CHAPTER 2: BECOMING A DEVELOPED SECURITY MANAGER

2.1 Context

“Management is doing things right. Leadership is doing the right things.” – Peter Drucker, management consultant, academic and author.

The actual size of the global security market is difficult to estimate. The British Security Industry Authority recently estimated that the world market for security and fire protection was worth £178.6bn (1). With so many security practitioners bidding for such a variety and volume of work, it is vital that security consultants can genuinely understand and project reassurance that they can deliver an all-encompassing security capability. After all, clients are entrusting them with the safety of their most prized assets: their people.

In order to survive and prosper in dynamic and complex modern operating environments, businesses increasingly seek strategic partnerships. Such synergy will reach deep into their sales channels and supply chains. Moreover, C-suite executives and senior managers often operate under tightening regulatory burdens and extended, strict, legal, economic and reputational parameters. Brand integrity is sacrosanct. In emerging markets, where standards and norms may be under-developed and inconsistent, the strategic and tactical competence of the security function gains enormous significance to the overall corporate health and well-being of an organisation. In many respects, medium-to-high risk security operations draw out the best from security enterprises, as non-security staff look to them for professionalism, reassurance and leadership in an emergency or crisis.

Reassurance and the projection of continuity and unalarmed contingency planning, seems to be a recurring success factor among enterprises that I have seen fair well amid uncertain times of economic crashes, sprawling conflicts, political disorders and natural disasters. The US military came to view the post-Cold War era as a Volatile, Uncertain, Complex and Ambiguous (VUCA) worldwide operating environment (2). Principal sources of threat have moved from being established national alliances and blocs, to rather random, fluid sub-state terror groups (sometimes operating within the haven of a failed state). Security risk uncertainty has been compounded by malfunctions in the economic sphere. By the late 2000s, a deeply wounding worldwide economic crash, precipitated by a wholesale write-down of toxic debt, caused bank crashes and government-led (tax-funded) ‘bail-outs’. Moreover, the risk of uncontrolled sovereign debt and its impact on future social order is still ranked highly by the World Economic Forum Global Risks Report, most principally in Europe and America (3). Yet these same economic factors have prompted the security industry to innovate around technologies and provide more ‘intelligence led’ working in response to client risk. Risk assessment and prioritisation of risk treatment is now a fundamental, core business management activity.

For clients, a credible security consultant will be required to understand, plan and also skilfully communicate a strategic view of risk. They should have researched the client company to such a point of expertise that they can think laterally about the array of risks and vulnerabilities that challenge their client’s overall organisational resilience. Security entrepreneurs will therefore be requested to convey a high degree of reassurance that they are not just subject matter experts in their own field of security risk management, but are corporate business coaches and enablers. It’s a lot to prove for somebody who is also a full-time entrepreneur!

2.2 Role of security director

The professionalisation of private sector security services is a phenomenon much commented on in modern times. As a long-serving manager and prominent security author, Charles ‘Chuck’ Sennewald observed wryly:

“In the past five decades the security function has climbed up from the depths of organisational existence, from dank and smelly basement offices, to the heights of executive offices and a place in the sun. Despite some major downsizing, corporate mergers, and the growing emergence of facilities management and technology replacing some security personnel, security is now viewed as a critical part of most organisations today, with security professionals reporting directly to senior management, if not the chief executive officer” (4). The requirement to meet and surpass an array of proliferating professional standards, protocols and codes of conduct, insurer demands and nascent legislation, has driven up the service level quality of security companies, it has been widely argued.

In addition, there is also a prerequisite for organisations to protect their corporate reputations in challenging media environments, where a negative news story can reach influential audiences – such as potential customers or key stakeholders, including government ministers – within seconds. The performance of any security team, its incumbent professionalism, integrity and utility, therefore does play a significant role in shaping perceptions of entire organisations or sectors. For example, scandals involving private security functions have engulfed most UK oil and defence corporations at some point. This has led to all manner of longer-term resiliency issues, such as frequent site protests, political inquiries and an enduring aura of brand toxicity, in the eyes of important local/regional stakeholders.

Thus, it is fair to say, that few executives sit in a more risky role upon an organisation’s central dashboard than the modern day security director. Depending on the organisational structure and grand title, security directors can be relatively low-ranking, on many occasions not a C-suite executive director. Whilst others might report directly into the CEO or sit within the executive board. During a period of perceived ‘peacetime’, many colleagues will fail to see security functions as anything other than an irritating overhead. Business development, telesales, marketing and invoicing are all visible financial engines that drive businesses forward. On quiet days and weeks, when (ironically) the often-invisible but busy hand of security has actually delivered on its pledge to create a secure workplace, many outside executives will inevitably view security functions as a drag upon the business.

Nevertheless, during major threats and incidents, the security team will gain prominence. Utilisation and professionalism by the wider business will be demanded from every quarter. The observable skill of a security function’s response will be assessed and hopefully well received. There will be clearer exposure of the sheer scale of prior planning involved in crisis management to non-security employees. Staff will be seeking reassurance and many will become professionally and emotionally dependent on the security function.

Thus, the security director operates under twin pressures. They need to put in place a security strategy that prevents loss to the business and much of this hard work is invisible, because successful security measures often remain unseen. Yet a security director will also position themselves to become a master of value-added services, nudging their company to an overall state of improved organisational resilience. In effect, an effective security director becomes the ambassador for overall security-related resilience issues across the whole business. That’s quite an imposing level of personal and departmental responsibility.

Whatever an organisation’s shape or structure, the security director “should not be viewed narrowly as a unique security specialist but rather as an effective executive (first) in the security field (second)”, says Sennewald (5). As a senior manager, they are effectively a company leader, a strategic planner and departmental/management goal setter (6).

Security entrepreneurs will often be bidding for business along a dotted procurement line into an organisation’s security director. An external security consultant should carefully research and map-out the client’s organisational structure, culture, key players and stakeholders. After all, they are entrusting contractors with their own colleagues’ welfare and their own immediate career reputation.

There will be an expectation of a security director that potential consultants and contractors have done this necessary groundwork. However, decent online researchers beware! Organisational structure maps (sometimes called ‘organograms’) are often static, one-dimensional and outdated. They rarely give the necessary context or colour in order to help external contractors confidently approach security directors for new business. Further research around the ethos and interests of leading executives and target markets is well advised, before compiling a business proposal. Harvard Business Review management analyst, Bob Frisch, points to the importance of understanding that in each larger enterprise a de facto ‘kitchen cabinet’ exists; a small coterie of people who work closely with the CEO or executive chairman who take the lead in most major decision making within the target company (7). Before any presentational pitch, or meeting with company executives, an advanced security consultant will diligently conduct market research and specific analysis around an organisation’s security risks, but also try to establish the main motivations or goals of its executive leadership. This enables the external consultant to step into the shoes of potential buyers and understand how they might be able to assist their clients to achieve their objectives. Even if business is not won on the day, this intelligence-led business development approach will bring in longer-term results in terms of reputation and corporate muscle memory.

2.4 Fitting security into a wider context of resilience

“… we live in a brittle society where threats and natural hazards are more frequent and intense than a decade ago.” – Charlie Edwards, Resilient Nation (16)

So far, in this chapter, we have taken a closer look at two multinational companies, considered the complex role of security director, and broadly established that security management is an unpredictable and expansive responsibility that moves fluidly like an ink spillage, into many outlying domains of organisational resilience. Most notably, security has much synergy with functions that are also responsible for emergency planning, business continuity, risk management and information assurance.

The security function can act as an organisational shock absorber which can prevent a negative incident morphing into wider crisis or contagion. Therefore, much professional focus nowadays centres around how well the modern security professional can understand, and proficiently plan for wider issues that have a strong likelihood of impacting wider organisational resilience issues. Security staff at every level should see themselves as the company’s eyes and ears, attuned to the overall welfare and progress of the organisation.

What is resilience? Before we progress further, it is worth spending a little time considering this sector buzzword. This is because understanding the emerging discipline of organisational resilience is so intrinsically important, in order to attain respect and sustain a solid reputation, particularly after the 9/11 terrorist atrocities in New York.

Several years ago, the think-tank DEMOS established an advisory group of corporate and public sector emergency planners to consider what was meant by resilience. DEMOS then produced an influential pamphlet, Resilient Nation. The publication identified various international case studies of good practice and generated much interest from policy-makers and practitioners. The project advisory group defined resilience as: “The capacity of an individual, community or system to adapt in order to sustain an acceptable level of function, structure, and identity” (17). The sector is now drenched in competing definitions. Sutcliffe and Vogus describe resilience as,“the maintenance of positive adjustment under challenging conditions“ (18). While academic, Alastair McAslan, offers that resilience is the “ability of something or someone to cope in the face of adversity – to recover and return to normaility after confronting an abnormal, alarming, and often unexpected threat” (19).

The DEMOS report confirmed thinking among many security and emergency planning professionals that it was impossible to, “expect the emergency services to arrive in an instant during the event of a major disaster”. The report stated on its cover page that ... “next generation resilience relies on citizens and communities, not the institutions of state …” (20). This grassroots thinking chimed more with the US Federal Government model, which emphasises local empowerment and resourcing. In the US, emergency planning is rooted in county and state-level agencies and power is passed upwards towards Federal Government. Although this procedure has rapidly altered with the creation of the Department for Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) after the 9/11 terrorist atrocities. The National Infrastructure Advisory Council (NIAC), which reports into the DHS, issued a Critical Infrastructure Resilience report in 2009 which stated:

“ … the challenge facing government is to maintain its role in protecting critical infrastructures, while determining how best to encourage market forces to improve the resilience of companies, provide appropriate incentives and tools (including national standards) to help entire sectors become resilient, and step in when market forces alone cannot produce the level of security needed to protect citizens, communities and essential economic systems” (21).

