I would love to say that I had a master plan, but I did not. However, that does not mean that you should not!
To answer the question of: how did I end up at a security industry-focused software company, let’s hit a few milestones and you will quickly see that it was definitely not a linear journey. Needless to say there were a few stops along the way. Some of the stops were more enriching than others, others more painful, but the one commonality is that all were eye-opening and opportunities to learn – about business, and specifically, the business of security and providing security. Today I realise that many of these are able to be shared examples of how security business could run smarter and deliver more.
Writer’s caveat: in no way am I trying to say -nor should this piece be read- as though my journey is anything special. It simply is that: my journey and a way to share some learnings along the way.
(………….Just to make things clear, although his modesty prevents elaboration, Mark is one of the most highly respected security industry professionals in the world. An IFSEC Global influencer in security industry thought leadership; leading light in ASIS; Fellow of the UK Security Institute; major player in one of the most rapidly growing security tech companies in the world; educator and……. he’s very tall……………………….Ed.)
I started with the Canadian division of a multinational security service provider, something which was definitely not the norm at the time for someone like me. I say “not the norm” because 20+ years ago there were not many business school graduates joining security service businesses: the vast majority of my peers were off to big four firms, big banks, and other traditional sectors.
Security as a business service was my introduction to the industry, and instantly I was able to recognise that it was so much more than “just” a staffing business. Unfortunately, some people still look at the business as a volume business – hours per week, getting people to sites, and billing for time. Through the unique lens of volume, it is often tough to measure security success when someone says, “what has security done for us lately”? This is very true considering that security is both tangible and intangible at the same time. Over the years I have found that security is a best-practices based industry. Of course there are some that do just enough to avoid being sued, but there are also real forward-thinkers that take best-practices, evolve them, and challenge the status quo.
After years on the security side (the dark side?) I had the opportunity to start my own security management consulting business (okay, consulting is actually the dark side – kidding). The effect of taking this step meant that I was forced to look beyond just the angle of the mitigating measure that is uniformed presence. A key takeaway from this experience was that clients all have very different opinions of what “security’s” definition is.
The set of lenses that I started using when on a corporate security team was eye opening. I had a unique role on the team but the learnings of working with the other teams really helped me shape my opinion of the value of security services today.
One of the major openers for me has been when it was recommended to me that I should become involved in the industry. When I started doing this with ASIS International my goal was selfish, namely: what can I learn and who can teach it to me?- of course, with the desire to get better at the business that I had chosen. I was quickly steered towards certification. As soon as I could, I obtained my CPP qualification. In my opinion, this is a must have credential for any security professional.
Once certified, I could partner my business training, my few years of experience, and my security knowledge. Arguably, the biggest benefit of obtaining my CPP, was that it gave me the credibility, or at the very least, enough ground to interact with the existing security network. The pros in the industry respected the fact that I had a base of knowledge. We see it more so today, job postings ask for the certification by name as do consulting mandate specifications.
As time went on, involvement became a way to give back to the industry that has taught me many life lessons and contributed to the extremely valuable network that I have today. Cultivating a network, coupled with having an opinion drives what I consider to be an important part of security thought-leadership, and more importantly, fundamental leadership in short.
The CPP was the one for me at the time, and I must admit that I am not done, as there are other certifications that I strive to attain. What’s vital is to determine which is the right one for you. ASIS International has four:
CPP: The security management certification
PSP: Physical security management professionals must have
PCI: A highly valued investigator credential (also look at the CFE by the ACFE)
APP: Newer to the industry? This is where to start. (Mike Hurst talks about this elsewhere in this issue of TPSO, and introduces the experiences of several that have studied and achieved this qualification………….Ed.)
How do you navigate among all of these options? The answer is to do your research! There are many other associations out there with other certification offerings. Inform yourself properly, and be critical about which one is best-suited for you. Maybe it’s risk management, or perhaps in information security (CISSP)?
As I started doing more work in the UK, I needed to learn more about the industry: where and what was similar and different to North America? In doing so, I learned that there were even more associations specific to the UK and to the rest of Europe – the better ones were not always easy to find, but there is a wide variety! A big discovery for me in this regard was the Security Institute in the UK, who have their very own membership categories and certifications.
In fact, the list of security schools, certifications and educational programs is so vast that I could not create a list of all. The point is to do some thorough digging, as most encourage some sort of continuing education (and they should!). When you seek sources to learn – do your homework. Check credentials, acceptability, reputation and overall value.
Today I work for a software company called TrackTik (look me up on LInkedin and Twitter!), and if I do say so myself, I think that I have the coolest job in the company.
I get to work with every single one of the staff of 140. They are all specialised in something different and have different backgrounds. That means that I get to continue learning all the while sharing the insight that I continue to gain and glean from interacting with a pretty awesome industry.
It can be challenging too because of the lenses that we put on. We’re ambitious and have an ample vision, and it is not always easy (in fact, it’s quite frustrating at times) to pick a single initiative to focus on in such a vibrant, and ever-changing industry!
It is particularly challenging because we are in the unique position of helping security companies and departments offer better services to their clients. We get to help them define better, which in many cases means smarter. Security companies and teams that can deliver more insight to their clients and have more insight on their businesses, are by default better. The insight can be security specific, but also much broader- involving business insight that help us navigate the much wider realities and factors, whether they be political, economic, social, legal, environmental or technological.
It has been told to me over and over again, “vendors are key to security improvement as they drive innovation”. I am not enamoured with the term “vendors” as it implies a one-way relationship. I would say that we get to be innovators and that the benefits are reciprocal. We learn from our clients the real-world issues that they are faced with and help them solve those.
Where the vendor label bothers me the most is when it comes to securing speaking opportunities. I am occasionally told that we love your topic or your abstract, but you need to partner with an end-user to get on the agenda. The fear is that the presentation will be a corporate sales pitch . Trust me it won’t. This is tough for me to accept because what we are “selling” is innovation and to get that message across mindsets need to change way before the time comes to choose a software company!
Not only do I consider myself to be fortunate to work where I do, and do the things that I do, but the appreciation is magnified because of our focus on the mission of building better software so that our clients can run smarter businesses. Contributing to the evolution of security services has been a career long focus of mine.
So, if you deliver security services or manage a security team have a long, hard look at what your frontline team does and what other value it can bring! Understand the options that are out there that will help you grow yourself and your career in this best-practice based industry, and particularly where you can make a difference!
Find your lenses and guide your career!
Mark Folmer, CPP, MSyI – TrackTik
Mark was named to the prestigious IFSEC Global influencers list in 2018 & 2019 for “Security Thought Leadership”. An highly active international security figure and member of ASIS and a Fellow of the UK Security Institute. A world renown data-driven Operations & Security leadership expert, he is based in Canada and is the Vice President, Security, for TrackTiK, a cutting edge tech company. Mark is also a lecturer and commentator on global security issues.