security industry survey of risks and professional ......security industry would be likely to face...

Security Industry Survey of Risks and Professional Competencies

About Us

About the ASIS FoundationThe ASIS Foundation, the 501(c)(3) nonprofit arm of ASIS International, is dedicated to providing high-quality and contemporary research and education opportunities that serve to enhance the security profession. Through the awarding of scholarships, the Foundation ensures that those pursuing a career in the field of security management are able to realize the highest academic achievements. Foundation programs are supported solely by contributions from individuals, ASIS International chapters, and other organizations who share its vision of advancing both the security profession and the professional. Visit asisfoundation.org.

About Apollo Education Group, Inc.Apollo Education Group, Inc. is one of the world’s largest private education providers and has been in the education business since 1973. Through its subsidiaries: Apollo Global, College for Financial Planning, University of Phoenix, and Western International University, Apollo Education Group offers innovative and distinctive educational programs and services, online and on-campus, at the undergraduate, master’s and doctoral levels. Its educational programs and services are offered throughout the United States and in Europe, Australia, Latin America, Africa and Asia, as well as online throughout the world. For more information about Apollo Education Group, Inc. and its subsidiaries, call (800) 990.APOL or visit the Company’s website at apollo.edu.

About University of PhoenixUniversity of Phoenix is constantly innovating to help working adults move efficiently from education to careers in a rapidly changing world. Flexible schedules, relevant and engaging courses, and interactive learning can help students more effectively pursue career and personal aspirations while balancing their busy lives. As a subsidiary of Apollo Education Group, Inc. (Nasdaq: APOL), University of Phoenix serves a diverse student population, offering associate, bachelor’s, master’s and doctoral degree programs from campuses and learning centers across the U.S. as well as online throughout the world. For more information, visit phoenix.edu.

The College of Criminal Justice and Security at University of Phoenix offers undergraduate and graduate degree programs with management-focused curriculum to help students develop the skills required to be leaders within the security industry and other related fields. For more information, visit phoenix.edu/cjs.

http://asisfoundation.org

http://apollo.edu.

http://phoenix.edu.

http://phoenix.edu/cjs

Executive Summary 2

Introduction 4

Background and Purpose 4Survey Process 4Respondent Demographics 5

Survey Results 7

Risks 7Challenges 8Critical Competencies 10

Summary and Conclusions 12

Using Competencies for Talent Development 12Recommendations for Stakeholders 13

References 14

Acknowledgments 15

Learn More 15

Appendix 17

Table of Contents

1

Background and PurposeThe U.S. security industry is a more than $350 billion market. From small businesses to multinational corporations, today’s organizations face increasingly complex enterprise-wide risks. Despite the critical and expanding role of today’s security professionals, to date there exists no agreed-upon, complete set of competencies utilized across all roles and levels of the security workforce; nor are there uniform educational guidelines for individuals to develop these competencies.

To help address this deficit, the ASIS Foundation partnered with University of Phoenix to undertake a series of research activities to identify the industry’s talent needs and to generate actionable recommendations for strengthening the industry’s workforce.

• National Roundtable: In June 2013 the ASIS Foundation and University of Phoenix convened a national roundtable of senior leaders from the security industry, higher education, and government to identify the top security risks and challenges that the industry will face in the next five years, and the key competencies that security practitioners will require to manage the risks and challenges effectively.

• Roundtable Report: The roundtable findings were published in Enterprise Security Risks and Workforce Competencies, a report released by the ASIS Foundation and University of Phoenix in fall 2013.

• National Survey: Continuing their collaborative investigation, the ASIS Foundation and University of Phoenix conducted a national survey of security industry professionals in fall 2013 to validate the roundtable findings with quantitative data to help verify and prioritize the identified security risks, challenges, and professional competencies.

Survey ProcessThe ASIS Foundation invited members of ASIS International to participate in the online survey. To help ensure validity of the results, survey participants were required to meet certain professional criteria.

More than 1,800 ASIS International members indicated interest in participating in the survey. Of that pool, 483 respondents met the survey criteria.

Those who met the criteria were asked to complete the survey by (a) responding to demographic questions, (b) ranking previously identified security industry risks and challenges, and (c) rating the importance and frequency of 22 professional competencies used in the security industry.

All 483 respondents were currently working in the United States and had a professional focus on general security management. Just over 70% were currently directors or managers, with more than 75% of those being responsible for managing or supervising security functions only for their employer.

Executive Summary

Cybersecurity, crime, mobile technology, natural disasters, and globalization were the biggest security risks anticipated in the next five years.

2

Key FindingsCybersecurity, crime, mobile technology, natural disasters, and globalization—in that order—were ranked as the top five risks most likely to affect an enterprise over the next five years. Management issues and limited resources, industry segmentation, the aging workforce, and a lack of standardized education and certifications were ranked as the leading challenges facing the security industry.

Decision making, oral communication, critical thinking, maximizing others’ performance, and persuasive influencing were ranked as the most critical among 22 core competencies that security practitioners will require to successfully perform their responsibilities over the next five years.

Implications The survey findings have implications for many stakeholder groups, including organizations, security industry leaders, career counselors, talent development leaders, and higher education institutions, as well as current and aspiring security professionals and career changers. Full recommendations for these stakeholders are presented in the final section of the report.

All stakeholders, however, can benefit from understanding the competencies critical to success in the security industry. Having a standard competency model (defined as a collection

of industry-specific skills and traits used to measure worker performance) can make educational pathways, hiring, training, professional development, and performance management more efficient. Competency-based training and benchmarking programs can help organizations achieve specific outcomes and empower individual workers’ self-development.

