Interview: Ilya Umanskiy on Security Consulting, Professional Development, and More

Ladies and gentlemen, Ilya Umanskiy is easily one of the most insightful interviews (formal or informal) I’ve conducted in recent memory. In this hour-long interview, he sheds light on the following topics:

  • Asset protection, investigations, risk management, and security consulting
  • Challenges of transitioning Military/Law Enforcement and aspiring professionals getting started
  • Professional development tips (and potential pitfalls)
  • Sphere State (mentorship project)
  • Recommended readings
  • And more

Listen to our full interview below or read the full text at your leisure.

Enjoy!

 

*Prefer to listen on YouTube instead? [LISTEN HERE]

 


Full Interview Transcript (With Links)
 

What drove you to choose your career path?

It was accidental, but also serendipitous. The accident was in the fact that I didn’t really choose it, though I always felt some attachment to it. I was simply given an opportunity, perhaps because of my affiliation with John Jay College, where I used to study and then later taught. Initially, I had contemplated becoming a lawyer, but then I read a book called “Civil Action,” which dissuaded me. And I continued my studies in the Master’s degree program at John Jay and that is the time I got a call from Prudential Financial to join their global security department. It was very fortunate for me that I was able to first of all create a good resume that stood out from the volume of other resumes at the college, but also that the person who later became my mentor, Paul DeMatteis, CPP, CFE, was also teaching at John Jay and he even today continues to recruit people heavily from there. And that was the serendipity of it, the rest was through his mentorship and his coaching, along with coaching and mentorship from a few other people on the global security team at Prudential that made me really attached and made me feel at home in this career.

 

For some of our listeners that may not be that familiar with your line of work, can you tell them what security consulting is?

To me, security consulting is the ability to look at and prioritize critical assets for clients and be able to advise them on the best ways of protecting those assets. Obviously, those assets could be a human life, information, tangible assets of various sorts (buildings, cars, computers, and so on). So, it is the knowledge of the three most important disciplines within the protection of assets that drive the consulting piece, which are operational security, technical security, and physical security.

Operational entails everything relating to the setting up of processes and administration of processes to control the governance part. Technical entails everything that we use as tools. Technology wise: computers, video surveillance, access control, and so on. Lastly, physical security entails everything hardware related: locks, doors, walls, the shape of our sites, the layout of our buildings, and so on. Those are the three that guide, as far as I understand, most practitioners that are evaluating risks and threats to a variety of assets that they identify, and then advise clients within those three key disciplines.

 

For some of our listeners that are newer, could you tell them how you went about getting started in consulting and what education and experience you needed?

Sure, as I said initially, I was recruited from John Jay College, which is a criminal justice school and primarily attended by law enforcement personnel, military personnel, and people involved in all aspects of emergency response, policing, and so on.

The study of criminal justice has a lot of policy analysis built into it. You need to understand government, and you need to understand law. That pushed me toward the understanding of risk and understanding how risk perception needs to be managed and how also it needs to be addressed. In most cases when you study criminal justice, you would be addressing that from a law enforcement/government perspective, but it is also transitional into the private sector.

That built the foundation for me in terms of being able to understand policy, procedure, structure, and so on. Basically, that helped shape my view and it also helped me navigate to the consultancy field. But, consultancy didn’t start for me until 6 years into my career. I had to learn at Prudential, being a member of the global security team and learning how to advise internally. How to be the in-house expert, and working with those who advise all levels of the organization. And that experience, in addition to having the ability to travel and having the ability to address a variety of different projects.

We were very busy, I must say, with a multitude of requirements and risks, threats, and incidents as well. Having that experience positioned me quite well to be able to take on an advisory role for various organizations. Without having that experience of being coached and mentored, and being involved in various projects in different capacities—without that, I would not have been able to become a consultant. It would have been very difficult, you need to be able to learn how to engage with people, how to understand what issues they’re experiencing, and not cause disruption to their operations or processes, simply to facilitate careful improvement. So, that’s how my direction to becoming a consultant was shaped.

