2007: “We don’t yet know what we don’t know.” 2008: “Still don’t know what we don’t know” 2009: “It’s time someone took the initiative to find out”

According to Reference.com, professions are at least to a degree self-regulating, in that they control the training and evaluation processes that admit new persons to the field, and in judging whether the work done by their members is up to standard. A professional is a worker required to possess a large body of knowledge derived from extensive academic study, with the training almost always formalized. Typical professions include accountants, architects, engineers, lawyers or doctors.
The success of homeland security and global war on terrorism strategies and plans is dependent upon the availability of skilled and experienced security risk management professionals. Since 9/11 a significant amount of energy has been expended studying risk management, developing new risk analysis approaches, hosting expert forums, and speaking about risk management and its use in homeland security, national security, and intelligence. Many of these initiatives were based on untested assumptions about who risk management professionals are, what they know and what they need to know. Currently a number of initiatives are underway to train and/or educate security risk management professionals. SARMA seeks to provide something that right now only it can: the demographics and opinions of hundreds of individuals who self-identify as security risk management professionals. This study was limited in scope to three areas. 1) Personal demographics, educational background, employment information and opinions.
SARMA conducted the first known survey of individuals involved in the emerging profession of security analysis and risk management to allow SARMA and other organizations to measure the profession’s future progress. All SARMA members and approximately 1,500 SARMA newsletter recipients received the survey invitation by email. Recipients were encouraged to forward the survey to any colleagues who perform similar work but may not have received the invitation. All responses were completely anonymous.
The response rate was over 14%, based on our mailing list of 1540 valid addresses. Some responses may be the result of invitees forwarding the survey to their colleagues.
To ensure we understand what SRM professionals actually do, we asked a question that helped define the activities of respondents. On average, respondents selected 3.8 tasks each.
The “average” professional is:
* 85% are male
* 81.6% are older than 35 years of age, although above that, ages are distributed evenly
* 50.6% work for a consulting firm, contractor, private sector or academia
* 58.3% have more than 20 years of work experience
* 23% claim between 5 and 10 years of SRM experience, although a similar amount (22.6%) claim more than 20 years
* In terms of background before becoming risk professionals, the largest single grouping, 20.3%, has a military background
* 53.3% perform risk services for either the Department of Homeland Security or the Department of Defense
* 53.3% have a US Govt. TS or TS/SCI security clearance
* 86.1% have other responsibilities in their organizations, such as project/program management, general management or business development
We detected no pattern other than that the vast majority of security risk management professionals are mid-career or later in their career. Education and training professionals should take note of the need to educate the next generation of professionals, while also considering the significance of educating an already senior and well-educated population of professionals. (I might add that the majority of respondents already have a master’s degree.)
Again, this question illustrated the relative seniority of the respondents self-identifying as risk management professionals. It is important for educators to note that with nearly 60% of the profession reaching retirement age in the next decade or so, a significant “brain-drain” will occur unless significant training and education efforts are developed and begin producing the next generation of risk management professionals.
While the field of security risk management has been around for at least a decade prior to the tragedy of September 11, 2001, the slight majority of security risk professionals appear to have entered the field AFTER 9/11, limiting both their educational opportunities and perspective. Educators should be mindful of the body of knowledge and experience pre-dating 2001 and the creation of DHS in 2003. Over 50% of respondents already have this knowledge/experience, making it essential that educators don’t re-invent what experience has already created.
For those supporting DHS/homeland security, 47% were contractors and 41% were government employees.
The majority of SRM professionals responding work in the DHS, DOD, or the private sector environment.
This is a most interesting statistic, as many professionals tend to perceive that the majority of professionals share the same background as they do. According to the survey, most of those assertions are unfounded.
At least a master’s degree: 57%

Importance of skill sets to professional advancement (“very important” OR “important”):
* Qualitative analysis: 86%
* Project management: 84%
* Subject matter expertise in security: 78%
On-the-job training and self-instruction are the most widespread ways to learn RM skills. On average, the respondents answered 3.1 of these each. Fewer than half have had classroom training.
Employed by:
* Department of Homeland Security (DHS): 27 (41.50%)
* Federal Government Consultant/Contractor: 21 (32.30%)
* Private Sector: 10 (15.30%)
* Academia: 3 (4.60%)