Candidate selection tools based on standard industry competencies aid in clarifying subjectivity and setting expectations by demonstrating the organization’s values and desired behaviors. If the competencies identified in this report are used for hiring, they should be defined in terms of observable behaviors and performance indicators that testing can reveal, and should therefore exclude competencies that professionals would be expected to learn once hired.

Decision making, oral communication, critical thinking, maximizing others’ performance, and persuasive influencing were the highest-ranked competencies for tomorrow’s security professionals.

3

The U.S. security industry is a more than $350 billion market, supporting millions of practitioners who occupy critical roles in dozens of industries.1 Security careers span diverse industries in every sector of the global economy, ranging from positions with small and medium-sized businesses to leadership roles essential to protecting every aspect of an enterprise. Along with its exponential growth, the security industry is also rapidly changing, relying more than ever on workforce innovation, professional development, and relevant education to maintain success. Employers need industry-aligned academic and training programs that will adequately prepare aspiring security professionals for these challenging and rewarding careers.

Although there is industry consensus on the competencies required by experienced security professionals to earn a professional certification in security, to date there exists no agreed-upon, complete set of competencies utilized across all roles and levels of the security workforce.2 Nor are there uniform educational guidelines for organizations to develop these competencies for the security workforce.

To help address this deficit, the ASIS Foundation has partnered with University of Phoenix to undertake a series of research activities to identify the industry’s talent needs and to generate actionable recommendations for strengthening the industry’s workforce. This report is the product of their multifaceted and collaborative r esearch effort.

While the security industry spans both operational and informational security, the term “security” in this report refers only to operational security, comprising activities to mitigate and prevent harm across an enterprise.

Background and PurposeAs part of its ongoing collaboration with the ASIS Foundation, University of Phoenix conducted an industry roundtable on security talent development in June 2013. Its purpose was to identify the top risks and challenges the security industry will face in the next five years and the competencies security professionals will require to

address those risks and challenges effectively. During the roundtable, senior leaders from the security industry, higher education, and government engaged in discussion to identify (a) enterprise-wide internal and external security risks; (b) challenges that might impede the security industry’s development and cohesiveness; and (c) fundamental competencies required of security professionals, regardless of their industry. Roundtable findings were published in the 2013 report, Enterprise Security Risks and Workforce Competencies: Findings from an Industry Roundtable on Security Talent Development.3

Building on the roundtable findings, the ASIS Foundation and University of Phoenix launched a national survey in fall 2013 to gather quantitative data from a broader sample of security industry experts. The survey’s purpose was to prioritize the previously identified risks and challenges, and to identify in greater detail the importance and frequency of the agreed-upon professional competencies. Developing a more thorough understanding of required workforce competencies can help industry leaders establish strategic frameworks for talent development. Understanding competencies can also enable more effective recruitment, selection, and hiring of qualified professionals.

Survey ProcessThe ASIS Foundation invited members of ASIS International to participate in the survey. To ensure data were collected from those individuals who were likely to be most knowledgeable of future risks, challenges, and critical competencies, only those who met specific professional criteria were asked to complete the entire survey. To meet the survey criteria, individuals had to be currently working in the United States. Their primary work focus had to be on general security management, with responsibility for managing or supervising a security function for their employer or for one or more clients their employer served. Individuals also had to be currently employed with a job title of CEO, president, general manager, owner, principal, partner, chief security officer, vice president, director, or manager/supervisor of security personnel.

1 ASIS International and the Institute of Finance and Management, The United States Security Industry: Size and Scope, Insights, Trends, and Data, ASIS International, 2013, https://www.asisonline.org/ASIS-Store/Products/Pages/The-United-States-Security-Industry-Size-and-Scope-Insights-Trends-and-Data.aspx.2 A “competency” is defined as a group of related skills and abilities that influence a major job function, indicate successful job performance, are measurable against standards, and are subject to improvement through training and experience. See CareerOneStop, “Develop a Competency Model,” 2014, http://www.careeronestop.org/COMPETENCYMODEL/userguide_competency.aspx.3 University of Phoenix and ASIS Foundation, Enterprise Security Risks and Workforce Competencies: Findings from an Industry Roundtable on Security Talent Development, Phoenix, AZ: University of Phoenix, 2013, http://www. phoenix.edu/ASIS2013Report

Introduction

4

Those who met the criteria were asked to respond to three demographic questions, reporting the security-related certifications they held, the industry or primary type of business where they currently worked, and their highest level of education completed. Survey participants were then asked to rank the five risks and four challenges that roundtable participants had identified as those the security industry would be likely to face in the next five years. Survey respondents were asked to rank these risks and challenges on a scale from 1 (most likely to face) to 5 (least likely to face). Risks were defined as threats that might cause harm or loss to the enterprise. Challenges were defined as issues that might hinder the industry’s cohesiveness and effectiveness in responding to risks. Participants were also asked to note any other risks or challenges not listed in the survey that should be in the top five and top four.

Survey participants were then provided a list of 22 competencies that security professionals may need to demonstrate in order to mitigate the risks and challenges that the industry is likely to face in the next five years. The competencies were formulated based on information provided by the roundtable participants on knowledge, skills, and abilities required of security professionals. Participants were asked to rate (a) how important they believe it will be for security professionals to demonstrate each competency (from 1 = unimportant to 5 = very important) and (b) how frequently they believe security professionals will need to demonstrate each competency (from 1 = rarely to 5 = on a daily basis).

