Thursday, December 16, 2010

Certification: IFPO vs. ASIS

Conventional wisdom says you should get your IFPO certifications (CPO for security officers, and CSSM for supervisors or managers) first, and your ASIS certifications (PSP for security officers and CPP for supervisors or managers) after you have been in the industry for 5-10 years. The ASIS certifications require a minimum amount of time for the PSP (5 years) and the highly-coveted CPP (7 years with a bachelor's degree, 10 years without, and of this time 3 of those years must be "in charge of a security function.") Conventional wisdom then contradicts itself with "the CSSM counts as a continuing education credit for maintaining the CPP credential, so it is good preparation for the CPP."

In my experience interviewing for management positions and being involved in training security officers on the job, and with my background in adult education, I differ with conventional wisdom on this:

  1. The IFPO materials are more for Security Companies than for individual security officers. If you are setting up a new security company, the IFPO materials provide a great instant training program for your security staff, from new hires to management.
  2. Everyone in the security industry knows who ASIS is.  If you mention that one of your goals is to be a CPP, the next question out of their mouth is likely to be "oh, are you already an ASIS member?"
  3. There are three kinds of companies out there: A) security companies that use IFPO materials, B) security companies that have sub-par training for their employees, and C) security companies with their own in-house training system. Most companies fit under the category of B and C and will look at you funny when you mention the IFPO. If the company does actually know who the IFPO is (company type A,) then your credentials bring nothing new to the table for them - you are only trained by the standards they have already set for themselves - nice, but not great.


So here's the IFPO + ASIS certification path that makes sense to me:

  1. IF and only if your work makes you, get the IFPO CPO. Studying the CSSM material at this point is a great idea because it's a top-notch management text, but no need for certification just yet.
  2. The first certification you pursue on your own is the ASIS PSP. Now you have an actual ASIS certification, even if it is not the CPP. It probably is good preparation for the CPP, covering some of the same technical material.
  3. A few years later you get the all-important ASIS CPP.
  4. You pick up the massively underappreciated IFPO CSSM for continuing education credits after getting your CPP (with little effort because you've been gawking at the material for years already.)


What this means to most security professionals is that they should be working on their ASIS PSP certification if they are not yet qualified for the ASIS CPP certification, only worrying about what the IFPO has to offer them AFTER getting the ASIS CPP certification. Summary: IFPO certification helps your employer, ASIS certification helps you.

Saturday, October 23, 2010

Deadly Questions

I recently went through a series of 4 interviews where I was basically offered a $60k/year job, and then they reneged on me just before the final "signing on the dotted line" meeting. The interviewer said this was as a result of my answers in the last interview*. (Other people from my company who have interviewed with this company say it seems this company does not like my company, and there are plenty of possible ways that could be.) Throughout this process I was asked a number of alarmingly provocative questions - the kind of questions that if you don't BS your way through, you are going to incriminate yourself.

One question they asked me about early on was "what do you know about being audited?" What they were probably talking about at the time (and I didn't get at the time because they did not say "security audit") is called a "penetration audit." A "penetration audit" is when someone employed by your client or security company tries to fool your security staff into not doing their job correctly. The client or security company then savagely beats the security manager for "not training the security staff sufficiently." This is why security companies own briefcases full of fake guns, bombs and other things that look like they belong in a toy store: they are for doing penetration audits. Of course if you know that your account was "being audited" - it means you failed the audit, so both a "yes" and a "no" answer to this question are incriminating, because either "you don't know" or you have made a major mistake as a security professional.

