It was an interesting weekend, to say the least. I’ve never had to prepare for a hurricane before, so going through the exercise was a revelation in so many ways. You discover what you consider really “valuable” (like when I actually packed my external hard drive that has 10 years worth of digital images and home videos alongside our passports and insurance policies, despite it being backed up online). You also discover how much stuff you have just lying around to clean up.
And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.
Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.
The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harms way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.
It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?
So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.
[Cross-posted from the Identropy blog]