Saturday, April 24, 2010

Security Regulation Allure

A colleague with an approved and funded internal mandate to spend employer money on security improvements faces an internal raid. Other, financially strapped parts of the enterprise must scramble for money to forestall layoffs.  No matter how notorious those others may be for extravagant spending patterns and chronic inattention to budgets and deadlines, the larger organization must save them. Otherwise the specter of layoffs will cloud this workplace forevermore.  Or so the prevailing wisdom goes.  Welcome to a smaller, personal version of "too big to fail."

How does this connect to security regulation? Well, the only functions spared from this plundering are those cringing behind the force field, Regulatory Compliance.  No problem, you say?  Surely this protection extends over my colleague?  Not at all.  You see, my colleague is guilty of bureaucratic transgressions:  basing security investment on an analytically supported business case and playing by the rules to make this case, obtain approvals, and run an above-board program with total transparency and multiple audits.  In a bureaucracy, however, none of these steps matches the force field's value in shielding security investment from raiding.  If, instead of doing things the hard, responsible way, my colleague had a handful of regulations to brandish, the raid would be defeated.  

Security is no toggle switch to turn on and off instantly just before an attack.  It is a rheostat that takes time to put in place and to calibrate for adjusting to the needs of moment.  But my colleague working to put this rheostat in place is now stymied by internal antibodies that do not understand or want to understand this subtlety.  For them, if the money is not going into core business or into regulatory compliance, it is up for grabs.  And thus the predatory and myopic impulses of bureaucratic self-preservation override the best efforts of a security professional to protect an organization from everything but ... itself. 

-- Nick Catrantzos 

Saturday, April 10, 2010

Are Shortcuts Dangerous?

From today's front page: "Polish President Lech Kaczynski was killed early Saturday along with his wife, several top military officials, and the head of the national bank when their plane crashed ... [http://www.cnn.com/2010/WORLD/europe/04/10/poland.president.plane.crash/index.html?hpt=T1]"

After taking into account the elements of human tragedy and inevitable failure analysis sure to follow, what does a security professional see in this story? A costly reminder of why even B-grade corporations and institutions adopt policies that prohibit all executives from traveling by the same conveyance at the same time. In some cases, insurance policies and governing bodies bolster the reminder. Seeing top management as an asset that ties into the valuation of the enterprise, they insist that all these precious eggs not travel in the same basket.

Policy and reality frequently diverge, however. Even A-grade corporations and institutions with mature executive travel policies often end up placing their leadership at risk by ignoring this policy. Or, if not actually ignoring it, they rationalize it away as a priority to be seconded to the more pressing trump cards of cost, schedule, or efficiency. Respectively, the arguments go like this. One, the institution saves money by sending all the executives on the same flight. Two, given busy calendars, there is no time to fuss with scheduling separate flights for all the VIPs. Three, the executives must certainly be more productive if allowed to leverage travel time by talking shop and furthering their employer's business instead of napping or talking to themselves, as they might if deprived of familiar company while traveling.

Even security may be conscripted to the cause of defending this bad decision and policy violation. After all, one may argue that it diverts fewer resources to protect one limousine convey and secure one aircraft reserved for conveying VIPs from one secured location to another. Cheaper, too.

Both arguments fall apart if one takes the long view. The real cost comes not from distributing one's risk instead of risking all assets together, but from considering what it takes to recover from self-facilitated decapitation. And if, by any chance, a loss-producing event like this plane crash involves not mere chance but calculation, dispersing the targets would have limited the attacker's chances of attaining the sought-after combination of means, target, and certainty of success.

Once again, there is no smart way to be stupid, as this Polish tragedy will no doubt reveal in days ahead.

-- Nick Catrantzos

Saturday, April 3, 2010

More of Same Yields More of ... Same

When the ethically flexible Frenchman who commands the police under Nazi masters in Casablanca appeases the ranking Nazi du jour by announcing he is rounding up TWICE the usual suspects, is he anticipating future grant dispensers and homeland security experts who demand equal satisfaction on the heels of every spectacular attack? It certainly looks that way. Else why do last Monday's Moscow subway bombings trigger the usual knee-jerk reaction at home? This reflex compels earnest homeland security critics to remark that America lags in anti-terrorist defenses of our own subways and surface transportation. This is how one accounts for the significance attached to pointing out that we have spent only $21 million of $755 million allocated for transportation security grants, per a June 2009 GAO report (at http://www.gao.gov/new.items/d09491.pdf).

The conventional wisdom is that this lag in spending reflects insouciance on the part of defenders. The corollary is that these slackers should be spending with gusto on risk assessments and detection technologies to demonstrate their competence. But is this round-up of twice the usual suspects really wise? Or is it ill advised?

Consider: TSA has deployed viper teams and carried out exercises at transit hubs already. I witnessed one myself at Union Station a few years ago. Hundreds of responders participated, sharing lessons across jurisdictional lines. But they had to run their exercise early on a Saturday morning to avoid complicating already unbearable commutes in a large metropolis. There lurks a lesson here for anyone who uses trains and subways infrequently: You cannot harden such a target sufficiently without paralyzing its capacity to perform. Anyone who had to rely on the train to go from Washington D. C. to Manhattan while air traffic was grounded immediately after 9/11/01 will likely remember how adding one more complication to normal business travel would have easily halted that travel altogether.

There are times when institutions do their best by not disbursing public funds with feverish abandon. This is one if those times.

Transit security on the scale necessary to thwart a terrorist attack like Moscow's lends itself poorly to American freedom of maneuver without undue personal invasions. Otherwise, costs become prohibitive, lines crawl, and defense remains uncertain. A better approach would be to invest in citizen involvement, empowering and one day enabling fellow commuters not only to spot attackers but to also intervene to stop them, with the same assurance of Good Samaritan protections they would receive if performing CPR or a Heimlich maneuver.

Otherwise, we fool only ourselves and engage in security theater by calling for more spending, more cops on trains, more bomb-sniffing dogs, more security patrols, more interagency coordination -- more everything -- except feasibility and proof of results. We round up twice the usual suspects with little danger of catching the most deadly one before he or she strikes. We also force TSA into the role of the French police in Casablanca, a force reduced to appeasing petulant masters more than doing a tough and necessary job within available resources.

-- Nick Catrantzos