Tuesday, November 04, 2008

What Kind of Security Do You Have?

SECURITY – The term has become prevalent in today’s world. And using the term in the context of protective efforts, it means different things to different people: It may mean the protection of our nation from terrorists; it may mean the feeling of well-being experienced by a senior citizen when the front door is locked at night; or it may mean anything in between. But even in the business world, which has embraced the concept of security for years – even if as nothing more than a necessary evil – there is no consensus as to what “security” really means.

In common business philosophy, “security” usually refers to a program for protecting the organization’s assets; and it is usually meant to be a proactive program involving the implementation of various strategies to prevent or diminish the likelihood of the occurrence of bad things. And that is fine…as far as it goes. But organizations sometimes forget that “protecting assets” should be a comprehensive business strategy that not only achieves asset protection but that also limits liability. And the concept of liability avoidance is all too frequently overlooked in the development of a security program.

In reality, there are 3 different kinds of security:

First is the “one-size-fits-all,” “everyone-does-it-like-this” kind: “Joe down the block has a guard and a camera, so I better have a guard and a camera.” This may be sufficient for some businesses, and may occasionally achieve a semblance of actual security – even if only by luck and chance. But luck and chance have a habit of disappearing when needed most.

Then there is “good” security. This is usually a program designed with some specific intent to address the protection of the company’s assets. This may also be sufficient for some businesses, and certainly is better than the haphazard approach. But unless the program has been developed by someone with security knowledge and experience, and unless a recognized program development process has been used, there is still no assurance that the program will be successful or will withstand a legal challenge.

To digress a moment…legal challenge? Why should development of a security program be concerned about a legal challenge? Because no security program is infallible and failure-proof – even with a comprehensive security program, some bad things can and will happen. And when some kinds of bad things happen, lawsuits will result. And when a lawsuit arises, it will not be good enough to demonstrate that a good security program existed. It will also be necessary to demonstrate that the security program was reasonable, adequate and sufficient in relation to legal standards. Which brings us to the third type of security…..

Legally defensible security. This is a program that has been designed not only to protect, but to withstand legal scrutiny when challenged. It is a program that has consciously taken into account the potential threats and risks that might be encountered, the various methods and strategies available to counteract those threats and risks, and then has taken those countermeasures and strategies and implemented them in some formalized manner. This is the kind of security that affords reasonable, adequate and sufficient protection against reasonably foreseeable risks.

In other words, the best security program is one which not only achieves its protective function successfully, but which has been developed and implemented in a manner which can be defended in court.

What kind of security do you have?