Half way through the interview process, they had me submit written answers to the following list of questions (which they later cross-examined me on in a panel interview, and then cross-examined the verbal answers from that interview in yet another interview):

1. Why are you interested in this opportunity with our company?
2. What do you know about our company?
3. Why do you wish to leave your current employer?
4. What criteria are you using to evaluate the company you hope to work for?
5. What are your career goals?
6. How will this opportunity help you achieve those goals?
7. What are the most rewarding/least rewarding aspects of your current job?
8. If someone asked your current manager what are your greatest strengths and your greatest weaknesses, what would they say?
9. How have you handled situations in which there’s conflicting information from a number of sources? How do you sort through it, get to the root issue, and develop a relatively simple and practical win-win solution?
10. How have you handled a surprise turn of events within an on-going project?
11. What certifications do you hold?
12. What is the current size of your staff?
13. What is your management style?
14. To you, what makes an effective/ineffective manager?
15. Are you able to manage simultaneous tasks? Please give examples.
16. What is an example of a time when you had to take a contrary position, against some significant opposition? How did it play out?
17. How would you rate your interpersonal skills?

So many man-traps to step in, so little time. My answers should have probably been measured in sentences rather than paragraphs.

* The questions from the final interview were (verbally):
1) name a serious mistake you have made in the work place, and what you have learned from it.
1.5) name three things you would hope to avoid in your next job.
2) where do you want to go with your career,
2.5) what qualities would your manager need to help you get where you want to go?

There is no way to give a satisfactory answer to these questions without careful planning or extreme dishonesty. (For example, I gave them 4 straight answers for questions 1 and 1.5, answers that were for completely unrelated events. However, I got the impression later that they thought that they were all about exactly the same event, so supposedly I would have hired a young female security officer who I then sexually harassed and got into trouble with HR... which of course I never said or did, or was ever even accused of doing, anything like that at all - those questions imply a correlation between your answers even when there is no correlation implied by your answers.)

What they are probably trying to do is make sure that the interviewee knows how to keep their answers short and not say anything to incriminate themselves. I want to collect a list of killer questions asked in interviews, and have my canned answers prepared. Feel free to leave nasty questions you have actually heard in interviews in the comments to this blog post.

Monday, October 11, 2010

Hospitals currently hiring in Seattle

At least 3 hospitals are currently hiring security staff in Seattle today, all of which you would apply for online through a website for that hospital:

1: Children's Hospital

2: Swedish Medical Center

3: Harborview Medical Center (apply through "UW Hires" website.)

The lowest one starts off at around $14.50 and has a pay scale based on experience that applies even when you are first hired including your previous experience. At least one of these hospitals is hiring 3+ security officers, so that your odds of getting on right now are very good. If you want to get into medical security, this is a good time to do it in Seattle if you are an experienced Security Officer.

Thursday, October 7, 2010

Stuxnet, Siemens hardcoded password and a new era of security vulnerability

Article discussing the Siemens hardcoded password in industrial control systems:
http://www.wired.com/threatlevel/2010/07/siemens-scada/

The above article citing the Siemens negligence/incompetence has been made extremely pertinent by the Stuxnet virus, which is the most important leap forward in threat level of any virus in history: http://www.wired.com/threatlevel/2010/07/siemens-scada/


The building I provide security to uses Siemens to control the building's processes and access. Stuxnet was meant for industrial systems such as nuclear power; it would be a case of over-alarm and exaggeration to say common office towers in Seattle are in imminent danger, at least as of 2010.

But programming technologies that are at one time difficult and only for the rarest breed of brilliant hacker are often eventually made into cookie-cutter/mass-produced programs that are simple to deploy by any malevolent middle-intellect. We may have entered an era in which the very systems we use to automate a site's security measures become a tool of bad guys, a tool they could use to unlock doors, turn off alarm monitors, or take any other action the industrial control system has in its scope of control.

-Lance Miller this.is.lance.miller@gmail.com

Sunday, June 27, 2010

Can security companies survive?

