The other week I visited the corporate headquarters of a large financial institution on Wall Street; let's call them FinCorp. FinCorp had pretty elaborate building security. Everyone — employees and visitors — had to have their bags X-rayed.
Seemed silly to me, but I played along. There was a single guard watching the X-ray machine's monitor, and a line of people putting their bags onto the machine. The people themselves weren't searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn't put my bag onto the machine, no one noticed.
It was all good fun, and I very much enjoyed describing this to FinCorp's VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.
I thought the building's security was a waste of money. It was actually a source of corporate profit.
The point of this story is one that I've made in “Beyond Fear” and many other places: security decisions are often made for non-security reasons. When you encounter a security risk that people worry about inordinately, a security countermeasure that doesn't counter the threat, or any security decision that makes no sense, you need to understand more of the context behind the decision. What is the agenda of the person who made the decision? What are the non-security considerations around the decision? Security decisions make sense, as long as you understand them properly.
There's loads more good stuff in Bruce's latest newsletter by the way.