You would think that the security industry in the UK would be highly regulated with clear and consistent standards and policies. The reality many would argue, is slightly different. Lamenting on the lack of consolidation across the board in the security industry, Philip Ingram, MBE takes a closer look at security regulations in the UK.
In this blog, Philip explores what is regulated, what isn’t, who are the regulating bodies and how the UK security industry could improve its regulatory measures.
The security industry remains very much polarised into two camps: the IT/cyber security camp and the physical security camp. The way they lack joint regulation and oversight perpetuates the perception that they are separate disciplines. However, with the increasing proliferation of tech-powered security devices such as drones, convergence between the two camps is the theme of many conferences and constantly on the lips of most Chief Security Officers (CSO) today.
What is worrying however is that there is no sign of convergence in security regulation yet.
Security Industry Authority (SIA) & Private Security Industry Act
The physical security world in the UK is regulated by the Security Industry Authority (SIA) under a law called the Private Security Industry Act that came into being in 2001. The SIA are an independent body that reports to the UK Home Secretary and is responsible for security and policing within the UK government.
It was the Private Security Industry Act that established the SIA and gave it the power to license and regulate the private security industry by giving it two main duties. The first is licensing individuals who take on certain security activities; this step has since been made compulsory. The second is to manage a voluntary scheme that measures private security suppliers against independently assessed criteria and this is called the Approved Contractor Scheme (ACS).
The SIA issues licences for certain activities: Manned Guarding, Cash and Valuables in Transit, Close Protection, Door Supervision, Public Space (CCTV), Security Guard and Key Holder, and individuals responsible for the immobilisation, restriction and removal of
vehicles only. Once individuals have completed the prerequisite training and passed the recognised SIA examination and their background checks have been completed, they can get their SIA license issued.
National Cyber Security Centre (NCSC) & GDPR
The cyber world does not enjoy the same level of regulatory discipline as the physical security space however. But with cyber security becoming a growing concern, there is a greater call for scrutiny in the cyberspace. The list of problems in this area start with the fact that there is no government mandated licensing of cyber security professionals.
The only law that brushes against cyber security is the European General Data Protection Regulation (GDPR) that requires certain standards of security. Of course, there are also international standards such as ISO 27001 which is the best-known standard, providing requirements for an information security management system that are applied but not demanded in legislation.
One win for the National Cyber Security Strategy was their establishment of the UK’s National Cyber Security Centre (NCSC) which is part of the Government Communications Headquarters or GCHQ as it is more commonly known.
Areas of improvement
In the physical security space, there is no mandatory refresher training for SIA certification, but more reputable large security companies run their own inhouse training. Another grave problem is that there is no weapon licensing in the UK as there are no armed security organisations, in fact not even the police carry weapons routinely.
Meanwhile, in the cyberworld, the National Cyber Security Strategy recognises the importance of cyber security but states that, “it does not want to overburden businesses and organisations with unnecessary regulatory requirements.” This passive stance can be worrisome for many as few UK-based organizations have cyber security training (20% of businesses and 15% of charities) or have adequate cyber security policies (27% and 21%), according to a Cyber Security Breaches Survey 2018 conducted by the University of Portsmouth. Meanwhile, over two in five businesses (43%) identified breaches in the last 12 months.
A final area that requires a mention from a regulation perspective is the use of drones for security purposes. Currently there is no call for a qualified drone operator who has passed a recognised Civil Aviation Authority (CAA) drone operators’ course and been certified as a competent remote pilot. My suggestion is that the CAA must approve and give permission for a drone to be used for “commercial” security purposes. This permission can be fairly general and last for up to a year in some circumstances. It is as simple as that.
Final thoughts: A call for security regulation consolidation
Security regulation and standards in the UK are certainly not consistent and seem disjointed even to those in the industry. There are ongoing discussions about trying to professionalise the industry, however, there is no overarching body which is answerable to the government for setting and upholding cross industry standards.
The lack of a centralized regulatory body just seems to perpetuate what at times looks and is dysfunctional. This is an area in which many security member associations have tried to influence, but to date all that they have managed to do is to keep the debate going. There is no real sign of a proper solution in sight any time soon.