The SMT Forum

Judging by the huge reaction we’ve had to the inaugural SMT Forum (‘The SMT Forum’, November 2004, pp18-21), it’s clear that our initial thoughts were right… The industry is at a point in its development where a campaigning journal that can help shape the future of security management as a profession is desperately needed. Security Management Today is that journal, and shall continue to be so in the years ahead.

Those of you who’ve already perused and subsequently digested Part One of SMT’s Special Report from Securex will know that invited speakers visited Earls Court 2 in October to debate for and against the motion: ‘Should security management continue to remain as a separate discipline?’ This month, we reproduce an exact transcript of the hour-long Q+A session that followed the main presentations… and reveal the result of a straw poll of the audience.

Many interesting points were made. Some of them many of you will readily agree with, while others you may not. Several examples of perceived good and bad practice were brought to the fore as the core role and raison d’etre of the security manager was scrutinised in great depth. Is there a difference in the role between large and smaller organisations? Is outsourcing a good idea, and how important are reporting lines to – or even a seat on the – Board of Directors? All of these questions and more were considered at The SMT Forum.

Here’s the debate in full. Feel free to contact us with your views. We’d be delighted to publish them in the next available edition of the industry’s leading – and only – journal compiled each month for the UK’s dedicated band of practising security managers.

Malcolm Cheshire (executive principal, The Arkwood Centre): “Whenever I hear the term ‘facilities manager’, I’m reminded of the story of the minor celebrity who, having been refused entry to the VIP lounge, chooses to remonstrate with the receptionist. ‘Do you know who I am?’, he’ll say. ‘No’ states the receptionist in no uncertain tone. Facilities management has an over-inflated opinion of itself and constantly tries to enter areas where it doesn’t belong. It doesn’t really know what it is. I know Chris (Smith) offered us a definition, but with respect I don’t think there is an acceptable description to adequately explain facilities management. Business continuity and security define themselves.

“You need a clear vision of what you’re doing in order to be fully accountable. At the end of the day, the employees of any organisation need to feel secure. You need professional security for that. The facilities management-style approach just doesn’t cut it.”

Bob Holmwood (principal consultant, Buro Happold ITAC): “You’re right, Malcolm, in saying that the facilities management approach has a much wider, multi-disciplinary feel to it. If you attempt to define facilities management – and the British Institute of Facilities Management has been trying to do so for some considerable time – it is difficult.

“From our perspective on this side of the debate, we’re really proposing something of a ‘wake up call’ because facilities management is starting to gather a number of elements under its collective wing. For a number of reasons. For one, companies are looking at their structure and seeing that they have x number of managers dealing with x number of functions. They’re asking themselves if those managers can be ‘streamlined’ and functions doubled-up in order to save on costs.

“Also, there’s a misunderstanding of exactly what functions security and facilities management departments can actually do in reality. Without doubt, facilities managers are beginning to grab hold of the security role. Most of them do recognise, though, that what they can provide in security terms is mostly going to be reactive security. Security managers, on the other hand, can offer intelligence-driven security. There’s another option open to the host company, and that is the facilities-type approach to the problem.”

Michael Jasper (head of risk, The British Library): “We’re not saying: ‘Let’s get rid of security’, Malcolm. Quite obviously companies need it. Perhaps more so now than ever before. All we’re suggesting is that perhaps security needs a different direction in the years ahead.

“All the spurious arguments put forward by the panel speaking ‘For’ the motion must be addressed! Some companies are indeed wrong. The airline mentioned by Erez (Sharoni, general manager of UniSecure at The University of Hertfordshire) whose security manager is also an operational pilot… That’s neither workable nor practical. I agree with Erez there.

“We also hear about the miserable security officer. Perhaps it’s simply that they’re working at the wrong company for them.”

Erez Sharoni (security manager, The University of Hertfordshire at Hatfield): “Do you think that a facilities manager could set up a covert security operation with the same degree of accuracy and speed as myself, Michael? Yes or No?”

Michael Jasper: “The fall-back position for the security manager is that they’re going to say: ‘OK. Let’s take 10% of the incidents that happen in the security arena where you need that degree of security expertise and put that to the forefront. Rather than the remaining 90% of daily occurrences that could be adequately dealt with by a good quality facilities manager. That’s what we’re really talking about here. As an ex-police officer, five-to-ten per cent of my time was spent rushing around, arresting people. The rest of the role was concerned with the mundane. That could be seen to be the case in security as well.”

