Wednesday, September 05, 2012

A Lesson from the Past

I think the adage “If no order, chaos” is truly applicable in the security world – not necessarily to the security function per se, but to the overall concept of security, loss prevention and asset protection within business organizations.

I am old enough to remember the days when order and discipline was the rule of thumb in the business world:  Executives set goals and broad strategies; management made policies and rules to support and implement the strategies; and employees were expected – nay, REQUIRED – to follow and implement the rules and procedures and policies.  Each of those three tiers had its inherent authority, responsibility and accountability.  If a particular person in a particular tier did not properly exercise his role, he would be disciplined – formal discipline on his record, or demotion, or termination.  Everybody clearly understood his particular defined role in the organization, its concomitant responsibilities, and the penalties for failure.  Supervisors and managers were responsible for assuring compliance – they actually supervised and managed.  This was the very concept and essence of ORDER.

In those days, there was far less opportunity for internal security problems within a business organization because there was a defined system of checks and balances, and there were people in place to assure that the system functioned properly and successfully.  The thought and belief was “Even if Big Brother (i.e., Security) was not watching, my boss was.”  I had to perform and behave, or I’d be gone.

Today, that scenario does not exist.  Everybody does everything, so nothing really gets done thoroughly or correctly (another true adage:  “When everyone is responsible, no one is responsible”).  Executives don’t have time to formulate sound goals and strategies because they’re too busy and worried about what is now the end-all and be-all of business: next week’s profits.  So management muddles along, trying to support the executives’ “goal” of next week’s profits.  And the employees do whatever their job-of-the-day happens to be.  EVERYONE gets frustrated.  There is NO sound management or supervision.  So there is lots of time and opportunity to devise devious schemes for “getting my fair share” and doing things in the easiest, simplest way possible, which results in errors and mistakes and an I-don’t-care attitude.   This is the very concept and essence of CHAOS.

Some organizations still focus primarily on “old” security ideas like preventing, mitigating and managing external problems.  But that is because there was a time when focusing on external problems (like theft, trespassing, vandalism, bad checks and credit cards, etc.) was pretty much the sole extent and focus of the security function because there just weren’t that many other issues for Security to be concerned about, because when there was ORDER the internal systems worked and resulted in efficiency, correctness…and low levels of loss.

But now in the land of CHAOS there are many more things to be concerned about in terms of protecting an organization, many (most?) of which are internal, because Security has been charged with cleaning up the mess created by the broken systems that were broken by someone else.  And in order to fix this pervasive problem, we have to first repair the broken windows before we can make sure that they don’t get broken again.

Oh for the simple life of the past……