Security is a negative that can never be fully established, even if its breach or absence stands out like a tarantula on a wedge of banana cream pie. Any dilettante may spot a security failure, but even the best security expert will hesitate to proclaim a site, person, or operation entirely secure. In this context, it comes as no surprise that security invites opinions from all, whether expert or oaf. Why? Security numbers among the basics in the hierarchy of needs, falling between love and hunger (if the ghost of Abraham Maslow will permit this interpretation). And, as we have established above, even the unschooled may at least comment accurately on security failures, albeit they may lack the capacity to fix them.
Whence comes the capacity to perform troubleshooting and apply innovation to security problems? The answer may not be as intuitive as for other professions. The protection business, after all, still struggles for legitimacy in the realm of academic standing and industry credentials. True, there are security degrees and certifications. However, their presence or absence seldom proves dispositive in the hiring process. Verifiable experience in the area of urgent need remains the most important criterion in filling security positions. Unsurprisingly, security training tends to be narrow and task-oriented. The practitioner earning a living as an alarm technician rides that narrow expertise into a vice presidency. The one who starts out as a guard remains a perennial solver of all security problems by proposing to add more guards to the operation at risk. The cyber security practitioner spends an entire career defending data in electronic form. The defense contract security specialist makes a living complying to contractual requirements whose principal focus is administrative herding of classified material and all those who lay hands on it. How do any of these practitioners learn to tackle a workplace violence situation, a terrorist threat, a case of industrial espionage, or a sabotage attack by a radical group fiercely opposed to their employer's existence?
They learn one of two ways, if not both. Either they awake one day and find themselves assigned to handle the emergent security problem in one of those games of cosmic tag that the Fates handed them on the job, or they actively pursue the broadening of their security experience by working for a consultancy. The first is an act of chance; the second, of volition.
Consulting turns out to be a lousy job for practitioners whose proclivities and capacity incline more toward problem-solving than business acquisition. On the plus side, a busy consulting portfolio exposes the practitioner to a broad array of clients, environments, and security dilemmas. Surviving in this arena is impossible without delivering value, which in turn compels the practitioner to learn more than the mantras of one security niche and to also employ critical thinking to address predicaments that bedevil clients. Thriving in this world, however, takes another set of skills, and these are only incidentally related to actually protecting people or property, namely, business development.
In other words, one must be able to sell in order to advance to the highest, best-compensated level of security consulting. Selling requires talking, listening, promoting, and persuading others to take a chance by engaging one's firm to provide services for which there is seldom an absolute guarantee. At its absolute best (which is an executive talent distinct from glad-handing, back-slapping peddling), this skill translates into becoming the client's trusted adviser who delivers intangible value beyond solving a single security problem. It takes finesse to do this well, and it sometimes takes a vast reservoir of confidence which suffers if needlessly burdened by doubts based on a deep understanding of security challenges. As a result, it often happens in the best of security consultancies that the person who sells the job and sustains the client relationship is not at all the same as the one who does the actual work and solves the security challenges. This situation can be hard on both the client-facing and problem-solving consultants, but it is harder on the latter.
To the security consultant in the business to protect and to solve problems, selling the work may appear unsavory or secondary, a lousy job. To the consultancy, however, getting business comes first. Without it, there can be no consultancy, no income, no professional staff to solve client security problems, no client -- nothing. The consultancy is a car where a business developing executive is the accelerator and a security expert is the brake. The car needs both to function effectively, but first needs an accelerator. Otherwise, it is not a car but a cart. And so the executive consultant whose greatest expertise is in selling services invariably bubbles to the top of the hierarchy, earning more compensation, status, and decision-making authority than the security practitioner who is expert at solving client problems but less proficient at capturing new clients. The practitioner in these circumstances makes his peace with his limitations of skills or career prospects, develops selling skill to match or exceed security expertise, or leaves for other work more suited to his capacities and tastes.
Security consulting can be a lousy job. It is by nature episodic, which means one is constantly biting into different problems without staying around long enough to digest an entire meal. Some practitioners find this aspect of the work too unsettling; they want to be on the ship when it sails. Others, however, find this work bracing and broadening. Success at security consulting brings with it exposure to more people, places, and protection challenges than a career with one or even a handful of employers would afford. It is a broadening experience akin to learning a foreign language and functioning in a new country. The practitioner who has been effective as a security consultant offers a broad knowledge base and aptitude for getting results when hired to direct the security department of a public or private sector organization. This is one way that even lousy jobs can ultimately contribute to better security: the consultant who is a refugee from those lousy security jobs appreciates the steadiness of the current employer yet brings a depth of experience unavailable to someone whose entire world view and knowledge base come from the same employer.
There is another value of lousy security jobs. Persevering through them to attain some objective measure of success eventually gives the practitioner a surer sense of self and more confidence in his or her own abilities. The net result is more security in one's own worth, a good thing to have that remains portable beyond a lousy job.
-- Nick Catrantzos