Respondent DemographicsOf the 1,883 individuals who opened and began responding to the survey, 483 met the population criteria and completed the entire survey. All 483 respondents were currently working in the United States with a focus on general security management. As shown in Figures 1 and 2, just over 70% ofthe respondents were currently directors or managers, with over 75% being responsible for managing or supervising security functions only for their employer.

Although the exact number of security professionals who meet the criteria in the United States is unknown, 379 completed

■ CEO/president/ general manager/ owner/principal/ partner■ Chief security o�cer■ Vice President■ Director■ Manager■ Supervisor of security personnel

4.55%11.18% 5.18%

8.07%

28.57%

42.44%

Figure 1. Respondent Titles/Levels

Note. Total who responded to the question = 483 (100%)

75.98%I manage/supervisesecurity functionsonly for my employer.

Figure 2. Organizational Function


24.02%I manage/supervisesecurity functions forone or more clientsserved by my employer.

5

surveys would be needed to generalize the results to an estimated population of 28,000 with a 5% confidence level and a 95% confidence interval. Twenty-eight thousand is likely a significant overestimate of the number of individuals who meet the population criteria, because that number includes ASIS International members who represent a wide range of roles and ranks, including those outside the functions and organizational levels of the targeted respondents. Therefore, having 483 qualified respondents in the final survey pool enables an extremely high level of confidence that the results reflect the views of the general population of security professionals who meet the defined criteria.

Respondents reported possessing a variety of security-related certifications (see Table 1). Although approximately one quarter of the respondents (24%) reported having a credential other than one included in the survey, the most commonly reported credential (41%) was the Certified Protection Professional (CPP), offered by ASIS International.

Respondents worked in a variety of industry sectors/businesses and had varied educational backgrounds. Almost 50% of respondents reported being employed in security (approximately 19%), a manufacturing/industrial business (approximately 11%), public health and healthcare (approximately 10%), or at commercial facilities (approximately 8%). Most respondents reported their highest level of education as a bachelor’s or master’s degree (approximately 69%; see Figure 3).

■ High school■ Associate’s degree■ Bachelor’s degree■ Master’s degree■ Doctorate

1.45%30.43%

13.87%

38.1%

16.15%

Figure 3. Respondents’ Highest Levelof Education Completed


Note. Total respondents = 470. Respondents could indicate more than one certification.

Table 1. Security-Related Certifications (N = 483)

Certification n (%)

CPP 193 (41.06%)

PSP 25 (5.32%)

CFE 21 (4.47%)

CHS 17 (3.62%)

CPO 16 (3.40%)

PCI 15 (3.19%)

CHPA 14 (2.98%)

CFI 10 (2.13%)

CLSD 8 (1.70%)

PPS 6 (1.28%)

CIPM 5 (1.06%)

CISM 5 (1.06%)

CISSP 5 (1.06%)

CSP 5 (1.06%)

CBCP 4 (0.85%)

CSS 4 (0.85%)

CST 2 (0.43%)

CFSSP 1 (0.21%)

Other 114 (24.26%)

Introduction (cont.)

6

Risks Respondents were asked to rank the five risks that roundtable participants had identified as likely to affect enterprise security in the next five years. For consistency, risks were defined as follows:

Cybersecurity: An enterprise is at risk of cyberterrorism and cybersecurity breaches from organized external perpetrators, rogue hackers, terrorists, or internal personnel with criminal intentions.

Crime: An organization faces risk due to ongoing crime, such as theft and fraud, and violence from within and outside the organization.

Mobile technology: An organization can be harmed by compromised data and/or compromised confidential or proprietary information on mobile devices.

Natural disasters: Increased frequency of unpreventable natural disasters such as floods, earthquakes, and wildfires put an organization at risk.

Globalization: The worldwide scope of an enterprise, coupled with geopolitical conflicts and/or socioeconomic problems,

makes it vulnerable to having its intellectual or physical property compromised (e.g., due to having little control over external staff or supply chains).

As shown in Figure 4, cybersecurity (39%) and crime (33%) were the two risks selected by the largest percentage of respondents as most likely to affect enterprises in the next five years; globalization (37%) and natural disasters (31%) were the risks identified by the largest percentage of respondents as least likely to affect enterprises.

Respondents were also asked to report what other risks not listed, if any, they believe should be in the top five risks enterprises will face. Analysis of open-ended responses revealed 17 categories of additional risks. The three most often mentioned were (a) risks related to the lack of financial resources and/or budgetary constraints (financial and budgetary), (b) risks related to acts designed to cause bodily harm at a person’s current or former workplace (workplace violence), and (c) risks related to domestic or international acts designed to make a political statement (terrorism).

0% 10% 20% 30% 40% 50% 60% 70% 80% 100%90%

39%Cybersecurity 11% 10 %23% 17%

■ 1 (Most likely) ■ 2 ■ 3 ■ 4 ■ 5 (Least likely)

33%Crime* 21% 16%13% 16%

12%Mobile Technology 26% 6 %29% 27%

9%Natural Disasters 24% 31 %20% 16%

7%Globalization 18% 37 %14% 24%

Figure 4. Rankings for Each of the Five Security Risks Most Likely to A�ect Enterprises

*Crime values total 99% due to rounding.

Survey Results

7

ChallengesRespondents were asked to rank the four challenges that roundtable participants had identified as affecting the security industry in the next five years. These challenges are defined below.

Management issues and limited resources: Organizations may struggle to ensure security professionals have the business knowledge and skills needed to perform their job (e.g., to contribute to strategic planning efforts, show value to company executives and board of directors, and effectively assess and contain risk).