The thrust of government and official thinking is that private organisations should take the lead on emergency preparedness and start ‘expecting the unexpected‘ as business group London First recommended in their well-received business continuity pamphlet, by the same name, issued to corporations in partnership with the UK National Counter Terrorism Security Office (NaCTSO) and BCI several years ago (22). Moreover, with cutbacks to government budgets impacting heavily on fire and rescue, policing and defence departments across most major economies since the global financial crash, the sphere of organisational resilience has become, potentially, a greater and wider source of income for security consultancies than was envisaged a couple of decades ago.

So how can we plan for resilience? Decent team organisation by way of clear lines of authority, clear tasking, mutual trust, accessible hierarchies (to report problems), and transparent goals, all continue to be successful management values that underpin flourishing security enterprises. For most organisations, a potential slip-up by a security-tasked employee is a significant key point of failure, both in terms of asset and reputational loss. Thus, specific training, instruction and a consistent goal of surpassing compliance – rather than merely achieving it – are all vital ingredients to a successful organisational security function. Some of the job and task roles will be as follows: security manager; assistant security manager; building security; investigators; asset protection; fraud prevention; asset tracking; security guarding; close protection officers and team leaders; loss prevention and inspection; control room operators; undercover agents; CCTV and surveillance officers. But the modern reality is that most security operatives could conceivably carry out other security functions; they are not mono-trained or solely interested in a single business area. Substantial security professionalism is more a mindset, than a trade. All security professionals are expected in the modern era to actively absorb, understand and ultimately translate an array of corporate security risks, which may well start out as harmless intangibles, but if left ignored or mishandled, can cause severe organisational damage in the longer run.

2.5 Sub-disciplines of organisational resilience: Security, emergency planning and business continuity

Much has been written about the convergence or closer integration of security-related functions within enterprise organisations during the past two decades. Some of this has been driven by ICT and the importance of addressing cyber/information security because all such risks interrelate and interact. The industry trend has been towards a closer synthesising of, or even indeed, the formal integration of security with emergency planning (EP) and business continuity management (BCM). These three speheres have become accepted in many quarters as the core-subdisciplines of organisational resilience (23). Business continuity is a diverse and widely debated concept. Helpfully, the Business Continuity Institute website describes BC as: “taking reponsibility for your business and enabling it to stay on course whatever storms it is forced to weather“ (24). For most academics and practitioners, BC is more about keeping an organisation at maximised levels of resilience. BCM professionals do this by addressing the impacts of major disruptions in a planned manner (hopefully beforehand), rather than forensically analysing future threats or causes of risk. The integration of these three disciplines in the workplace has been addressed in some companies by creating broader resilience or risk management portfolios. In many companies, during recent times, such resiliency job roles have been pushed upwards in the organisational structure, into the echelons of upper middle management, or even to executive director levels. Security company, G4S, kindly hosted a high-level roundtable discussion on the topic of Organisational Resilience, shortly before the London 2012 Olympics and Paralympics. Out of 15 major companies in attendance, more than half of those represented held job titles that indicated responsibility for organisational resilience, in contrast to traditional functions of security (25).

On the downside, the integration of EP, BCM and security remains a hotly contested, and unresolvable marriage of convenience in many larger companies. Duplication and territorial tensions can be commonplace, even if an overarching director of resilience, or equivalent, is in place. Integration of enteprise risk management functions has also invariably led to efficiencies and a sense that some executive leadership teams have used the integration of security, BC and EP functions to cut overall risk management resources which could stretch the finite bandwith of security management to breaking point. To do more with less may well be a modern workplace mantra. Moreover, sometimes it is actually poor work practices or ambivalent business cultures, rather than a lack of resources, that can undermine organisational resilience, or a company’s ability to adapt quickly enough to unfolding threats.

Some major organisational failures during contemporary times do powerfully demonstrate that large organisations which have experienced significant crises have often deployed substantial resources into so-called risk management strategies. Yet they were either unable to realise the scale of hazard occuring before them, or were institutionally incapable of adapting to avoid or mitigate it. For example, academic, Geary Sikich, points to oil-major BP being stuck in an ‘activity trap’, where the company was unable to free itself from traditional patterns of process and behaviour, both prior to, and after, the 2010 Deepwater Horizon disaster. The company suffered huge reputational damage, and fines totalling several billion dollars, after a dozen oil platform workers were killed on a subsidiary platform in the Gulf of Mexico and billions of gallons of oil were poured into the marine environment. Moreover, in the cash-rich telecommunications sector, following a fire at a components factory in Alburquerce, US, the manufacturer, Philips, notified its main customers, Nokia and Ericsson. Nokia immediately sourced alternative components and effectively tied up the contingency market. Confidently believing that its own organisation was resilient, and that the problem at Philips would soon be fixed, Ericsson’s leadership failed to respond and sourced no alternatives in the first week. When the Swedish company finally attempted to locate back-up alternatives, few were to be found. Ericsson were unable to carry out new product launches and the company made 16bn Krona ($1.5bn) of losses later that year. It has, to date, struggled to recapture its dominant market share. Indeed, when we reflected on the Royal Dutch Shell Group‘s troubles in the 1990s, several pages ago, official reports do not indicate that the company experienced the Brent Spar and Ken Saro-Wiwa crises because it was starved of cash and resources. Financial resources were aplenty. Common sense less so, perhaps.

As McAslan contends: “Resilience also suggests an ability and willingness to adapt over time to a changing and potentially threatening environment” (26).

In essence, measures to embed and strengthen resilience do clearly include market and threat analysis, prior crisis planning (including life-like rehearsals), regular monitoring and auditing of risk management systems, legal compliance and competent crisis response. These are rather obvious ingredients that most of us know and delight in practising and talking about. But there is so much more meaning to the term organisational resilience. It is a mindset, a company culture and a team awareness dynamic within any company ... from the receptionist, to the top floor C-suite executive.

2.6 Management and balancing important priorities

There is sometimes frustration with management theories and ‘number crunchers’ in any setting, and the security management sphere is hardly any different. But regardless of our own personal leadership traits and workplace approaches, the setting and organisation of strategies, department priorities, policies and crisis management plans, will usually require the approval and buy-in of colleagues and stakeholders who are not strongly related or connected to security management approaches and concepts.

There is no single panacea for security management. No dominant rule book. Shelves of books, toolkits, formal guidance and articles from practitioners and researchers have been produced; each with different nuances and emphases. Just a fraction of these appear in this book’s reference sections at the end of each chapter. Nevertheless, these documents do have at least one common denominator. They are all produced from the worldview of their author. Indeed, the recipients and clients of your security strategies are equally as diverse. They may well have a knowledge gap at a technical level about security management, but they will have their own perceptions, life experiences and career skills that may well inform some strong counter-views to what your department hopes to achieve. With many security products and services often invisible to busy end-users, security practitioners might want to be extra alert to the fact that data sets (such as service level agreements being surpassed) really can evidence success. Credible and favourable statistics carry great importance when convincing clients of the benefits of hiring or retaining your services.

From the client’s perspective, they will be seeking a measurable return on investment (ROI) from their security functions. It’s worth security consultants’ bearing in mind that there may also be some additional pressure on their own client, who may themselves have had to argue persuasively with other work colleagues in order to reach outside the organisation to bring in extra layers of security. “ROI must be communicated clearly at all times by all security contractors”, says Jon Hill, managing director of close protection solutions company, Polaris. “My client is not just the security director at a given organisation, but his boss, his executive team and his CEO, who come into contact with my staff day in and day out (27). If things go quiet, they need to know that they are not pouring money down a drain by retaining us”, Hill concluded.

There are several ideas by security contractors to provide reassurance to customers that they are sustaining value for money. Interim feedback reports can be submitted to clients with auditable and transparently presented customer feedback data. For longer-term contracts, the client will often stipulate service level agreements (SLAs), and if this isn’t the case, security contractors shouldn’t be shy to ask for such parameters. Far from being a ‘rod for their own back’, SLAs can provide a structured framework to actively demonstrate achievements and competence by the contractor or entrepreneur. Measurables, including key performance indicators (KPIs), can also assist individual consultants; a 360 degree appraisal of performance areas, success criteria and a restatement of the client’s goals, are likely to assist both sides in the longer-run. Too many security contracts still fall foul of (often unwritten) agreements and ad hoc relationships which can then offer no defence against service termination by the client. This is because the contractor never bothered to establish what the client’s goals and success criteria were in the first place.

For the security manager or consultant, service delivery data can be measured in a number of ways. For example, by visibly reducing the loss of quantifiable assets across specific business areas, or the entire business itself. In addition, security managers and function heads might also be able to reduce annual expenditure on related expenditure, such as reducing legal costs, the downtime of IT systems, or perceptible increases in customer satisfaction or site visitor reassurance.

Calculating loss and showing value

Perhaps the best way to illustrate the financial value of a security function is to tabularise the loss (shrinkage) to the business from criminal activity. Deal in hard data, build on trend analysis, establish patterns and set realistic targets. If no such data exists, carry out comparative analysis at similar venues or other company branches, but be crystal clear with so-called comparative analysis that you are – to all intents and purposes – performing a very useful baseline illusion. After all, you don’t want the company leadership getting carried away by setting unrealistic goals and holding over-inflated expectations!

For example, in Figure 8 below, we are going to take the average retail shrinkage in the UK (of 1.37% recorded in 2011, according to the BRC) and apply it to some imagined profit and loss (P&L) figures for an invented company we’ve named Buckinghamshire Food Malls Inc. We can actually calculate loss by researching any type of quantifiable loss metrics that would be comparable to performance measurements being gathered in any other business department or enterprise. Some examples being: trading days lost, unit jobs lost, cash loss, and so on.

