What is the one thing that has made the biggest contribution to improving security? By Andy Blackwell and John Wood

Andy Blackwell and John Wood have been delivering practical and strategic SeMS (Security Management System) solutions for the past five years.

Here they discuss “the biggest contribution to improving security” – the prize offered by every new security fad.

I’ve been working in the sector, in various guises, for more years than I care to remember, and one question I get regularly asked is: what is the one thing that has made the biggest contribution to improving security? Now fads come and go and I’m sure that many of you raise your eyebrows when your organisations announce their latest grand initiative that will supposedly transform it and place it on a path to wealth and greatness. You’ve been there before, I can tell, and whilst we often get whipped up in the challenge and excitement of a new project, it is often rapidly followed by disappointment as the initiative fails to deliver. I’ve seen many of these ‘fads’ come and go, with varying degrees of success and often leaving me and my colleagues wondering what’s coming next to drain our time and resources. To be perfectly honest, when I was volunteered to be a SeMS pioneer, the ‘fad’ word did enter my mind. I was in a demanding operational role, with a small support team and had an ominous feeling that SeMS was just another task to add to my ever-growing list of things to do. That said, I was intrigued by the concept and knew we needed to do things differently on the security front, which tended to be pro-active and at times chaotic, due to the dynamic nature of the threat landscape the industry was facing.

My initial fears were quickly allayed when I first met John, who at the time was the CAA’s SeMS Project Lead. Far from it being a case of having to reinvent the wheel, John and his team encouraged us to, wherever possible, make use of our existing processes and systems. It was more about harmonising and fine-tuning what we had, rather than creating something new. We had most of the components needed for a robust SeMS, as I’m sure you will have, but needed help with the ‘system’ and understanding how it all fitted together. With each new SeMS workshop session I took part in, I could see that SeMS was making my life easier, not harder as I’d first imagined. Time spent implementing our SeMS invariably delivered equal, if not greater, payback in the form of time saved, efficiencies and peace of mind.

When the CAA embarked on prototyping SeMS, we had a few volunteers but one of them stood out. Andy had been volunteered by his boss, which might have felt to him like a poisoned chalice, but it did mean that he had management commitment to make the SeMS a success – a key success factor for a sustainable SeMS. The commitment may not have been for the purest motives, but it gave the company a head start that others did not have.

The other key success factor they had was Andy. I’ll spare his blushes but he brought four key attributes (others scored one or two out of four on this attribute scale).

First, as soon as he saw the SeMS concept, Andy had the right motives. He could see the benefits to his company and his team.

Second, he put a lot of thought and experience into the design, not only of his own SeMS but of the prototype SeMS Framework. Industry had been invited to SeMS workshops to design the Framework, and we had plenty of mostly well-meaning reviewers and critics, but Andy was one of only a handful of real creators and do-ers.

Thirdly, Andy was open and honest from the outset, and we quickly developed a working relationship where we could and did challenge each other’s ideas robustly.

Finally, Andy was an enthusiastic and effective ambassador, speaking on behalf of SeMS publicly as well as within his organisation.

The result was success for him and success for me. For Andy, the company had a working SeMS very quickly and the corporate knowledge and culture to continue to improve it. Andy will give you any number of examples when even his embryonic SeMS helped him out of a challenging situation.

For me, the SeMS Framework was finalised and published to a lot of industry approval. The project proved that the SeMS concept was not just an elegant theory but was (a) immensely practical in improving security, and (b) was not high-maintenance. Once established, it is self-sustaining just like Finance and other management systems in the company.

So, to answer the original question, SeMS is the one thing that I can hand on heart say has made the single most useful contribution to helping enhance security and deliver assurance. There is nothing complicated about SeMS, other than perhaps its name which tends to cause confusion. In its simplest form, SeMS is an assurance system for security.

If you’re fed up with fads then take a look at the SeMS framework and I’m sure you’ll agree that its simplicity will enable organisations, large and small, to make a difference to their security. Originally developed for aviation, it can be used with ease across all sectors.

The benefits of SeMS are worthy of an article in their own right, but perhaps the easiest way to encapsulate them is to say it’s all about doing things right the first time. In many security critical sectors we won’t always have the luxury of a second chance!

Readers of a certain age will remember the advert “So good I bought the company”.

Well we didn’t do that, but the way we worked together was so effective (at least in our opinion!), we decided to form a company that would keep pushing SeMS forward and 3DAssurance was born.

In Andy’s story you will have seen what’s needed to make SeMS work. No silver bullet, no superpowers, and we really do think an effective SeMS is achievable in any organisation, and that it will make a big, big contribution to improving security.

Of course our aim is to make a profit by doing good work for our clients, but for us it’s not all about the money. SeMS really was our baby and we want it to thrive (no jokes about which of us was the mother please, you’re better than that). We promote SeMS and Risk Management at conferences and we spend a lot of time on our own R&D.

And of course we are often invited to contribute to publications. There are not many that we value and enjoy contributing to, so we are delighted and honoured to have been invited to contribute to the TPSO magazine. Front line security officers are underrated and undervalued, yet they have the vast majority of security experience – real experience – in their organisations. Often that is going to waste, and we see SeMS as the organisation’s opportunity to engage all that capability. If we can mobilise a grass-roots understanding of SeMS, it will benefit the whole company, and eventually the whole industry.

PS a tip for all companies. 3DA has a Rude Protocol at the heart of its culture, based on the way Andy and I first worked together. If one of us thinks the other has got something wrong, we say so immediately. It’s no good being polite for the sake of politeness, or waiting to check all the facts. In a good working relationship, you can say “you’re wrong”, and if it turns out it was you that was wrong, you can just admit it. Much less time wasted, pride not damaged and feelings not hurt. Somebody (probably Ricky Gervais) once said “people choose when to be offended” – we choose not to be offended.

We plan to tell you more about SeMS in later editions. Do let us know if you have questions or if we’re not covering the right topics – or even if you think we are talking rubbish. We won’t be offended.

John Wood & Andy Blackwell

John Wood – Director, 3DAssurance

John was responsible at the UK CAA for developing the SeMS framework, working with and guiding many industry stakeholders. Experienced in design and implementation of effective strategic change in public and private sectors, John has been a lead designer of numerous governance, risk and compliance systems.

Andy BlackwellDirector, 3DAssurance

Andy is widely acknowledged as a SeMS and aviation security expert. As Head of Security at Virgin Atlantic, he was the first to implement the SeMS Framework. Now a leading SeMS exponent, Andy has authored numerous articles on SeMS and security, and speaks regularly at international security events.