Security Gone Wild!

You’ve seen, or at least heard of, the various Girls Gone Wild videos.  You know the ones, where young women, apparently intoxicated and on spring break, do things on video that they may regret later.  And judging by the news stories about the ensuing lawsuits, many do regret their actions.
So what happens when your security program goes wild?  Well, it probably will not prompt any sales of DVDs.  A security program gone wild can cause serious problems: you can end up with ineffective security at best and, at worst, a serious hindrance to your business goals.
As is often the case, you can have too much of a good thing and security is no different.  Excessive or overdone security will do more harm than good.  It can destroy productivity, affect employee morale and in the long run cause staff to ignore and even actively work against security measures.
There are three primary ways that security can go wild – and none of them even involves alcohol.  The first is overkill, the second is FUD and the last is zero-tolerance.
Let’s take a closer look at each of these wild mistakes.
The first one is overkill.  This is often encountered with IT security.  Information Technology departments face many challenges and, in this day and age, are critical to the success of any organization.  This goes far beyond IT security issues.  Businesses need IT departments to provide reliable access to information on the network, fast internet access, email, streaming video, data backup and all the various software needed in a modern office.  IT security also faces very real threats from potential hackers and cyber attacks – any of which could cause severe damage or shut down daily operations.  The recent cyber attack on Lockheed Martin is an example. 
That said, IT departments often have strict procedures, which can go wild.  One IT security department tightened the guidelines on the process for creating employee network access, shutting out a number of department leaders in the process.  In one case, an employee was terminated late on a Friday and there was concern about his network access.  The department manager contacted IT to immediately close out the access, but was refused, as the manager did not have authority to access the security request form needed.  In the end, the employee had access for several months after being terminated and was actually seen in the public parts of the building on the organization’s computers.
This is a classic example of good intentions paving the road to hell, as the saying goes.  The process was well meaning, but had unintended consequences that actually undermined security.  The same type of problem applies to physical security.  Security procedures that are too strict or interfere with employees’ ability to perform their jobs will be ignored.  Employees will work around the restrictions if they are unreasonable.
The second way that security goes wild is FUD – fear, uncertainty and doubt.  This is the bread and butter of some security professionals.  They try to build support by outlining worst-case scenarios and creating fear and doubt about what could go wrong.  There is certainly a time and place for this, when a realistic assessment clearly points to severe risks.  But too often, the security leader relying on FUD becomes an obstacle to changes or new processes.  They become the “no” person holding up an organization.  As a result, leaders will leave them out of the decision-making and away from the ‘real’ business.
I have to wonder how much security has fallen back on that since 9-11 and how many sales pitches have been made based on what could happen in regards to terrorism.  Entire industries have built up around global terrorism.  Seeing some of the videos of Osama Bin Laden, wrapped in a blanket, watching an old TV makes me wonder how we could have been so afraid of him.  Of course, there are many examples of very real and deadly attacks carried out by al-Qaida and other terrorist groups since 9-11 and before and there is no doubt that the threats will continue.  Still, there is an element of security gone wild in some respects.
The last pitfall is zero-tolerance policies.  Zero-tolerance may sound like a good idea, but it is too often interpreted as maximum punishment.  How many stories have there been of a kindergarten student being expelled for having a plastic knife in their lunch?  One story was about an elementary student who had a tiny plastic gun for an action figure with him.  It is okay to have a zero-tolerance policy, such as violence at work will not be tolerated.  That does not mean that every situation should involve the maximum punishment.  At work, an employee reading a gun magazine during his break (the adult equivalent of the action figure gun) and another employee who threatens a co-worker should be handled differently.
The common theme when security goes wild is the absence of discretion and a security program focused on all the worst-case possibilities.  And the common outcome is the loss of confidence in the security program by staff, by visitors and even customers.  This translates to the loss of effectiveness of security.
To avoid going wild, business leaders need to make sure that their company’s security plan supports the goals and operations of the enterprise.  Decisions should be based on realistic risk assessments and account for the organizational culture.  Security should enhance the business, not hinder it or hold it back.  Don’t let your security go wild – you may avoid unnecessary lawsuits, embarrassing videos or at least bad PR!
