I've had critical infrastructure clients call me and say they need to come up with some proposed security projects quickly so they can stake their claim to funds and get "their share" of a grant award. Unfortunately, we have repeatedly seen that funding processes and rushes to deploy technology at critical infrastructures sometimes do not consider the real vs. perceived needs for this equipment, nor the impacts these deployments will have on the overall security program.
Whether incident-driven or not, many well-meaning facilities have deployed more technology than they need. Ultimately, shortsighted technology deployments often become expensive boat anchors dragging down the security program without adequate operating or maintenance funding.
How much of which technology is enough? Try to match every technology deployment to a specific documented priority need. Make sure that these needs cannot be addressed by simpler and easier to implement and manage "low tech" or "no tech" solutions.
One test to evaluate whether you have deployed too much technology is to find the person within your organization who is most familiar with the proposed work. Ask that person to explain to a small group of non-security employees (representing various skill and authority levels), what need the proposed equipment will address, how it will accomplish this and how using this technology is appropriate when compared to other alternatives. Then, interview these employees and ask them these simple questions: Did the technology advocate's explanations make sense? Is it clear from the session that we need this equipment? Do you think our security program will be better with this equipment?
You might be surprised what insights into your security program outsiders can provide. If the explanations are not clear, concise and incorporate more than one narrow aspect of your security program, other improvements might serve you better.
James R. Black, CPP, PSP, CSC, CET serves as senior security consultant and operations manager for TRC Solutions out of its Irvine, Calif., office. Over the past 13 years, he has assessed threats and designed security systems for many of the nation's critical infrastructures. He can be reached at firstname.lastname@example.org.