And then in 2006, I joined Kroll, which was in and of itself a new learning platform for me. Again, through coaching and mentoring I learned to become an independent consultant by working with teams and various leaders. That’s how my career evolved.

 

When you were in some of these roles, whether with Kroll, Prudential, or now with Integrated Systems & Services, what licenses or what certifications have you needed?

That’s a very good question. There is still no requirement for providing security consulting advice. It is highly dependent on various jurisdictions, both in the US and overseas. So, a lot of people gravitate toward receiving certifications from organizations like ASIS. They will have the three certifications: CPP, PSP, and PCI. Those have been historically the go-to certifications, but now that we are gravitating to the world of data security, information protection, and IT networks, there are now additional certifications that many professionals are contemplating or are already obtaining. Those are CISSP and so on.

I must say, as important as those certifications are, and particularly the content of study that is entailed in each of them, they are not an end-all. I know of people who do not carry any of those certifications and are quite capable as advisors and consultants. I also know of third-party certifications such as RAMCAP. This is also something that I have received.

They are slightly newer than the certifications from ASIS, but they’re also a very important course of study in order to understand how to manage risks to critical infrastructure facilities. And of course, a lot of peers in the industry have achieved certifications in fraud management through the industry bodies such as ACFE. So, they received the Certified Fraud Examiner certifications. That’s where people have been gravitating toward. Again, I must say, what’s important is not so much getting the certification, but sustaining your knowledge base and being a perpetual student. That is what has been driving me and I continue to learn above and beyond those certifications that I was able to receive.

 

What can you tell us about your current role with Integrated Systems & Services?

Thank you for asking, this is something that I have been trying to shape since I started, and even before I started. When we first spoke with the CEO of this firm, obviously the direction was to expand and diversify solutions and services that we as a company present to the market. At the same time, there was a need to nudge improvement for some of the internal in-house processes. So, my role entails these two aspects: one is diversification of client-facing valuable solutions and services including training, advisory work relating to set up of command and control environments, systems, review of their compliance positions, and also understanding of how the systems that clients are using are used with the highest return on investment and with the highest benefit for those clients. So, that is the client-facing side.

The in-house side is also quite interesting for me. It’s really applying something that I’ve been learning more recently, which is the change management and facilitation of improvement in an organization. So, I’m looking at various processes that the company has and looking to streamline a lot of them including communications, delivery of various solutions and services to clients by our staff and our team. And also creating more disciplined behaviors around various tasks that our team does, both that are client-facing and internal. Those are things that I’ve been doing in order to help the company grow and also score a lot more wins with the clients and have better relationships with the clients.

 

I have a quick follow up to that, in your role with Integrated, what sorts of things do you do beyond what the average person might expect of you?

You know, this is something that I have been thinking about quite a bit. I think that in any organization today, the buzzword is “transformation.” For me, this is also something that is turning out to be the reality that I live. In fact, a lot of my time is spent thinking on behalf of the team: What do we look like as a brand? What do we look like from our marketing perspective? How do we engage with clients? How do we offer thought leadership? How do we go above and beyond just the products and services that we provide to the market?

And that has been a very interesting process for me to support the team with, and to help facilitate because it is that change management that many organizations are going through and I am very glad that I am given an opportunity to play a part in it. If people think of me as just a security consultant, I think that is inaccurate. I am able to apply a variety of skills that I have picked up over the years, having done a lot of stuff that goes above and beyond just protecting assets. I would say that the transformation and change leadership that I have been applying is slightly different from what you would expect.

 

Transformation and change leadership sort of lead to my next question… On your LinkedIn, you often mention behavioral and organizational psychology, and I’m curious, what are you specifically talking about here and how can our listeners apply and benefit from it?

We can start with behavioral psychology because it is the foundation for organizational psychology. What struck me as a professional some time ago, in about the last 10 years, is the existence of biases and sometimes lack of action on the part of clients to whom we were offering advice, myself included. The question has always been “Why?”