In the downtown Seattle core, we are starting to see some contracts go in-house, rather than use private security companies. I believe this could be part of a much larger trend. Here's why:


  • We are in a new age of economic austerity, and private contracting is only more efficient for temporary services. If you need a new annex built on to your building, it makes sense to hire private contractors to do it, because even if it is more expensive in the short term, it's much less expensive than permanently hiring on a full time construction staff. However, if you have an on-going regular need like IT for example, you will save money by hiring permanent IT staff because you cut out the private-contractor middle-men. So in the case of janitorial or security, it makes a lot more sense in times of tight economic budgets to have these services carried out by employees rather than by private contractor employees.
  • With the middle-men out of the way, there is more cash to go into wages, training, benefits, etc. which improves retention and thus professionalism and quality of service. In house security is better security, especially over the long run.
  • Another issue of professionalism is ethics. Ever since private security formed in the USA, there has been a temptation to use private security unethically (such as killing organized-union members, capturing escaped slaves, etc.) Many make the argument that the legal separation between an organization and its security staff through a 3rd party contractor allows for more legal protection. However, it seems that this protection is so that the organization can demand unethical behavior from the contractor, such as abusing the security staff themselves, manhandling the general public, and spying on employees in ways that would otherwise be a breach of contract. It is demoralizing for security staff to endure unethical behavior, and lowers retention and thus overall professionalism on the team. The overall quality of security services will improve as the organization owns its ethical decisions.
  • Because the USA is transitioning to a service economy, the newer employees coming into security are often better qualified and educated than the people already in the private security industry. These newer employees are also more in touch with the latest trends both "on the street" and with technology. There is often friction between the private security company's main office, and the on-site security staff who are already professionalizing faster than the main office. Cutting out that main office middle man will help organizations find out how to improve their security from the on-site security staff much more effectively.


Think about this: We seriously live in a world where a criminal or terrorist can stand across the street from a security officer with a smart phone, and take pictures of that security officer and his site, and sell those pictures in minutes to the highest bidder on the internet. Meanwhile the security officer can only retaliate with equal photographic force if he sneaks his game-playing, internet-browsing, texting, email-sending smart-phone into work past his employer. How can private security companies expect to survive under these pathetic conditions?

Wednesday, May 19, 2010

Terrorist threats and computer intrusions lead to onsite intrusions

Worst Case Scenario Thinking

I've been reading books and articles by Bruce Schneier since 2002, when I purchased Applied Cryptography. I have a 50/50 opinion of him: on some days or on some of his opinions I think he's right, and other times I disagree heartily. His recent write-up Worst-case thinking makes us nuts, not safe -CNN.com is one of his best critiques of security thinking. He basically says worst case thinking makes us ineffective by encouraging and substantiating any wild claim of likely future events. His quote and critique of Rumsfeld is especially entertaining.

I do think Schneier's prohibition on thinking about and preparing for the worst is a little too extreme. For instance I think all high profile government offices should anticipate an Oklahoma City bombing as at least higher than 0 probability, but of course lower than a 1.

Still, it is useful to consider an over-emphasis on the unlikely, bizarre and anomalous as unproductive preparation. In this frame of critique I'd like to suggest what is productive preparation:

  1. Incorporate every anticipation into your site plans.

  2. Make every task in your site plan truly doable by the employees you have. This implies officers performing with competence and honesty, but the greatest onus of responsibility is on security management to establish reasonable and doable tasks. Assigning the undoable is worse than no assignment at all, because it creates a norm to ignore orders. Of course discipline or terminate employees who do not perform reasonable orders they have had adequate training for.

  3. Daily (or hourly) routines are the antithesis of worst-case thinking; they are the blah kind of subject matter as opposed to imagining a nuclear bomb in a white van. Daily routines, such as patrols, are the holy grail. Security is only as good as these routines provide. The "worst case" is going to be stopped by these, not by an expensive consultant visiting your company and telling his battle stories.

  4. Of course it is entirely reasonable to factor in flamboyant threat-thought such as IED's and other terrorist tactics. Security officers should have access to a compact document describing materials and behaviors to watch for.

