Security Industry vs. Security Profession

For two decades I have heard security executives and managers talk about improving “the security industry” they work in, and I have also heard manufacturers refer to themselves as “security professionals”.

Both uses of the term are incorrect, and are detrimental to the security industry and the security profession.

Definitions for these terms have not been broadly taught or published. The terms have been used loosely and very often interchangeably, even though they have distinctly different meanings.

Security Industry

The security industry is composed of manufacturers and service providers, whose purpose is to provide products and services that help security stakeholders accomplish the job of protecting the assets in their charge.

Security Profession

The security profession consists of security executives, managers, supervisors and their staff—the people within the organization who are charged with the protection of assets against security risks. That responsibility is delegated to security professionals by the owners and senior executives of the business. The job of security professionals is to reduce security risks to acceptable levels at an acceptable cost. Members of the security profession are referred to both as security professionals and security practitioners.

Here is the reason the above clarification is important:

The security industry exists to serve the security profession.

According to patterns in other industries, it should be the role of the security industry (manufacturers, systems integrators, security engineers, security consultants, industry media companies, etc.) to identify the needs of their security profession customers and find ways to effectively fulfill them.

In a recent informal survey in which these two terms were not defined beforehand, many members of the security industry professed to considering themselves members of the security profession. This is a situation peculiar to the security industry.

In the medical profession, manufacturers and technology consultants don’t consider themselves medical practitioners or medical professionals. They don’t practice medicine. They practice manufacturing, quality assurance, distribution, sales, product training, and so on. They are manufacturing or engineering or sales or training professionals.

unique situation comes into play with regard to security management consultants. In one sense they are members of the security industry because they provide services to security practitioners. However, their work involves developing security management programs, conducting risk assessments, leading corporate security task forces, writing security policy, and performing other work that is the province of security practitioners. They simply do it on a for-hire basis instead of as employees. They consider themselves “security professionals” by virtue of performing those tasks. This is in contrast, for example, to the medical profession, where consultants don’t perform surgery, make official medical diagnoses, or specify treatments.

The author of The Security Minute is himself in this situation, as he performs security management consulting. However, he also performs security engineering, consults with manufacturers, and even designs user interfaces for security software. Other consultants are in a similar position. This is a situation where a consultant can have one foot in the security industry and one foot in the security profession.

In this consultant’s experience, having an in-depth understanding of both security industry issues and security profession issues facilitates consulting to both groups.

However, returning to the theme of this issue, it contributes to the neglect of customers’ needs to have customers (the security profession) lumped together into the same group as manufacturers and service providers (the security industry). The blurring of the two helps to keep their relative roles indistinct, and to keep customers’ needs from achieving the clarity they could in the minds of security industry company personnel.

Additionally—and this is the worst impact of the situation—it tends to strengthen the focus on security products and services and weaken the focus on the organization’s objectives and strategies, trends impacting the business, and other things that determine the scope of risk management and drive the security practitioner’s efforts to strengthen the organization against security risks.

Thankfully, groups like the Security Executive Council are doing much to foster aligning security with the business, and to make the needs and priorities of security professionals more clear to security industry companies.

Best regards,
Ray Bernard

P.S. There is no additional link to follow for this issue of The Security Minute. The full story was able to be told in about a minute!


Leave a Reply

Your email address will not be published. Required fields are marked *