Is your ‘placebo security’ solution keeping you awake at night?
How do you avoid Placebo Security – ineffective measures that just give the appearance of robust security – and ensure the measures in place are tailored for the actual risks and threats faced by your organisation?
The relationship between the security consultant and their client
I think that there is a parallel between a medical professional and a security practitioner. Looking back at a time when I was sitting in front of a neurosurgeon, who was telling me everything he was going to do to save my life, I am struck by how dependent I was on his knowledge, expertise and judgement. I was entirely reliant on him selecting the right course of action (and having steady hands of course!).
I think the analogy works when describing the relationship between a security practitioner and their client, who, like me with my illness, has no real understanding of their requirement and the best way to mitigate it. When I was poorly, I had the comfort provided to me by my family and friends, but what helped me sleep at night was the assurance my neurosurgeon gave me that if I trusted him, everything was going to be ok.
In the same way, a client draws assurance from trusting their security consultant to confirm that their estate, corporate premises, information or artefacts are safe from harm. When the security consultant has not spent the time to properly understand the actual threats and risks the client faces (and, of equal importance, the ones they do not face), the result is a false sense of security that the client has no way of recognising.
I call this ‘placebo security’.
Placebo security
Placebo security refers to measures implemented to protect a person, premises or asset not because they are effective against the specific threats that client actually faces, but because they give the appearance of security. It is the product of a limited understanding of the client's real threat picture.
I don’t think that there are many security professionals actively selling placebo security based purely on profit, but I do think that as an industry, our client-facing consultants and sales people must understand the varied and bespoke threat vectors that organisations or individuals face, in order to effectively protect against evolving risks.
It’s crucial, in my opinion, to move away from recycling old security solutions as a one-size-fits-all approach. Consultants and sales people must stay informed about the current threat landscape; by doing so, they can tailor security measures to the specific vulnerabilities and challenges that are unique to each organisation they support.
The role of the client
Whilst consultants and sales people have a responsibility to maintain currency in their fields and to understand emerging trends and threat vectors, clients also have a major role to play in keeping placebo security measures out of their security regime.
By asking targeted questions of security professionals during the early assessment phase of their work, clients can help focus their consultant on the threats and vulnerabilities that are specific to their situation. Asking consultants and sales people to identify current weaknesses and gaps in the security posture is essential, but this must be supplemented by near real-time intelligence on the environment the client operates in, from both a physical and a technical perspective, with a focus on inadvertent and deliberate threats originating both inside and outside the organisation.
Security professionals must understand which are the most sensitive areas they are being asked to protect. This should be a two-way discussion between the security professional and the client; if the client does not know, the security professional must undertake a journey of discovery with the client to find out, instead of arbitrarily assuming that the threat requires a major overhaul of the physical or technical security posture. In the absence of threat intelligence, such expensive installations in many cases do not mitigate the actual threat.
When I sat down with my neurosurgeon, if he had told me to swim the length of the Thames to get better, I’d have done it, and I think that consultants and sales people in the security industry often wield the same influence.
Placebo security severely disadvantages the client because it creates a false sense of security. The client may sleep at night believing they have adequate protection, when the security measures and practices they have in place do not effectively mitigate risk.
Clients should opt for a bespoke intelligence-led security solution because it offers personalised protection based on the client’s specific needs and threat landscape. By leveraging intelligence to inform security measures, security consultants and sales people can proactively identify and mitigate risks unique to the client, enhancing their overall security posture.
A tailored approach to the implementation of security measures enables better threat prevention and detection, and a stronger overall defence against both inadvertent and sophisticated deliberate threats. There is a place for both basic and complex physical and technical security solutions, but their selection should be driven by the client’s actual requirement and not by recycled security solutions.
Placebo security might help us sleep at night, but it doesn’t keep our people, information, facilities or assets safe when we really need it to.
Matt McGinn
Managing Director
Global Protect