Jeff Slotnick has been thinking about, analyzing, and predicting the future of the security industry for more than 30 years. In that time, he’s seen the industry shift into a significantly more important role, a change he saw coming while working as a senior enlisted person in the United States Army Engineer Corps.
“I’ve always been an evangelist for this community,” Slotnick observes. “The more people know about how risk assessment can help them, can help us run companies better and do things more safely, the more they become believers themselves.”
Slotnick, a certified protection professional (CPP) and physical security professional (PSP), is the president of Setracon Inc. and chief security officer at OR3M, based in Washington state. He’s traveled the world consulting with organizations about their security risk profiles, and the predictions he made decades ago about the evolution of standardization in the risk assessment profession are fast becoming a reality. Compliance with ISO 31000 and ISO/PAS 28000 has become much more sought after in recent years. According to Slotnick, this is a change he saw coming years ago.
“It’s the influence of technology,” he says. “ISO 31000 and similar standards help organizations grasp an understanding of their culture, not just their data. It enables them to use all the data they collect and all the devices they have—which produce an immense amount of data—to protect themselves, their employees, customers, and businesses. It’s a very exciting time.”
The ISO 31000 family of standards includes ISO 31000:2009—Principles and Guidelines on Implementation, ISO/IEC 31010:2009—Risk Management—Risk Assessment Techniques, and ISO Guide 73:2009—Risk Management—Vocabulary. Although the standards weren’t developed with certification in mind, Slotnick expects their popularity to increase significantly in coming years as more organizations recognize the potential of the standards to make them more secure.
“I find 60 percent of this job is education,” he says. “People don’t know what they don’t know. Simply capturing data in an audit, you’re creating a very clear value statement. I can show a company how identifying and managing risk helps them avoid problems in the future. Knowing what those dangers are and being able to create a plan to prevent or eliminate them is a very valuable skill and one that more people should learn.”
Teaching that skill is something Slotnick is very familiar with. He serves as a faculty advisor at the University of Phoenix, where he also takes classes to continue his own learning. In his roles as consultant, teacher, and student, he sees the risk assessment profession moving toward full enterprise security risk management (ESRM) and ultimately enterprise risk management (ERM). This is a shift that could have dramatic consequences for the way organizations staff their executive boards.
“This is an industry in transition,” he observes. “Traditionally, we’ve seen risk as a physical thing, something to address with physical means. Now, we’re seeing organizations meld their risk profile with their OHSAS, environmental, financial, customer and employee health, cyber, and physical risk efforts. All risk is shared. When there is risk to one part of an organization, there is going to be risk exposure to many other parts. That’s an exciting thing, and it’s been a long time coming.”