It’s apropos that I’m starting this blog while enjoying the security theater accompanying the Democratic National Convention here in Denver. Specifically I’m watching the blackhawk helicopters patrolling our friendly skies. I enjoy watching them so I’m not complaining. The point is that while it seems so obvious, preventing a terrorist attack is hardly an important element of their mission. Because that is what almost everyone thinks that security means in this context.
You see security is all about risk management and threat mitigation. So what would you think the risk of a terrorist attack occurring in Denver during the DNC – that could be mitigated by attack helicopters – would be? I’m thinking somewhere between slim and none (closer to none). So if a terrorist attack is the threat you are trying to mitigate then attack helicopters are great security theater. Fun but useless.
Now don’t interpret this as an indictment of the Department of Homeland Security. On the contrary, I believe that an important part of their mission is security theater. “Now just hold on a minute!” I hear you saying, “didn’t you just say that security theater is useless?”. Well you’ve got me. What I meant was that it’s useless in the context of actually mitigating a threat. It’s extremely useful in the sense that it shows that our government is is taking steps to protect us. Steps we can see. And we FEEL better about it. The reality of this situation is that a terrorist attack is not one of the risks being addressed by the blackhawks and security theater is just a nice side effect.
So how does this apply to you? Well, again it depends on the context (doesn’t it always?). If you are a large corporation – like the many vying for my attention and sage advice (hey, it could happen) – security is about managing the risks to your IT infrastructure, protecting your information and complying to the standards and regulations of your particular industry. If you are a small business security is about managing the risks around the communication channels to your employees and customers like making sure those channels are highly available (if your web site isn’t available your customers can’t buy anything) and that those channels are safe for both you and your customers to use (you really don’t want somebody hijacking your customers’ information or using your web site to distribute malware). If you are an individual, security is mostly about mitigating the risks of connecting to the internet without the benefit of high priced network hardware and an IT department (your kids and your son-in-law aren’t really an IT department). The point is that security has different priorities to those with different risks. I’ll address each of these different situations in detail in upcoming posts.
But right now I’m going outside and watch the blackhawks.