By Julian Talbot.
After more than 25 years working in security risk management on four continents, I believe I can safely say that I know every trick in the book – except the one they are using right now!
Years of working in interesting parts of the world, such as Asia, Africa and parts of Australia that most people never see, have given me some insights into the minds of the people who seek to breach our security systems or bypass our law enforcement agencies. At times I have been appalled by their ruthlessness, but equally I have found their inventiveness compelling and impressive. More on that in another article, however. One aspect of security risk management that truly stands out is the huge variation in the quality and effectiveness of the security risk management systems (SRMS) that I have witnessed. Some have been outstandingly good while some were appallingly awful. The latter were at times so bad that I could only stand in awe at the sheer ineptitude of the security managers who designed and implemented them. Accordingly, I thought I might (tongue firmly in cheek) share with you some insights into how to build and manage the world’s worst security risk management system.
First of all, like Fight Club or life in general, there are rules if you want to build an SRMS which will put people’s lives in more risk than crossing a Bangkok motorway blindfolded, or will share your precious secrets more effectively than a press release. Sadly, it is easier than you might think but not as much fun as you might expect. In actual fact, it is fairly stressful for most of the aforementioned inept security managers. At first glance, it looks simpler to pay lawyers to represent your company at a coronial inquiry than to put the same effort into prevention, but that is not an opinion that I share. However, some managers seem to love the adrenaline and thrill-a-minute chaos of a life lived on the edge.
In any case, cutting to the chase, here are some well-established design principles to help you to live on the edge.
1) Avoid, at all costs, conducting any sort of risk analysis. If you inherited a previous risk assessment or treatment plan – destroy it. If your boss or shareholders ask where it is, blame the last guy. If you get pressure to conduct a risk assessment, outsource it to the lowest bidder and do not give them any defined scope or terms of reference. With luck, what you will get back will be a checklist of threats rather than risks. So-called ‘risks’, such as ‘insider threat, terrorism and espionage’, are so vague that you will be able to justify anything (including complete inaction) but you will look impressive. Worst case, you will end up with some expensive action items that the executive management team will decide to ignore on the basis that they are too expensive, and you will be able to get back to your schedule of golf meetings with little interruption.
2) Make sure you pay your security team and contractors so little that they need to take bribes to feed their families. You are actually fostering an entrepreneurial spirit in the security team and helping subsidise the local community if security officers take bribes from drivers who steal fuel to sell to the local maize mill or taxis.
3) Lead by example. Refuse to wear your access pass on the basis that it is inconvenient and download BitTorrent software, music and pornography at work on the basis that it is okay for senior management. In fact, issue a written warning to any security team member who checks your web browsing history or seeks to search your vehicle at the gate as if you were just anyone.
4) Do not do any system maintenance. Let’s face it, that is just dead money that could be used to send your kids to university. If you absolutely must do any maintenance, make sure that your brother-in-law ‘wins’ the contract. After all, your sister’s husband Basil would be perfect. Your brother-in-law does not own any equipment or know anything about locks, much less CCTV, electronic access control, or firewalls, but he is more than happy to offer you some consulting work on a cash retainer. Hopefully you are getting the idea now.
5) Do not forget to do some maintenance though in the weeks leading up to your performance review, and make sure the work you do is highly visible (e.g. painting the security boom gates). Other than that, best to let those systems limp along until at least three critical security breaches have been identified, at which point you ask for more funding for (you have guessed it) your brother-in-law’s company. Trust me, there is no cheaper way to do targeted maintenance. It is also one of the best ways to subsidise an Ivy League education for your kids.
6) Training. Do not do it. But, and you need to pay attention here because this is important, you need a training budget. You will need to explain to your boss why training is so critical. If you cannot think of why it is important, hire a consultant to convince your boss and prepare a budget (probably best not to hire Basil for this one as you will want it to be funded). Okay, so that is the hard part out of the way. Now for the easy bit. At your next budget review, when your boss is under pressure to save money, you offer up the training budget. The best time to do this, of course, is just before your next performance review or when your boss is discussing your annual bonus. It is a win-win that I have seen many times. You get a pay rise and your boss gets to offer up a cost saving to their boss. Best part of all this – you never have to actually bother with any of that inconvenient up-skilling of your staff. Smooth, eh? And really, if general staff have not got a clue about security, surely that is the responsibility of their managers. Right? If it is your team that is out of its depth with the latest security threats, just sack them. You will not only look like a team player who can cut costs, but a truly decisive and natural leader.
