The New Job Security
by Greg Hutchins
Security is an international issue that crosses borders. In today’s asymmetric war on terrorism, everyone and everything are possible targets.
Government and industry are expending many resources to keep the United States safe, opening up career opportunities for quality professionals.
Executive Order 13434, which came out this year, states:
In order to enhance the national security of the United States, including preventing, protecting against, responding to and recovering from natural and manmade disasters, such as acts of terrorism, it is the policy of the United States to promote education, training, and experience of current and future professionals in national security positions (security professionals) in executive departments and agencies. [1]
Organizations are writing security protocols and standards to respond to global threats. The International Organization for Standardization (ISO), responding to concerns that the survival of a nation’s citizenry requires the security of critical societal and infrastructure areas—not just national security—is developing systems of standards for societal security.
ISO’s families of security standards under development include ISO/IEC 27001, ISO/PAS 28000 and ISO/TC 223.
ISO/IEC 27001 covers requirements for IT security management systems. Similar to ISO 9000, it is the foundation for third-party cyber security audits and registration.
ISO/PAS 28000 provides specifications for supply chain security management systems to prevent terrorist events. The standard is perfectly timed, with reputation risk perhaps the major driver for its adoption.
No company wants to state on a national newscast that it did not have a supply chain security management system should an event occur in one of its shipping containers. No company wants to see its name on the front page of newspapers or its executives testifying about an event on Capitol Hill.
ISO’s work on ISO/TC 223 includes business continuity planning (BCP), sometimes simply called continuity planning. This area has become particularly critical since Hurricane Katrina, when the federal government and state and local jurisdictions couldn’t respond adequately.
If a tsunami, earthquake or terrorist incident occurs, public safety authorities don’t want to be in a similar predicament, so they are developing response plans.
ISO says it is getting into BCP to:
… work toward international standardization that provides protection from and response to risks of unintentionally, intentionally and naturally caused crises and disasters that disrupt and have consequences on societal functions. [2]
Career Growth Opportunities
Each of these families of security standards will require a new governance, accreditation and registration structure. Registrars will provide the security management system certifications. Auditors will have to be trained to conduct these security management system assessments.
Other employment and entrepreneurship opportunities abound in mitigating risks, developing risk plans and preventing catastrophic events from occurring. Quality professionals know that prevention, not inspection, is the way to ensure products and services conform to standards.
Securitas, one of the world’s largest security companies, views BCP as an emerging area in which quality professionals can add value. According to Fred Krift, vice president of quality at Securitas Security Services USA, “To support specific clients’ BCP requirements, Securitas has developed staffing augmentation plans that complement their individual response plans.”
Quality professionals can add value to IT and supply chain security management systems, BCP and the development and adoption of new ISO standards related to these areas.
ISO/IEC 27001 follows the same process-based approach as ISO 9000, the quality management series, and ISO 14000, the environmental management system standard.
The challenge of supply chain management, such as container security, is moving from an inspection to a prevention mind-set. It is estimated that less than 10% of the containers coming into U.S. ports are inspected. Physically inspecting every single container entering the United States would be impractical and even impossible.
A company’s adoption of a supply chain security management system is a more realistic approach that would be more effective than conducting statistical inspection or even 100% inspection of containers.
The prevention logic applies to BCP and all ISO security management systems. As Krift from Securitas says:
Our continuity planning approach helps us to prioritize essential branch office service delivery processes, identify significant threats to normal operation and plan mitigation strategies that we can implement in responding to and recovering from a critical event. It addresses the essential business processes we manage … and it helps us identify specific levels of support needed to meet each of our clients’ unique response and recovery requirements.
The federal government has estimated that hundreds of thousands of companies, nonprofits and state/local agencies will become involved with security management systems and BCP.
This means there will be abundant consulting and employment opportunities in these areas for quality professionals who are aware and prepared.
1. Executive Order 13434, “National Security Professional Development,” May 17, 2007.
2. Business Plan ISO/TC 223, ISO, Nov. 24, 2006.
GREG HUTCHINS is an engineering principal with Quality Plus Engineering and Lean SCM in Portland, OR. His firm has received a certificate of conformance for its critical infrastructure protection forensics and assurance analytics from the Department of Homeland Security. He is a member of ASQ.