Why is it that when you offer sensible advice with which the client agrees, that very little action or insufficient action is taken in order to achieve improvement and meaningful change that is sustainable—something that prevents repeated incidents? That’s what drove me to start thinking and reading a lot of literature about behavioral psychology.

How do we make decisions? How do we either rationalize or act spontaneously in most environments? And that’s when I stumbled upon the work of various authors, but primarily the work of Daniel Kahneman and Amos Tversky. They collaborated to produce a body of research and experiments basically talking about human biases. It resulted in Kahneman’s book: "Thinking, Fast and Slow." In that book, he talked about two systems of thinking, and it perfectly fits the model of thinking about how we engage with clients as consultants and how should we expect the clients to behave.

Interestingly, behavioral psychology thinks about not just rational thought, but about feelings—about the fact that we actually feel sooner than we rationalize. And the feeling may come from just observing someone’s body language, whether your body language comes across as positive or negative, or the way you speak, the way you present, the way you share information, the way you sequence things. The feelings come first in most cases, and that’s what helps people use spontaneous reaction and be judgmental sometimes about the content that they are observing or receiving.

Then, the second part is the rational part. How do people then rationalize? How do they think about change or adapting new ways of behavior? That part takes much longer, it requires more thinking and more habit building, which is very important if we start talking about organizational psychology. So, organizational psychology is an evolved discipline that has a lot of roots in behavioral psychology. It’s something that organizations use and they look at behavior of individual people as collectives, and then look at behaviors related to business processes, and then try to facilitate positive change/positive experience for both the employee population as well as the clients that the organization is serving. Organization psychology is very useful for security consultants because everything we recommend requires some degree of adjustment within the organization.

It is with the use of organizational psychology that a consultant can be more successful in order to apply and facilitate some of the changes that they are recommending. Much like a management consultant, a security consultant is recommending something very specific for the organization to protect their assets. Sometimes you will face agreement and sometimes you will face doubt, and it is how you navigate, how you explain, how you coach organizational leaders in adoption of your strategies and your tactical suggestions, is how a security consultant can be very successful. So, organizational psychology is the foundation for driving change and dealing with large groups of people in order to both enable the business and to help facilitate better protection mechanisms and controls.

 

This is one of my favorite questions: what two or three non-security books do you most often recommend to your peers?

I must say that you didn’t catch me off guard because we just finished talking about fields that I’m very passionate about. The books that I would recommend are all related to the study of human behavior and decision making. My recent ones that I would point readers to, obviously the one that I mentioned: "Thinking, Fast and Slow" by Daniel Kahneman. But something that’s very applicable today, I find in books written by the Heath Brothers, Dan & Chip Heath. One book is called “Made to Stick” and the second book is called “Switch.”

“Made to Stick” is a book about very powerful communication, and it comes with a model that any reader can use in the way they communicate. The model is called “SUCCESs,” and it’s actually in a downloadable format that they’ve posted on their website. So, if listeners check out the link, they can make use of this and better understand this concept.

The second book is called “Switch.” And as I said, that’s a book about actually facilitating change. They passionately describe real-life scenarios that organizations and people have gone through in order to facilitate change. It is completely in a global context, and it has nothing to do with the US or Asia. It is really a collection of very interesting case studies from all over the world. They incorporate the principles and concepts that have been developed by Kahneman and Tversky and apply it in their book. You find this discussion about the “Rider,” which is our rational thinking, kind of this slower more methodical way of building thoughts and processing information. And our emotional side, which is called the “Elephant” in their book.

You can then make your obvious judgements about the way that they think, in terms of what needs to be done in order to facilitate change. You can see that the Elephant being a larger body in and of itself, is difficult to sway, but when you can, change can be very powerful. And the Elephant represents a system of feeling, a system of spontaneous direction or action. So, the Rider should be motivating the elephant and giving it some direction through rational thinking. Obviously, you will see the parallels between what Kahneman and Tversky talked about, about behavioral psychology now applied to your real-life. Heath Brothers very carefully captured this model and I think it’s very, very useful.