To explain; if Buckinghamshire Food Malls Inc had reduced its shrinkage by 0.5% in 2012/13, it would have made another £5m in gross profit. If, at first, to achieve this extra profit the company had to invest in four full-time security staff, and some upgraded CCTV and motion detection equipment (the whole package costing some £2m), then the company would have made an additional £3m profit because of investment into the security function. Moreover, further security personnel and systems could have reduced shrinkage even further during the next financial year (2013/14). If the security management function within a business can evidence, calculate and communicate clear data sets in terms of loss prevention, then they can begin to earn acceptance across a wider organisational culture that they do offer a tangible and potentially significant corporate return on investment (ROI). Could a sales or marketing department generate £3m in profits each year? It’s a moot point but the mathematics described above does provide a tangible basis for many security management functions to demonstrate clear value to the bottom line of many companies.

In summary, accepting and deploying the utility of explicit key measurables (data sets) by embracing business quantification methods, will undoubtedly give any security company the competitive edge. But each success story does require further communication to the client; because spreadsheets and algorithms hardly sell themselves! Security contractors that engage with data, yet can also translate it as an engaging narrative, will notice that others begin to receive the correct message: namely, that their company think from the client’s standpoint and make their return on investment the number one priority.

Security leadership and management

Charles A Sennewald’s popular book, Effective Security Management, provides an excellent list of security management tasks. These include

•   talks to employees

•   giving direction to lower level supervisors

•   establishing loss prevention goals

•   planning new loss prevention programmes

•   hiring new security officers

•   reading reports

•   attending meetings (logical ways to coordinate and set activity)

•   making decisions about new equipment (30).

Sennewald then describes five managerial functions:

1.   Planning: “Determining future activities necessarily involves a conceptual … look ahead and a recognition of needed future actions – whether they be tomorrow or next year. It involves looking forward, conceptualising future events, and making decisions today that will affect tomorrow … The higher the level of management, the more time is spent planning.”

2.   Organising: “Determining what activities need to be done; grouping and assigning those activities; delegating the necessary authority to subordinates to carry out the activities in a co-ordinated manner.”

3.   Directing: “The managerial function deals directly with influencing, guiding or supervising subordinates in their jobs.”

4.   Coordinating: It is the manager’s job to ensure that the various tasks are scheduled and implemented in an efficient and economical manner.”

5.   Controlling: “… consists of forcing the tasks that have been undertaken to confirm to prearranged plans. Thus planning is necessary control” (31).

For Sennewald, the potential achievement of leadership, from senior managers through to supervisors, is contingent on an individual’s realistic ‘span of control’. This is a human resource management concept which translates the amount of employees that a supervisor can effectively manage at any given time. With ICT advances, and a corporate shift to cross-functional teams, traditional spans of control have shifted from an ideal low ratio (1:4 supervisor to employee, or less), to higher (read busier) ratios. It follows that managers with larger empires will be less able to successfully perform in other management functions. Sennewald believes that the most obvious ingredient of a successful manager is that they “should be able to think clearly and purposefully about a problem” (32). Other factors impact upon an ability to exercise supervision over a challenging span of control including the types of job roles under supervision (including the attendant risk levels), the level of administrative support, the experience and competence of subordinates, and the location of subordinates or the supervising manager. The following spans of control are recommended as either good or survivable by Sennewald:

•   ideal: 1:3

•   good: 1:6

•   acceptable: 1:12.

Summary of security management leadership

Perhaps then, the key to being an advanced security consultant revolves a lot around decent research, performance recording and active lines of accurate feedback to customers. Research, ask, and be confident to ask for clarification again from customers: what are their longer-term goals? What, in the best case scenario, do they want from their chosen security provider? From your research, are there realistic cost savings that you could make, on their behalf, by implementing your innovations and solutions?

Moreover, manage expectations and be realistic from the outset. A cold call for security from an unknown quantity often comes at a time of organisational crisis. It could be a knee-jerk response to an incident, or a perceived serious security breach.

Security procurement can be an emotionally-driven, volatile buying environment, whereby potential customers run hot and then turn cold; especially when a crisis cools down. At all times, be careful to offer a proportionate response, based on what is best for the client organisation. Consider how your suggested solutions will be viewed a little further down the timeline. (Defence Secretary, Bob McNamara, called this form of pragmatic, cool-headed response the ‘daylight test’.) Don’t let the heat of the moment determine your company’s future fate. This will reinforce your company’s reputation as objective, rational, and a potential long-term counsel to the client.

For me, the advanced security professional, or aspirant security director, could do worse than to aim to satisfy the following conditions summarised by my bleak, but memorable, mnemonic: RAIN:

R esilient; personally resilient; strong team player, coordinator and trusting delegator; succession planner; good communicator and contingency planner; keen to test, rehearse and review.

A daptive; flexible and innovative but has agility based on wisdom; lateral thinking around risk and threat; respectful orthodoxy challenger yet a student of traditional activity; unafraid to articulate unprecedented actions and innovations; yet strongly educated in existing good practice and context.

I nformed; well briefed and ahead of events; builds credible and robust information sources and feedback loops; core member of the wider business; rooted in a knowledge of good practice and laws; a keen reviewer; an avaricious listener at all staff and customer levels.

N etworked; can access and appreciate ‘outside’ advice; confident and popular networker; turns contacts into meaningful mutual aid and information sources; ambassador for the business within the sector; confident to share key contacts; not an aggressive pursuer of quid pro quo.

2.7 Adding value: Developing the business that clients require

“If you want to be a millionaire, start with a billion dollars and launch a new airline.” – Sir Richard Branson, entrepreneur and chairman of Virgin group of companies

If entrepreneurs don’t always know what their potential customers really want, then it may be true to say that on many occasions customers also don’t know what they require either! That is why it is so important to understand as much as possible about what they do require and why. The diverse range of security services and products can often appear quite intimidating or off-putting to outside buyers. Solutions to combat crime and treat risks are sometimes complicated and built upon compromise; to adjust to civilian working environments and fluctuating market conditions. Moreover, when security planning is at its weakest – perhaps when we are implementing things on the back-foot, in a reactive sense – a proper, reflective, cost benefit analysis process might only occur well after a major incident has occurred. Therefore, it is not untypical for buyer motivation to quickly evaporate. Security solutions are increasingly complex and integrated – they fuse together human, physical and technological ingredients – and impact upon most, if not all, corporate departments. The development and integration of major security activities and systems, such as the rolling out of access controls across a multi-sited corporation, can be large-scale and project-based. They are also likely to cause disruption. After some time, key influencers within the client organisation may have significantly cooled towards the project. Progress and client-value should be demonstrated at all times during implementation of a security project. Moreover, leadership and management are increasingly mobile in modern corporate environments, so beware: it may be that your initial buyers and sponsors have already left the building!

At this point, let’s try to step into your customer’s shoes. For a moment we will consider individual human cognitive responses to major emergencies. Psychological analysis tends to demonstrate more impulsive and/or accelerated decision making, and survivalist family groupthink, as the first phase of psychological response. Leading psychologist, Daniel Kahneman, and others, have dubbed ‘instinctive’ decision making as a ‘system one’ response (34). Then a gradual slow-down in decision making occurs as the mind begins to relax, reflect and analyse the recent experience. This is described by Kahneman as ‘system two’ of cognitive decision making. Psychologists refer to this phenomenon of binary decision making as dual process theory. In colloquial terms, this equates to the mind responding and activating instinctively in a survivalist mode of urgency. Then we humans experience a ‘cooling down period’. We begin to consider some isomorphic lessons in relation to our experience, in order to make clear sense of what we have been through, and why. Therefore, the remainder of this section will address how entrepreneurs can better understand, motivate and retain present customers. We also offer various suggestions as to how one may become the next Sir Richard Branson or Bill Gates! Paul Schoemaker, a research director at the world-renowned Wharton Business School, contends that business development professionals really need to get into the ‘head’ of their customers (35).

Communications with any customer base require several types of approach based around principles of: visibility, partnership, ethics and empathy. Long-term market considerations should be firmly rooted in your short-term behaviour. These are sometimes difficult strategies to achieve. As business coach J Haselmaier emphasises, some customers are not always clear in their own minds as to precisely what solution it is that they require. By asking the key question, ‘what is it, precisely, that you feel you need?’, the power of the purchaser can substantially shift to the entrepreneur; who is ultimately a little like a family doctor that needs to treat an anxious patient with a remedy. According to Haselmaier: “Unfortunately, determining the real needs of a potential customer is not as simple as asking them what they want. Many people are unable to clearly articulate their most pressing and compelling product or service requirements …”. Hasselmaier adds: “To learn what your customer really needs, you must watch them and talk with them. You must be sure you understand their concerns and overall business issues. Only by thoroughly understanding the broad environment your customer lives in on a day-to-day basis, as well as their specific and detailed issues and concerns, can you apply the creative efforts necessary to design a compelling solution that will be successful”.

To be clear: customers often don’t know what they want. Indeed, there are copious amounts of excellent online guidance for entrepreneurs and consultants seeking a little help to understand customer relations. Nevertheless, to some consultants, there is possibly a perception of weakness given by way of asking questions from their customers. Moreover, some potential customers choose to be neutral and stand-offish from suppliers nowadays; such are the levels of compliance and probity enforced by many procurement environments. In addition, how often can we realistically ask for customer advice and feedback? Won’t we look foolish or lose our sense of authority? Could we waste valuable time and resources unpicking popular solutions that work well with other similar customers? These are all sensible questions to which there can be no instructive answers from this author, other than to say that is down to the entrepreneur to know (research) their specific market, customer and range of product options well enough in order to answer these questions. It is, of course, far better to ask all the right questions from the outset, rather than provide a cupboard-full of wrong answers further down the line.

Earlier in this book, we spent a little time looking at business analysis of the operating environment. We looked at gathering competitive intelligence and market intelligence. We used popular business analysis research tools, including PESTLE and SWOT modelling. Such tools are critical in enabling us to understand market trends and common themes that are driving, or reducing, customer demand. It is fair to say that some of the best researchers I know are also – not by coincidence – some of the best entrepreneurs that I know. These are the people that have taken regular time to investigate and monitor their own operating environment, as a good doctor might fully appraise a wheezing patient. Those who travel by autopilot will only be able to fly so fast and so high for a limited amount of time. As Sir Richard Branson recently told Forbes Magazine: “Researching the competition has never been the Virgin way. Many of our products and services come about because we pay attention to what the market is missing or what’s not being done well” (37).