7) Vehicles. Security vehicles are expensive and, let’s face it, they get trashed by an ungrateful security team. How much better would it be to spend that money on some jet skis that seat three people and will do over 100 km/h across the water? The senior management team will not only be grateful for the opportunity to use them after work or on the weekend, but they will be so much better off for the networking opportunities after work. Okay, so you may face a few more losses out at the mine sites but, really, the company has plenty of money.
Hopefully you can already see how much more important networking is amongst the senior leadership team. Remember, of course, as you are networking while racing each other on jet skis, to subtly but good-naturedly remind the senior leadership team that the jet skis and sailing catamarans were funded by the cost savings you offered up and the sacrifices you made to do so. Now that is what I call a win-win-win.
8) The optics are important. And no, I am not talking about sniper scopes but how it all looks. An ‘inspirational’ former boss of mine lived life and made business decisions based on how each decision would look to senior management and/or in the media. Well, that was the rationale at least, but we quickly decided that the ultimate optic was how it would look in terms of our boss’s career prospects. A simple example of how to apply this rule would be to make sure that (no matter what the actual risks are) your division never has more armoured vehicles or close personal protection than the rest of the organisation. Even if the people in this division are working and travelling in higher risk areas, it is best not to make a fuss with too much visible security, lest you seem to be thinking of your own team as more important than higher ranking officials, and definitely not if you aspire to work in that other division of your organisation. You should definitely use ISO31000 to justify your decisions, but always bear in mind that how your decisions look to outsiders or higher ranking officials will determine your promotion path and career prospects. If you have been handed a risk assessment that says something to the contrary, refer to Rule Number 1.
9) Remember to build systems that suit activities that you do not conduct. For example, if most of your information and commercial secrets are electronic, be sure to invest in physical security. Large solid doors and visible alarm systems will give people a real sense that their information is secure. Money spent on recruitment screening, security vetting, personnel aftercare or firewalls is largely wasted – at least in terms of your career. Stick with the visible stuff that will get you promoted. Let’s face it, even if someone successfully hacks your system or bribes your patent lawyer, the chances of anyone finding out are one in a million. Besides, even Basil can hire labourers to install doors and locks.
10) Last but not least. Encourage a culture of risk-taking. Do not, whatever you do, communicate your security risk management system within the organisation. People are pretty canny at avoiding trouble and even if they do mess up, it is best if you can threaten to issue a written performance warning for breaching a policy that they have never seen. It is much too inconvenient to have to keep that stuff updated and communicated. Always assure your senior management team that “yes, we are fully compliant with WXYZ Standards” but avoid showing the evidence if possible. They do not really want to be bothered with it (let’s face it, they have their own career risks to manage). If pushed to explain why nobody is actually exhibiting any security behaviours, may I refer you to Rule Number 6.
Hopefully these tips will help you, gentle reader, in the event that you should ever become the ruler of a small (or large) near-bankrupt security empire where over-regulation is a significant problem.
On a serious note … sadly, I find all of the above, and more, to be systemic issues in way too many places. Sometimes it really does seem as if some leaders set out from scratch to create the most ineffective security system in the world. And yes, I know it is not easy securing a modern organisation, but how many of the above have you personally witnessed? Drop me a line at firstname.lastname@example.org or join our SRMBOK discussion forum on LinkedIn if you have other tips or similar experiences you would like to share.
Julian Talbot is the Chief Executive Officer of Jakeman Business Solutions (JBS), a $25 million professional services business which provides business strategy, risk management and information technology advisory services. He is also a Fellow of the Risk Management Institution of Australasia, lead author of the Security Risk Management Body of Knowledge (SRMBOK), recipient of the Australian Security Medal, Director of the Security Risk Management and Analysis Association (SARMA), and a Research Associate with the Australian Security Research Centre.