Monday, March 15, 2010

Security's "Cycle for Failure"

Here, in simplistic terms, is my perspective on the basic cycle that causes many of the problems that are faced throughout the security industry – what I have termed the “cycle for failure”:

1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.

2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.

3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.

4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.

5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.

6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.

I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.