How can we Identify client requirements?

To summarise, how might we identify precisely what our existing or potential customers require? Here are some actionable ideas that may help your enterprise to harness its competitive edge:

Focus groups: a facilitator, or two, conducts a small focused audience through a list of quantitative, semi-structured and qualitative questions. This method is particularly useful for organisations with a high public profile which often attracts large volumes of multi-themed feedback. Groups are also effective for assessing emotions and initial responses.

Surveys and data mining: effective for gaining trend analysis or even gap analysis, where you suspect operations are going awry, or perhaps higher potential demand is not being met. Analysts, Symphony IRI, run 100,000-strong ‘customer networks’ for Walmart, whereby the conglomerate’s suppliers, and aspirant suppliers, can view and purchase consumer analysis (42).

‘Secret Shopper’ and ‘Undercover Boss’: experience your own service in the ‘first hand’ by attending the front-line customer experience anonymously and passively. For further information, watch an episode of Undercover Boss – there are popular editions in the UK and US. There are many to choose from but one of my favourites is a Securitas CEO returning to the shop-floor and a university Chancellor in California stepping into the shoes of campus staff and employees. Both episodes are provided in our references section at the end of this chapter (43).

Knowledge sharing and leadership: by running briefings and seminars for clients and potential customers; absorb learning and capture data from interactive exercises into the sessions.

Feedback loops: operating social media platforms and website forums, or closed feedback forums with key stakeholders, to feed in innovative ideas or feedback customer experiences/observations.

Competitions: run purposeful competitions to generate new ideas and customer pipelines.

Marketing partnerships: running any of the above – including industry events – in tandem with others in your supply chain or channel sales partners to the wider market. Trade associations are often looking to badge themselves with partner events because it saves them the costs and effort of delivering their own event. By doing this, your enterprise will get a guaranteed larger audience and extra credibility of working with an established trade association.

Unique sales proposition

Now that we know a) our market environment and b) our potential customers better, entrepreneurs may wish to now consider what it is about our people and our services that make us essential to them? How can we convince them of the benefits of accepting our proposals? How can we help them to achieve their goals and make their commercial journey easier?

Amid so much good online and published guidance for entrepreneurs and business development executives, the UK Business Link and the Canadian Business Network is clear and purposeful. Companies are advised to develop and continuously remind their employees about their unique approaches and products. Their guidance states: “Every business needs a reason for their customers to buy from them and not their competitors. This is called a Unique Sales Proposition (USP). Your USP can be identified by completing the phrase ‘Customers will buy from me because my business is the only’” ... (43).

An example might be that you are the only company to only employ former Special Forces personnel, or that you were the first company to insist that all your maritime security operatives possessed an International Certificate of Competence for skippering a vessel. Nevertheless, it is important to appraise the uniqueness and value of your USP regularly because security industry markets do move exceedingly fast. What began as a USP not so long ago, may have subsequently morphed into standard, expected, industry practice and appear somewhat stale.

Please note, your USP should change as your business or your market changes. And you can have different USPs for different types of customer. “However good your product or service is, the simple truth is that no-one will buy it if they don’t want it or believe they don’t need it. And you won’t persuade anyone that they want or need to buy what you’re offering, unless you clearly understand what it is your customers really want”, observes the Canada Business Network (45).

2.8 Why do businesses fail?

Many business start-ups fail within the first 12 months. According to the US Small Business Administration, more than 50% of small businesses fail within five years (46). Corporate analyst, Michael Ames, gives the following reasons for small business failure in his important book Small Business Management:

•   Lack of experience

•   Insufficient capital (money)

•   Poor location

•   Poor inventory management

•    Over-investment in fixed assets

•   Poor credit arrangements

•   Personal use of business funds

•   Unexpected growth (47).

Professor Edward Deming, one of the world’s most eminent management consultants, famously identified ‘five diseases of management’. Deming was credited with helping to substantially rebuild Japan’s broken economy after World War Two, contributing with management thought that enabled the country to become the world’s second most powerful economy within a decade. Deming urged that manufacturers cooperate over wider market and economy-related issues; that marketing is the science of understanding what repeat customers think; and that initial stages of services and design must include research. Deming’s five diseases of management are described below, courtesy of the excellent business website Mindtools.com:

1.   No consistent purpose: strategy and goals continuously change. Prior strategies and initiatives are not given time to succeed. Staff morale declines as employees feel that they can’t achieve objectives.

2.   Focus on short-term profits: companies focus on short-term growth and sales at the expense of longer-term projects and therefore fail to anticipate future growth and see the end of market and product cycles.

3.   Managing by fear: whereby employees focus only on short-term goals and avoiding sanctions; rather than having managers that approach appraisals by coaching, empathy and identifying opportunities for employee development.

4.   High senior management turnover: it takes time for managers to develop and embed into their role and to develop the relationships and authority that will be necessary for them, and their department, to succeed. High turnover permeates down into the mindset of all employees, impacting retention across the organisation. It can also seriously risk the transfer and leakage of critical knowledge capital to competitors, or motivate existing managers to establish competitor start-ups.

5.   Focus only on visible figures/statistics; rather than subjective human factors such as ‘happy customers, high product quality’ and a ‘positive work environment‘(48).

Avoiding business failure by addressing hazards and risks

One glaring omission from the above list of reasons for business failure is a poor or unprepared response to a major incident or crisis. Major incidents, such as fires or natural disasters, may threaten business survival in its entirety. But tragic events also present opportunities for security enterprises and consultancies to demonstrate their expertise, and also their intrinsic organisational skills in emergency and contingency planning. Ames’ omission represents a much wider knowledge and competency gap manifest among many business managers, strategists, entrepreneurs and investors: namely, crisis leadership. The fact remains; skills in contingency and crisis planning could actually become critical success factors for new and emerging enterprises, as companies become more engaged with organisational resilience as a core executive business strategy.

Addressing reasons for failure: The balanced scorecard

Addressing the last of Deming’s points (see above), the balanced scorecard, developed by Robert Kaplan and David Norton, is a strategic management tool that serves to recognise that non-financial data – such as customer satisfaction or staff knowledge capital – may be just as significant to longer-term organisational prosperity as, say, quantitative sales figures and balance sheets.

Kaplan and Norton refined and elaborated upon a ‘dashboard’ of organisational performance measures that had originated from French engineers. According to the Balanced Scorecard Institute, “the balanced scorecard approach provides a clear prescription as to what companies should measure in order to ‘balance’ the financial perspective” (49). The following four perspectives should be taken into account in the overall measurement of company performance, the Institute recommend:

The learning and growth perspective: staff training and company cultural approaches; company approaches to self-improvement; knowledge of employees … the only repository of a company’s knowledge.

The business process perspective: internal business processes, such as metrics to monitor management knowledge of how well the company is running, and whether services conform to customer requirements and expectations.

The customer perspective: customer retention data; present revenues may indicate a healthy business but if customers are dropping away from the business this fact may be missed before it is too late to respond and repair.

The financial perspective: Existing financial data is crucial but perhaps additional financial data is required on the dashboard, such as expanding costs, risk assessments and any cost benefit analysis undertaken (50).

Critical success factors

Entrepreneurs are advised to develop critical success factors (CSFs), alternatively known as key results areas (KRAs), that are defined organisational goals, established to help one measure the direction and success of their company. According to the business advice website, Mindtools, CSFs serve as a reference point for senior management (at least) to revert back to, in order to check progress and also raise some CSFs as permanent agenda items at senior management team meetings, boards and shareholder meetings (52). CSFs can be a wide set of principles; they can include, designing products that are attractive to customers, monitoring market requirements, delivering staff satisfaction and retaining valued employees. Nevertheless, it is expected that several CSFs will be client focused. I present two examples:

1.   Imagined company, H & A Security Services, will carry out an annual client survey and receive at least 95% ‘good’ or ‘excellent’ feedback from customers across the Middle East and North Africa (MENA) region.

2.   H & A will introduce a new free business intelligence bulletin covering MENA region every week for our key clients (£50,000 per year or above value contracts).

2.9 The requirement for professional proficiency

“No plan of operations extends with certainty beyond the first encounter with the enemy’s main strength.” – (Prussian military strategist, Field Marshall Helmuth von Moltke)

Security, as a profession, perhaps has a collective ‘chip on its shoulder’. Many security professionals perceive themselves to be part of a relatively embryonic and underdeveloped profession. But this isn’t necessarily the case. Many student essays and sector presentations that this author bears witness to, tend to bemoan the indisputable fact that the security and risk management sector needs to be more advanced and professional. (We’re hardly alone in this.) References are commonplace to ‘security’ as a discipline being in some way substantially younger and inferior in comparison to the more established professions of law and medicine. Maybe it’s fair comment. Medicine and science are sometimes rightly enshrined with a ‘halo effect’. Yet the legal profession has conjured up a myriad of howlers. Grossly unfair and unprofessional results include, in the UK, the notorious false conviction of the so-called Guilford Four and Birmingham Six group terrorism suspects. This was caused, in part, by very well educated judges who inexplicably failed to deliver a fair trial by keeping key witnesses away from a courtroom. Moreover, many centuries ago, other scientists conspired to create the professional and religious excommunication of their colleague, Galileo, who bravely maintained his inconvenient but accurate hypothesis that the world was indeed round.

In medicine, a large number of pharmaceutical practitioners and doctors – colluded and collaborated in the sale of the Thalidomide drug during the 1950s and 60s. Dozens of senior medical practitioners – who had signed the Hippocratic Oath at the outset of their illustrious careers – maintained that the drug was safe for pregnant mothers, despite much emerging evidence to the contrary. This professional disaster led to tens of thousands of infant deaths and severe, irreversible, abnormalities for survivors and their families. Harold Evans, at The Guardian newspaper, described the case as “the greatest man-made global disaster” apart from war. The perpetrators at a German pharmaceutical company evaded prosecution (53).

