Depth & Breadth of Knowledge/ Understanding: Variance within Security, Risk & Management

Knowledge and understanding are constant assumptions across management but remain routinely unevaluated within security and risk management.

That is, to what degree and specialisation can individuals demonstrate, specific to their vocation and role within security and risk management?

Superficial knowledge results in broad understandings but with little relevant depth.

In other words, introduction to any subject provides for the most rudimentary levels of understanding of the real world complexities and issues of the subject.

Language serves as a good comparison. A short course in language offers the basics of communications and sufficient skill to 'survive' within a foreign or new environment. One may even appear an 'expert' to others that have little to no comparable language skill at that time. Expert becomes hyper contextual and may never be truly comparable or verified.

This is the realm of most certifications, standards and associations.

The next level requires objective standards of education and qualifications. National and international educational institutions are required for validation, delivery and assurance at this level. In other words, lessons, classes, assessments and assignments specific to the topic are required. The same applies for security and risk management.

This is routinely where the bulk of security and risk management practitioners and professionals stop or cluster. That is, diploma level remains one of the highest objective and verifiable standards for security and risk management within industry and practitioner cohort. The classification can be considered slightly broader and slightly deeper than that of the new and inexperienced entrants to the vocation.

However, 'book-learning' isn't the pinnacle of experience and qualifications. Application, experience, trial/error remain essential elements... not to mention time.

Pure academic routinely produces significant depth without expanse. In other words, the world and views are informed by curated findings, education and tutorial perspectives. It has yet to be applied in the real world under real world conditions with both enabling and obstructionist human actors.

This is the realm of bachelor degrees, MBA's and generalist vocational undertakings with occasional security and/or risk topics.

Extensive (comprehensive) knowledge and significant depth serves as a temporary waypoint for expertise. In other words, science evolves, knowledge is reformed and skills decay. What was extensive and relevant varies from year to year, sometimes sooner. Therefore currency and continued learning is required to not only achieve but also maintain this level.

This is the realm of verifiable expertise, professionals and specialists. That is, is security and risk management specific. Moreover, it is demonstrable with specific examples and experience of application. This part remains contentious though as many individuals and organisations routinely assert experience, including showcase clients and projects, yet upon professional critique they remain rudimentary (despite seemingly complex and comprehensive work product) contributions or views on security and risk management.

In sum, security and risk management knowledge can be objectively evaluated for both depth and breadth, but they are not the same thing. Moreover, the knowledge and education should be validated by specialist and approved educational institutions, not clubs, associations and affiliations. Furthermore, it should be hyper specific to security and/or risk management, not generalist narratives and occasional text or inclusions. Finally, and most importantly, knowledge and qualifications should be applied in the real-world, not just a classroom or online. As a result, simple scales routinely produce scary results, in addition to cutting through self-authored expertise, job titles, random certifications and many other increasingly unsubstantiated claims of expertise and experience. Courts, scandals and failures are often the last to apply this calculus but the findings remain alarmingly consistent.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk & Management Sciences