Security's "Cycle for Failure"

Here in simplistic terms is my perspective of the basic cycle that causes many of the problems that are faced throughout the security industry – what I have termed the “cycle for failure:”

1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.

2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.

3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.

4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.

5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.

6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.

I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.