Industry segmentation: Organizations may be challenged to ensure a cohesive approach to operational security (e.g., due to the wide variety of security jobs, settings, and specialties, and the tendency of security professionals to work in “silos” that reinforce the diversified structure of the profession).

Aging workforce: Enterprises may face a talent shortage due to large numbers of baby boomers retiring and insufficient numbers of qualified younger workers being attracted to security careers.

Lack of standardized education and certifications (across all roles and levels of the security workforce): Attracting and retaining security professionals with the required competencies may be difficult for enterprises due to inconsistent approaches in higher education and industry training and development.

As shown in Figure 5, management issues and limited resources (53%) and industry segmentation (21%) were the two challenges selected by the largest percentage of respondents as most likely to affect the security industry in the next five years. An aging workforce (36%) and lack of standardized education and certifications (38%) were the challenges identified by the largest percentage of respondents as least likely to affect the security industry.

Respondents were also asked to report what other challenges, if any, they believe should be in the top four challenges that the security industry will face. Analysis of open-ended responses revealed 13 categories of additional challenges. The three most often mentioned were (a) challenges related to managing personnel within the organization (HR management), (b) challenges related to managing financial resources (budget), and (c) challenges related to the use of technology or IT (technology).

0% 10% 20% 30% 40% 50% 60% 70% 80% 100%90%

53%Management issues andlimited resources 8%25% 14%

21%Industry segmentation 19%35% 26%

13%Aging workforce 36%19% 32%

13%Lack of standardized educationand certi�cations 38%22% 28%

Figure 5. Rankings for Each of the Four Challenges A�ecting the Security Industry

■ 1 (Most likely) ■ 2 ■ 3 ■ 4 (Least likely)

Note. Columns may not sum to 100% due to rounding.

Survey Results (cont.)

8

Aligning Organizational Objectives—Identifies and implements security-related goals that align with overall corporate goals and comply with regulatory standards.

Anticipatory Thinking—Proactively seeks to identify potential security industry risks, and develops and implements strategic plans to address long- and short-term goals to ensure organizational preparedness to mitigate and respond to risks.

Balancing Priorities—Takes actions that demonstrate appropriate balance between security needs and the rights of individuals.

Business and Financial Literacy—Exhibits sufficient business, financial, and legal understanding to speak the language of company executives, make the case for the ROI of the security function, develop meaningful security-related business recommendations, and successfully deploy security strategies that align with corporate goals.

Collaboration—Accomplishes security-related work activities and goals by effectively working with a diverse group of people in a team environment and engaging others in best practices.

Critical Thinking—Gathers and analyzes data, using logic and reasoning, to make sound short- and long-term security-related business decisions.

Decision Making—Makes sound, fact-based, and timely securi-ty-related decisions, even when under pressure, that reflect the long- and short-term security interests of the organization.

Enterprise Risk Assessment—Proactively uses knowledge of risk assessment theories and crisis indicators to effectively recog-nize crisis situations or potential disasters.

Enterprise Risk Management*—Takes a holistic approach to risk management, working to break down silos between physical and technological security and provide comprehensive risk management solutions.

Global Awareness—Understands global security issues and how the organization will compete to successfully achieve security-related business objectives worldwide.

International and Multicultural Competence—Seeks understanding of perspectives, traditions, values, and practices of culturally diverse individuals and applies understanding to perform security-related tasks effectively.

Maximizing Performance of Others—Supports, encourages, and helps other security professionals achieve their full potential, coaching and providing effective learning resources and experiences to help other security professionals maintain security systems and follow protocols.

Message Development—Develops and delivers appropriate messages that need to be communicated to stakeholders (e.g., to media, law enforcement, public safety officials), especially in emergency situations.

Multicultural Versatility—Adapts own behavior to demonstrate proper and culturally appropriate behavior when dealing with others from different cultures and countries on security- related issues.

Oral Communication—Expresses thoughts verbally in a clear, succinct, logical, and organized manner.

Organizational Compliance—Develops, follows, and enforces standard security operating procedures and crisis/emergency protocols (e.g., using Direction, Control, and Warning).

Persuasive Influencing—Uses compelling communication to persuade others (e.g., organizational executives) to listen and commit to, and act on, security-related issues.

Public Speaking—Delivers polished and persuasive presentations, confidently and credibly, when addressing diverse groups of people within and outside the organization.

Security-Related Literacy—Stays abreast of security industry trends and best practices, and maintains access to current industry data to inform organizational decision-making and operations

Self-Regulation—Remains in control and calm when under pressure to identify resources and lead others when responding to and recovering from emergency situations.

Succession Planning—Anticipates long-range security staffing needs and develops the internal talent necessary to support the organization’s strategy.

Technological Excellence—Proactively seeks to maintain and expand hard science, technology, engineering, and math (STEM) knowledge needed to perform tasks involving security-related technologies (e.g., biometrics, radio frequency identification systems, satellite-based surveillance and tracking systems, hybrid technology cards) and understand emerging IT security solutions and system integration processes.

Table 2. Competency Definitions

*The security industry is moving toward using the term enterprise security risk management to designate this competency.

9

Critical CompetenciesTo verify and prioritize the 22 competencies, respondents rated each competency on importance and frequency (see Table 2 for definitions for each competency).

