No one knows an organisation’s unique risks better than its front-line staff. We always say front-line security personnel know the ‘real’ risks, which is why we advise clients to include them in the threat and risk discussions.
The best managers recognise this and work to engage the team in enhancing security beyond the basic procedures.
Consultant-speak for this is security culture. Vague words, but a very practical, real thing: a better description would perhaps be “the way we do things round here”. If the staff engagement is done properly, it enriches the security picture with their insights but, possibly more important, it energises the enthusiastic collaboration of these subject matter experts by giving recognition to their value. It’s a win-win solution.
In the security world, one of the best catalysts we have found to facilitate staff engagement and CPD is the SeMS Framework. Although it was originally created for aviation, you will be able to see how it actually applies to all industries. It’s easy to read, stimulates thinking and prompts personal development as well as security enhancement. Organisations we have worked with have found the SeMS does all this and embeds security into the fabric of the organisation. This is what a positive security culture means, and it’s the cornerstone of the Security Management System. SeMS has become a bit of a buzzword, but in reality it is just good management practice. For example, engaging the front line as we have just described is good for culture and for threat and risk, but it also makes best use of resources, something that every manager is charged with doing but does not always achieve (not that we are suggesting you judge your current manager).
But what have SeMS and security culture got to do with CPD?
Too many people confuse CPD with formal education. The problem with the vast majority of education is that it aims to fill you with knowledge, whereas experience fills you with understanding. True CPD harnesses and develops understanding by building on past experience and what Albert Einstein called Thought Experiments – working things out for himself.
We would encourage all front-line security professionals to read the SeMS framework and ask themselves “What does this mean for me? What can I bring to my organisation?”. Imagine the number of CPD points this would be worth!
We’ve already covered one of the ten chapters, Threat and risk management, so let’s look at a couple of others.
The chapter on Continuous improvement talks about pro-active evaluation of the whole security operation. This is not a dreaded Organisation Development project (we all know what those do to headcount), this is more akin to Quality Circles where all staff are empowered not just to make a suggestion but to test it out, and if it works put it into operation. The purpose is to challenge “we’ve always done it that way”, which may not have been right in the first place and anyway is very likely to have decayed because the business and environment are constantly changing. An easy CPD win here would be to look up Quality Circle on the internet and see if it could be adapted for your organisation.
Chapter 9 of the Framework covers Culture and education. Most organisations think of education as a training programme to be delivered to the staff. Our view is that telling people is less effective than enabling them to learn for themselves, and our approach is to suggest all the topics in Chapter 9 as items for personal research. For example: Does the organisation have clear security objectives? Are my responsibilities stated clearly? Are all the procedures up to date, accessible in all the right places and clear to follow? Do I know how I could contribute positively to the organisation’s security culture?
All the other chapters have CPD angles too, which we’ll leave for you to explore (all the best maths textbooks leave you hanging like that, with words like “this is left as an exercise for the reader”).
We are sure that after you have absorbed the SeMS Framework, you will be keen and able to research other sources in areas like risk management, communication and corporate engagement, resourcing and budgeting. One of our favourites is Doughnut Economics, which has nothing to do with security, or for that matter doughnuts, but taught us a lot about managing resources and making a holistic business case for security investment. The key message from Doughnut Economics is that you can have too much of a good thing. Over-zealous security may not increase the actual level of protection, and could well cost more, constrain the business operation and/or drive away customers. Business cases are all about getting the balance right.
You will probably have noticed we think CPD should not be thought of as a rigid, formal process. We run client workshops designed to help people develop their SeMS for themselves by giving them the understanding as well as the knowledge, but not ready-made solutions. They learn by doing. We start out more expert than them, because we’ve done it before, but they catch up very quickly and when they overtake us (which happens more often than you might think) we find we gain our own CPD – new insights and learnings from the discussions and thought processes of the delegates. Discussions like this, which anyone could organise, are important sources of CPD that cannot be found in textbooks.
Finally, do you remember Teach Yourself books? Teach Yourself Security Management has been published – that’s what the SeMS framework is. Get your free copy today, and if you think your manager could do with a copy, tell him/her it’s the equivalent of Security Management For Dummies.
CAP1223 SeMS Framework from the UK Civil Aviation Authority http://publicapps.caa.co.uk/modalapplication.aspx?appid=11&mode=detail&id=6543
Doughnut Economics by Kate Raworth available from good bookstores or Amazon
John Wood – Director, 3DAssurance
John was responsible at the UK CAA for developing the SeMS framework, working with and guiding many industry stakeholders. Experienced in design and implementation of effective strategic change in public and private sectors, John has been a lead designer of numerous governance, risk and compliance systems.
Andy Blackwell – Director, 3DAssurance
Andy is widely acknowledged as a SeMS and aviation security expert. As Head of Security at Virgin Atlantic, he was the first to implement the SeMS Framework. Now a leading SeMS exponent, Andy has authored numerous articles on SeMS and security, and speaks regularly at international security events.