com•pla•cen•cy
1. a. a feeling of quiet pleasure or security, often while unaware of some potential danger, defect, or the like;
b. self-satisfaction or smug satisfaction with an existing situation, condition, etc.
pan•ic
1. a sudden overwhelming fear, with or without cause, that produces hysterical or irrational behavior, and that often spreads quickly
It has been said that complacency and panic are the two most common modes for businesses with regard to security. That matches my company’s consulting experience.
In fact, complacency and panic seem to be two sides of the same coin. Companies are complacent about security (nothing bad is happening) and don’t give security the attention it is due. Then, when an incident occurs, panic mode ensues. Neither is a fiscally responsible position. That’s why I’m hoping lots of CEOs, COOs, CFOs and board members read this text.
Panic
Many of my company’s consulting engagements start with a call from an organization in panic mode. A major security incident has occurred. Appropriate security measures were not in place. The result: maximum impact.
Typically in such a situation, senior executives are focused on dealing with the incident at hand. Security objectives are set based upon (a) what will fix the security vulnerability and (b) what will fix the public relations problem. However, panic mode skews the processes and the outcomes for both.
Often the security outcome is best described as “narrowly focused overkill.” As a result there is too much expenditure for the actual security improvement gained.
Responsible companies with well-intentioned management can issue broad statements (internally or externally) that commit the company to across-the-board security initiatives. Such initiatives are often doomed at the outset because they don’t take into account the resource requirements, aren’t based on an assessment of actual security needs, and don’t implement security as a management system. The result is too high a resource expenditure for too little security improvement.
Complacency
When the commotion subsides, there is a sense of accomplishment (so many people were so very busy), and since no new bad thing is happening, complacency sets in—much faster than you might imagine.
Ultimately the company’s true security profile is changed little. Unidentified vulnerabilities sit calmly awaiting the appearance of the next threat, when the coin will flip back over to panic mode. That’s the syndrome in a nutshell.
Antidote
The antidote to the Complacency and Panic Syndrome is nothing melodramatic. It consists of correctly-measured doses of two ingredients. The first is a longstanding security practice called security risk assessment. The second is putting in place a security management system that implements security as an on-going process. It can be—and should be—a simple system.
Risk Reality
I love this maxim:
If you haven’t identified your risks, you’ve already accepted them.
Of course, if you have some security measures in place, you are probably mitigating some risks that you haven’t identified. However, without a current risk assessment you are almost guaranteed to be at risk in ways that you don’t know about.
- Currently, what are your most critical business assets (personnel, material, information, reputation and business processes)?
- When were the chief risks to them last assessed?
- Who accepted the residual risks after the security budget was spent?
Not knowing all of the answers, or not having answers you find acceptable, is an indicator of security complacency.
And now you know what happens, sooner or later, without the antidote, don’t you?
Best regards,
Ray Bernard
P.S. To quickly rate your organization’s security function, see Article #6 of The Security Minute: Rate Your Security Program in 90 Seconds.