Security management’s roots clearly go back to the earliest eras of homo sapien survivalist strategy. Risk awareness and mitigation go back at least as equally as far as the grand old established professions. Security was practiced by individual hunter-gatherers and by tribal group collectives; internal rivalries and insider threats, addressed by various counter-measures, have been manifest from the outset of human activity. Security is not a new profession. In fact, from time immemorial, most human beings (a far higher proportion throughout history compared to the human race today) practiced individual and collective security management techniques, for reasons of personal and group survival. Private soldiery and alliances of vigilantes has been traced back over several millennia. Organised state armies and public authority law-enforcement roles that can – only to some extent – offer human protection, have existed for just a fraction of humanity’s time on the planet! The terminology that we know today, which offers us phrases such as protective security, asset protection and intelligence, all summarise the basic defensive or offensive functions that ancient communities or territories were used to practising as second nature up to the latter part of the Middle Ages. Moreover, these behaviours and defensive functions did occur alongside exacting academic rigour and critical examination that was applied by academics and students of warfare who looked closely at the domains of: body-guarding, spying, military strategy, target hardening, border controls, asset protection, and so on. Some famous historical examples of security management include:

•   Samurai warriors in Japan forging an alliance and network among themselves to successfully repulse the 1281 Mongol invasion.

•   Swiss guards units that served as palace and bodyguards to the Vatican and the Pope, and also – from the 15^th century – to protect European royal families.

•   Public ostracism and shaming for those who committed antisocial behaviour among Inuit Eskimo societies, to deter crime and subversion (54).

•   The development of omnipotent intelligence and counter-intelligence structures, which included running spy networks, post service infiltration and decoding experts, implemented by Queen Elizabeth I’s loyal secretary, Sir Francis Walsingham (55).

•   Production of highly esoteric military, protective security doctrine across various centuries and territories, including by Sun Tzu (The Art of War: circa 4^th-6^th Century BC), military theorist Carl von Clausewitz (1780-1831), and Prussian military strategist Helmuth von Moltke the elder (1800-91), who was credited with pioneering colour-coded war gaming.

•   Policing by volunteers, groups and networks of so-described ‘vigilants’ (‘vigilantes) before professionalised police forces were formed and became publicly owned by expanding governments and taxpaying bases.

•   The building design of fortresses and castles – secured by moats, watch towers, several-metre-thick walls and security guards – and also manorial homes (with priest ‘hiding’ holes, safe rooms and secret passages to help evacuation).

•   Protective walls, such as Hadrian’s (AD122 onwards) and the Great Wall of China that marked out territory and also added protective security for communities vulnerable to pillaging. The Anti-Fascist Protection Rampart, more commonly identified as the Berlin Wall (1961 to 1989), was an ultra-modern variation.

Organisational cultures and proficiency

Most business environments are different. This section will examine different cultural attitudes to security-related training and exercising. Progress has clearly been made in a general sense, whereby the extant security industry in many geographical domains has become more professionalised, with individual practitioners becoming more proficient, and overall sector accountability becoming far more transparent. Moreover, the mass emergence of participative business cultures, whereby companies will emphasise a greater importance on individual employee empowerment, can often pose a key attitudinal and philosophical challenge for security and contingency practitioners. This is possibly because the majority of practitioners still emanate from a professional background in law enforcement or military spheres, where hierarchies and management orders are far less likely to be challenged or visibly critiqued.

Military and law-enforcement cultures

In such structured work domains as military and law enforcement, chains of command and orders are usually crystal clear, during peace time at least. The kinetic and grave nature of problem-solving – and also the underpinning authority of hierarchical decision makers – means that members of law-enforcement and military communities are usually socialised more effectively to follow orders within any workplace environment. Moreover, armed forces and law enforcement agencies still retain (and have a realistic prospect of continuing to do so) certain legal and moral covenants which give them the authority to encroach into the private sphere of their employees; whether it is through background vetting, arranging overseas housing and travel, preventing or monitoring political affiliations, or signing up employees to various, and probably quite important, codes of conduct.

Engaging and effective examples of organisational cultural socialisation can be found within many military domains, which can invoke history and a sense of purpose to their organisational mission. A case in point is the British Army Doctrine Publication produced by the aptly-named Development, Concepts and Doctrine Centre at Shrivenham’s UK Defence Academy. With razor-sharp clarity, this document expresses the importance of a coherent workplace philosophy (56). Its’ mission statement is as follows:

“This Army Doctrine Publication (ADP) builds on foundations laid by the highest Defence doctrine to provide the philosophy and principles for the British Army’s approach to operations. The philosophy and principles guide the practices and procedures that are found in tactical field manuals and other subordinate doctrine” (57).

The entire doctrine is focused, arguably, to provide a coherent and disciplined body of national security with an action-oriented team structure whose central goal is, ultimately, to provide peace through strength. Although some security plans within the private sector may indeed share some rhetorical flourishes that would suit Army doctrine – such as offering a Lawrence of Arabia quote to inspire espirit de corps – a rather bracing reality of civilian industrial life is that no major company would permit its security function to define its overarching philosophy and principles. Or, for that matter, subordinate or compel other business functions into a protective security culture, unless it was an extreme, high-risk environment. Moreover, it is likely that any attempt to establish an overarching organisational doctrine would be emphatically squashed!

In any environment, moral and emotional leadership is an accepted vehicle to spur on employee motivation and achievement. Self-esteem, love and a sense of belonging are quite high up on Maslow’s famous triangle that illustrates our ‘hierarchy of needs’ as human beings (58). This is why the Army Doctrine Publication emphasises values of patriotism and duty. The ADP then underpins such cultural values by invoking historical parallels:

“Duty is the devotion to a cause, mission and the team that transcends an individual’s personal interests or desires. In times of real adversity, when it appears that there is nothing left to give, duty requires soldiers to lead and strive even more” (59). “I hold my duty as I hold my soul”, from British playwright William Shakespeare’s play, Hamlet (60).

Culture in private companies

Inspiring words from Shakespeare indeed! But how can security managers in the private sector possibly hope to replicate such a rhetorical call to arms, without sounding slightly absurd? One of the repeated mantras within the security industry and policing circles is that all security measures have to be ‘proportionate’. In fact, the more we consider, any serious drive to embed security and resilience proficiency within lower-risk civilian organisations is significantly hampered by the relatively lax, and slightly anodyne, operating environments where companies know that they should indeed ‘expect the unexpected’ but don’t quite believe that any of the world’s ills will directly impact them.

The ability to practically influence executive decision making, and to be perceived as an authority figure – is often down to the personality traits and leadership techniques of various security managers. Because, after all, the vast majority of compliance within civilian life is voluntary and judged against the famous saying; ‘What’s in it for me?’McAslan’s thoughtful 2010 Straw-man paper titled Organisational Resilience takes into consideration such a complex dynamic in corporate business and suggests: “In reality, few organisations will experience major disruptions and therefore experience can best be achieved through exercises and rehearsed drills. IBM (2007) and others stress that exercises should be conducted regularly, following changes to the organisation’s mission and/or structure, or following significant changes to the operating environment” (61).

KPMG’s impressive paper Living on the Frontline: the Resilient Organisation recommends that following a traumatic incident, employee counselling could be required. “This is borne out by studies of individuals who were directly affected by 9/11. These revealed that in the medium term after the attack, three quarters of those surveyed experienced depression, nearly half had impaired concentration and a third developed insomnia. Significantly, (resilience planning) must be flexible enough to cope if a significant number of staff are either unable or unwilling to work in the aftermath of a disaster (62).”

Importance of doctrines and mission statements

Despite clear advantage gained from establishing strong mission statements and inspiring employees by spectacular corporate goals, individual compliance to corporate decision making is based predominantly upon voluntary adherence and acquiescence. In cases where criminal law has not been breached, real power within civilian workplace domains barely exists. This fact applies as equally to security management operatives as it does any other corporate sector officer or executive. Moreover, human rights-related laws, and the rise in litigious claims against protective security functions, in some countries, does mean that security managers would be ill-advised to carry out any physical or access-controlled counter-measures against perceived adversaries in most civilian settings. (See Chapter 3 on Legislation and Regulations.)

The word ‘doctrine’ would certainly not be acceptable for most private sector organisations utilising English language. Doctrine is defined by FreeDictionary.com as: “A principle or body of principles presented for acceptance or belief, as by a religious, political, scientific, or philosophic group; dogma”. In government parlance doctrine can be understood as: “A statement of official government policy, especially in foreign affairs and military strategy” (63).

Many private sector employees may agree with the Lebanese journalist, Amin Maalouf, when he said: “Doctrines are meant to serve man, not the other way around” (64). Indeed, a significant portion may well have consciously opted to not join the armed forces or law enforcement roles because their organisation’s activities are perceived to be too rigid, intrusive or hierarchical.

Moreover, if we think back to the army doctrine in many private organisations, security operations are rarely permitted in the civilian sphere, unless led by a law-enforcement agency. Indeed, recommendations around protective security arrangements in private companies – especially if they are blunt and non-consultative – may be perceived by managers outside the security function as a direct threat to organisational resilience. This is because some people fairly perceive that some security measures create more threats than they solve. Here are some questionable examples of security improvements: access controls that would block a quick evacuation; introducing CCTV at access points where coincidentally staff smokers congregate; this may be perceived as overly aggressive. Alternatively, random bag searches carried out upon employees in low or moderate-risk environments could be viewed as totally draconian. Such intrusive measures could establish the view that staff are mistrusted, increase staff turnover and dissatisfaction, or even lead to allegations of bullying and discrimination. As Briggs and Edwards point out: “the foundation of effective security is trust, and there is a danger that an over-formalised and rigid approach to security undermines rather than reinforce trust” (66). Such cultural obstacles can be bridged by providing a sensible explanation of security improvements via induction sessions, feedback forums and other ‘ice-breaking’ methods (67).