Mike Bluestone (Principal Consultant, Integra Security Solutions): “Malcolm has made some good points. I think the issue is really this. Chris (Smith, regional security manager for EMEA at HSBC Bank plc) mentioned that facilities managers have received a bit of a bashing today. That has been unintentional. Many of them are doing a first class job. However, as we mentioned in our deliveries at the beginning of this debate, facilities managers are implementers. They will be the first to admit, for example, that they’re not qualified to deal with the issues surrounding threat assessments. This is an ongoing, daily issue that’s key to the security function. We absolutely must understand that.

“In this dangerous world, where terrorism is on the increase and so too serious crime, it’s essential that any company has dedicated professionals on hand who can assess the threats and link them in to the policy and budget of the host company. That statement speaks for itself.”

Chris Smith (regional security manager EMEA, HSBC Bank plc): “There’s this quite terrifying pervasiveness that we have of major facilities management organisations approaching companies and saying: ‘We will provide you with a security service. We’ll do your catering. We’ll maintain the m&e systems.’ Often, the organisation concerned will not possess a given set of skills and so will look to buy them in. Somebody will have to pay for the management of the security company that’s brought in to be managed by the facilities management concern. In other words, the customer is paying twice.

“I think that there’s too much outsourcing going on. In some of the organisations I’ve dealt with the actual management of processes has been outsourced. I don’t think you can do that. It’s irresponsible. It’s OK to outsource a function, but the management of that function must be administered by an in-house team.”

Erez Sharoni: “I would add to that, Chris, and stress the issue of reporting lines. The facilities manager normally sits under a director or deputy director who reports to the Board. The head of security has to report directly to the Board. He or she will also be reporting on crime trends in the area and local problems relating to the site. From time to time you’ll find that there’s a conflict of interests within the organisation between security and where it actually sits in relation to the Board of Diectors.

“A prime example would be a broken window. Say a window has been smashed by thieves who’ve then gone on to steal something from inside the building. Who’s at fault here? Who needs to pay? If such damage sits under the jurisdiction of the Estate it’s the Estates Department. If you’d had a good quality, dedicated security manager on site then the window wouldn’t have been broken in the first place. There is a cost. Subcontracting means overheads, which need to be paid. Somebody is making lots of money from that. Somebody has to drive the BMW, I guess.”

Stuart Lowden (managing director, Wilson James): “The security industry has put itself in this mess. Back to the issue of soft targets, there are notable exceptions but over the years the industry has allowed itself to be pushed down the pecking order. Particularly so when it comes down to budgets. Ultimately, the client needs to decide how much funding they will allocate to mitigate risk. They’ll take the view that they’d rather spend it with a facilities management service provider than employ a security specialist.

“Who’s to blame for that? I would argue that the industry as a whole is to blame. We need to be far less complacent. We actually need to get off our backsides and look for ways in which we can make ourselves more indispensable. I don’t think we can blame the facilities management companies or the clients if we have just let it happen. It’s high time we did something about it.”

Bill Wyllie (SMT Forum chairman and head of security and vice-president, MBNA Bank Europe): “That’s a good point, Stuart. If people don’t shop at the local greengrocery store that you own you don’t blame the customers. Rather, you lay the stalls out better, having researched your target market.”

Michael McCarthy (freelance security manager working across a number of companies and disciplines): “I think the two Panels of speakers are in a great deal more agreement than they think they are! At the end of the day I feel there’s a role for the dedicated security manager if they’re in a particular company where the threat is higher now than at any time in the past. I’m thinking about the oil companies, the finance houses and the pharmaceutical firms. I can understand there’s a need for a manager here who knows the threat intimately and has an in-depth background on the company itself.

“On the other hand, if your company’s in a lower threat sector or simply faces a lower level of threat then there’s no reason why the facilities manager cannot assume the security role and buy in expertise as and when required. Actually, the two roles of facilities manager and security manager sit very close together.”

Michael Jasper: “If there is a situation on site where there are unhappy and disgruntled security officers, isn’t that about management rather than the quality of the officers themselves? I’ve encountered some dreadful security managers in my time, but then I’ve met some absolutely brilliant facilities managers who’ve been motivational and offered inspired leadership. That’s when you start to talk about good management in its own right, irrespective of what’s being managed.”

