Part 1, Understanding Security Witch-Hunt, August 19, offered analysis and inferences concerning the challenging situation of any defender in the wake of a very public fiasco where a near-term need for scapegoats may trump the organization's long-term security interests. Now, in Part 2, we shift our focus to prescription, outlining a three-pronged approach to dealing with a near-impossible situation, including steps to take and actions to avoid.
Rx 1: Take the hit without generating alibis or excuses.
The temptation to soften the blow or redirect the accusing finger of blame will be almost insurmountable. Legal advisers will counsel making no admissions of culpability, for fear of civil and criminal actions that might ensue. Public relations consultants will advise changing the subject by any means in order to deflect negative scrutiny. Governing boards and special interests alike will look for human sacrifices. What is the professional defender to do?
Focus on verifiable facts. A security problem exists when there is a substantial, adverse difference between what is supposed to happen and what actually did happen. It does no good to create convoluted story lines to account for why an octogenarian nun could penetrate a secure area without holding any defenders responsible for the breach. Now is not the time for excuses, but is it the right time to drill down into details that identify situation-specific and systemic points of failure. If a strain-sensitive cable did not detect a cut along a fence-line, for example, capture this information and, for the next section, take charge for fixing this particular problem. If further examination reveals that the reason why such a failure occurred is because the detection device was inoperable at the time owing to an unforeseen budget cut whereby funds that were supposed to be allocated for a backup battery supply and tamper alarms had instead been reallocated to, say, replacing an air conditioning unit for a data center, by all means document this as an underlying or contributing cause. However, do not highlight this particular point at this juncture. To do so gives the unprofessional appearance of trying to dodge accountability.
With the foregoing approach in hand, document all verifiable security failures and take responsibility for instituting corrective action. In parallel, document all contributing factors for later reference in management discussions about correcting systemic problems and allocating resources necessary to meet existing and emerging security requirements.
Rx 2: Having acknowledged specific, verifiable failures with brutal honesty, now develop corrective actions that fully meet all official security standards.
By no means exclude corrective recommendations that you suspect the customer will dismiss out of hand on grounds of cost, feasibility, or historical preference. Resist the temptation to buy into prevailing arguments that some official standards are unattainable, hence historically neglected or moderated by all concerned in joint recognition of resource or other constraints. The temptation may be overpowering in this case, as nuclear security is notoriously infected with very precise standards and just as reputedly overtaken by receptivity to role-playing and scripted performances that mask performance shortfalls by contriving security inspections whose occurrence and successful conclusion are known in advance.
Instead, this is the time to look at officially promulgated and contractually accepted security standards, and to propose to satisfy them in good faith, no matter what the cost. This process will no doubt unearth standards in place that were either unattainable or too resource-prohibitive to be met. In all likelihood, principals from all entities involved, including government customers, arrived at some kind of informal accommodation that permitted deviation from standards to occur. For example, if a given alarm was to officially compel arrival of an armed response within, say, five minutes at the point of an identified breach, perhaps the government customer, contract facility operator, and contract security service all previously acknowledged that distance and terrain would make such a response impossible without a helicopter on standby. Over time, the prohibitive cost of that helicopter, its pilots (for 24-hour coverage), and maintenance may have become too expensive to subsidize in the face of budget pressures. The proper way to address such a situation would have been to bring it out into the open and either revise the standard or provide a signed, written waiver under certain conditions for a given period of time. In all likelihood, however,it is just as likely that all principals found it more expedient and more bureaucratically risk averse to avoid raising the issue this way. Instead, they could, for example, mutually agree to start the countdown on response time once word of the breach has reached the nearest security responder in the field. What such an apparently minor interpretation of convenience neglects is that the time between detection of the breach and alert of the field responder may have already consumed 15-30 minutes, so that the net response to the site of the breach has now become up to 35 minutes. But, for purposes of a collusive inspection, that kind of response could still count as having met a five-minute criterion. [Note: This example is specifically created for purposes of illustration without any reference to a particular standard and is not meant as an indictment of any individual or function involved in the fiasco in question. The illustration is just a way of pointing out how operating entities, security services, and government customer representatives possessed of the best of intentions may nevertheless act in concert to undermine their own defensive posture without realizing it.]
After spelling out how to fix the security deficiencies that really do lend themselves to remedy, establish a timeline and propose to start implementing corrective actions at once. In all inspections, particularly those involving reputational risk, the goal should be to enable inspectors to say as often as possible, "Corrected on the spot."
While working on these corrective actions, concurrently capture alternatives, costs of implementation, and any recommended compromises to or modifications of official security standards. Use these data to formulate a separate impacts and options study to present to the customer at a more appropriate time, after the immediacy of the situation has subsided.
Rx 3: When it comes to addressing intangibles, like culture or mindset, instead of continuing a point-by-point response, offer up a bold program that will institute the kind of sweeping change necessary for addressing systemic and recurring lapses.
Instead of trying to vault this chasm in multiple hops, take a substantial leap. It is the only chance of avoiding ruin. This is where problem solving must give way to predicament unscrambling, where the place for specifics is in the details of designing a program and implementation schedule to support the sea change that will deliver results. What is this change, this program?
It is nothing less than a re-ordering of the workplace along the lines of a No Dark Corners approach, where the co-pilot model of engagement across the board extends not only to the teams responsible for operating the nuclear facility, but also to all the sentinels charged with its security. Everyone becomes deputized to take a hand in protection. Excuses become taboo, hence extinct. And collaboration extends to the point of making security an integral part of the overall operation, of every job, rather than a shopworn and anemically supported applique to be tacked on only when inspectors are watching.
How does one manage all these steps? For a start, one may turn to the chapter, "Consulting for No Dark Corners Implementation," in Managing the Insider Threat: No Dark Corners (Boca Raton: CRC Press, 2012). But this is not the only solution. After all, one can also resolve to accept scapegoat status and change one's company name after serving in a public pillory and being debarred from future government work.
-- Nick Catrantzos