Background:
* science: 10 (18%)
* military/law enforcement/security: 24 (42%)
* intelligence, social science: 10 (18%)
* IT: 3 (5%)
* academia: 2 (4%)
* other: 8 (14%)
It should come as no surprise to anyone that the vast majority of security risk professionals are male.
SARMA Education Survey 2009
The Security Analysis and Risk Management Professionals Survey: An Educational Needs Analysis
Understanding where the profession is now, and what it needs in the future.
Ed Jopeck, Director and Immediate Past President, SARMA, and Director, Security Risk Management, SRA International
Session Objectives <ul><li>To better understand the demographics of the security risk management profession </li></ul><ul><li>To determine what respondents have learned, and how they continue to learn, about security risk management </li></ul><ul><li>To provide a more accurate understanding of requirements for future training and educational programs </li></ul>
What is SARMA? <ul><li>SARMA is a non-profit, professional association serving those responsible for analyzing and managing security risks to systems, structures, operations and information from man-made threats. </li></ul><ul><li>SARMA seeks to form public-private-academic partnerships to facilitate the further development, standardization, and professionalization of a broadly-defined security analysis and risk management discipline. </li></ul>
About The Survey <ul><li>SARMA conducted the survey of security risk management professionals between March 2-9, 2009 </li></ul><ul><li>Over 1540 survey invitations were sent out </li></ul><ul><li>Surveys contained questions about: </li></ul><ul><ul><li>Individual characteristics </li></ul></ul><ul><ul><li>Education and training </li></ul></ul><ul><ul><li>Career satisfaction and security </li></ul></ul><ul><li>The survey was completely anonymous </li></ul>
About the Respondents <ul><li>221 responses received at first cut-off </li></ul><ul><ul><li>189 responses from the US </li></ul></ul><ul><ul><li>24 responses from other countries </li></ul></ul><ul><ul><li>27 different states (including DC) represented </li></ul></ul><ul><ul><li>91 respondents from DC/MD/VA </li></ul></ul><ul><li>Gender </li></ul><ul><ul><li>85% were male </li></ul></ul><ul><ul><li>12.6% were female </li></ul></ul>
What defines a “Security Risk Professional”? Someone who:
Individual Characteristics Profile <ul><li>The survey revealed that the typical respondent was: </li></ul><ul><ul><li>Gender: Male </li></ul></ul><ul><ul><li>Age: Older than 35 (81.6%) </li></ul></ul><ul><ul><li>General Experience: More than 20 years of work experience </li></ul></ul><ul><ul><li>SRM Experience: Between 5 and 10 years of SRM experience (although a similar number claim more than 20 years) </li></ul></ul><ul><ul><li>Background: Military background </li></ul></ul><ul><ul><li>Application Domain: Performs work for the Department of Homeland Security or Department of Defense </li></ul></ul><ul><ul><li>Clearance: Has a US Govt. TS or TS/SCI security clearance </li></ul></ul><ul><ul><li>Other Responsibilities: Project/program management, general management or business development </li></ul></ul><ul><ul><li>Salary: 40% make more than $100,000/yr (16% make more than $150,000/yr) </li></ul></ul>
Typical Education Profile <ul><li>Degree: Half have a master’s degree or higher </li></ul><ul><li>Acquired skills through: on-the-job training and self-instruction </li></ul><ul><li>For additional training: </li></ul><ul><ul><li>attends conferences and workshops </li></ul></ul><ul><ul><li>reads security risk web sites and books </li></ul></ul><ul><li>Values additional training in: </li></ul><ul><ul><li>project management </li></ul></ul><ul><ul><li>qualitative analysis </li></ul></ul><ul><ul><li>expertise in security </li></ul></ul><ul><li>More than half hold a professional certification. The most common certifications held are: </li></ul><ul><ul><li>OPSEC Certified Professional (OCP) </li></ul></ul><ul><ul><li>Certified Protection Professional (CPP) </li></ul></ul><ul><ul><li>Program Management Professional (PMP) </li></ul></ul>
Methodologies <ul><li>Respondents identified 124 unique methodologies or techniques for security risk analysis. </li></ul><ul><li>The top five accounted for only 28% of all responses. </li></ul><ul><li>Top 5 Methodologies </li></ul><ul><li>CARVER – 14 </li></ul><ul><li>RAM-x (C, D, W) – 14 </li></ul><ul><li>ARM/CRM – 12 </li></ul><ul><li>MSRAM – 6 </li></ul><ul><li>OPSEC – 6 </li></ul>Some other answers: SHIRA, TRAM, RAMCAP, HLS-CAM
Project Credits <ul><li>Sponsored by the Security Analysis and Risk Management Association (SARMA) </li></ul><ul><li>Survey prepared by SRA International </li></ul><ul><li>With generous contributions of time, expertise and perspectives of numerous risk professionals working together for the common good </li></ul>
Job Security and Satisfaction <ul><li>The typical risk professional: </li></ul><ul><ul><li>Is “satisfied” with both their job and their salary </li></ul></ul><ul><ul><li>Makes between $100,000-150,000/yr </li></ul></ul><ul><ul><li>Secure in their employment but concerned about decreases in their future earnings </li></ul></ul><ul><ul><li>Believes that “improving strategic thinking and direction” is the most critical challenge facing the profession </li></ul></ul>