Mike Bluestone: “You’re right to recognise some common ground between security and facilities managers, Michael, and therefore between the two houses of this debate. The debate to be had, though, is whether security management should remain as a separate discipline, and you’ve clearly established and supported the motion by stating that there are several strands of business that will always need a security specialist because of the level of threat and risk that those industries face.”

Bill Wyllie: “Getting down to brass tacks and taking the argument to a ridiculous extreme, it’s clear that if you’re running a corner shop you don’t employ a security manager. The shop manager is the security manager in that scenario. Conversely, in a major international oil company, you wouldn’t have the chief executive doing everything himself. He would of course employ a specialist security manager.

“Thus if you’re focusing this debate it is that area inbetween we need to look at. The argument is: ‘At what point does an operation require a dedicated security manager and at what point is one not a requirement?’”

Chris Smith: “I must admit that I’m well aware of some security managers in smaller organisations who are performing a facilities management role.”

Bill Wyllie: “Could I step away from the chair myself for a moment and ask a question of the panel speaking against the notion that security management should remain a separate entity?

“Much of the discussion so far has centred on the security manager and his or her relationship with the facilities manager, but to my mind the latter role is one concerned with preserving the physical infrastructure and the physical environment, and incorporating employees within that. However, the security manager either has responsibility for (or relationships with those tasked to look after) elements like fraud, money laundering, business continuity, information security, investigations and vetting. With the possible exception of business continuity, which may sit well with a facilities management role, the rest don’t. They sit somewhere else in the company.

“That being the case, could the security manager’s role be performed by, say, the director of Human Resources?”

Bob Holmwood: “It’s an interesting point, Bill. If the security industry is going to change, and many feel that it should, then firstly it needs to define itself. It needs to command a position on the Board, or a voice on the Board. At that point it can look towards other avenues. You brought up an interesting point concerning business continuity, Bill. That should sit within the security manager’s remit because it’s the security manager who has the mindset for business continuity.

“At the moment, responsibility for this usually rests with the IT department. In this case, it’s all about opening up access to networks and information when in actual fact it should be about making networks and data transfer more secure. The security manager could reinvent himself, and give himself a higher profile by tackling such issues.”

Mike Bluestone: “Picking up on Bob’s argument, over the past 10 years or so I’ve seen the change in the Terms and Conditions that dedicated security managers are being offered by both the private and public sectors.

“If you look at the recruitment advertisements they’re demanding management competencies, etc, but they are also looking for people to take wider control of threat assessments, and tell members of the Board about risks and threats that they may not be aware of themselves. Therefore, there’s a genuine call for today’s security managers to be real innovators and deep thinkers in a way that they’ve never been in the past.

“Many multi-tasking managers have knocked on my door as a consultant and said: ‘I’m responsible for the manned security team, and I’m tasked with maintaining the CCTV, but I really don’t know how to deal with this spate of thefts or threatening letters,’ or whatever it might be. That’s where the professional security manager comes into his or her own.

“As an industry, we need to keep rethinking the developing and changing the role of the security manager. No one on my side of the debate is suggesting that it should stay as it is. It must change and develop, but that doesn’t mean we should be looking to ditch it or dilute the role. On the contrary, in fact.”

Chris Smith: “Darwen’s theory of evolution is not so much about survival of the fittest but those who are most adaptable to change – or willing to change – in order to survive. If you’re a security manager who’s been sitting alone in a silo and not understanding the full depth and breadth of the world outside, then the values you’ll be espousing will be wrong and you deserve to become ‘extinct’. Security managers must embrace all of the aspects that form the protective cloak that a given organisation needs in order to function effectively and ethically. To my mind, that’s the security manager’s role.”

Mike Bluestone: “It’s a fact that 85% of corporate fraud and theft is committed by current or former employees. Most facilities or multi-tasking managers who have a security remit do not engage in the screening and vetting process, nor the due diligence process. These are processes which are well understood and carried out by experienced, professional security managers.”

Michael Jasper: “I agree, but how many security managers out there, not just those in the top 10% of FTSE 100 organisations, have the skills to deal with such elements in any case? It may well be an increasing number, Mike, but we’ve only been talking about the last five-to-ten years when the industry has finally started to change.”

Bruce Dawson-Moray (site security manager for Wilson James at BP): “If a facilities manager has come from, say, an engineering background, they may have developed a mindset that closes them off from other ideas and different ways of doing things. However, he’s surrounded by deputies who will hopefully be professionals. They should have the necessary knowledge at hand according to their own training and education.