Importance and frequency ratings. Descriptive statistics for frequency and importance ratings were calculated (for ratings of all 22 competencies by importance and frequency, see Tables A1 and A2, respectively, in the Appendix). Addressing the competencies’ importance, most respondents indicated that lack of proficiency in any of the 22 competencies would at least moderately impact a security professional’s performance. A minimum of 89% of the respondents rated each competency as at least important to success (as indicated by a 3, 4, or 5 rating).

The competencies rated as least important, as indicated by percentage of respondents assigning them a 1 or 2 rating, were international and multicultural competence (11%), multicultural versatility (9%), technological excellence (9%), global awareness (8%), and public speaking (5%).

Addressing the competencies’ frequency, respondents indicated the six competencies security professionals will least frequently need to demonstrate, as indicated by a 1 (rarely) or 2 (less than periodically) rating, were international and multicultural competence (25%),

multicultural versatility (20%), public speaking (19%), succession planning (18%), global awareness (18%), and technological excellence (17%).

Five of the 22 competencies appeared in both top-seven rankings: decision making, oral communication, maximizing performance of others, collaboration, and persuasive influencing.

Criticality. To prioritize the 22 professional competencies, the criticality of each competency was calculated. Criticality was determined by multiplying the average importance by the average frequency for each competency (see Appendix, Table A3). Table A4 in the Appendix includes each of the 22 competencies in order of criticality. As shown in Figure A3 in the Appendix, the five most critical competencies are decision making, oral communication, critical thinking, maximizing the performance of others, and persuasive influencing. The five least critical competencies are global awareness, public speaking, technological excellence, multicultural versatility and international and multicultural competence. The word cloud in Figure 6 illustrates three clusters of competencies by criticality: the top five most critical (largest font), the next five most critical (medium font), and all others (smallest font).

Survey Results (cont.)

The seven most important competencies, as determined by the highest percentage of 4 and 5 ratings, were:

• decision making (92%),

• oral communication (91%),

• anticipatory thinking (87%),

• maximizing performance of others (86%),

• collaboration (84%),

• self-regulation (84%), and

• persuasive influencing (84%; see Appendix, Figure A1)

The seven competencies reported as those which security professionals will most frequently need to demonstrate, as determined by the highest percentage of 4 and 5 ratings, were:

• oral communication (88%),

• decision making (86%),

• critical thinking (80%),

• maximizing performance of others (78%),

• collaboration (78%), and

• organizational compliance and persuasive influencing (both 72%; see Appendix, Figure A2).

10

11

Figure 6. Security professional competencies

Decision making

Critical thinking

Oral communication

Maximizing performance of others

Persuasive influencingCol

labo

rati

on

Ant

icip

ator

y t

hink

ing

Org

aniz

atio

nal co

mpl

ianc

e

Sel

f- re

gul

atio

n

Bal

anci

ng

prio

riti

es

Aligning organizational objectives

Security-related literacy

Message development

Business and financial literacy

Enterprise risk assessment

Enterprise risk management Succ

essi

on

plan

ning

Global awareness

Public speaking

Technological excellence

Mul

ticul

tura

l ver

satil

ity Inte

rnat

iona

l and

m

ultic

ultu

ral c

ompe

tenc

e

The purpose of the survey was to prioritize the risks and challenges that the security industry is likely to face in the next five years, and to verify and prioritize the competencies that security professionals will need to demonstrate in response to those risks and challenges. The greatest percentage of respondents indicated cybersecurity and crime as the two risks that enterprises are most likely to face in the next five years. The greatest percentage of respondents anticipate that, in the same 5-year period, enterprises are most likely to face cyberterrorism and cybersecurity breaches from organized external perpetrators, terrorists, or internal personnel with criminal intentions. Enterprises also are most likely to risk crime, such as theft and fraud, and violence from within and outside the organization.

The two most likely challenges that respondents believe enterprises will face are management issues/limited resources and industry segmentation. In the next five years, organizations are likely to be challenged to ensure security professionals have the business knowledge and skills needed to perform their jobs (e.g., to contribute to strategic planning efforts, show value to company executives and the board of directors, and effectively assess and contain risk). Organizations are also likely to be challenged to ensure a cohesive approach to organizational security (e.g., due to the wide variety of jobs, settings, and specialties; and the tendency of security professionals to work in “silos”).

To effectively mitigate the identified risks and challenges, security professionals will need to demonstrate specific competencies.

Quantitative results indicate that each of the 22 competencies will likely be important to security professionals’ successful job performance. Although respondents’ answers spotlighted the top competencies, 90% or more of the respondents indicated that lack of proficiency in any of the 22 competencies would at least moderately impact security professionals’ performance. Even so, some competencies may be more critical than others, as reflected in their importance and frequency ratings.

Using Competencies for Talent DevelopmentUnderstanding the competencies critical to successful job performance is important for creating a strategic framework for security professional talent development and for creating selection procedures to hire security professionals who can perform required work activities. Taken together, the qualitative findings from the 2013 Enterprise Security Risks and Workforce Competencies roundtable, and the quantitative findings from the 2013 survey of security professionals, provide useful information to help guide talent development of security professionals.

A competency model is a collection of skills and traits used to measure worker performance in a given industry. A model can aid managers and human resource professionals in hiring, training, and goal setting.4 Having a competency model is critical when implementing a development program. Competency-based training programs can be highly effective because they are designed to yield specific behavioral outcomes that support successful job performance.5 Such programs also enable organizations to create benchmarks by assessing each individual’s current level of competency in comparison to the desired level. In addition, these training programs also help promote the creation of action-oriented individual development plans to guide self-development.