Thus, achieving the right cultural fit in terms of recommending a suitable security strategy that gels well with wider organisational culture, is a critical business skill. A security manager who is deficient in understanding the organisational context and culture of their employer or client, could also be absolutely proficient in all other necessary technical security areas. But they cannot possibly claim to be ‘proficient’ until they improve their organisational cultural antennae.

Proficiency and training

“The safety policy and procedures were in place: the practice was deficient.” – Lord Cullen’s report into the Piper Alpha disaster, 1990 (68)

London-based fitness instructor, Roger Green, is an ex Royal Marines Commando. He adeptly summarises an ethos of training that might appear anathema to some civilian sector workplace environments:

“If you run the same route or conduct the same weights programme every day, your body will get used to this, and you will not improve performance. Circuits and boot camps are excellent as they employ a principle called ‘dislocation of expectation’ meaning you do not know what is going to come next, so your body is shocked, but this leads to increased performance and progression, and ultimately a change in body shape” (69).

The British Marines’ training mantra of ‘dislocated expectations’ has an underpinning philosophy and purpose. It is to acknowledge that we find out more about individual and team potential by being tested in unfamiliar domains and analysing reactions to negative or unpredictable events. Such a method does highlight, in comparison, the risks of rehearsing and training for crises in sterile and familiar environments. How can we maximise the benefits of training if activities are designed not to tip delegates out of their comfort zone and course feedback is issued on the proviso that it does not dent self-confidence or upset existing organisational equilibrium?

Intended to assist emergency planners in civilian domains, many UK local authority emergency planning teams provide valuable advice and templates for employers and businesses seeking to enhance business continuity management (BCM) capabilities. Sometimes local authorities will also facilitate ‘buddy’ initiatives, whereby larger companies mentor and assist smaller neighbouring businesses. Many security and BCM guidance documents and templates are also published online by UK local authorities. For example, a write-up of crisis training by Humber emergency planning service:

“During the exercise, you might want to think about blowing the objectives up and taping them around the room so people are constantly reminded of them.”

Then later:

“Testing smaller parts of the plan has some real benefits. It allows you to involve experts whose role in a bigger exercise might be so small that you couldn’t justify bringing them along. We recently ran a media specific exercise where we were able to involve media officers and spent two hours talking about details we would have brushed over in ten minutes in previous exercises (71).”

Here is some further advice from international IT services provider, Capgemini: “As the goal of testing is to discover defects in the plan, a successful test is the test that does not successfully execute all aspects of a continuity or disaster recovery plan” (72). Both documents summarise a training environment that is hardly lifelike in comparison to a fast-moving and often emotionally-impacted crisis situation. But by considering some of the granular parts of wider contingency planning, this type of important detail (such as up-to-date individual contact telephone numbers) may well get missed in a fully-fledged kinetic dress rehearsal. Such detailed planning, often tackling a critical emergency planning phase at a time, can provide the overall scaffolding to achieving maximised individual and team proficiency, so long as the overall strategy is upheld, and component parts are integrated into a functioning contingency strategy. Such documents also reveal the real-world limitations of testing for security and emergency incidents in most civilian environments. The reality is that, in corporate and civilian environments, security management is not the central purpose of everyday working life for the vast majority of busy employees. It is merely viewed as an important background function. Thus legal, cultural and emotional considerations do have to be treated seriously; particularly by outside consultants who may well not have built up enough internal goodwill within the client organisation to offset any subsequent insensitivities or glitches.

Proficiency: Learning and education

Proficiency can be taken to mean a high degree of skill and expertise, incorporating capabilities of excellence, adroitness, professionalism and aptitude within a role or subject discipline. At the time of writing, a search on Google of ‘proficient security’ conjures around 15.5 million results, including a company based in Essex that goes by that very name, Proficient Security. Undoubtedly, millions of examples of proficiency in the kaleidoscopic range of security activities practiced by millions of security sector employees, do actually exist. But in this book, for the purposes of clarity and brevity, we are going to have to be a little bit discriminating! Flagship award ceremonies, including the annual UK-based Security Excellence Awards and the US-based ASIS Accolades Awards do provide some security management good practice examples (73).

Human beings can build individual proficiency by embracing a range of techniques. These include: active learning (experiential and observational), training, role-playing and war-gaming but also the accumulative expertise generated by reading and a sense of inquiry. Successful security entrepreneurship is founded upon aggressive and relevant knowledge acquisition – such as access to business intelligence and regional risk reports – in order to provide us with insight and higher levels of knowledge than that achieved by our competitors or adversaries.

Nevertheless, as a concept, proficiency also suggests an extra dimension of capability; awareness. As we will see, awareness is inextricably related to experience. If Malcolm Gladwell’s notion that it takes 10,000 hours of practice to ‘master’ a discipline is a little daunting, then perhaps help is at hand (74). The famous four-phase learning matrix also known as the conscious competence ladder does help us to understand at what levels of proficiency we may realistically be said to have achieved.

In essence, humans move up a four-phase competence ladder as they acquire more knowledge and experiential learning. In all domains of learning and competence measuring, individual awareness of knowledge gaps, or unconscious expertise, can be quite unrealistic. (Most of us sadly convince ourselves that we are great car drivers, especially on an empty road.) But I’m sure those who have tried to master a new language, or learn a new musical instrument, will recognise the following four stages (see Figure 12 below), even if they haven’t necessarily reached all of them yet.

How human beings learn

It is worth familiarising ourselves with the work of some of the most influential educationalists of modern times. Eminent among them is Benjamin Bloom (77). Bloom chaired a committee of US-based educational psychologists to identify methods of most effective learning in order to promote higher forms of thinking. His work culminated in a diagrammatic ‘taxonomy of learning’ (see below). Bloom and his educationalist supports advocated methods of learning based around evaluation, analysis and creation, and stepping upwards beyond rote learning and the retention of supposed facts.

Experiential learning

In many ways, David Kolb consolidated Bloom’s findings around the cognitive domain when he demonstrated that human beings learn through processes of discovery and experience, and then experimentation. Experience plays the primary role in our learning processes Kolb asserts. Kolb illustrates this through his Experiential learning cycle model; now adopted and understood by educationalists around the world (79).

Dual process theory

Nobel Prize-winning psychologist, Daniel Kahneman, neither contradicts Bloom or Kolb but he uses his experience from conducting and critiquing decades of exercises in cognitive psychology in order to demonstrate dual process theory. This well-established cognitive learning concept is by no means Kahneman’s invention. But his book Thinking fast and slow is a collection of remarkable observations which clearly demonstrate the strengths of reflective thinking, and show up the pitfalls of relying on gut instinct, immediate decision making (81). Kahneman’s book shows us that the celebrated notion of an accurate ‘policeman’s hunch’ might be a little more harmful than traditionalists might like to accept!

Kahneman provides several humorous and compelling exercise scenarios for readers to demonstrate that the human brain functions as two complementary systems: System 1 is effortless, instinctive, intuitive and unconscious. However, this can be overridden by a System 2 which is more effortful, analytical, intentional and reflective. Such decision making often ‘corrects’ System 1, asserts Kahneman (82).

E-learning and personal development

Increasingly, students and tutors are almost fully dependent on virtual learning environment (VLE) teaching approaches. As a tutor, my own students are located in the many medium-to-high risk environments; some face curbs to internet access. Some learners are based on vessels conducting anti-piracy and other maritime security operations. Others are located within states experiencing chronic social, political and military disorder, or inside disaster recovery zones. Such operating environments present major challenges around access to e-learning and support technologies. Nevertheless, security staff based in such locations still require professional development; indeed, perhaps it becomes even more vital to instil training and educational cultures.

As such, the well-researched findings of e-learning pedagogic specialists, such as Karen Barnstable, Pam Moule and Gilly Salmon, have added real value to the distance learning field.

In her blog Stable Transitions: A Journey of Learning, Karen Barnstable produced three top tips for online tutoring instructors. The Three Ps of Online Instruction include being ‘proactive’. Barnstable states: “know your course, know your students”, by way of “regular announcements and interventions”. Second, be ‘professional’ by issuing “timely responses, established office hours, the use of professional language inter alia” (84). Third, be ‘personable’ and consider how to “add inspiration or suggestions to responses”. Barnstable seems to recommend a much heightened level of personal communications with distant learners and also a more direct, instructive, approach compared to traditional classroom delivery methods.

Salmon produced a five-stage model for e-moderating by identifying five core stages for course moderators:

1.   Access and motivation

2.   Online socialisation

3.   Information exchange

4.   Knowledge construction

5.   Development (85).

Fellow e-learning specialist, Pam Moule, found that some e-learning programmes were “too dependent on group networking and brainstorming and therefore could hinder students’ progress through stages of the [Salmon] model, and potentially up the e-learning ladder” (86). Moule further recommends that there is significant “potential available to use e-learning as part of an integrated approach that includes face-to-face delivery” (87). In the security management sphere, this has indeed been achieved by various higher education establishments in the UK – including Buckinghamshire New University, Cranfield and Portsmouth University – that blend e-learning with classroom delivery and tutorials held over VOIP and/or digital media platforms, such as Skype and Blackboard.

Higher education: UK professional standards framework

Educationalist John Dewey, from the famous Chicago school, reflected in his book How We Think that: “We do not learn from experience … we learn from reflecting on experience” (88). A century later, consolidating Dewey’s findings, a UK professional standards framework was produced by the Higher Education Academy. The HEA’s framework sought to better prepare students for a knowledge-based economy, whereby the vast majority of national university education was more strongly aligned to providing a mix of practical and academic learning techniques. The aim was to help lever graduate and post-graduate students into a stronger employment market position; to improve prospects for graduate employability. The 2011 Framework comprises of 16 overall areas of activity, existing across ‘three dimensions’, these being: areas of activity, core knowledge and professional values (89).

