Friday, May 20, 2011

A Lingering Disconnect

Safety vs. Security: The conflating flourishes.   The certified security vulnerability analyst (CSVA) and like certifications championed by Chemical Facility Anti-Terrorism Standards (also known as CFATS and periodically the subject of full-throated debate among lawmakers) in its original state trace directly to a source of revenue created by the American Institute of Chemical Engineers (AIChE) between 2002 and 2003.  While these creations offer value if one is approaching security from zero, as presumed for the chemical sector, in the more mature areas of protection they quickly reveal some serious flaws.  Nothing better begins to illustrate this disconnect than the requirement for anyone seeking this certification to begin to qualify for it by necessarily being a process safety engineer for at least five years.  (Ironically, one or two of the three individuals who created the body of training material that went into preparing applicants for this certification numbered among my former subcontractors who possessed neither an engineering nor a safety pedigree, thereby making them unqualified to sit for the exam and certification they helped create.) 

The fundamental point of cognitive dissonance between safety and security when dealing with anti-terrorism is that the two disciplines see the world differently.  Safety, for the most part, is concerned with avoiding self-inflicted wounds.  Inherent in this mindset is the notion that most hazards are avoidable if properly communicated, hence the absolutely supreme importance of communicating everything to everyone to the fullest possible extent.

To the security professional, however, the concern is not with minimizing self-inflicted wounds.  It is with defending against the focused attack of adversaries bent on one’s annihilation.  In this world, overcommunicating means exposing one’s vulnerabilities to the point of inviting attack.  Consequently, security professionals board certified in security management cannot even qualify to sit for the Certified Protection Professional exam until they have demonstrated a good 10 years of having served in responsible charge in a security capacity, namely, of being the main person held accountable for the protection of people, property, or some kind of operation.  The level of security expertise on tap from a CPP is thus significantly more substantive than that of a CSVA who lacks any requirement for direct security experience but, instead, qualifies for the CSVA certification by virtue of a safety pedigree plus successful completion of a coin-operated program for manufacturing instant security experts.  Moreover, by embracing the process safety language and bias of AIChE, CFATS aligns its stated security function with a safety function which, in the world of asset protection, is a one-off endeavor.  Safety and security are not the same.  To the extent that CFATS continues to reflect a process safety bias that is oblivious to the traditional security focus on protection against hostile forces and instead accords greater priority to communicating hazards or OSHA-style compliance, the safety-security disconnect ultimately performs a disservice not only if extended to the water sector but even to the chemical sector.  Only the chemical sector, inured as it is to risk management process-intensive protocols and compliance orientation, finds the familiar in this safety bias, in other words, its comfort zone.  Sadly, this approach offers little anti-terrorism protective value in and of itself.

-- Nick Catrantzos