Counter Terrorism, Cyber Security and Corporate responsibility

by Karl Tatgenhorst on February 11, 2011

Operative on the electronic warfare fieldWhen I think of counter terrorism or executive protection I think of “hard assets”, corporations spend money hand over foot to protect so called hard assets. They tend to place the utmost emphasis on protecting physical leadership, followed by a secondary emphasis on physical infrastructure (buildings and the like). While many people may read that and think “of course they do, they have an obligation to those people”, that is true. They are obligated to protect people who may fall into harms way due to their involvement with the corporation, but not necessarily for altruistic reasons. Corporations have a fiduciary responsibility to protect what they see as their most important assets, and that is a strong motivator in assigning protection dollars.

Often, the money spent on executive protection is spent on the services of a provider that specializes in that skillset. The thinking is that an airline or a telecom do not have the resources in house to develop and train operatives for this purpose. That thinking is very logical and well placed. Companies specializing in counter terrorism and executive protection put their operatives through very rigorous training so that they can say with confidence “we can protect your assets in a variety of high stress situations”. Indeed many of these companies put their operatives through driving courses, hand to hand courses, tactical courses involving teams and shootouts with good and bad guys on the range. Every scenario they can imagine is rehearsed and rehashed until the operative can stay several moves ahead of the situation mentally.
That’s great for hard targets, but in this day and age information is just as vital and important as hard infrastructure and even as important as human resources. Given that fact it is surprising to think that “data protection” is not seen in the same light as executive protection, instead data security is a secondary function now elevated by buzzwords to a primary position. Prior to 9/11 data security was assumed to be handled by a system administrator and was a very low priority. In the grand scheme of things, this would be akin to giving a loaded firearm to the office manager and telling him/her that “you are also in charge of security for the office”. After 9/11 stakeholders met with each other and determined what their most critical data points were and then a rush of vendors put out products to sell that would cover those. Additionally, there were many legislative standards that received more push initiatives like HIPAA and PCI gave management a box to check that they were secure. The additional attention caused companies to create “security administrator” positions and “Chief Security Officers” these positions were little more than previous IT positions in many of the cases, but due to “security” in the title they became a fast track to more senior positions including CIO/CTO.
I think the time has come to see more advertising for counter terrorism standards in the data protection realm. CT operatives fire thousands of shots, back track through every training failure etc… to provide themselves with the most superior background possible. I think we should have courses where the “electronic warfare operative” to be is given constant rigorous testing scenarios to develop the fast paced analytic skills necessary to properly secure the company’s electronic assets in an emergency situation.
Gone are the days that firewalls, SNORT sensors and ACLs can secure your network. We need to be anticipating threats, watching traffic for patterns etc… The reasons for this are many. First, the government should not have to provide all forms of infrastructure security. The private sector should be footing the bill for policing their networks. Second, if for example a telecom has an organized group communicating over their devices and they identify the suspicious behavior that frees the government to act on that info instead of using all their resources simply to detect it. Additionally, if that group does some untoward act against the company’s constituents that act will tarnish the brand at a minimum and at a maximum it may force liability on them. The corporate responsibility to the board should demand a new approach to information security or data protection.
What protective measures do you think work (or don’t) in post 9/11 society?

About the author

Karl Tatgenhorst wrote 31 articles on this blog.

Previous post:

Next post: