A colleague with an approved and funded internal mandate to spend employer money on security improvements faces an internal raid. Other, financially strapped parts of the enterprise must scramble for money to forestall layoffs. No matter how notorious those others may be for extravagant spending patterns and chronic inattention to budgets and deadlines, the larger organization must save them. Otherwise the specter of layoffs will cloud this workplace forevermore. Or so the prevailing wisdom goes. Welcome to a smaller, personal version of "too big to fail."
How does this connect to security regulation? Well, the only functions spared from this plundering are those cringing behind the force field, Regulatory Compliance. No problem, you say? Surely this protection extends over my colleague? Not at all. You see, my colleague is guilty of bureaucratic transgressions: basing security investment on an analytically supported business case and playing by the rules to make this case, obtain approvals, and run an above-board program with total transparency and multiple audits. In a bureaucracy, however, none of these steps matches the force field's value in shielding security investment from raiding. If, instead of doing things the hard, responsible way, my colleague had a handful of regulations to brandish, the raid would be defeated.
Security is no toggle switch to turn on and off instantly just before an attack. It is a rheostat that takes time to put in place and to calibrate for adjusting to the needs of moment. But my colleague working to put this rheostat in place is now stymied by internal antibodies that do not understand or want to understand this subtlety. For them, if the money is not going into core business or into regulatory compliance, it is up for grabs. And thus the predatory and myopic impulses of bureaucratic self-preservation override the best efforts of a security professional to protect an organization from everything but ... itself.
-- Nick Catrantzos
Subscribe Now
AddThis
Nick Catrantzos + Tom Goff
- All Secure
- NICK CATRANTZOS is the lead author of the All Secure website and is the emeritus security director for a large public organization. He has also managed security aspects of corporate takeovers, response to international hostage situations, and finding and keeping secrets. He has been board certified in security management, licensed as a private investigator, and certified as an incident commander. He worked as a case officer for a discreet branch of public service. He protected stealth technology at Lockheed and, later, as a consulting security director for both Kroll and Control Risks, he assisted executives with workplace violence cases and with protecting VIPs and critical assets globally in volatile areas. Nick's partner, TOM GOFF, was a captain in the Military Police Corps, U.S. Army Reserve and has a law degree from the University of California at Davis. He is a former reporter for Fortune Magazine, was senior editor at New York Magazine and Esquire, and has provided crisis and communications counsel to senior executives at Fortune 500 companies, including Lockheed, ARCO, Microsoft, Nissan, and Sony Pictures.