Computer Network Security

The site I work at is government. They have chosen to use especially vulnerable software, in some cases simply not updated, and in other cases a more vulnerable software when a cheaper remedy is well known and available. My security company, and myself, lack the authority or leverage to change their computer software to something more secure. We are moving further into a century in which every aspect of business activity is controllable via computer network. Physical intrusion into the sites we are assigned to protect will happen because the computer network was hacked. I anticipate years of tension and vulnerability for traditional security companies and their clients, as the computer network becomes more and more the entryway onto the physical site. Read: http://www.networkworld.com/community/blog/black-duck-eggs-and-other-secrets-chinese-hac

Wednesday, May 12, 2010

Industry Medicine

The math works something like this: if Obamacare materializes, and it appears that it will, most households making under $30k per year will be entitled to free health care. Hospitals and clinics will have a vastly increased need for security, because a lot of households don't make $30k and don't have health care. As people start to see health care as a right instead of a privilege, I suspect the average patient's behavior at the doctor's office isn't going to improve either. I suspect that these factors will grow demand and wages in security generally, promoting professionalism in the industry.

Here's the low-down on the Health Care Security-specific certification. The organization is called the IAHSS (International Association for Healthcare Security & Safety.) Their top level certification is called the CHPA (Certified Healthcare Protection Administrator.) They have 3 lesser certifications for Basic, Advanced, and Supervisor levels, which sound ideal for someone trying to get into the Health Care segment of the security industry.

Wednesday, April 14, 2010

Licensed investigative company offers cellphone location service

For $95 you can get the exact location of someone's cellphone. Another service they offer is a Telephone Card Spy: you give someone this calling card, tell them it's free, and encourage its use. You can then get info on every call made on it. Welcome to the 21st century.

http://www.best411.com/

Thursday, April 8, 2010

Union Advantages?

Private security's roots have a controversial anti-union history that we pride ourselves in. It's easy to see the conflicts-of-interest that the usually-mixed unions courting the security industry create. Even for a cutting-edge lefty-progressive like myself, unions put employees at odds with security business ownership, a problem because I want to see more worker-cooperatives in the security industry.

However, I have noticed that the top performing security companies in the Seattle area in 2010 have strong relationships with unions. This has forced me to look beyond my ideology and ask "is there a serious advantage to a security company being unionized?" I have come up with 4 points so far that are not dependent on each other, so any one of them stands as an advantage without any of the others:

1) I have heard "a good HR person can get around 80% of the union grievances that can come up, seriously deflating the power of the union: unions tend not to have the mental and monetary resources they need to provide effective services." The problem with this claim is that it outlines an important specific advantage for a security officer to be in a union: a good 20% of the time, the union will be able to keep him from getting fired when things get ugly.

2) Another claim is "all unions do is protect bad employees." In the security industry, "training = good employees." Unions often pressure employers to make training options more available to their employees. Unions also raise what employees can make at a job, increasing the odds of employees staying instead of moving to another job, thus increasing the amount of experience on the security team.

3) The companies that try to find loopholes out of contractual obligations to have their security officers unionized are not faring well right now. Though politics is a major factor, keep in mind there are politics going on for the individual security officer as well. If the security officer is not unionized and has to keep employees from stealing who are unionized, that security officer has a huge disadvantage in "my word against yours" situations. You can bet that many clients (or the people they answer to) understand this about security-services quality, in spite of whatever political pressures they are under.

4) Saying "unionization requirements for security accounts is only about politics" is taking a very narrow view, and ignores the academic management studies on this topic. People feel like they need to protect their jobs, and often keep feedback from their superiors. Because of this, HR often prides themselves in "telling people what they need to hear, even if it is not what they want to hear." Where Unions come into play is when HR or upper management needs to hear something that they don't want to hear. The union can give realistic information about employee needs and the health of the account that upper management can't get anywhere else.

