Okay, so we've all adjusted to the colour alerts put out by the government. But what do they really mean to us? And, more to the point, what do we really mean to them?
By "them," of course, I'm referring to the new Department of Homeland Security. I don't think the guys in Washington understand that CSOs have a serious place at their table. As owners of 85% of the critical infrastructure of this country, the private sector is an important constituency for the DHS. When it comes to cyberspace, product diversion, financial crime and a host of other domestic threats, the private sector operates the safeguards. It is no longer feasible--or preferable--for the public sector to single-handedly control the protective apparatus of this nation.
However, the legislation that created the DHS never clearly identified the private sector's role in homeland protection. Nor did it balance the strengths, weaknesses, needs and resources of government and business in protecting critical infrastructures. It merely acknowledged the need to share information in unspecified ways with the private sector as well as with state and local governments.
I must say, I'm disappointed. I really thought our government was going to get busy developing a new way to engage the private sector--and CSOs as the accountable parties in such a partnership. The post-9/11 months have certainly demonstrated the private sector's need for more accurate and actionable information from the government so we can make more focused security decisions. And CSOs may have information critical to the public sector's timely awareness of threat and risk, precisely because we are on the front lines.
CSOs have been busting their butts to get someone in the DHS to recognise that they exist as a constituency. It's long past time for a meaningful dialogue among the DHS, the FBI, other government agencies and America's CSOs.
Before writing this piece, I searched for information to counter my own concerns. I found a quote in Government Executive magazine from Alfonso Martinez-Fonts Jr., the assistant secretary for Private Sector Coordination at the DHS. Seems he's been "making the rounds in Washington," meeting with the US Chamber of Commerce, the National Association of Manufacturers, the Council on Competitiveness and The Business Roundtable. I'm glad Alfonso is venturing so far from the office; clearly, he'll get the real poop from that proximity.
He's talking to the same organisations that have recently reported no appreciable increase in security funding due to terrorism--or other concerns, for that matter. And Martinez-Fonts' conclusion from these meetings? "Differences between the department and the business community can be reconciled." Boy, am I relieved.
Who Do You Trust?
I'm not one to mince words. The DHS and our national security apparatus have--or ought to have--the ability to share with the private sector information on emerging and immediate threats. I know that it's early in the life of the DHS, and I recognise the challenge Secretary Tom Ridge has in consolidating so many government agencies to focus on domestic terrorism. But aside from some high-level engagement of selected sector ISACs and the newly announced initiative targeting money laundering, I haven't seen any effort to engage CSOs or to address the risks confronting the private sector. The DHS's outreach has been to state and local governments that are screaming about the alert process and resulting overtime costs of their police departments.
I don't know exactly what a multisector information-sharing network with CSOs and the DHS would look like, but I know that the homeland security mission begs for a new paradigm of information-sharing. Of course, legal impediments abound for sharing information at a level of detail that is truly actionable. The other real constraint in sharing information is trust.
However, the government says it hesitates to hand out information because it doesn't know the CSOs. What a bunch of hooey! They owned our clearances. Still, the issue of non-U.S. ownership is a complicated one, and the question of how to protect the information granted to a "cleared" corporate individual is a fair one. Look to the defense establishment for that answer. Big companies with the highest classifications of sensitive information are sufficiently compartmentalized, while noninvolved company business goes on outside the cone of silence.
Perhaps a bigger issue is in sharing information that could be used by competitors or headline-seeking US attorneys. While my experience in sharing sensitive information with my competitor counterparts has been positive, I recognise that we don't want to open our kimonos as an unconscious act.
For those who say it can't be done, I point to the State Department Overseas Security Advisory Council as a model for a public/private partnership that works unbelievably well and with a spirit of collaboration. We also occasionally--I repeat, occasionally--see a concerted effort at proactive sharing by enlightened Agents-in-Charge of the FBI and Secret Service field offices. The DHS needs to learn from those models and establish protocols for real, substantive information-sharing.
Invitation to Dance, Etcetera
So here I am in a homeland security state of mind, when I get an invitation to be granted immediate certification in homeland security (limited time only!) if I have significant military, law enforcement or other experience that interfaces with homeland security. They'll automatically give me 100 points toward a Level I Certification in homeland security and provide an easy-to-follow questionnaire to tally up my experience.
I start with my military experience: 30 points if I was a captain, 60 if I was a colonel, and 75 if I was a general. No, no and no. I get credit for experience with explosives ordnance disposal, "etcetera." Unfortunately, I was just a bohunk GI. On this scorecard, run-of-the-mill soldier types get nada. I knew I should have stayed in.
The questionnaire also gives credit for law enforcement experience, so I pick up a few points for time spent too many years ago.
Then it reviews private security experience. Yup, a decade of CSO'ing along with more than 20 years in homeland-related experience. We're gaining on it now.
But with medical and health profession experience, I get nuthin'. I can also consider other homeland experience such as psychology (huh?), treaty inspection, accounting, cybersecurity, EMT, transportation and, of course, good old etcetera.
In the final stretch, we round out the exercise with education, knowledge (I'm sure I've got some of that somewhere) and an opportunity to make a plea for skills they may have missed, such as (you guessed it) etcetera. Pray with me.
All told, I amass 475 points. Holy certificate! I can be granted immediate certification in homeland security! Wait a minute. What's this? I've got to join an association that I've never heard of and plunk down $480 for a membership fee and my certificate. For that, I get a subscription, networking opportunities, a referral service and the opportunity to attend conferences (sponsored by none other than the guys who have granted me this new certification) and hear from acclaimed folks who have no apparent relationship to the practical problems I face on a daily basis. Etcetera. Guess I'll pass on this one.
These grandfathered "certifications" really stick in my craw. But it's more the gall to capitalize on this whole homeland security thing that really offends.
The other thing that bothers me about this homeland security certification process is what it says about the sponsoring organization's perceptions of security as a profession. Look at the emphasis on prior military and law enforcement for accreditation. Human resources and headhunters fall prey to this idea--that this type of public-sector experience makes for an effective CSO. Don't get me wrong, I did my time and am blessed with knowing a great many fellow CSOs who come from law enforcement, and they have done very well within their corporations. But it is also true that client businesses often think of the function as the corporate cops versus an integrated element of business process. I guess I understand the CISOs who see themselves as more business-process-oriented than the ex-fed who is perfectly satisfied to limit his practice to investigations or executive protection. While corporate anxiety has clearly waned, a sustained concern for domestic terrorist threats may reinforce these backgrounds as primary hiring criteria.
But I seriously question if this is the future. Today's risk environment is driving expectations in many companies and will do so in others as we look ahead. A cursory review of risk management literature of just a few years ago fails to find any real concern for terrorism, reputational risk or other security risks. Look at what cybercrime, 9/11 and Enron have done to your risk manager's vocabulary. A dark side to that trend is the soaring cost of risk-related insurance. The board of directors is focused more than ever on the proactive protection of the technical environment, business continuity and corporate ethics, issues they see as far more threatening to their survivability than terrorism.
Sure, my nose is bent out of shape a bit because security is now a big deal in Washington. And we've been out here protecting our part of the homeland since Tom Ridge was an assistant DA. Frankly, if he can get all those agencies he now owns to talk to one another, I guess I shouldn't be so damn puffed up about what info I have that he could use.