Originally intended for university and college lecturers, the framework actually provides a very decent professional overview of some key ingredients required in order to develop thought-leadership and high-end market respectability. It’s a truly useful document for security practitioners interested in continued professional development for themselves, or for conceptual implementation across a larger organisation, including corporate environments. What better way can there be, either by becoming a subject matter expert or developing a campus of expertise within your company, in order to attract clients and wow stakeholders?

Awareness and proficiency

“We are sometimes blind to what we see. And we are also blind to what we are blind to.” – Nobel literature award winner and psychologist, Daniel Kahneman (90)

The key to achieving proficiency is, of course, a great exertion and sense of inquiry around one’s chosen specialism. Possessing a demonstrable body of relevant knowledge, inevitably does lead to respect by peers and fellow professionals. But, does such an encyclopaedic knowledge-base of our discipline invariably mean that we are proficient? Not at all! Security management is a role whereby colleagues and clients look to us to have continuous situational awareness. The following two video clips may provide some surprises as to how deficient most of us human beings are at recognising situational changes:

Further information: Proficiency and standards bodies

It would take a whole book to capture the entire educational and standards architecture within the security industry. Below I describe several notable organisations:

British Standards Institute

“Standards are a tried and tested way to work more efficiently and effectively. They help organisations to improve their performance, reduce their risk and help them be more sustainable (91).” – BSI online

The BSI facilitates several committees of subject matter experts (SMEs) to produce and agree basic guidance for a plethora of security management, information security management, emergency management and business continuity-related challenges. The principal forum – yet not the only board – overseeing security and business continuity-related matter is the societal security management (SSM) committee, at present working on standards and/or publicly available specifications in crisis management, private security contracting and overall organisational resilience. Key guidance so far produced by SSM and more technical committees, include:

BS 8418 – 2010 CCTV

BS 8243 – 2010 Alarms

BS 7858 – 2009 Security screening of employees

BS 8484 – 2009 Lone worker devices

BS 7984 – 2008 Key-holding and response services

PAS97 – 2009 Mail screening

BS 8507-1 2008 Close protection services

ISO/IEC 27001 – Information security

ISO27031 – ICT continuity and best practice

BS 25999-2 Business continuity (now ISO22301).

Much of the guidance produced by the world’s most prominent standards organisations, including Australia, Canada, France, Germany, the United States and Japan, can end up being promoted, debated and accepted as international standards by the International Standards Organisation.

The emergence, and growth, in security and related disciplines has had a profound impact on supply chains and, indeed, all entrepreneurs. Many buyers, particularly public authorities, seek reassurance from within their supply chain that contractors and service providers are fully compliant and accredited to certain national and international standards. For example:

“The UK government, in a strategic effort to make Cloud services available to UK public sector organisations, has set up the Cloud Store, through which Cloud services can be procured. In order to be listed, a Cloud Service Provider has to go through a formal accreditation process. This builds on a fully-scoped ISO27001 certification and is usually to provide services rated at either IL2 or IL3 (92).”

National occupational standards (NOS)

NOS are baseline standards written by industry practitioners to ensure that workplace qualification courses cover key areas within a stipulated job area. For example, in the security domain, several NOSs exist to assist training providers and course validation authorities (such as the influential not-for-profit organisation Skills for Security) design, develop and monitor the standard of training courses (academic levels 1-3). They can also be vital in helping organisations develop their own training initiatives, appraisals, policies, operating procedures and guidance. NOS publications include:

•   security search operations (2013)

•   eEvent security operations (2013)

•   electronic security systems (2013)

•   security management (2012)

•   mechanical fire protection (2012)

•   port security operations (2011)

•   CCTV operations (2011)

•   providing close protection (2011)

•   enforcement agents (2011)

•   security and loss prevention

•   private investigators (2010)

•   security dog handling (2009)

•   physical security (2009)

•   human identity and biometrics (2009)

•   information destruction operations (2009).

Source: Skills for Security website: 2013 (93)

National security inspectorate (UK) (NSI)

The NSI aims to “be the ultimate reassurance in fire, security and related facilities management approval”. The NSI evolved from a number of trade quality organisations which were concerned about poor standards within the security and fire alarm industry which potentially caused major lapses in health, safety and security functions and undermined consumer confidence in industry solutions around crime and fire prevention. The NSO carries out what it describes as: “robust, high-quality audits of home security, business security and fire safety service providers”. Companies apply to be audited and quality checked by the NSI, in order to provide customers, and their own internal stakeholders, with assurance and confidence (94).

UK security industry authority

Following a number of high-profile lapses in standards of private sector security practice, the UK government passed the Private Security Act 2001, and established a security industry authority (SIA). The SIA issues licenses for a variety of security functions and also runs an approved contractor scheme, a bill which included the formation of a formal security authority, which was accountable to the Home Office and its lead government minister. According to the organisation’s website: “SIA licensing covers manned guarding (including security guarding, door supervision, close protection, cash and valuables in transit, and public space surveillance using CCTV), key holding and vehicle immobilising. Licensing ensures that private security operatives are ‘fit and proper’ persons who are properly trained and qualified to do their job” (95). Nicely put.

Chapter 2: Wrap-up

In closing this chapter on Management, we reflect on some of the approaches and attributes that will help your company gain the competitive edge. These include:

•   According to veteran security management guru, Charles (Chuck) Sennewald: “Despite some major downsizing, corporate mergers, and the growing emergence of facilities management and technology replacing some security personnel, security is now viewed as a critical part of most organisations today, with security professionals reporting directly to senior management, if not the chief executive officer”.

•   During major threats and incidents, the security team will gain prominence. Utilisation and professionalism by the wider business will be demanded from every quarter. The observable skill of a security function’s response will be assessed and hopefully well received.

•   Before any presentational pitch, or meeting with company executives, an advanced security consultant will diligently conduct market research and specific analysis around an organisation’s security risks, but also try to establish the main motivations or goals of its executive leadership.

•   The security function can act as an organisational shock absorber which can prevent a negative incident morphing into wider crisis or contagion. Therefore, much professional focus nowadays centres on how well the modern security professional can understand and proficiently plan for wider issues that have a strong likelihood of impacting organisational resilience issues.

•   Substantial security professionalism is more a mindset, than a trade. All security professionals are expected in the modern era to actively absorb, understand and ultimately translate an array of corporate security risks, which may well start out as harmless intangibles, but if left ignored or mishandled, can cause severe organisational damage in the longer run.

•   ROI must be communicated clearly at all times, by all security contractors. As one CP company boss put it: “My client is not just the security director at a given organisation, but his boss, his executive team and his CEO, who come into contact with my staff day in and day out”.

•   Accepting and deploying the utility of explicit key measurables (data sets), by embracing business quantification methods, will undoubtedly give any security company the competitive edge. But each success story does require further communication to the client; because spreadsheets and algorithms hardly sell themselves!

•   Security procurement can be an emotionally-driven, volatile buying environment, whereby potential customers run hot and then turn cold; especially when a crisis cools down. At all times, be careful to offer a proportionate response, based on what is best for the client organisation. Consider how your suggested solutions will be viewed a little further down the timeline. US Defense Secretary, Bob McNamara, called this form of cool-headed, pragmatic response the ‘daylight test’.

•   Progress and client-value should be demonstrated at all times during implementation of a security project. Moreover, leadership and management are increasingly mobile in modern corporate environments, so beware: it may be that your initial buyers and sponsors have already left the building!

•   Those entrepreneurs and managers who travel by autopilot will only be able to fly so fast, and so high, for a limited amount of time. As Sir Richard Branson recently told Forbes Magazine: “Researching the competition has never been the Virgin way. Many of our products and services come about because we pay attention to what the market is missing or what’s not being done well”.

References

1)   BSIA (2012)

2)   McAslan, A. (2010), ‘Organisational Resilience Understanding the Concept and its Application’. Torrens Resilience Institute. Available from: http://torrensresilience.org/images/pdfs/organisational%20resilience.pdf

3)   World Economic Forum (2013), ‘Global Risks Report’

4)   Sennewald, C. (2003) ‘Effective Security Management’, New York: Butterworth-Heinemann

5)   Ibid p.44

6)   Ibid. p.43

7)   Frisch, B., (2011), ‘Who really makes the decisions in your company?’ HBR, accessed and downloaded on 19/02/2015 at: https://hbr.org/2011/12/who-really-makes-the-big-decisions-in-your-company

8)   Grant, R., (n.d.) ‘Contemporary Strategy Analysis’ p. 121

9)   Ibid. p.129

10)   Ibid. p.89

11)   Ibid. p.67

12)   Ibid. p.74

13)   Ibid. p.75

14)   Ibid

15)   Ibid. p.82

16)   Edwards. C., (2009), ‘Resilient Nation’

17)   Ibid.

