Friday, May 13, 2011

“Old School” vs. “New School” Security

There is definitely a distinct difference between “old school” and “new school” security philosophy.

While I understand and (sometimes) even appreciate and (sometimes) even utilize facets of “new school” thinking, I am basically an “old school” kind of security professional – maybe even a dinosaur. But my “old school” philosophy has been honed from over 40 years in this profession, in a great variety of activities and circumstances and situations. And my “old school” philosophy has resulted in significant successes at the 3 organizations for which I was Director of Security: no significant losses, no significant incidents, no significant problem trends, and NO successful lawsuits against my organizations. (In fact, the losses and incidents and trends and lawsuits increased substantially at those 3 organizations after I left them and was replaced by “new school” devotees.)

While there are many major differences between “old school” and “new school” security philosophy, here is what I see as perhaps the most significant: I have always spent more time planning security strategies than researching the metrics (see – “metrics” – a “new school” term). After I had built credibility in my organizations with those who counted – senior executive management, corporate attorneys and bean-counters – I was able to convince them of the efficacy of my strategies/programs without the need for the pretty charts and the myriad of footnotes and references and the 6 numbers after the decimal point. I had been there and done that and gotten the T-shirts so successfully that my word was sufficient. And then you can’t much argue with success. So I basically used my personal experience and knowledge, added a little intelligence-gathering (kept abreast of the news and the trade publications and watched and listened and observed), and then spent the majority of my time developing and refining my already-successful strategies and actually doing the things that protected my organizations.

Yes, it was a different time. Managers were selected for their abilities and were actually allowed to manage. As an experienced and credentialed security professional, I was expected to provide quality security services, and I didn’t have to reinvent the wheel every time I wanted to do something because it was presumed – in fact demanded – that that was my function as the responsible executive. Today is different, and today’s security executives rarely have the authority and responsibility (which just may equate to credibility?) to do the things that really should be done to adequately protect their organizations.

Yes, there is a big difference between vulnerabilities and threats. But until I have been convinced otherwise, every vulnerability is at least a potential threat that I have to assess and prioritize and act on. With the vast majority of my business now being involved in litigation as a Court-recognized expert witness, I continually observe organizations whose security programs are of the “it-can’t-happen-to-me” or “it-didn’t-happen-to-me-yesterday-so-it-won’t-happen-to-me-tomorrow” schools of thought; and those organizations almost always lose more in the lawsuits which transpire after it does happen to them and they didn’t plan accordingly than if they had been proactive. In security, the adage of “an ounce of prevention is worth more than a pound of cure” is almost always spot-on.

I guess the reason that I will remain “old school” is because after 40 years I have the metrics to prove that my “old school” way works, while “new school” advocates can only watch and wait and hope that their way is equally as effective – I hope it is, but I do have my doubts.