Tuesday, November 04, 2008

What Kind of Security Do You Have?

SECURITY – The term has become prevalent in today’s world. Used in the context of protective efforts, it means different things to different people: it may mean the protection of our nation from terrorists; it may mean the feeling of well-being experienced by a senior citizen when the front door is locked at night; or it may mean anything in between. But even in the business world, which has embraced the concept of security for years – even if as nothing more than a necessary evil – there is no consensus as to what “security” really means.

In common business philosophy, “security” usually refers to a program for protecting the organization’s assets; and it is usually meant to be a proactive program involving the implementation of various strategies to prevent or diminish the likelihood of the occurrence of bad things. And that is fine…as far as it goes. But organizations sometimes forget that “protecting assets” should be a comprehensive business strategy that not only achieves asset protection but that also limits liability. And the concept of liability avoidance is all too frequently overlooked in the development of a security program.

In reality, there are 3 different kinds of security:

First is the “one-size-fits-all,” “everyone-does-it-like-this” kind: “Joe down the block has a guard and a camera, so I better have a guard and a camera.” This may be sufficient for some businesses, and may occasionally achieve a semblance of actual security – even if only by luck and chance. But luck and chance have a habit of disappearing when needed most.

Then there is “good” security. This is usually a program designed with some specific intent to address the protection of the company’s assets. This may also be sufficient for some businesses, and certainly is better than the haphazard approach. But unless the program has been developed by someone with security knowledge and experience, and unless a recognized program development process has been used, there is still no assurance that the program will be successful or will withstand a legal challenge.

To digress a moment…legal challenge? Why should development of a security program be concerned about a legal challenge? Because no security program is infallible and failure-proof – even with a comprehensive security program, some bad things can and will happen. And when some kinds of bad things happen, lawsuits will result. And when a lawsuit arises, it will not be good enough to demonstrate that a good security program existed. It will also be necessary to demonstrate that the security program was reasonable, adequate and sufficient in relation to legal standards. Which brings us to the third type of security…

Legally defensible security. This is a program that has been designed not only to protect, but to withstand legal scrutiny when challenged. It is a program that has consciously taken into account the potential threats and risks that might be encountered, the various methods and strategies available to counteract those threats and risks, and then has taken those countermeasures and strategies and implemented them in some formalized manner. This is the kind of security that affords reasonable, adequate and sufficient protection against reasonably foreseeable risks.

In other words, the best security program is one which not only achieves its protective function successfully, but which has been developed and implemented in a manner which can be defended in court.

What kind of security do you have?

Wednesday, March 12, 2008

Security Standards

There is a widespread misperception related to the concept of “security standards.” So this message will attempt to clarify the issue.

As an expert witness, I am frequently asked to assess existing security measures in relation to “security standards.” In fact, such standards do not exist, at least not in the narrow sense of universally accepted, required or codified principles (the exception being standards for buildings of the Government and its contractors).

Because security is both science and art – the science being the paraphernalia, technology and techniques used in protective efforts; the art being the proper and appropriate application of that “stuff” to a given situation – there are frequently a variety of ways to achieve reasonable security. And since reasonableness of security is judged vis-à-vis the circumstances of a particular situation, reasonable security is by definition different in every situation. So in truth, a “standard” is nothing more than a best practice that some reputable body has endorsed and/or embraced; but even an accepted “standard” is not – and in fact cannot be – the appropriate security measure that can or should be applied in every circumstance.

The biggest difficulty with “standards” is not in their identification or interpretation, but in their application. Courts across the country have taken the most realistic approach to the concept of standards: While Courts will recognize that standards (in the broadest context) exist, Courts usually will then go a step further and require evidence that the standard was applied to a given situation in the most appropriate way, and was the most suitable solution to the security problem.

As an example: A Court may recognize that there is a “standard” for the appropriate minimal height, configuration and installation of a chain link fence. But then that Court will take that “standard” and seek evidence as to whether that particular standard was suitable, appropriate, adequate and sufficient for the fencing around the facility where the actionable incident occurred.

So in other words, standards are fine; but they are not – and cannot be – universal in terms of one-size-fits-all-in-every-circumstance application. Every situation is different, so security measures will of necessity be different.