The third book I want to stress and highly recommend for readers is “The Seventh Sense: Power, Fortune, and Survival in the Age of Networks” by Joshua Cooper Ramo. The reason I recommend this book is because it’s giving readers a sense of what powers are shaping the world: what is happening to our planet, how certain forces including technology are now taking a leading role in shaping world affairs, how we communicate, how we think, how humans behave, and also the access to various resources.

I was quite fascinated by what he has written and his approach, and some of the suggestions and predictions he makes. I would certainly recommend it to anyone who is engaged as a consultant in our field or someone who is seeking to be engaged. Because without understanding how our world is changing, what direction we’re taking and where the risks lie, which he carefully points out—without it, I think it would be more difficult to advise clients. So, I would strongly recommend those three books.

There are many more, one of them is “Nudge” by Cass Sunstein and Richard Thaler. Also related to behavioral, but in this case, behavioral economics. It has its roots in the work by Kahneman and Tversky. So, once readers stumble upon the work by Kahneman and Tversky, they will see this plethora of additional books that are closely related to what they’ve started, by a variety of authors. And they will find excellent information on decision making and human behavior.

 

Next, what do you do differently from your co-workers or peers in the same profession?

I think for me, the important factor is the challenge of facilitating change—but before the change can be actually delivered, what is important is to understand and communicate very carefully to clients, to sort of open their eyes to the gaps that exist between what they think is the status of their asset protection and what the reality is. And what I do is apply what is a widely-known system known as positive skepticism. It’s where information about controls or the design of controls, as presented to me by the client—saying “look we have our crisis management plan, we have our policies and procedures for protection of assets, we have a variety of other documentation and processes that exist”—not to take any of that at its face value. Always to conduct an inquiry into the real-life application of those controls and how actionable they may be and so on.

To give you an example, I was working with a client who slid across the table, a very voluminous crisis management plan, being very proud of it and thinking it was the pinnacle of their crisis planning. On page 9, the decision-making authority about classifying an incident rested with two separate people who would never talk to one another before they offered their classification. And therefore, the same incident could be classified very differently by two different individuals, and they were never given this plan converge to agree on the classification. So, when I pointed that out, they were kind of scratching their heads. They looked and said, “Wait a second, we had a major company do this for us.” And I said, “True, but here you have a gap, how do you justify its existence? Do you think it’s good for you in the long run if you continue using this structure that you have currently?” And they obviously said “No.” They were thankful for me finding this, but at the same time a bit disappointed that they had invested a lot of time and effort in doing this, and thought that they had everything tightened up. And unfortunately, it wasn’t.

That is the crux of the issue that I look at more carefully than most. It’s not professional to just agree with the client that they have a robust set of documents for a set of controls, without checking how those controls actually operate in reality. And in more cases than not, you will find gaps that could be mitigated. That is something that I find significant value in for clients, and typical comments that I receive are “thank you for helping open our eyes.”

 

Now, positive skepticism I see is one of the themes that you connect to Sphere State. What can you tell me about Sphere State and what problems it seeks to address, and what you hope to achieve?

(Follow Sphere State on Facebook)

Sphere State has been on my mind for a long time. It was something that struck me as also one of the gaps that unfortunately exists in our professional community, when you look at risk management as a whole. I was a product of an academic environment, and then when I started working in my first proper asset protection/risk management job, I realized how underprepared I was through my academic work, for this job. I ended up learning quite a bit after starting in my role. That was when I started thinking, “What might be the vehicle to help someone transition?” Be it a person who is leaving law enforcement or military and then going into the private sector, which I’ve seen while teaching at John Jay College—and going through a lot of students that had very unrealistic expectations about the private sector, as they were transitioning or if they were young professionals or aspiring professionals, they did not realize all the pitfalls and the level of skills that would be required.

