BEST DEFENSE STRATEGY: CORPORATE DENIAL

Nov 1, 2005 12:00 PM, LARRY ANDERSON, EDITOR

GOOD CORPORATE SECURITY starts with a risk assessment — right?

It's one of the more basic tenets of the security trade, and yet one that is being called into question of late.

There is a curious Catch-22 that relates to the performance of risk/vulnerability assessments by corporations. It goes something like this: You can't know what security measures you need without doing a risk assessment. After the risk assessment, implementation of its recommendations is limited by the availability of funds. If you don't do the assessment, you can't know what security improvements you need. You can't know whether there is enough money to implement the recommendations of the assessment until after it is done. And yet, the written documentation of those needed improvements can later be used as evidence that you were negligent.

So what is the answer? To avoid vulnerability assessments? To shred them (if money isn't immediately available to act on their recommendations)? To undertake security improvements on an ad hoc basis, not related to any specific evaluation of security vulnerabilities? To avoid security issues altogether?

These are all questions that have to be top-of-mind for corporate management and security professionals in the wake of a recent jury ruling that the families of victims of the New York World Trade Center garage bombing in 1993 can proceed with lawsuits for monetary damages. The jury found that the building's owners did not act on documentation of the garage's security challenges — so-called “warnings from its own security consultants that the garage was vulnerable.” The jury ruled that the owners were aware of the danger, and yet did nothing. In assigning blame, the jury found that the owners were 68 percent liable. The terrorists were only 32 percent liable.

Let's take a moment and reflect somberly on the screwed-up nature of that decision, without offering any specific commentary on whether it reflects more poorly on our nation's court system or on the intelligence of that jury.

While suspending (or repressing) our most extreme reactions, let us instead pause to absorb the extreme practical, real-world effects of such a position.

Can't you just hear all those corporate minds slamming shut to the idea of an honest appraisal of security needs followed by a thoughtful, businesslike allocation of available resources? Don't you just see the long line of corporate officers being led by their attorneys down the path of that most ineffective of security strategies, denial?

Lesson: If we can't mitigate our vulnerability, we should at least not document it.

Wonder who that jury would blame for the second World Trade Center terrorist attack (on Sept. 11, 2001)?

---

YOUR THOUGHTS

We are looking for reader feedback. E-mail landerson@primediabusiness.com and tell us what you think!

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue