A version of this appeared in the Business Voices: Outside Opinion Column of the Chicago Tribune, May 6, 2012

Business Security Blunders Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne National Laboratory As security vulnerability assessors, we repeatedly see the same kinds of security mistakes across a wide range of business and government enterprises. This article discusses some of the most common and dangerous general mistakes. Probably the most serious mistake is having a poor security culture. This includes being reactive instead of proactive about security; not thinking like the bad guys; scapegoating after security incidents instead of trying to fix the problems; not undertaking independent, critical, creative vulnerability assessments and security reviews; and confusing or overemphasizing threats (who might attack when and how) at the cost of not understanding vulnerabilities (security weaknesses that can be exploited). Poor security cultures also have a binary view of security. They encourage the viewpoint that something is either secured or it is not, even though security is actually a continuum. Poor security cultures do not tolerate questions, criticism, or debate about securityalthough anything as challenging as security, and involving so many tradeoffs and value judgments should be controversial. There are also problems with over-confidence, denial, or wishful thinking. Organizations with poor security cultures are often obsessed with secrecy (security by obscurity). In reality, securitysomewhat counter-intuitivelyis usually better when it is transparent. People and organizations cant keep secrets, anyway. But more to the point, transparency allows for accountability, review, criticism, and employee buy-in. In a business with a poor security culture, the discovery of security vulnerabilities is viewed as bad news. In fact, finding vulnerabilities is good news. Vulnerabilities are always present in very large numbers. Finding one means you can do something about it. Its also a serious (though common) mistake to think that all security vulnerabilities can be found and fully eliminated. Another big security mistake is to mistreat or allow the mistreatment of frontline security officers. This can have serious consequences for security effectiveness, the risk of insider attacks, and morale. The notoriously high-turnover rate for security officers is often more a matter of poor treatment and inept supervision (people leave jerks, not jobs) than the relatively low pay and prestige of many guard jobs.

Other common and serious security mistakes in the business world include confusing control and security theater (fake security for show) with real security, or even making security the enemy of productivity and of employees (this is fatal). Its also a mistake to think that engineers understand security. They often dont because their mindset is quite different from what is needed for good security. Business should try to avoid unwarranted faith in high-technology, remaining skeptical in the face of the ever-present hype and snake oil. They should not confuse inventory technologies (RFIDs, GPS, etc.) with security technologies, nor mindlessly apply layered security (security in depth). Companies should be leery of compliance-based security. Security rules often need to be followed, but mindless adherence to formal security rules, policies, and procedures will not guarantee good security. In fact, in our experience, at least one-third of security rules in large organizations actually make security worse for a variety of reasons, including flawed onesize-fits-all thinking. Some businesses (to their determent) dont view protecting the companys reputation as a security function. Many businesses have no meaningful plans in place to deal with the inevitable product tampering and product counterfeiting. Waiting until you are enmeshed in a crisis and public relations disaster is no time to begin thinking about how to deal with these problems. Few organizations do a good job with insider threat mitigation, even though there are some simple, inexpensive tools. Few have effective security awareness training for employees, and few adequately prepare employees for dealing with social engineering (using psychology to compromise security). Many large corporations spend a considerable amount of money on an impressive, hightech surveillance center and video monitoring network. This might indeed be prudent if your facility or campus is in a high-crime area, or if large-scale thefts of company property are likely. Many companies, however, would be better off focusing on other areas of security such as improving cargo security, insider threat mitigation, intellectual property and trade secret protection, tamper detection, and product anti-counterfeiting efforts. They would also do well to better motivate and prepare employees, contractors, consultants, customers, vendors, and former employees for good security. Security is a difficult challenge at best. But if your business can avoid some of these common, serious mistakes, your security has a much better chance of succeeding.

About the Author: Roger G. Johnston, Ph.D., CPP is head of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory, near Lemont, IL. The VAT has provided consulting, training, vulnerability assessments, and security solutions for dozens of companies, government agencies, and non-profit organizations. Roger also serves as Editor of the Journal of Physical Security.