So, Sphere State then materialized just recently into a platform, if you will, for mentorship. I remember that because of the gap between what I learned in my academic environment and then what I needed to know when I joined Prudential, I ended up being dependent on coaching and people investing time into teaching me how to do certain things. I feel that Sphere State can help bridge that gap, before a candidate can start adding value to the organization. I am simply trying to offer a platform for either young and aspiring professionals, or for transitioning law enforcement or military who are seeking careers in the private sector in either risk management, investigations, or asset protection. For them to, as I can best describe it, to soar above mediocrity. Because for the most part, they do not understand the skills that are required. My goal, my objective is to help them be better than the sea of candidates that are seeking the same positions.

*Related Article: “My Vision for Sphere State” by Ilya Umanskiy

 

Next, what role has mentorship played in your career?

It pretty much helped me achieve the knowledge that I have now. It helped bridge that gap between what I achieved academically, and what I needed to know professionally. Everything but my own effort, is due to very careful/rigorous mentorship and coaching. As I said, I tip my hat off to Paul DeMatteis, CPP, CFE. I don’t think I can ever repay what he has been able to do for me and for many others, by the way. He has been mentoring many young professionals over the years. I think it helped me also understand that our discipline in asset protection and risk management in general, is quite teachable, it’s not something that comes with experience in military and law enforcement alone. It’s something that you can have a fresh graduate that has relevant experience, but no former law enforcement or military background, that can also understand and learn and become as proficient, if not more proficient in the skills of risk management and asset protection.

 

In one of our recent conversations, you mentioned being approached by recent graduates who were interested in working in security consulting. So, what advice do you typically give them, and are there any mistakes that you see are common among that crowd?

What I would say is to have an open mind. I know it’s a cliché phrase today and a lot of leadership consultants and self-help gurus use those words, but I think they carry very special meaning for those aspiring to work in the field of risk management, investigations, and asset protection. A lot of young graduates can’t afford to have misconceptions or to build certain concepts or constructs about understanding what the field is and how it works. Especially today because a lot of things in our world are changing. The same applies to how they need to think about their professional career development.

I think they just have to have an open mind and be a sponge, to absorb new knowledge, to be open to sometimes criticism, but very often simply very, very good advice. And also, very importantly, to not take things at their face value. To always be studious enough to—like we care about our health and we always go for a second opinion, to always double check things, to make sure that they make sense, that they are meaningful, particularly for those who are looking to become consultants in the future. I think that’s very important, to not be subject to those psychological biases, to overconfidence, that unfortunately are very visible in the corporate world and in the government. That is one thing that I would give you.

Unfortunately, I had a direct experience just recently with an aspiring young professional who kind of had this rigidity about them. Once they told me that they wanted to be a consultant, I said, “Have you checked and do you understand the following firms…” and I gave the names of very prominent global consultancies that are in the space of risk management, investigations, and asset protection. That person didn’t know of any of those firms, and what struck me more was the referral letter that this person shared with me. That letter was full of grammatical mistakes by itself, and when I pointed that out—saying that this person might need to be cautious sharing that document going forward, they didn’t think it was such a big deal. I think that is where a consultant cannot afford to be unnuanced. Nuance is one of those very rarely applied arts that will save both your reputation and enhance your reputation, but also will help clients more than just generic advice. It is being nuanced that I would recommend as my last advice. Just don’t stop with the first piece of information that you receive. Make sure that you’re able to understand it by doing a little bit more research, by engaging with a few people who may have access to the same information, and maybe they have a different view. So, that’s something that young professionals can benefit from.

 

I’ve seen some examples in my own career and in talking to other young professionals, where their organizations almost become silos for them, where they don’t go out and seek outside advice, they just get the narrow perspective of that particular group that has been working together for 5 or 10 years, they don’t necessarily get exposure to outside opinions or thoughts or any kind of critique.