“In theory, you could take a corporate professional who knows what the risks are to the operation, and the industry within which the business sits, and they could manage the organisation’s security. However, they would need to be able to call on professional expertise to do so. That expertise must always sit in-house. Outsourcing everything to a consultant who may not know the corporate culture of the organisation will lead to disaster.”

Bill Wyllie: “OK, but how many ‘filters’ should there be between the senior security professional and the chief executive officer?”

Mike Bluestone: “You’ve made some excellent points, Bruce. I would argue, Bill, that we need to reduce the number of filters dividing the security management functionary from the Board. There are more security managers reporting to the Board now. That happens to be a fact.

“Your point about cultural backgrounds is very important, Bruce. Knowing the culture of an organisation is essential, and you’re absolutely right that no-one knows it better than an individual from within the company. Due to the ways in which security managers of today are developing and evolving, becoming smarter and better qualified, they’re probably in a position to have a much greater view of the company culture than any other discipline could hope for. Engineers and Human Resources professionals are focused on ring-fenced disciplines, whereas the security manager has to deal with all sorts of issues.”

Bill Wyllie: “There is a school of thought that says the only person who has the same breadth of knowledge as the company’s senior security professional is the chief executive officer because they’re both tasked with an overseeing, all-encompassing role.”

Stuart Lowden: “From my perspective, I’m regularly working with facilities management companies who are going out to the market and offering a package to clients with ourselves as a service partner, and they’re talking to organisations who are effectively removing their internal security management structure. These are both larger end users and middle-market concerns. That’s the battle the security profession needs to be aware of. There’s a risk of losing the war.

“If you have organisations who take that view of their own security, and don’t believe there’s a major risk, they’ll make some nice savings by doing away with the in-house set-up and employ a services partner to take care of matters for them. That battle is yet to be won.

“Chris talked about security managers making their own position redundant by not delivering. Well, if they do, they’ll also make the position of security manager redundant within that company, and it will not come back.”

Mike Bluestone: “If I can just interject there, Stuart. I’ve seen cases where security managers in medium-sized organisations have come in, managed threats and risks very well, reduced shrinkage and losses. Their company has then gone on to be more and more successful, and is taken over. The people who take over the business then look at the figures of that business. They recognise that shrinkage levels are at an all-time low, and look at the security manager who’s being paid a nice fat salary.

“There’s no problem for him to manage, they feel, and so take steps to make him redundant. In many instances, security managers can be victims of their own success and professionalism.”

Doug Cook (corporate security manager, T-Mobile): “I had a conversation not so long ago with another security manager, and he was proud of the fact that in his organisation – a very large company – he’s regularly asked for his views concerning security issues. On the other hand, I rarely see a director or have the occasion to talk to a director in my company unless problems arise. On that basis, we must be doing something right!

“I don’t think it matters too much where I sit within the company. What I do think is that the facilities manager believes security management is all about manned guarding. It’s just another contract. That’s an unfortunate view, as manned security is but one element of the security remit. The outsourcing logic extends to outsourcing the facilities management as well, don’t forget. The operation is then even further removed from the core business of the company.

“At this point there are then genuine accountability and responsibility issues at play. It’s for this reason that I fear security managers being aligned with facilities managers. Our profile will not be enhanced in any way.”

Bill Wyllie: “I once worked with a consultant by the name of Bill Cooter, and he told me that he invented a definition of security that said: ‘Security is the protection of the Board from the consequences of the unexpected’.

“We are not comparing apples with apples in that when we talk about security professionals, one of us is thinking about the guy on the door at the local branch of Woolworths while another will be thinking about Karl Barclay, Chris’ boss at HSBC.”

Erez Sharoni: “I agree with Stuart that the industry has brought itself to its knees thanks to the way in which it has been operating. There’s no argument about that. Particularly in the manned security sector, which is cut-throat. Licensing may offer some common ground and raise standards. Let’s hope so.

“Many organisations have outsourced security because they’re incapable of handling day-to-day security issues themselves. We need the role of the security manager to increase, not disappear because it can show dividends in terms of lower insurance premiums.

“We need to reach a stage where security is demonstrably providing an enhancement to the core activity of the business. Within the next five-to-ten years, we must strive for directors of security to be on the Board of Directors in every company where that situation is applicable.”