s included in the preview pages). In fact, I even named the report after you.