Security Failure is Not an Option, Unless You Make it Mandatory
Posted on Tue, Sep 07, 2010
Last week we gave you advice on how to increase the ROI of security by minimizing the risk and impact of critical system failures. We also published a new white paper on how to prepare for and prevent system failures. All of this content was written and waiting for publication when, on August 21st, a thief used a box cutter to remove a van Gogh painting worth approximately $55 million from the Mahmoud Khalil Museum in Egypt. I swear we didn’t plan this.
But it does make a perfect example of what we have been talking about. According to the Wall Street Journal and Egyptian prosecutor general Abdel-Meguid Mahmoud, “None of the alarms and only seven out of 43 surveillance cameras were working at a Cairo museum where a Vincent van Gogh painting was stolen.” To add insult to injury, this isn’t the first time the painting has been stolen from that museum.
According to a security official interviewed by Agence France-Presse, security cameras and alarms at the museum had long been out of order. "The cameras had not been working for a long time, and neither had the alarm system," he said. "The museum officials said they were looking for spare parts (for the security system) but hadn't managed to find them.”
When securing the assets of an organization where a single incident can have such disastrous consequences, a massive security system failure shouldn’t be an option. But by failing to maintain adequate security measures and technology, even unknowingly, you might as well be mandating that failure. Of course, there’s always an excuse, right? How about…
“We haven’t noticed any problems before.”
Of course not. You can still see the video on your monitor and you haven’t had any alarms. That must mean the system is still working, right? Not necessarily. Recently we performed a security audit for a client with more than 20 locations throughout the Pacific Northwest. During the system inspections, we found that more than 40% of the locations had equipment that had either failed and gone unnoticed or would fail in the event of a security breach.
Frankly, that’s not abnormal. We encounter this every time we perform a security audit for a client without a scheduled maintenance program.
Or…
“We always fix our system right away when it breaks.”
Just like how you always rebuild your office after it burns down? If you’re not currently aware of the return on investment that security maintenance provides, you should look into it. As the Mahmoud Khalil Museum learned, the most expensive part of poor security is the cost of lost assets and brand equity when security is breached.
Or maybe…
“I have a Service Agreement with my Security Contractor.”
That’s great! You’ve at least made the first step in protecting yourself by creating a proactive maintenance program. But do you really know if that Service Agreement is worth the money you’re spending on it? Does your contractor perform maintenance on a regularly scheduled basis? Does your contractor provide you a report of the work they have done and the current state of your system every time they do an inspection or maintenance? Does your contractor notify you of system components that should be replaced or could be upgraded before they fail, not after? If your answers are no, then are you really getting any protection at all?
And of course…
“We just don’t have the budget right now.”
This one is the killer. You always think it’s out of your control. If your boss doesn’t understand the importance of security or your executive management team views security as an expense rather than a contributing business unit, you’re likely to get hamstrung by your budget.
There are ways to take control of this issue, though. You can improve your chances of getting the budget you need by making your case to management in a compelling way. Of course, if the security system ever does fail, you know you’ll be in the same boat as Mohsen Shalaan and her four security guards who were arrested last week on suspicion of negligence. (Okay, you probably won’t actually be arrested since you don’t work for the Egyptian government, but you’ll definitely be in hot water.)
So what’s your excuse?
If you’re not currently working to actively prevent this kind of debacle, what is your excuse for mandating failure?