Again, I sympathize with those that are concerned that unions harm the security industry. We need solid chains-of-command so we can act fast in emergencies. This does not invite employee feedback, and until recently we have thrived as we have rejected unions. However, we are in the middle of major paradigm shifts in the security industry right now. In nature, the more adaptable a creature is, the more likely it is to survive. The security companies that can't learn to live with unions will also fail to learn to live without them.

Monday, March 15, 2010

Surveillance Camera Debate

Bruce Schneier CNN.com essay:
http://www.schneier.com/essay-309.html
The surveillance camera industry rebuttal:
http://www.securityinfowatch.com/surveillance-industry-responds-bruce-schneier


I disagree with Schneier if he is advocating exclusively more manpower and little or no cameras. One of the retorts to Schneier refers to video footage as a superior forensic tool. Another retort mentions live cameras as a way for first responders to go straight to where the action is, especially in the case of the Virginia Tech shooter incident.


I'd like to dwell on video footage as a forensic tool, and make the extreme claim that video footage is always superior to someone's recollection and verbal account. The less forensic investigation relies on data stored in human brain cells, the better. Video or audio media is not inclined to subjective filtering, cultural preferences, or dishonesty. Humans are. Long live machines, our more honest and reliable resource.

Wednesday, February 10, 2010

Teen is beaten in bus tunnel; Metro to review security guard policies



Teen is beaten in bus tunnel; Metro to review policies -Seattle Times


QUOTING FROM THE SEATTLE TIMES ARTICLE:

The guards, who work for Olympic Security Services, provide security throughout the transit system.

According to the contract with Metro, guards with Olympic Security Services are instructed not to intervene when witnessing suspicious behavior or criminal activity, but to "observe and report" and radio the Metro Transit Control Center, which relays requests for assistance to the appropriate law-enforcement agencies.

According to the Sheriff's Office, the guards called the tunnel communication center after the Jan. 28 assault.

In light of the assault, Metro is reviewing the restriction on physically intervening in fights or other criminal activity, Desmond said.

Asked if he thought the guards acted appropriately in light of the policy, Desmond said, "The whole thing, in terms of what happened with or without a sensational video, is very concerning and very disturbing to us. On the face of it, the security guards were following the letter of the policy. I certainly wish they had done something different. ...

"We're talking with Olympic and we're going to change that policy," he said.

Thursday, February 4, 2010

(cdc.gov) NIOSH: Workplace violence resources

http://www.cdc.gov/niosh/docs/2006-144/

I just went through my WA state unarmed security guard license preparation class and test. I found the Workplace Violence info interesting and am looking into it further with online government/academic resources, cases and studies. This NIOSH site replicates things taught in the OSSI training session, and of course goes further.

I will add to this blog entry as I come across especially useful information.

Thursday, January 28, 2010

In Person Meeting

I would like to set up a meeting to talk about Security Information (Training, Equipment, etc.) from time to time, as people want to or have time to. Please let me know if anyone else has time to or wants to.

Networking

I was hoping to use this blog for networking among all levels of security professionals. As there are no email addresses for any member in the profiles, I hope that all members will change that in their profiles, so that there are easier networking tools for all members.

Wednesday, January 27, 2010

Smart Phones

I can see many ways to use smart phones within the security industry. The ideas are long and many, so I will add to this posting soon. If anyone has any thoughts on this, please post them.

Security Unions?

Any Thoughts?

Flex Work?

What are anyone's thoughts on flex work? Why would anyone work that kind of shift?

Tuesday, January 26, 2010

Job Openings

If anyone sees security-based job opportunities, please post them to the blog so that any of our members who are looking for work may see them, and so we can all get an idea about what's out there and what we can do to improve the way the security industry works for all who want to work in it.


Sorry, life's been crazy

Sorry to all members for not doing any upkeep on my blog. I hope now to be able to work more on the blog by networking with all of you and making this blog a useful tool for security professionals and anyone who wants to learn about what security does and where it is going.

Thanks