Monday, February 18, 2008

Why this Blog, Why Now

Security professionals saw 9/11/01 as a tragedy and a wake-up call. My own security practice within a global investigative and security consultancy at the time experienced a huge, unprecedented spike in business and in publicity. From relative obscurity, I found myself having back-to-back appointments scheduled with the media by my president’s secretary because no one else in the office could speak to the larger issues of enterprise security. Yet, just getting more security business was not enough. By the end of the year, I had decided to give notice and began a migration back to the public sector by first joining a contractor for the State Department which was working exclusively on anti-terrorism and Homeland Security projects. On facing my resignation, my company president told me, “If it’s just about money, that’s easy to solve.” It wasn’t, however.

Nor, almost seven years later, is it now. September 11, 2001 fired the irreversible salvo in the Long War of throw-back barbarism against what passes for civilization and modern life. At the time, it was not only professional guardians who heard the call to action. American flags sold out of every store and waved jauntily on what looked like every other car. Military recruiters saw unprecedented lines of volunteers. A wounded population seemed mobilized and missionized, ready to take on any adversary with the kind of resolve and courage unseen since the Minutemen of the Revolutionary War. Security was also about to come into its own, with the Wall Street Journal predicting the advent of the CSO: the Chief Security Officer, who would become to every institution what the Chief Financial Officer or Chief Technology Officer had become – a key executive with a place at the decision-making table of the enterprise.

Things never work out quite as predicted. Americans lose interest or even lose heart in any war lasting more than three or four years. We then begin to question not only our leaders, but also ourselves. We stop digging foxholes and lean back on our couches to psychoanalyze. And when our adversaries refuse to accommodate our proclivity for professional fault finding and apologizing and hand wringing, we look closer to home to blame more convenient, more cooperative villains: ourselves. We look for root causes, convinced that if we can understand it all, the sheer force of a good heart and open mind will wash away the hatred and end hostile action without more needless bloodshed. But we are wrong.

Security is a basic need we must address long before we arrive at the point of comfortable speculation about ultimate causes and motives. In Maslow’s hierarchy of needs, I would say security comes between love and hunger. It is easy to give it top priority when taking enemy fire. But when further removed from direct attack, we all have a tendency to lower our guard – a tendency any shrewd adversary will count on and exploit. Now, more than ever, security is a matter of survival – for individual, for organization, for institution, for enterprise, for nation, even for way of life. We need to pay attention to safeguarding our people and assets, our operations and interests. We are now in a world where security may not always seem necessary, but where it is sometimes indispensable. And it is precisely in this context that we must ask ourselves:

“All secure?”

– Nick Catrantzos

Sunday, February 3, 2008

Security Lessons from Banks and Bishops

During a single week in January, three avoidable security breaches showed what role people play in facing catastrophic security breaches. The board of a major French bank was debating whether to fire its chief executive, whose rogue trader cost the enterprise $7.2 billion and set up the business for a hostile takeover (Reuters’s January 30 article, “Soc Gen board ponders chairman fate,” http://news.yahoo.com/s/nm/20080130/bs_nm/socgen_dc). Lesson: The time for executive involvement in security is before the catastrophic loss, not after.

Across the Atlantic, in Texas, a personal catastrophe. A Greek Orthodox bishop’s car was burglarized while he was out to dinner. The victim, himself a former US Marine, lamented the irreplaceable losses not only of a jeweled ceremonial crown valued up to $10,000 but also of a black bag given to him by the widow of a fellow Marine. The bishop felt lost without the bag, a sentimental attachment of 22 years. (Dallas/Ft. Worth NBC News of January 27, http://www.nbc5i.com/newsbycounty/15149212/detail.html) Lesson: If something is invaluable, treat it that way – all the time.

Finally, a security success story emerges, relatively unheralded. An alert Swedish bank employee managed to thwart a Mission Impossible-style digital bank heist in progress. Thieves had managed to place a device or devices under the employee’s desk. At the appointed hour, when the thieves were poised to seize control of a computer and electronically transfer millions out of the bank, the employee recognized something amiss and literally pulled the plug on a device. This action stopped the transaction at the last second. (AP article of January 30, “Swedish bank stops digital theft,” http://ap.google.com/article/ALeqM5jAz3WqAdnaAcvzcllNpnJbyArdvgD8UG7LIG2) Lesson: There is no more effective security measure than an alert employee who acts on suspicions.

Defending assets is quiet work, taking more diligence than dash. Only security failures make headlines.

– Nick Catrantzos