Competencies can also serve as the foundation for developing selection tools. Competency-based selection is considered more equitable because it minimizes the subjectivity often associated with many traditional, intuition-based selection processes. Not only

4 CareerOneStop, “Competency Model Clearinghouse,” 2014, http://www.careeronestop.org/CompetencyModel.5 Multiple sources support the uses of competency models. Those consulted for this discussion include Biddle Consulting Group, Uniform Guidelines on Employee Selection Procedures, 2013, http://www.uniformguidelines.com/uniformguidelines.html; Aaron J. Kraus and Chantale N. Wilson, Leadership Development for Organizational Success, white paper, October 2012, http://www.siop.org/WhitePapers/Visibility/LeadershipDevelopment.pdf; Leslie A. Miller, Robert B. Lovler, and Sandra McIntire, Psychological Testing: A Practical Approach, Thousand Oaks, CA: SAGE, 2013; Society for Industrial and Organizational Psychology, Principles for the Validation and Use of Personnel Selection Procedures (4th ed.), 2003, http://www.siop.org/_principles/principles.pdf.

Summary and Conclusions

Understanding the competencies critical to successful job performance is important for creating a strategic framework for security professional talent development.

12

can competency-based selection result in improved objectivity, but such selection can help set expectations for security professionals by showing them what the organization values and what behaviors employees must demonstrate to be effective. In addition, competency-based selection can help increase hiring-decision consistency and provide legal protection for employers.

Should the competencies identified in this report be used for selecting security professionals in accordance with the Equal Employment Opportunity Commission’s Uniform Guidelines on Employee Selection Procedures,6 the competencies should be operationally defined in terms of observable behaviors. In addition, any selection instruments or procedures designed should test for the desired behaviors or performance indicators. The competencies included in any selection procedure should not be those that a security professional can be expected to learn on the job.

Recommendations for Stakeholders Because the security profession comprises multiple job descriptions, constituencies, and educational qualifications, a collaborative approach to security competency development—featuring the input of a wide range of stakeholders from diverse industry sectors and functional areas—can help ensure readiness for tomorrow’s perceived risks and challenges.

Organizations should ensure their current personnel and new hires have the competencies and skills to address the security risks identified in the survey as those most likely to affect enterprises in the next five years, and should identify any additional training and education programs needed to increase risk readiness in these categories.

Security industry leaders should collaborate with corporate or enterprise executives to ensure that management issues and limited resources—identified as the top challenge facing security personnel—do not impede security readiness. Security leaders should also continue to expedite the convergence of operational and IT security resources via dialogue between professionals in both areas, and by establishing training programs, job descriptions, and operational processes that emphasize this goal.

Career counselors should consider the core competencies rated most highly in this survey when advising individuals with security-industry career aspirations. Understanding core competency requirements can aid prospective students in the important process of identifying the right training and education for their success in the industry. Beyond the core competencies, all 22 identified competencies will likely be relevant to security professionals’ successful job performance.

Talent development leaders should convene to endorse the competencies identified as essential for workforce success, and should maintain a competency model for use by industry stakeholders.

Higher education institutions may find industry segmentation a challenge when crafting cohesive educational tracks owing to the wide variety of jobs, settings, and specialties across the industry. By developing non-degree and for-credit educational offerings with industry leaders’ and employers’ input, colleges and universities can improve the career relevance of their programs.

Current security professionals should supplement their technical skills and security specializations by developing cross-functional knowledge and interdisciplinary competencies to improve collaboration with professionals in other specialties and functional areas, with the goal of enhancing enterprise-wide security functions and preparedness.

Aspiring security professionals should identify educational programs that best equip them to succeed in the profession.

Career changers should identify existing gaps in their education and career experience and opportunities to obtain targeted education and training to close the gaps.

Competency-based training programs can be highly effective because they are designed to yield specific behavioral outcomes that support successful job performance.

6 Uniform Guidelines on Employee Selection Procedures, 29 C.F.R. 1607 (1978), http://www.gpo.gov/fdsys/pkg/CFR-2011-title29-vol4/xml/CFR-2011-title29-vol4-part1607.xml.

13

ASIS International and Institute of Finance and Management. (2014). The United States Security Industry: Size and Scope, Insights, Trends, and Data. Portland, ME; Institute of Finance and Management.

Biddle Consulting Group. (2013). Uniform Guidelines on Employee Selection Procedures. Retrieved from http:// www.uniformguidelines.com/uniformguidelines.html

CareerOneStop. (2014). Competency model clearinghouse. Retrieved from http://www.careeronestop.org/CompetencyModel

CareerOneStop. (2014). Develop a competency model. Retrieved from http://www.careeronestop.org/COMPETENCYMODEL/userguide_competency.aspx

Kraus, A. J., & Wilson, C. N. (2012, October). Leadership development for organizational success [White paper]. Retrieved from http://www.siop.org/WhitePapers/Visibility/LeadershipDevelopment.pdf

Miller, L., Lovler, R., & McIntire, S. (2013). Foundations of psychological testing: A practical approach. Thousand Oaks, CA: SAGE.

Society for Industrial and Organizational Psychology. (2003). Principles for the validation and use of personnel section procedures (4th ed.). Retrieved from http://www.siop.org/_principles/ principles.pdf

Uniform Guidelines on Employee Selection Procedures, 29 C.F.R. § 1607 (1978), http://www.gpo.gov/fdsys/pkg/CFR-2011-title29-vol4/xml/CFR-2011-title29-vol4-part1607.xml.

