Security (and Risk Management) Have a Problem: That of Education, Qualifications and Industry Density/Distribution
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Security (and Risk Management) have a problem. Not just the growing complexity, capability and persistence of threats, hazards, dangers, perils and bad actors (criminals, insider threats, opportunists, issue-motivated groups, adversaries, etc.), but also the inconsistency of qualification(s) and the skewed distribution of who actually holds them (a power-law distribution curve, with a fat tail and high kurtosis) across disciplines, industries and skill sets.
That is, both security and risk lack a universal, consistent definition.
They could mean anything and everything; therefore anyone can work in 'security' or 'risk' if the terms are vague enough, the field is unregulated, or entry is accepted purely on the basis of stories, titles and past 'deeds'.
Furthermore, the education, knowledge and qualifications that feed into both security and risk are scattered, unstructured and tainted/confused by a growing cohort of 'certifications', accreditations, post-nominals and other 'participation rewards'. These range from an online form and a few hours of instruction, through structured national education programmes and university degrees, to advanced (Masters/Doctoral) programmes.
This is particularly evident in 'cybersecurity', where some offerings label individuals as 'experts', 'professionals' or 'qualified' in a matter of hours, days or weeks.
This contrasts with the years required to understand and apply not only past knowledge and research but also the constantly changing, adapting and emergent technology, threats and techniques.
This dilution of knowledge, skills, expertise and education has precipitated and contributed to a 'perfect storm' across security management and risk management.
In other words, the majority of the security and risk management profession, industry, practitioners and those in dedicated roles have little more than a generalist qualification, certification or short-course education.
Many are repurposed from other disciplines or very broad generalists.
The "Bulk" of the Security Industry
The Fat Tail Distribution (Taleb, 2007) Hypothesis
Standards only further conflate, obfuscate and attenuate the issues.
As a result, this 'open system' is experiencing fragility, failure and chaos, globally.
"Complex adaptive systems often tend to evolve towards a critical state - the slope of the sandpile increases until it approaches chaos"
(Orrell, 2017)
What do security management or risk management qualifications, and the volume of people holding them, look like in your organisation, region or country?
"...when there are a lot of people willing and able to do a job, that job doesn't usually pay well"
(Levitt and Dubner, 2006)
Risk, Security, Safety & Resilience, like many professions, require objective, verifiable measures of experience, qualifications and skill.
That is, courts, insurance policies, government/commercial tenders, prospective employers, professional groups, peers and education institutions require proof of specific education, knowledge and competency.
However, for the most part, both risk and security suffer from a dearth of demonstrable evidence in terms of objective qualifications, education and training.
As a result, this 'culture' of unverified, un-credentialed practitioners, and of industry norms prevailing over substantive qualifications, continues to erode efficacy and resilience.
"Many of the industry's problems (lack of regulation, poor training, corruption) continue to exist in a number of states, and looking at these problems historically should give us guidance for the future"
(George and Kimber, 2014)
Therefore, the 'cost' of cheap may well be a significant contributor to 'security decay' and fragility.
"There is no difference other than in accounting conventions between a cost and a loss."
(Bernstein, 1996)
Collectively, the lack of rigour, qualifications, research and evidence-based learning contributes to arbitrary beliefs, controls, ideology and elegant maths that have little relevance or value to real-world complexity, communities or informed resourcefulness.
The growing list of acronyms, abbreviations, buzzwords and catchphrases compounds these vulnerabilities.
In sum, security and risk management are established professions informed by a considerable, if provisional, body of research, knowledge, experience and educational practice. It is not a short-course solution (less than 100 hours).
It is not a second or third career, unless substantiated by nationally and internationally recognised and verified qualifications drawn from a transparent and qualitative body of knowledge. However, these omissions remain the norm, not the exception to the rule.
The profession and qualification is not supplanted by 'celebrity status' or ill-informed, enthusiastic followers. It is time countries, cohorts, organisations, recruiters and hirers understand the difference and deficit. Because the bill may well have come due.
In short, like all commensurate professionals and worthy vocational and educational pursuits, it takes time, persistence and objective verification.
These realities apply equally to security management, risk management and security risk management. Notwithstanding that qualification(s) alone don't replace practical, tacit and implicit (codified) knowledge and experience. Both are needed. Too few have both. Time to invest and correct this vulnerability.
Security, Risk, Resilience, Safety & Management Sciences
References:
Bernstein, P. (1996) Against the Gods: The Remarkable Story of Risk, Wiley & Sons, p. 276.
George, B. and Kimber, S. (2014) 'The history of private security and its impact on the modern security sector', in Gill, M. (ed.) The Handbook of Security, 2nd edn, Palgrave Macmillan, p. 37.
Levitt, S. and Dubner, S. (2006) Freakonomics, New York: HarperCollins, p. 95.
Marshall, P. (2013) 80/20 Sales and Marketing, Entrepreneur Media, p. 41.
Orrell, D. (2017) Economyths: 11 Ways Economics Gets It Wrong, Icon Books, p. 215.
Rachev, S., Menn, C. and Fabozzi, F. (2005) Fat-Tailed and Skewed Asset Return Distributions: Implications for Risk Management, Portfolio Selection, and Option Pricing, Wiley & Sons, p. 41.
Taleb, N. (2007) The Black Swan, Random House and Penguin, p. 219.
Tetlock, P. and Gardner, D. (2015) Superforecasting: The Art and Science of Prediction, London: Random House, pp. 241-246.
Cyber Security Advisor | CISO as a service | Available for Consultancy | Cyber Risk Quantification | Security Strategy | GRC | Physical Security | BCM | Resilience | Carnegie Mellon CISO Certificate | CRISC | CBCI | CSMP
2 years ago
100% agree. The challenge, and one very important task, is therefore to align the risk taxonomy from various disciplines within one organisation at least. In terms of people qualifications, there is a lot out there, but anybody with an understanding of the depth and quality of the certifications and courses (most information can be googled) should be able to see through it all. At last, when speaking to / interviewing people, quality and experience can be identified.