What education standards are required for security “practitioners”, managers, “consultants” and “professionals”?

The question of education is a common consideration within the security industry but rarely defined and qualified. 

Evidence of this can be seen daily in the hiring, appointment, tasking and promotion of “security” individuals. 

A note for readers: anything contained within quotation marks here is an emphasis that the term is highly subjective and therefore used arbitrarily, incorrectly or inconsistently. 

That in itself raises concerns and compounds the inconsistencies in this area. 

Firstly, let’s consider a framework of education requirements and how they are best allocated. 

I will use a universally applicable and accepted framework for international education standards, as outlined in the Australian Quality Framework. 

This broadly consists of certificate-level, diploma, bachelor degree and advanced degrees. 

Note that I’m excluding “certified” as this again is highly subjective, rarely universal and an extremely cohort, commercial and power-laden value, all to often driven by commercial not academic or educational standards. 

Certificate level encompasses and conveys specific security knowledge and requirements such as facts, technical procedure, compliance and adherence to laws, accepted practices and industry norms, with limited theoretical content. 

A certificate is typical and best suited for those that work within a security management framework, environment, without acting upon or interpreting environments not already evaluated and systemised. 

Diploma level encompasses and conveys specialised security knowledge and skills applicable to a broad range of environments. 

At this level, individuals develop theoretical knowledge within a narrow subject vertical and have started to developed some analytical and problem orientated skills. 

A reminder, there is still limited business or management content and qualifications at this stage.

Bachelor degrees are the layman’s benchmark for “professional” education, skills and knowledge. 

Security graduates at this level are seen as autonomous, prepared in advance and able to consider and communicate specific subject matter knowledge, within the constraints of their experience, seniority and employment circumstances.  

Again, business and commercial acumen is neither assumed nor overly developed.

It is at around this level, organisations, individuals and industry confuse separate, generalist and business specific education such as an MBA with security education and qualifications. 

They are not the same. 

They are not interchangeable, and it is worth emphasising that an MBA without any other supportive or qualitative security-specific education, is not consistent with a mid to senior level “security” “manager, consultant” or “professional”.

Ask any other profession. 

An MBA is no substitute for a medical, engineering, accounting or legal degree. 

Security is no different. 

 Lastly, a Doctoral Degree with the security profession, as with most other professions, encompass and conveys the individual posses systematic and critical understanding of a complex field of learning, in addition to specialised research and contributory profession skills. 

A Doctoral level implies reflection, synthesis, evaluation, adaptation, pioneering, development and expert level judgement and contribution. 

Unless otherwise included or stated, this level may still be exclusive of specific business or commercial education, qualifications and experience. 

For ease and speed of educational comparisons, using ordinal numbers on a linear scale, a certificate level education is a level 1 to 4. 

A diploma is around level 5. 

A Bachelor’s degree is a level 7. 

A Doctoral degree is level 10. 

I don’t advocate a simple numbering system, to sum up, an individuals education, experience and qualifications but it is a useful delineation between levels and more natural to consume for non-technical roles such as HR, executive management and peers. 

Hopefully, this is clearer for those inside and outside of the “security” profession. 

However, as I have noted in other informational sessions, education is just one of the 5 core elements to consider for a holistic, “well-rounded” security professional. 

Lastly, most importantly, and for many most contentiously, is the management of meaning. 

“Security” needs to be specified and refined in this context too. 

Corporate and commercial “security” is not public security. 

Education, qualifications and specialisation are not universal and in many instances, not or limited in its transferability. 

An MBA is a business education qualification. 

Not a technical, scientific or profession-based attainment. 

The debates continue around the management of technical and professional disciplines, without expressed qualifications in said area. 

Conversely, real-world examples abound whereby technical expertise has failed in management and commercial environment. 

Any Military, Policing, National Policy, Intelligence or Terrorism specific education and graduate level are equally bounded by their content, focus, authority and environment. 

They are NOT universal, catchall competencies, qualifiers or standards for corporate and commercial “security”. 

They may even be limiting, unrelated or outright problematic if applied in other contexts. 

Unfortunately, many organisations, professionals and cohorts fail to declare, acknowledge or understand this reality too. 

If you examine the literature, research, analysis and outcomes, this is a growing concern for many and the aetiology of suboptimal results and even failures. 

The end requirement is dictated by the requirement, environment and organisation’s context. 

Education is appropriate for the level of sophistication, variance and environment. 

It is a companion requirement, not a standalone achievement. 

Ensure you understand the variations, interpretations, influences, and required outcomes before you make any broad assumptions or inconsistent comparisons with like-for-like.

Tony Ridley

Enterprise Security Risk Management