University of Phoenix and ASIS Foundation. (2013). Enterprise security risks and workforce competencies: Findings from an industry roundtable on security talent development. Phoenix, AZ: University of Phoenix.

References

14

A collaborative effort by the ASIS Foundation—in conjunction with its parent organization, ASIS International—and University of Phoenix enabled the research study that gave rise to this report. The ASIS Foundation and ASIS International helped to articulate the need for an in-depth investigation of security risks and competencies, and to define the value of a national survey for the industry as a whole. The Foundation also facilitated the outreach to the vast pool of ASIS International members whose deep industry knowledge and willingness to participate in the survey enabled the broad cross-section of industry insights that are aggregated in this report.

To help ensure the study’s significance for educators and talent development leaders, the University’s College of Criminal Justice and Security provided important insights on how to develop this research to support educational innovation that helps prepare the workforce for tomorrow’s security careers.

Apollo Education Group’s Industry Intelligence and Thought Leadership team applied its industry research expertise to design and conduct the study, and to prepare and publish this report. Thanks belong to James M. Fraleigh, copy editor, and Graham Smith, graphic designer.

ASIS Foundation and ASIS InternationalBarbara Buzzell, Foundation Director

James B. Evans, Chief Financial Officer/Vice President, Administration

John Lechner, Director of Education

Leigh McGuire, Marketing Manager

University of PhoenixCollege of Criminal Justice and Security

Spider Marks, Executive Dean

Apollo Education GroupJeff Greipp, J.D., Group Vice President

Corinne Lyon Kunzle, Industry Information Manager

Leslie A. Miller, Ph.D., Research Associate

Caroline Molina-Ray, Ph.D., Executive Director, Industry Intelligence and Thought Leadership

Learn MoreTo download this report, visit apollo.edu/securityindustry.

© University of Phoenix 2014, 2015. All rights reserved.

Acknowledgments

15

Appendix

Note. Row percentages may not add to 100% due to rounding.

Table A1. Competency Importance Ratings by Number and Percentage of Respondents (N = 483)

CompetencyUnimportant Important Very important

Missing1 2 3 4 5

Organizational Leadership

Anticipatory Thinking 0 (0%) 2 (0%) 60 (12%) 93 (19%) 328 (68%) 0

Enterprise Risk Management 2 (0%) 14 (3%) 89 (18%) 177 (37%) 201 (42%) 0

Enterprise Risk Assessment 1 (0%) 12 (2%) 105 (22%) 189 (39%) 176 (36%) 0

Critical Thinking 0 (0%) 7 (1%) 71 (15%) 152 (31%) 253 (52%) 0

Decision Making 0 (0%) 3 (1%) 36 (7%) 119 (25%) 325 (67%) 0

Balancing Priorities 0 (0%) 12 (2%) 120 (25%) 131 (27%) 220 (46%) 0

Aligning Organizational Objectives 0 (0%) 8 (2%) 87 (18%) 159 (33%) 229 (47%) 0

Self-Regulation 0 (0%) 5 (1%) 74 (15%) 125 (26%) 279 (58%) 0

Organizational Compliance 0 (0%) 4 (1%) 77 (16%) 152 (31%) 250 (52%) 0

Focusing on People

International and Multicultural Competence 9 (2%) 44 (9%) 184 (38%) 127 (26%) 118 (24%) 1

Multicultural Versatility 6 (1%) 38 (8%) 178 (37%) 137 (28%) 122 (25%) 2

Maximizing Performance of Others 0 (0%) 4 (1%) 65 (13%) 145 (30%) 268 (56%) 1

Collaboration 0 (0%) 6 (1%) 71 (15%) 164 (34%) 241 (50%) 1

Succession Planning 0 (0%) 16 (3%) 134 (28%) 161 (33%) 171 (35%) 1

Communicating With Others

Persuasive Influencing 0 (0%) 4 (1%) 73 (15%) 116 (24%) 290 (60%) 0

Public Speaking 1 (0%) 25 (5%) 124 (26%) 152 (31%) 181 (37%) 0

Message Development 0 (0%) 7 (1%) 90 (19%) 160 (33%) 226 (47%) 0

Oral Communication 0 (0%) 3 (1%) 41 (8%) 124 (26%) 315 (65%) 0

Industry and Technological Knowledge

Technological Excellence 3 (1%) 39 (8%) 178 (37%) 140 (29%) 123 (25%) 0

Security-Related Literacy 2 (0%) 9 (2%) 96 (20%) 174 (36%) 202 (42%) 0

Business and Financial Literacy 1 (0%) 12 (2%) 102 (21%) 176 (36%) 192 (40%) 0

Global Awareness 8 (2%) 28 (6%) 152 (31%) 147 (30%) 148 (31%) 0

17

Note. Row percentages may not add to 100% due to rounding.

