Ten years ago this month, I wrote the following in my monthly column for this magazine: “It is frustrating to the point of absurdity — the fact that the security mindset in our country sets us up for the tragedies like those we all witnessed on September 11, 2001. While we cannot asses blame for mindless acts of terror, the circumstances that make it easy for Americans to become targets can’t be denied. We as security professionals, we as citizens share culpability to a point.
“Security in some sectors, like our culture, tends to be a repetitive series of knee-jerk reactions. Whether it is in the corporate boardroom or in the Oval Office, security has consistently been the least important item on the line-item budget. Security is too expensive. Security just doesn’t have the necessary ROI. Security is intrusive. Security infringes on our personal freedoms. Security is inconvenient. Security discriminates. Security is threatening.”
Looking back ten years later, we can certainly see some changes in the security landscape. Corporate security directors are getting more face-time on Mahogany Row. Increased public exposure of security’s role has sharpened our situational awareness. Even the federal government has benefitted by becoming the largest security employer in the world with the creation of the Department of Homeland Security. Late night talk show hosts are very thankful.
“Our top story tonight, Attorney General John Ashcroft and FBI Director Robert Muller held a press conference today to announce that Al Qaeda is planning attacks somewhere inside the United States at sometime in the future. So go about your normal lives, but with a vague sense of foreboding.”— late-night talk show host Craig Kilborn.
Yet, that vague sense of foreboding is not as funny as the comedians would have you believe. As our world has expanded and globalization embraces everything from commerce to communication, the world has gotten flatter. We have seen a new business model evolve globally. Instead of giant corporations and superpowers driving world events and finances, the model has shifted to far-flung start-ups that can now compete in the new marketplace with low-wage manufacturing, software piracy — not innovation — and even outsourced design work from American companies who feel they are too tax-burdened in the U.S. or simply don’t give a damn where their technology lands.
New York Times columnist Thomas Friedman refers to this phenomena as “mutant supply chains,” which, like Al-Qaeda, enable small groups to make a big, destructive impact.
Ten years after 9/11, the world of terrorism has also gotten flatter. We have witnessed the destruction that a small band of dedicated zealots can create from London to Mumbai, from Madrid to Tokyo and almost everywhere in between.
The technology revolution has made it possible to deliver terror by Twitter and Facebook, hatch mayhem by laptop computers and coordinate the logistics, schedules, financing and budgets of carnage through a Website, by a cell phone or by e-mail. The terrorism of the 21st century is the dark side of globalization.
It is this shrinking world — as much as the events of 9/11 — that have changed the security landscape forever. Globalization may be great for business, but it has made the job of mitigating risk nearly impossible.
Security is about process, not technology. Many security policies are written that sound great on paper but have no teeth because they are not verified or audited. Implementation of a security policy is viewed as the final step in some altered state of project management. Actually testing and setting metrics to your policies are often still viewed as threats to management and something that must be avoided to keep the board from seeing how things really are and what the real costs of not addressing risk are.
A security policy is a business process. And any business process that is not validated is useless. If nothing else, the residual effects of 9/11 have clearly demonstrated that mitigating risk requires a strategic plan, organizational alignment, and most importantly, the courage to confront the enemy — even if it is in your own boardroom.
If you have any comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at firstname.lastname@example.org.