18)   Sutcliffe, K.M. and Vogus, T.J. (2003), ‘Organizing for Resilience’, University of Pennsylvania. Available from: http://cpor.org/ro/sutcliffevogus(2003).pdf

19)   McAslan, A. (2010), ‘Organisational Resilience Understanding the Concept and its Application’. Torrens Resilience Institute. Available from: http://torrensresilience.org/images/pdfs/organisational%20resilience.pdf

20)   Op. Cit., Edwards: 2009: 16

21)   (NIAC: 2009: 10)

22)   London First, NaCTSO and BCI (2006), Expecting the unexpected: Business continuity in an uncertain world

23)   A number of academic courses refer to Business Continuity, Security and Emergency Planning being core sub-disciplines of ‘organisational resilience’ including the Bucks New University MSc programme

24)   BCI website (2015), ‘What is BC?’ accessed and downloaded on 20/02/2015 at:

25)   G4S Organisational Resilience Roundtable, hosted by Robert Hall, at London Headquarters, July 2012

26)   McAslan: 2011: 7

27)   Interview with Jon Hill, MD of Polaris, in London on 25/02/2015

28)   Gordon., A., (2009) Future Savvy

29)   C., Meyer 2009:17

30)   C., Sennewald

31)   C., Sennewald 2003: 4

32)   C., Sennewald (2003: 59)

33)   Branson., R, (n.d.) quoted online and downloaded on 21 10 2013 from: www.brainyquote.com/quotes/authors/r/richard_branson.html#3Qr25uycsibMjv4x.99

34)   Kahneman., D., (2012), ‘Thinking fast and slow’, London: Penguin

35)   Schoemaker (2013), ‘Five ways to know what your customers want before they do’ downloaded on 21 10 2013 from: www.inc.com/paul-schoemaker/5-ways-to-know-what-your-customer-wants.html

36)   Haselmaier., J, (2013) ‘Think You Know How To Meet Customer Needs?’, downloaded on 21 10 2013 from: www.pragmaticmarketing.com/resources/think-you-know-how-to-meet-customer-needs

37)   Shawbel, D., (23/09/2014), ‘Richard Branson’s Three Most Important Leadership Principles’, accessed and downloaded on 22/02/2015 at: www.forbes.com/sites/danschawbel/2014/09/23/richard-branson-his-3-most-important-leadership-principles/

38)   Rumelt (1982), ‘Diversification Strategy and Profitability.’ Strategic Management Journal 3., pp. 359-69

39)   Galbraith., J., and Kazanjian, R., (1986) ‘Strategy Implementation: Structure, Systems and Processes (2^nd ed.): West Publishing, St Paul, MN

40)   Porter., M., (1980) ‘Competitive Strategy’. New York: Free Press

41)   Ideaelevator.co.uk/ was accessed and downloaded on 22/02/2015 at: http://ideaelevator.co/tag/product-life-cycle/

42)   SymphonyIRI., (2013) ‘Data Sheet: Walmart Customer Advantage’, downloaded from: www.iriworldwide.com/Portals/0/ArticlePdfs/Customer-Advantage-DS.pdf

43)   (2013) Undercover Boss UK: Securitas’s Chief Executive Geoff Zeidler steps out of the boardroom www.youtube.com/watch?v=CQX8UMaf60g (47.39) and (2013) Undercover Boss USA: University of California Riverside Chancellor sees his campus through the eyes of visitors and staff (English narration, Spanish subtitles):

44)   InfoEntrepreneurs (2013) ‘Know Your Customer’s Needs’, downloaded on 21 10 2013 from: www.infoentrepreneurs.org/en/guides/know-your-customers--needs/

45)   Canada Business Network online, ‘Infoentrepreneurs’ accessed and downloaded on 22/02/2015 at: www.infoentrepreneurs.org/en/guides/know-your-customers--needs/

46)   Longley., R, (2013) ‘Why small businesses fail’, accessed and downloaded on 22/10/2013 at: http://usgovinfo.about.com/od/smallbusiness/a/whybusfail.htm

47)   Ames., M., (1983) ‘Small Business Management’, West Publishing, St Paul MN

48)   Mindtools (2013), ‘Five diseases of management, downloaded on 21 10 2013 from: www.mindtools.com/pages/Newsletters/22Oct13.htm

49)   Balanced Score Card Institute: accessed and downloaded on 08/11/2013 at: http://balancedscorecard.org/Resources/AbouttheBalancedScorecard/tabid/55/Default.aspx

50)   Ibid.

51)   12manage.com, (2013), Balanced Scorecard, downloaded on 08/11/2013 from: www.12manage.com/images/figure_bsc.jpg

52)   Mindtools (2013), ‘Critical Success Factors: Identifying the Things That Really Matter for Success’, accessed and downloaded on 21/10/2013 from: www.mindtools.com/pages/article/newLDR_80.htm

53)   Evans, H. (14/11/2014), ‘Thalidomide: how men who blighted the lives of thousands evaded justice’, accessed and downloaded on 22/02/2015 at: www.theguardian.com/society/2014/nov/14/-sp-thalidomide-pill-how-evaded-justice

54)   Robinson, P., (2013), Natural Law & Lawlessness: Modern Lessons from Pirates, Lepers, Eskimos, and Survivors, University of Pennsylvania, accessed and downloaded on 08/11/2013 at: http://scholarship.law. upenn.edu/cgi/viewcontent.cgi?article=1388&context=faculty_scholarship

55)   Budiansky, S., (2006), Her Majesty’s Spymaster: Elizabeth I, Sir Francis Walsingham, and the Birth of Modern Espionage: UK: Plume Books

56)   Army Doctrine Publication Operations, (2010) Shrivenham: Development, Concepts and Doctrine Centre. Downloaded on 21 10 2013 from: www.gov.uk/government/uploads/system/uploads/attachment_data/file/33695/ADPOperationsDec10.pdf

57)   Ibid

58)   Simply Psychology online (2015), ‘Maslow’s Hierarchy of Needs’, accessed and downloaded on 22/02/2015 at: www.simplypsychology.org/maslow.html

59)   Op., Cit., ADP: 2010: pp.2-23

60)   Shakespeare, W., (1603), ‘Hamlet’, Act 2, Scene 2, published in London between 1603 and 1605

61)   McAslan, A: 2010: 11

62)   McAslan and KPMG, 2007, p.12

63)   Freedictionary.com, definition of “doctrine” accessed and downloaded on 22/02/2015 at: www.thefreedictionary.com/doctrine

64)   Maalouf, A., (n.d.) cited on goodreads.com website, accessed and downloaded on 25/02/2015 at: www.goodreads.com/quotes/463454-doctrines-are-meant-to-serve-man-not-the-other-way

65)   Morgan Stanley, (2013) Mission Statement, Company Culture and Diversity Strategy, downloaded on 21 10 2013 from: http://bankingisback. toigofoundation.org/firmProfile_MS.html

66)   Briggs, R. and Edwards C, (2006) ‘The Business of Resilience’, London:Demos. p.37

67)   Ibid

68)   Cullen Report. In Oil & Gas UK, (1990), ‘Piper Alpha Disaster Lessons Learned’: accessed and downloaded on 21/10/2013 at: www.oilandgasuk.co.uk/cmsfiles/modules/publications/pdfs/HS048.pdf

69)   Green, R., (2013) Personal Fitness Training philosophy downloaded from website on 21 10 2013 from: www.rogergreenpersonaltraining.com/

70)   Teller et al (2006), Crisis Intervention Team Training For Police Officers Responding To Mental Disturbance Calls, Psychiatric Services, February 2006, Vol. 57, No. 2

71)   Humber Emergency Planning Service (2009), Business Continuity step-by-step guide Part 3 Testing and exercising your business continuity plan, downloaded on the 06 11 2013 from: www2.eastriding.gov.uk/EasySiteWeb/GatewayLink.aspx?alId=103463.

72)   Cap Gemeni (2013), ‘End to end business continuity testing’, accessed and downloaded on 06/11/2013 from: www.capgemini.com/sites/default/files/resource/pdf/bc_continuity_whitepaper.pdf

73)   ASIS (2013), ASIS International Selects 2013 Accolade Winners, downloaded on 21 10 2013 from: www.asisonline.org/News/Press-Room/Press-Releases/2013/Pages/ASIS-International-Selects-2013-Accolades-Winners.aspx#13838214886531&false and: United Business Media (UBM), Security Excellence Awards, accessed and downloaded on 06/11/2013 at: www.securityexcellenceawards.co.uk/

74)   Gladwell., M., (2008) Outliers, New York: Little, Brown and Company

75)   10minutemanager.com, ‘Competence Ladder’, accessed and downloaded on 07/11/2013 from: http://10minutemanager.com/wp-content/uploads/2013/10/Competence-ladder.jpg

76)   Mindtools (2013), ‘Conscious Competence Model’, accessed and downloaded on 07/11/2013 at: www.mindtools.com/pages/article/newISS_96.htm

77)   Bloom, B., (1956), ‘Taxonomy of Educational Objectives’, Handbook I, The Cognitive Domain 1, New York: David McKay Co Inc.

78)   www.ginabudi.com

79)   Kolb, D., (1984), ‘Experiential Learning: experience as the source of learning and development’, Englewood Cliffs: Prentice Hall

80)   University of Gloucestershire. (2015), accessed and downloaded on 23/02/2015 at: www2.glos.ac.uk/gdn/gibbs/ch2.htm

81)   Op., Cit., (Kahneman: 2012)

82)   Ibid

83)   Insbury, D., files downloaded on 21 10 2013 from: http://davesainsbury.files.wordpress.com/2013/02/untitled.png

84)   Barnstable, K., (2012), ‘Three P’s of Online Instruction, in Stable Transitions: A Journey of Learning’: accessed and downloaded on 23/11/12 from: http://kbarnstable.wordpress.com/2012/09/05/three-ps-of-online-instruction/

85)   Salmon, G., (2000) ‘E-Moderating, the key to teaching and learning online’: London and New York: Taylor and Francis

86)   Moule, P., (2007), ‘Challenging the five-stage model for e-learning: a new approach’, ALT-J, Research in Learning Technology, Vol.15, No.1, March 2007

87)   Ibid

88)   Dewey, J., (1910), ‘How We Think’, New York: Heath & Co.

89)   Higher Education Academy, (2012), ‘Framework Guidance Note 3: What are the Dimensions?’ March 2012. Accessed and downloaded on 23/11/2012 from: www.heacademy.ac.uk/ukpsf#dimensions

90)   Op., Cit., (Kahneman: 2012)

91)   British Standards Institute, pages for security related activity, accessed and downloaded on 08/11/2013 from: www.bsigroup.co.uk/en-GB/standards/#standards

92)   IT Governance (2013), ‘Cloud Security Governance’, downloaded on 08/11/2013 from: www.itgovernance.co.uk/cloud-governance.aspx

93)   Skills for Security (2013), National Occupational Standards, access website at: www.skillsforsecurity.org.uk/index.php/help/35/2

94)   National Security Inspectorate in the UK can be accessed at: www.nsi.org.uk/about-us/

95)   Security Industry Authority UK website can be accessed at: www.sia.homeoffice.gov.uk/Pages/home.aspx