Table A2. Competency Frequency Ratings by Number and Percentage of Respondents (N = 483)

CompetencyRarely Often On a daily basis

Missing1 2 3 4 5


Anticipatory Thinking 3 (1%) 25 (5%) 142 (29%) 114 (24%) 199 (41%) 0

Enterprise Risk Management 12 (2%) 60 (12%) 162 (34%) 148 (31%) 101 (21%) 0

Enterprise Risk Assessment 7 (1%) 45 (9%) 157 (33%) 174 (36%) 100 (21%) 0

Critical Thinking 3 (1%) 14 (3%) 80 (17%) 133 (28%) 253 (52%) 0

Decision Making 0 (0%) 10 (2%) 56 (12%) 89 (18%) 328 (68%) 0

Balancing Priorities 2 (0%) 35 (7%) 108 (22%) 104 (22%) 234 (48%) 0

Aligning Organizational Objectives 4 (1%) 26 (5%) 160 (33%) 159 (33%) 134 (28%) 0

Self-Regulation 11 (2%) 30 (6%) 101 (21%) 142 (29%) 199 (41%) 0

Organizational Compliance 2 (0%) 17 (4%) 115 (24%) 149 (31%) 200 (41%) 0

Focusing on People

International and Multicultural Competence 29 (6%) 90 (19%) 162 (34%) 113 (23%) 88 (18%) 1

Multicultural Versatility 19 (4%) 78 (16%) 174 (36%) 117 (24%) 94 (20%) 1

Maximizing Performance of Others 3 (1%) 12 (2%) 89 (18%) 146 (30%) 232 (48%) 1

Collaboration 3 (1%) 15 (3%) 89 (18%) 143 (30%) 232 (48%) 1

Succession Planning 12 (2%) 78 (16%) 178 (37%) 127 (26%) 87 (18%) 1


Persuasive Influencing 3 (1%) 19 (4%) 113 (23%) 121 (25%) 227 (47%) 0

Public Speaking 17 (4%) 71 (15%) 196 (41%) 107 (22%) 92 (19%) 0

Message Development 12 (2%) 32 (7%) 136 (28%) 160 (33%) 143 (30%) 0

Oral Communication 1 (0%) 8 (2%) 48 (10%) 97 (20%) 329 (68%) 0


Technological Excellence 19 (4%) 63 (13%) 177 (37%) 136 (28%) 88 (18%) 0

Security-Related Literacy 5 (1%) 21 (4%) 147 (30%) 157 (33%) 153 (32%) 0

Business and Financial Literacy 5 (1%) 39 (8%) 124 (26%) 159 (33%) 156 (32%) 0

Global Awareness 22 (5%) 65 (13%) 137 (28%) 141 (29%) 118 (24%) 0

Appendix (cont.)

18

Note. Criticality was determined by multiplying participants’ ratings of importance and frequency; maximum score = 25.

Table A3. Competency Importance, Frequency, and Criticality Ratings


Competency Importance Frequency Criticality

Anticipatory Thinking 4.55 4.00 18.20

Enterprise Risk Management 4.16 3.55 14.77

Enterprise Risk Assessment 4.09 3.65 14.93

Critical Thinking 4.35 4.28 18.62

Decision Making 4.59 4.52 20.75

Balancing Priorities 4.16 4.10 17.06

Aligning Organizational Objectives 4.26 3.81 16.23

Self-Regulation 4.40 4.01 17.64

Organizational Compliance 4.34 4.09 17.75

Focusing on People


International and Multicultural Competence 3.62 3.29 11.91

Multicultural Versatility 3.69 3.39 12.51

Maximizing Performance of Others 4.40 4.23 18.61

Collaboration 4.33 4.22 18.27

Succession Planning 4.01 3.41 13.67



Persuasive Influencing 4.43 4.14 18.34

Public Speaking 4.01 3.39 13.59

Message Development 4.25 3.81 16.19

Oral Communication 4.55 4.54 20.66



Technological Excellence 3.71 3.44 12.76

Security-Related Literacy 4.17 3.89 16.22

Business and Financial Literacy 4.13 3.87 15.98

Global Awareness 3.83 3.55 13.60

19


Table A4. Competencies by Criticality

Competency Category Criticality

1. Decision Making Organizational Leadership 20.75

2. Oral Communication Communicating With Others 20.66

3. Critical Thinking Organizational Leadership 18.62

4. Maximizing Performance of Others Focusing on People 18.61

5. Persuasive Influencing Communicating With Others 18.34

6. Collaboration Focusing on People 18.27

7. Anticipatory Thinking Organizational Leadership 18.20

8. Organizational Compliance Organizational Leadership 17.75

9. Self-Regulation Organizational Leadership 17.64

10. Balancing Priorities Organizational Leadership 17.06

11. Aligning Organizational Objectives Organizational Leadership 16.23

12. Security-Related Literacy Industry and Technological Knowledge 16.22

13. Message Development Communicating With Others 16.19

14. Business and Financial Literacy Industry and Technological Knowledge 15.98

15. Enterprise Risk Assessment Organizational Leadership 14.93

16. Enterprise Risk Management Organizational Leadership 14.77

17. Succession Planning Focusing on People 13.67

18. Global Awareness Industry and Technological Knowledge 13.60

19. Public Speaking Communicating With Others 13.59

20. Technological Excellence Industry and Technological Knowledge 12.76

21. Multicultural Versatility Focusing on People 12.51

22. International and Multicultural Competence Focusing on People 11.91

Appendix (cont.)

20

0 5 10 15 20 25 30

20.75Decision Making

Oral Communication

Critical Thinking

Maximizing Performanceof Others

Persuasive In�uencing

Figure A3. Top 5 Security Competencies by Criticality

20.66

18.62

18.61

18.34


0% 10% 20% 30% 40% 50% 60% 70% 80% 100%90%

88%Oral Communication

Decision Making

Critical Thinking


Collaboration

Figure A2. Top 5 Security Competencies by Frequency

86%

80%

78%

78%

0% 10% 20% 30% 40% 50% 60% 70% 80% 100%90%

92%Decision Making

Oral Communication

Anticipatory Thinking


Collaboration

Figure A1. Top 5 Security Competencies by Importance

91%

87%

86%

84%

21

security industry survey of risks and professional ......security industry would be likely to face...

Documents