I recently had to work with a person to coach them to avoid that exact thinking, because they were complaining to me that they felt slightly stifled within the internal environment of their organization professionally. My point to them was to be patient within the organization, but at the same time, who’s stopping you in this day and age from learning something on the outside—particularly because we have access to so many learning resources, and the majority of them are free. Plus, people today are almost required to network with one another. I think I was able to point him in the right direction toward very knowledgeable individuals and also organizations that were outside of his own kind of silo. And I think that he will benefit from it quite a bit. To me, that’s another very important point.

 

What is the worst advice you see being dispensed in the security industry?

Well, in my thinking, it’s not so much what is the worst advice, but what I find is a lack of unified advice. A lack of uniformity about risk management, protection of assets, and investigations. I find that a lot of people will talk about how to apply various controls within organizations, without thinking, “What are some of the internal resources within those organizations that are capable of application of those measures?” Because a consultant is only a touch point for an organization, they won’t be (in most cases) holding the client’s hand in applying the control measures. Or in some cases they may help, but not entirely.

So, much of the onus is on the internal responsible managers and staff members within the organization. I find a lot of advice falls short of being specific enough and being useful and actionable enough, for organizations to actually do much of that on their own.

One of the things that I tell clients is this: from the moment you engage with a consultant, consider this a learning experience. Take a pen & paper or a mobile device (on which you can record information) and then start taking studious notes. Because what you’re doing is, you’re actually receiving additional knowledge from a consultant. Next, challenge consultants on helping organizations and particularly the people they are engaging with, to understand how to take forward what recommendations are provided. Such as how to make sure that they are implemented, what might be some of the methods, who might be responsible, how to validate them, etc.

Those things, I’m happy to say are starting to get attention today. But, we still find a lot of practitioners simply offering advice, then walking away only to come back and see nothing implemented or very little implemented—not because the client doesn’t have institutional intelligence, but simply because the advice provided was not specific and actionable enough.

 

Do you have any specific ask or request of the audience or final parting words?

One thing I would like to note, and I think I mentioned it before, is the need for building a much more specific and robust skillset. Because of these converging disciplines of risk management, investigations, and asset protection, it is absolutely important for practitioners, in order to be the leaders of tomorrow, to have diverse skill sets in those areas. That is to understand the foundations of risk management, to understand how to investigate, what methodologies are out there, how to collect and analyze information, how to do desktop and also human intelligence research, how to provide the results of that analysis to the client in a meaningful way, and how to write well—because unfortunately today, we find a lot of written communication to be below expected standards, so those things are quite important.

I think that not settling for what the neighbor is doing, as we advise a lot of our clients, is what we as practitioners should be doing to always try to soar above mediocrity. And one other thing that I would ask of the community is to start thinking about convergence of our disciplines because we’ve been witnessing a lot of fragmentation. Many of us are called physical security professionals and many of us are called cyber security professionals, and then there is further compartmentalization within those disciplines. And, unfortunately, it is not helping anybody. At the end of the day, we are all together protecting assets. If as a community we think together how those assets are to be protected. Particularly, an example could be information.

Information does not exist only as data. It exists in three domains: mental, physical, and digital. If we start thinking together how to protect an asset like this, we will achieve much more meaningful progress, rather than what is taking place today: us having fragmentation where even practitioners in what’s called cyber security are attending their own conferences and for the most part are not presenting meaningful content at conferences such as the ones that are hosted by ASIS, and vice versa. I think sharing those ideas more widely across the board and also engaging with organizations that are going above and beyond risk management, particularly in psychology and human resources, organizational psychology, and also the innovation spectrum like South by Southwest and RSA and many others. Expanding those horizons as a more unified group of professionals will help us achieve better results.

What’s the best way for listeners to get in contact with you?

One of the better ways is through my LinkedIn or by going to Sphere State. And obviously, the firm I am with, Integrated Systems & Services is also a good resource. If you look at any one of those three sources, that’s where all of my information is.


Stay connected with Ilya and learn more about his big projects below:

Ilya Umanskiy on LinkedIn

Sphere State on Facebook

Sphere State Website