Skip to main content

Security: A Model Less Simple

When passing through a full body scan, a pat-down search and a baggage x-ray on your way to buying a coffee in your local mall, you know you live in the era of Security.

It seems to me, however, that enterprise security operates under the sole premise that mal-intention can be prevented. Password policies, network restrictions, biometric sensors, intrusion detection, firewalls, access tokens, truckloads of technology all geared to one single goal - keep the bad guys out. Driven by fear of doomsday scenarios fed into you at numerous conferences, we treat every potential breach as a nuclear explosion and try to prevent it. I doubt anyone other than Jet Li can bring a jet down with a pocket knife (and by definition he's a rare talent), yet we – at great cost and inconvenience - make sure every pocket on a plane is empty of a knife. Even China does not have that many Jet Li's so for that kind of success ratio this is kinda expensive.

Ignored here is the strategy of deterrence - make them afraid of its consequences. This strategy can be seen everywhere the real world, but its oddly absent in the virtual world of information security. People don't steal just because a door is open; more often its because they don't want to go to jail. They know that jail is a possibility because newspapers and politicians and others give ample coverage to crime and its consequences. In societies where punishment is unlikely (such as war-torn Afghanistan) people rarely worry about consequences and crime is undeterred. Companies should similarly publicize penalties and visibly take severe action in case of breaches. An ounce of deterrent is often worth many kilos of prevention, but I've yet to see a company security policy (usually running to hundreds of pages) specify punitive actions. CISOs should get the authority to swing a big stick, and make sure that it's visibly swung when the need arises.

Its simple. Publicise the punishments (make sure they're substantial). One fine sunny day, pick a few violators and make prominent, public examples of them. Repeat every quarter, or as frequently as needed. Even the good old Chanakya recommends it - "saam, dhaam, dand, bhed" - where "dand" is the thing to note here

Prevention, of course, can hardly be neglected. Locked doors and access controls are important, but in the absence of a deterrent this leads to rapidly diminishing utility. Think of a country with no effective police; the bill for private security and electric fences will start climbing rather quickly. This is fine if you live in Wasseypur, but in other cases a few ounces of deterrence is worth more than a few kilos of prevention.

Labels:

Comments

Post a Comment

Popular posts from this blog

Outsourcing I–The "Why" Question

A little while ago, I was asked to give a presentation to CEOs on outsourcing. The audience wanted to know about adopting outsourcing for their companies; making use of its promise while avoiding its pitfalls. It seemed to me (unimaginatively, I must admit) that the whole thing boiled down to four fundamental questions - the why , the what , the who and the how . I decided to expand the presentation into a series of blog posts, one per question. The Why Question Why outsource? Given that a trillion-dollar industry has crowded a lot of people into Bangalore and made more than one driver rich, it seems a little late to ask this question. However, this isn't really about outsourcing being good or bad per se. Bloggers like us love to wallow in theoretical questions; companies usually want answers to more prosaic stuff. The question really is, why should a company be looking for an outsource partner ?   I've divided the universe into two simple flavours – Tactical and Str...
2 comments
Read more

The Economics of 'E'

Mass market retailing is an expensive business. Rents, staff, inventory – the average brick and mortar retailer struggles along with barely visible net margins (spontaneous dancing is known to happen at 5%). With thousands of stores, hundreds of warehouses and over two million employees, Wal-Mart has in the last five years managed a profit margin of just 3.5%. The story is no different for any other major brick & mortar retailer, American or desi. Cool-kid-on-block Internet retail, on the other hand, thumbs a nose at the old-fashioned ways and gives the distinct impression that it can do much better. There's just one small problem. The bellweather Amazon, for all its buzz, seems unfortunately to have done much the same (indeed, a little less at 2.48% over the same period); nor has any other sizeable virtual retailer done much different. What gives? The law of unintended consequences, that's what. Lets take two of the most discussed items – rent and inventory. Mind you, thi...
2 comments
Read more

Opening Windows

Walls between work and life have broken down. Companies have not noticed. Work and leisure used to be quite distinct once upon a time (and that wasn't so long ago either). Work was carried out at designated hours in the workplace, with tools that the employer provided; home was spouses, kids and paid vacations. Even where you carried work home, it usually meant a temporary exile to the kitchen table. Once, only artists and rockstars lived without such boundaries. This, of course, is long gone. Laptops and telecommuting started the blurring process a couple of decades ago, but things really went south with the advent of  the smartphone. Uniforms gave way to business formals, yielded to business casuals before finally jumping off the roof entirely when the flip-flopped dotcommers took over. Work texts were shoved between bites of dinner, treadmills served as venues for conference calls, angry birds flirted with corporate emails and social networking finally nailed all those coffins f...
2 comments
Read more