Security: A Model Less Simple

When passing through a full body scan, a pat-down search and a baggage x-ray on your way to buying a coffee in your local mall, you know you live in the era of Security.

It seems to me, however, that enterprise security operates under the sole premise that mal-intention can be prevented. Password policies, network restrictions, biometric sensors, intrusion detection, firewalls, access tokens, truckloads of technology all geared to one single goal - keep the bad guys out. Driven by fear of doomsday scenarios fed into you at numerous conferences, we treat every potential breach as a nuclear explosion and try to prevent it. I doubt anyone other than Jet Li can bring a jet down with a pocket knife (and by definition he's a rare talent), yet we - at great cost and inconvenience - make sure every pocket on a plane is empty of a knife. Even China does not have that many Jet Lis, so for that kind of success ratio this is kinda expensive.

Ignored here is the strategy of deterrence - make them afraid of the consequences. This strategy can be seen everywhere in the real world, but it's oddly absent in the virtual world of information security. People don't steal just because a door is open; more often it's because they don't want to go to jail. They know that jail is a possibility because newspapers and politicians and others give ample coverage to crime and its consequences. In societies where punishment is unlikely (such as war-torn Afghanistan) people rarely worry about consequences and crime is undeterred. Companies should similarly publicize penalties and visibly take severe action in case of breaches. An ounce of deterrent is often worth many kilos of prevention, but I've yet to see a company security policy (usually running to hundreds of pages) specify punitive actions. CISOs should get the authority to swing a big stick, and make sure that it's visibly swung when the need arises.

It's simple. Publicise the punishments (make sure they're substantial). One fine sunny day, pick a few violators and make prominent, public examples of them. Repeat every quarter, or as frequently as needed. Even the good old Chanakya recommends it - "saam, dhaam, dand, bhed" - where "dand" is the thing to note here.

Prevention, of course, can hardly be neglected. Locked doors and access controls are important, but in the absence of a deterrent this leads to rapidly diminishing utility. Think of a country with no effective police; the bill for private security and electric fences will start climbing rather quickly. This is fine if you live in Wasseypur, but in other cases a few ounces of deterrence is worth more than a few kilos of prevention.
