The world is a more dangerous place, our IT systems are increasingly vulnerable to crime and our world is ever more dependent on technology to function properly. Surely the time is now here for every business to make sure that their security and resilience specialists are qualified.
If the medical profession has a key role in the health of our society and people, do the security and resilience professions have a key role to take care of the health of a business and its customers?
Would you be happy to pay for a surgeon’s advice on your serious health problem if they were not qualified? And not just for health diagnosis, I also want all the doctors and nurses who provide me with care to be qualified too.
Actually, I’m not sure I would accept an unqualified doctor’s advice even if it was free, unless the advice came from my mother who says she knows best!!
So why is it still common for a business to take security and resilience advice from people who are not qualified? Surely the health of a business and the protection of customer’s asset are key to the health of that business and yet most security and resilience specialists are not adequately qualified.
I know of many global companies who rightly place being secure and resilient as a key element of their brand. And, even after experiencing security problems, including customer data theft and poor performance, the companies continue to claim they are working hard to improve, but, at the same time, continued to recruit their security and resilience managers and “experts” from existing employees, none of whom are likely to have a suitable qualification.
This situation is worrying for a number of reasons:
- It would seem that many businesses have no respect for the skills and professional standing of a security or resilience specialist.
- That even high profile Brands would be prepared to trust their security and resilience to unskilled and unqualified employees. Probably they do the same with risk managers too.
- That such a situation is not known to the shareholders and customers.
- That the Regulations and international standards don’t require evidence of qualifications.
It seems odd to me that the world of security and resilience is increasingly regulated, and demanding of licenses and standards, but those involved in providing the security and resilience risk mitigation solutions can still be unqualified.
But some things are changing, because of litigation. Rightly so, in my opinion, those adversely affected by a business security or resilience failure are seeking accountability and compensation for the pain and damage caused.
Terrorist attacks in recent years are an example of where subsequent inquiries take a hard look at the processes to reduce risk and in many countries, their financial institutions are held accountable when customers and shareholders are adversely affected by fraud and other process failures.
We now see thorough and public enquiries into business failures and we see those held responsible being held to account and punished. This type of accountability can only increase in the years ahead. This will also affect those who give advice or propose risk solutions, on behalf of the business, who could be held liable too. Two simple examples of high security risks might be:
- The duty of care to employees contracted to work in or travel through areas of high risk of kidnap or violence. Will the risk assessment and risk mitigation be conducted by a qualified specialist?
- The global network of cloud services, where the business may not know exactly where all the customers data is used or stored. Will a qualified security and resilience specialist have knowledge or input to the risk assessment and risk mitigation plans?
Sadly, it is more likely that the security and resilience specialists are well meaning, hardworking and maybe even experienced, but not qualified. It is also hard to determine what a suitable qualification should be.
There are many specialists who join the security and resilience industry after careers within the military or police services. This is typical throughout the world.
But does a distinguished and honourable career as a soldier qualify that person to advice on business risk mitigation? Is it likely that the former police officer will speak and understand the language of a modern business? Probably not, so their access and credibility within the ‘C’ suit of business leaders will be hard to achieve.
Of even greater concern is the likelihood that the unqualified could propose and implement the wrong risk mitigation solutions. It is also hard to accept that such amateurs would be able to develop modern effective and efficient options.
So what can be done?
First is to get national and international regulations and standards to require security and resilience specialists to be qualified and experienced to a suitable level.
Second, for every business to ensure their security and risk specialists are qualified and capable to meet the needs of the business.
Third, to appeal to all those security and resilience specialist to look closely at their careers and take steps as soon as possible to achieve a meaningful level of qualification.
Fourth, for litigators and insurers to look at the qualifications of those advising a business on security and resilience issues when something has gone wrong, or preferably for insurance premiums to be reduced for those companies that only employ those who are qualified.
We at Resilience Guard GmbH have been investing and delivering quality training to the security and resilience industry for many years now. We deliver a variety of bespoke and recognised classroom based training courses and we have contributed to a partner company that delivers elearning courses worldwide for security and resilience specialists. The iSMTA.com specialises in security and resilience courses for all those who are looking for high quality and industry accredited courses for security and resilience specialists who don’t have the time for classroom training. Resilience Guard was responsible for writing the iSMTA Diploma level Business Continuity Management long course.
All these modern elearning courses aim to help those students who are busy and want to learn at times that suit their lifestyle. Using elearning is perfect for a national or international business’s to get their security and resilience specialists to a high standard in a consistent way wherever they are located and without travel costs or taking time away from the office.
But the main point is this – it does not matter if the specialist is educated in a classroom or their home by online elearning, the specialist just needs to gain suitable qualification to be that specialist.