On September 11, 2001, every U.S. airline met the security requirements set by the government. Adherence to regulations did nothing to prevent the attacks of that day.
Many corporate and government security administrators make the mistake of building their security system, and the requirements behind it, only around past events: the methods of operation that adversaries have already demonstrated. In fact, the use of the word ‘administrator’ or ‘administration’, as in, for example, the Transportation Security Administration, in part illustrates the problem. Administrators are not generally innovators.
Often security policy and procedures are not informed by legal or regulatory requirements so much as dictated (and constricted) by them. For example:
- ITAR (International Traffic in Arms Regulations) requires, among other things, that facilities handling controlled technical data screen visitors for whether they are U.S. persons (citizens or permanent residents). The receptionist or security officer asks “are you a U.S. citizen?” The visitor answers yes or no. In my experience, documentation is not required. Obviously, an adversary could simply say yes, regardless of the truth of it. Besides, citizenship is not in and of itself relevant to security threats. A closed question offers no information about the visitor; it is a dead end.
- Now that the marijuana industry has opened up in many U.S. states, dispensaries and distribution centers are subject to a great many regulations relating to security. But being in compliance with those regulations is not the same as having good security.
- Prohibiting security officers from engaging with people, out of fear of legal liability, can produce the opposite of the intended effect and is certainly no basis for effective security.
Regulation begets risk-based approaches that miss the mark on threat. Threat is ever-changing, so its mitigation needs to be forward looking. Many organizations feel good about being ‘up to standards’, but depending on the standards, this does not mean they have effective security in place. Other organizations, when developing a security system, assume that what worked for those guys over there will work for us over here. They try to follow best practices: since the other guy is doing that thing (maybe using CCTV), then we must also do it.
Likewise, an audit is not an assessment. An audit looks to check off boxes and ensure that regulations are met. Effective security is not about checking off boxes. Checklists can be useful as a point of departure or as an organizational tool but reliance on boilerplate often equates to skipping the step of making an assessment. Yet that assessment is perhaps the most critical step, the results of which should form the basis of an entire security system. An assessment is a study. The best assessments begin with a blank page.
Regulations and audits do not require the security measures that may be the most effective: surveillance detection, an insider threat program, or the establishment of solid security rings.
Certainly, no one is advocating dismissing regulations or ignoring laws. But we do urge our clients to step back, take a good look around and think strategically: identify the specific threats, leave room for evolving threats, and work from that basis to build a threat-oriented, flexible system. When there is urgency to act, it is tempting to slap what amounts to a band-aid on a situation. After all, employees or the media or other stakeholders are clamoring for action. But the result is security managers who are running in circles, unable or failing to take control. This pattern guarantees that a given organization, corporate or public, will never get ahead of the criminal or the threat.