Security's Everyman

Friday, June 27, 2008

Why process trumps technology

My morning routine usually involves having Headline News on the TV as I'm getting dressed and packing my lunch. A couple of mornings ago I heard a snippet of a story about a child abduction from a daycare center in Arkansas that caught my attention. Obviously, as a parent and caring individual I was sad to hear that it happened but what raised the red flag in my mind was a comment that they were going to install security cameras to combat this.

When I got a chance I used a little "google foo" (OK, it really wasn't google foo but I like that word) and found an article to verify that was really what I heard. Here is an article that confirms that and adds a little more that either wasn't mentioned on HLN or I ignored or didn't hear. This is a quote from the article.

Those picking up children are required to show ID, she said. She added the center is installing security cameras and is exploring a keyless lock pad that would require a different number for each family. A person could not enter the building unless they knew the code, she said.

My first thought was that putting in security cameras was a knee-jerk reaction that really would do nothing to stop this from happening again. It would be helpful in identifying the person but will not stop this. I do think that cameras are a good idea, but before cameras there needs to be policy, process and procedures. After reading the article it is obvious that they have the 3 P's in place, but they were not effective in this case because someone failed to follow at least one of the P's.

Similar scenarios are played out in businesses and IT shops all over the world almost daily. Something happens and immediately knee-jerk reactions occur. When the 3 P's and common sense prevail, the reactions stop in their tracks. Unfortunately, common sense often fails instead of prevails. Products are purchased just to "show" that we are on top of the situation. Decisions are made to ease tensions and worries that really do nothing to solve the real problem.

When Policy, Process and Procedures are in place, followed, monitored and verified, then there is less need for knee-jerk reactions because things work better. In order for these to be effective, your employees have to know about them, what they say, how they work and that they are not suggestions. In some cases there needs to be specific training to ensure proper compliance with them. Having them sitting on your company intranet is not enough. If your employees don't know about them then they are useless. Often these things are created just to keep audit happy and then they are forgotten about or blatantly ignored. This works for a while, but one day it will catch up to you. When something bad happens or audit decides to verify whether or not you are following them, then you will have problems.

The purpose of Policy, Process and Procedures is to ensure that you are doing things in a way that allows you to operate your business effectively, efficiently and securely. They also serve as a way to ensure that what you are doing can be repeated and verified. They are not just a bunch of documents that are boring to read; they are vital to the long-term success of your program. They are the things that make your technology work effectively and that allow you to continue operations if the technology fails.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.