Quote of the Week

Today's quote of the week comes from one of my favorite tweeps and fellow security aficionado The Grugq. Pretty much sums it up.

@GoddamGeek no. The meaning of privacy and security are context sensitive and defined by the user. It becomes a semantic debate
— the grugq (@thegrugq) April 7, 2014

The Security Professional's Creed

After my latest post, I started to think about what it means to be a "security professional". I use this title on my personal emails and how I describe my passion to others. I find most people, to include fellow "professionals", are pretty unclear what a "security professional" actually is or should be doing. So I decided to create a creed I think summarizes what we believe, practice, and require as professionals. Let me know what you think.

1. I am a security professional. I will provide protection when requested or required. I will do this to best of my ability and will ensure my fellow professionals, sub-contractors, and employees do the same. I will work within the parameters you give but I will not sacrifice quality and how I ensure you and your assets are adequately protected.
2. I am a security professional. I have an amazing legacy. I come from Pinkerton, the Bow Street Runners, and Robert Peele. Society is safe and secure because men and women like me and my team have stood watch over the things and people others have said needed protection. We have done this dutifully and often with great sacrifice. In my field, there are no long funeral processions when we lose someone "on the job". There's no horse-drawn carriage. If we're "lucky", there's an article in the paper. Yet, here I stand ready, willing, and more than capable to make that sacrifice if need be.
3. I am a security professional. I may not be a gun-toter or a patrolman. I may be the guy working on your firewall or doing your annual risk assessment. I may be the guy in the parking lot you ignore as you hurry to your office while I stand watch in the cold, rain, and insanely hot. I may be the guy walking around your child's school to keep out drug dealers and other criminals. I may be the private investigator you call when your wife is charged with a DUI. I may be the private investigator you call when the police have failed and you need a lead in tracking down a missing child. I may be the 24 year old security officer who takes up someone else's patrol sector for the night and is mercilessly killed because I asked for an ID. I am a security professional.
4. I am a security professional. I am not a guard dog though I may use them on occasion to protect you. I am not your maid or baggage handler though I am happy to work alongside them in protecting you. I am an enabler. I ensure what I need to do doesn't impede on your ability to do what you need to do.  I am not an obstacle nor am I a nuisance. I am a professional.
5. I am a security professional. I have a variety of experiences and I've been educated by a school where the lessons learned are taught in measurements of life or death. Just not anyone can do what I do. It's hard. I'm a security professional.
6. I am a security professional. I take detailed notes, draw sketches, outline terrain features, study the threat inside and out, meet with stakeholders to address risk management, and I know the things you want protected most and where you're most vulnerable. I'm on-time to meetings. I dress professionally. I address you by terms of address you're familiar with and requested. These are big responsibilities I shoulder alone with my team. We are always adapting to your protection needs. Why? Because I'm a security professional.
7. I am security professional. Yet, I make mistakes. I may try my best but there will be a few isolated times where I forget something. While you're upset, I am even more mad that it happened. You see, I'm disciplined. When I'm in the workplace, I don't engage in office gossip. I strive to manage my personal life so it doesn't conflict with my professional life. I ask for help when needed and I seek opportunities to grow. I treat what I do as a profession and not a "job". I am security professional.
8. I am a security professional. I may not be a security "expert". As a matter of fact, I'm uncomfortable with the term. I know most "experts" are only good at one thing - convincing you they're an "expert". I don't have all the answers but I know where to find them. You could very well have a situation that I'm not familiar or equipped to deal with. When this happens, I will transfer the task to someone else who knows better than I and I will "shadow" them until I am. I am a security professional.
9. I am a security professional. I may be a guard, officer, manager, agent, director, or chief, but, at the end of the day, I am a professional. I treat this as a profession and I demand you do as well. I ensure my team and I adhere to the highest standard. Our job demands it. Countless lives depend on me and my team being effective mitigators every day in the event the threat shows up. We are prepared to detect, deter, delay and if needed, destroy the threat. We will do this and more. We are security professionals.

OPINION: Why Your Terrorism Expert Isn't A Security Expert Always

I know some of you already know the answer to this. Just bear with me while I explain it to those who seem confused. First, let's begin with telling you why I'm even bothering. Through various social media accounts I participate on, I have come across folks who seem to believe their education and/or sort-of-relative experience makes them experts in physical security. As I have explained earlier, I am certainly not qualified to call myself an expert but I have a swath of experience and knowledge that allows me to adequately determine someone's expertise in my field. Because of this, I have run across a many of people who the media and others have extolled as subject matter experts on everything from active shooters to in-depth espionage cases. It seems the loftier the person's former or current professional title is the more they seem to call on them to give their commentary. As you might imagine, I have become angry and dismayed by what I have perceived as reckless de facto expertise certifications given to people who are often woefully unqualified. Let me explain:

1. Just because you were Special Forces or even a spy doesn't mean you're an expert on all-things related to security. I LOVE special operations folks. They do stuff other people can't and only dream of doing in the name of God, country, and duty. They are elite and deserve all of the praise and accolades that come from doing awesome work in their field. Let me explain. I'm not taking anything away from people who could kill me from a thousand yards away or who kill bad people in far away lands. However, not every special operations person knows about alarm systems, CCTV, CPTED, security operations, video analytics, or a host of other things I cover here to the level where they are the only people qualified to speak on physical security matters. Some do because their mission may require it. Just like I'm familiar with special operations because I had a job that required some knowledge of them doesn't mean that I'm an "expert" in special operations. This doesn't stop our media and a few Fortune 500 companies from proclaiming some of these folks who "look and sound the part", yet have never worked a single security project, as experts.
2. They have a Ph.D in Middle Eastern Literature and Art and know about every major terrorist attack in the region and have a blog their peers think is top-notch. Coincidentally, they know everything there is about active shooters, CCTV footage, small arms, and small unit tactics. Folks, seriously, after every active shooter event, spy story, or terrorist attack, there's a deluge of these folks through my various social media feeds. These are excellent folks in their field. They've got more education and background in studying terrorism than I could ever dream to have. Many of them are great people who only want to share knowledge. For those who have done that with me, I'm extremely grateful. However, there's another segment of this population who often come across as belittling in their demeanor. I appreciate all opinions. I truly do. I won't even pretend like I know everything (even on things where I may know a bit more than I let on) because I don't. I enjoy discourse and exchange of ideas. What grates on mine and other security professionals' nerves are non-native academic "experts" who come as though your opinions are somewhat flawed because you haven't taken their course or written a paper on it. I'm sorry - I got my experience in the field and learned what little I do know by seeing the world through the lens of a person actually doing the job you allude to know so much about but never did.
3. They've read a bunch of blogs, some books, seen a few DEFCON talks, and follow some guys who pick locks. Sounds legit. That's great. But that doesn't make them an expert. In my opinion, expertise is derived from a multitude of professional experiences and in some cases, academic knowledge on the topic. I appreciate their enthusiasm but they can call me when they've suffered their first physical breach from an armed adversary at a facility the've been entrusted to protect. The world I operate in is much different than those books, articles, DEFCON or TED talks could convey adequately. That doesn't mean their opinion isn't worthy. I wouldn't dream of making that kind of determination. In your dialogue with professionals in this field, don't assume things you've read about physical security related topics are true or accurate. Assume you may not know everything either. If you're a reporter, never assume because a guy wrote a book on terrorism he understands why a 15 year old boy shoots up his school. Take into account not everything that goes boom in America was made because "they hate freedom".
4. Your "security expert/guru/prophet" is a cyber-security dude who does encryption, firewalls, and IDS. That's great. But just like I know basic stuff about that stuff, unless they've worked on or designed physical security systems or apparatus, that doesn't necessarily make them an "expert" either. Chances are they've also never done a bag search, searched a vehicle for IEDs, detained shoplifters, or a host of other events physical security professionals have had to encounter. In the cyber world, they're awesome. This does not mean they understand burglaries, forced entry, active shooters, or property trespassers, though some may.
5. They've been referred to as a "security expert" but their experience is almost invisible. I've seen major corporations shell out some serious money to make guys who "sound smart" about security the "face" of their security initiatives. This is VERY bad. It undermines the strides we've made in this industry to standardize what it means to have expertise in this field, when major companies assign people as their "subject matter experts" when they have minimal experience doing anything in security. If I just touched a hammer yesterday for the first time, would you make me the foreman of the crew building a high-rise today? 
6. Your expert has certifications. I'm not impressed. Actually, that's not entirely true. If your expert has certifications that they earned, I'm impressed. The American Society of Industrial Security, Inc. does an awesome job of certifying people based on merit and performance. This is why their certifications are the best in the industry to have, in my opinion (and a few others). I'm not saying everyone else's certification is bad. Some are really good. I'm thinking of getting a few non-ASIS certifications myself. However, let's not be naive. There are certifications you can buy to make yourself seem more qualified than you are. This is dangerous yet is also HIGHLY ignored in some instance. The best place to witness this disgusting hoax is on LinkedIn. I LOVE LinkedIn but there are some profiles which are full of self-aggrandizement. Don't believe the hype, folks. Do your due diligence.
7. Your expert is a former cop who never did security details when he was working and his degree is in a non-related field. Being a cop is VERY cool. I'm a bit prejudiced but I think cops are more diversified than we acknowledge. That being said, I have found where security managers are former cops (those looking for a post-retirement job) who haven't worked security prior, they have found the transition to be more difficult than they or management may have imagined. The personnel, the jurisdiction size, and overall authority are different. The mission is also different. Yet I have seen companies hire people from law enforcement solely because management sees an intersection of subject matter expertise which may not even exist. Law enforcement and security are different species of the same animal in some respects.

I hope no one takes offense to this post. I'm just a bit wary of countless people peppering social media with facts and ideas which are unfounded and dangerous. Most times, these people are ignorant of the damage they're doing. Many believe that "expertise" is a subjective term and they have as much credibility as anyone else to give their commentary to masses they believe need to hear it. This is all very true. I have almost no issues with this. Many of them didn't want to be considered "experts". Often, there is a void of "experts" for the media and others to call on and so the people who "sound the part" get called. Perhaps, we need to move beyond our acceptance of "anyone can do security" to one where we recognize and respect the professionalism that is required to do this job and those who actually do it.