ASIS Foundation, University of Phoenix develop 'Enterprise Security Competency Model'

Nov. 12, 2015
Model seeks to identify skill gaps in the industry to better prepare tomorrow’s security leaders

As part of an effort to ensure that security practitioners have the skills necessary to meet the demands of an ever-evolving threat landscape, the ASIS Foundation teamed up with the University of Phoenix to develop the recently launched Enterprise Security Competency Model. The model, which has been endorsed by the U.S. Department of Labor, was designed to enable organizations of all sizes to accurately define core skills and competencies required for security positions.

According to Dr. Linda Florence, CPP, president of the ASIS Foundation board of trustees and vice president and dean of specialty programs for University of Phoenix College of Security and Criminal Justice, the idea that a model such as this was needed for the profession was really born out of several research studies that were conducted on the state of the industry a few years back, which predicted gaps in knowledge and how large the industry would become in the future. In fact, a study conducted in late 2012 by ASIS International and the Institute of Finance & Management estimated there was a $410 billion annual market in the U.S. alone for security.

“There were these identifiable gaps in knowledge in terms of skills and so (Jeff Greipp of Apollo Education Group) approached the ASIS Foundation board with an idea of finding a way to identify the skills gaps and the competencies necessary to prepare the workforce for the next generation of security professionals,” said Florence. “And what that entails is the non-cyber piece. When we say enterprise security, what we’re talking about is protecting the enterprise.”

While most people are familiar with cybersecurity given the various data breaches and other online vulnerabilities that regularly make headlines, Florence said that most people are unaware of what goes into enterprise security which is really about managing the numerous risks an organization faces.  

“The security piece is a protective piece, so you have investigations – whether it is background investigations or internal investigation – crisis management, planning for events, executive protection, physical security and incorporating devices with policies and procedures and training, and then, of course, you have what everybody sees which are the guns, guards and gates,” she added. “Managing the risks and looking at security as a piece of the business, not as an overhead but as an actual piece of the decision-making process, that is how we looked at enterprise risk so the competency model addresses those areas of security where someone can look at their skills and say, ‘Well, I understand investigations from a case management standpoint but I don’t understand personnel security or I really don’t understand the physical security piece, but I understand the budgeting.’ All of those things have to come together when you’re managing risk and you’re managing the security aspect of an organization.”

Specifically, the model is broken down into five different tiers – personal effectiveness competencies, academic competencies, workplace competencies, industry-wide technical competencies, and industry-sector functional areas – to determine the skills individuals possess relevant to the security position they seek to fill within a company.

Florence believes the model will not only help people identify what other skills they need to learn in order to move into higher-level positions but will also provide those who make personnel decisions with a guide for how individuals with different skill levels should be compensated.    

“To use the example of someone who is a CPP or Certified Protection Professional, those domains within the CPP are very well defined and they are reflected within the higher levels of the model. The work is different, but those same competencies are in there and that’s reflective of folks that are actually doing the job of a CPP, so if you’re a CPP working in a hospital, you’re doing the job within the space of a hospital, but you can pick up those skills and competencies and then move on to retail or a government agency,” she said. “You’re still a security professional, what may be missing is something within your own professional development. It may be something like leadership or you may be missing something that applies to that specific area, but someone like myself who has never worked in a hospital, I could probably still work in a hospital but I don’t have the technical expertise in a hospital. What the model shows you is what you would need to work in a particular space, but the things that cut across all of them are the underlying skills that help you be successful in the workplace like communication skills, leadership skills and those sorts of things.”

In addition to the endorsement from the Department of Labor, the model has also received support from Time Warner Cable and IBM, which are already putting it to good use in their organizations.

“The Enterprise Security Competency Model is the first in the industry to identify the specific professional competencies and skills required to respond to security risks,” said Brian Allen, chief security officer for Time Warner Cable. “When we realigned our job descriptions to conform to this model, it affected more than 100 security-related jobs, increased skill sets and raised expectations for those already employed by Time Warner Cable and serves as a guide for those looking to join our company.”

“The Enterprise Security Competency Model is the industry standard IBM uses to prepare our workforce to address security challenges now and into the future,” said Mark Beaudry, Ph.D., CPP, senior security professional, IBM Corporate Security. “The U.S. Department of Labor’s endorsement of the model developed by University of Phoenix and ASIS further reiterates the need to define security through an industry-accepted standard.”

Because the security profession is constantly evolving, Florence said the ASIS Foundation is working on a process to keep the model current to ensure that it is always relevant.

“If it just sits for four years and nobody looks at it, it’s not doing anybody a lot of good because our industry changes so fast and the technology changes so fast,” she said. “Ten years ago we were talking about VCRs and now you would be laughed out of the room.”

About the Author

Joel Griffin | Editor-in-Chief,

Joel Griffin is the Editor-in-Chief of, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.