From Compliance to Reliance

Is COVID19 the catalyst the global security industry needs to trigger a revolution?

Sometime in the mid-1980s, I remember reading a novel called The Planiverse, by A. K. Dewdney. It was inspired by Edwin Abbott Abbott’s Flatland: A Romance of Many Dimensions from 1884, which told the story of an ill-fated love affair between geometrically-shaped aliens living in a universe that consisted of only two physical dimensions. Planiverse worked brilliantly at illustrating how people who live inside a world that is dimensionally limited have absolutely no possible way of imagining, perceiving or observing anything that exists along another axis.

The story springs to mind whenever I encounter individuals who seem incapable of stepping away from the tram rails they’ve been driving down, and often (unfortunately and disappointingly) many of those people are life-long members of the security community.

For some reason, it gets people’s backs up when I say this. They take it as a personal afront, but the point to be taken from the story of the geometrical figures on the little flat planet is that it’s not your fault. There’s nothing you could have done to make those other dimensions exist where they didn’t before.

Of course, change and evolution have occurred in the security industry through the years, but despite a handful of monumental trigger events that could have resulted in seismic change there’s never been anything significant enough to result in a revolutionary change – something big enough to add a new or previously hidden dimension. 

Perhaps now, though? Or at least soon.

The problem with risk is that it’s all about things that are relatively unlikely, and the law of diminishing returns kicks in pretty fast once you start to apply mitigation. These factors mean that it often looks as though what you’re doing is working, even when it isn’t. You spend your money on the solution you think is the right one, then wait for the same infrequent, unlikely event to happen again… It’s hardly surprising that people (vendors with products to sell, much of the time) claim to have discovered “Best Practice”, and encourage their resellers to go around re-applying the same ill-fitting band-aid to every other remotely similar-looking scenario they can find.

Before you know where you are, Best Practice turns into a Standard, and then we’re teaching it to people like it’s the only thing there is, and scratching our heads in bemused disbelief each time some anomaly results in an outcome our Tried and Tested Standard can’t accommodate. That’s when we start to hear expressions like “there’s no silver bullet solution” or “the threat is moving too fast for us to keep up with”. What these statements really mean is that we didn’t get to the nub of the issue the first time around and now the inertia of the trading mechanism that creates and disseminates product hasn’t made enough money to make the next step of evolution commercially viable yet.

There’s no doubt – I would contend – that advances in security techniques and technologies have made a significant difference to the resilience of some aspects of our societies, our communities and our enterprises, but that law of diminishing returns thing is always there. 

It’s actually been really useful for the industry. If you take the pessimistic perspective, it does mean that an awful lot of what we do doesn’t really work – not 100% of the time under 100% of the circumstances, but in honesty when does that matter? As long as you’re consistently north of 50% of the time and 50% of the circumstances, those are good enough odds to make money, and if the circumstances only come along once in a blue moon (like most so-called Black Swan events do) then who’s actually ever going to know if my “solution” works at all…? Nobody until after my invoices are paid, that’s for sure…

But hey, if we harden and we segregate, and if we extend our situational awareness and improve our event response systems, then we’re going to be in a better place to defend against the predictable low level stuff that we weren’t able to resolve prior to employing a security solution, and we end up with something that looks good and works a lot of the time. That’s a good thing. No argument there.

In the last few years – maybe a decade, but not universally that long – there’s been a growing focus on those Black Swan incidents and where they come from. Why weren’t we able to predict more? 9/11 was viewed as a Black Swan event at the time, and yet afterwards it emerged that there had been mountains of evidence that clearly indicated what was being prepared, and glaring holes in our safeguarding systems made it comparatively easy for the attackers and their planning teams to achieve their goals right under our noses. Those events and some of the lessons learned resulted in significant improvements in safety and security in the aviation sector, and also a few “knee-jerk” responses that actually provide no direct benefit whatsoever, but because of the law of diminishing returns they create an environment that stifles some other low level risk activities, and this prevents the catalysing effect that prevents other more serious incidents from coming into the foreground.

Pushing things into the background does not make them go away though. They just add to the array of potential Black Swan events that can still happen when the ill-wind blows from the least fortunate direction, or onto a dimension where our inability to get off the tram rails prevents us from seeing them coming.

We’ve begun to see how taking a converged approach, breaking down silos of information and intelligence between different parts of an organisation and encouraging collaboration – both interpersonal and inter-modal – can reveal things that were otherwise hidden in the noise or sitting in some parallel dimension where those responsible for security couldn’t previously perceive or observe them, and this holistic viewpoint is very obviously a huge advantage over how we used to work. But pushing through the membrane from the pre to post convergence age is not something that’s easy for everyone to do. People want to create new hierarchies and fiefdoms, or drag the crumbs of information they find elsewhere back into the same old hidey-holes, recreating the old structures with a handful of new windows pointing myopically and suspiciously out at these hostile and alien-looking new sources of data.

Meet the new standard. Same as the old standard…

Compliance has been our go-to cop-out for some time in security. Building a standard that we can vaguely agree upon gives us a hovering yardstick over which we can leap in order to demonstrate that we’re doing something, without ever really needing to demonstrate how high that stick might be relative to everything else, or revealing all of the other issues that we’re totally failing to even mention, and in aviation security (as an example, but definitely not the only guilty party here) the difficulty of applying fixed standards to every territory across the globe where there’s an airplane regardless of its culture, its wealth, its risk perception or exposure has meant we’ve relaxed the concept of compliance with standards to the much less stringent or mandatory level of acceptance of guidelines or “Recommended Practices”. 

We’re now faced with something that is not a criminal or a terrorist, but that has the potential to devastate our economies and our populations if we don’t keep it at bay. No matter what we decide to do and what actions we take in the major developed nations over the coming months, there is no doubt now that the virus is going to remain in circulation either in its current form or as a mutated version that we will need to continue dealing with for a very long time. 

Research from Imperial College estimates that if no action had been taken against the spread of COVID-19, there would have been 7 billion infections and 40 million deaths this year. With just 7.7 billion people on the planet, those infection figures are jaw-dropping, and the number of deaths actually outpaces the expected total number of births on the planet this year by around 20%.

Thankfully, it would appear that with the various measures now being taken to combat the spread of the virus these will not be the outcomes we’re going to see, but that is not to say that we no longer have cause for concern. With nothing more than guidelines and recommended practices to rely on, the constant threat of COVID-19 being re-introduced into recovering populations from countries that do not have effective levels of protection or countermeasures will remain very significant, and we could find ourselves trapped in a revolving door scenario for years – if not decades – to come. And that’s assuming that some other new biological hazard with similar or even worse rates of transmission doesn’t sprout up elsewhere in the meantime.

So, in the past, our leaky borders let in a few terrorists or a container-load of illegal immigrants now and then. Our intelligence services would more than likely track them down over subsequent years as they emerged online in chatrooms or through sting operations, or social services would nab them one by one as they tried to claim benefits or popped up on the streets. An annoying burden on our already stretched resources, but nothing exponential or potentially so deadly, even if something as nasty as a suicide vest or a mass-attack did slip through the net.

What we’re looking at now is a dimensional shift.

Perhaps never before has the need for a revolutionary change in how we secure our national been needed, although – in actual fact – almost everything we need to make those changes is already available to us. We know how to identify people, to create effective perimeters and boundaries. We’re able to isolate, separate, confine and restrict people and vehicles very effectively. The tools we have for analysing and correlating behaviours with different types of risk have become astonishingly powerful over recent years as our ability to apply deep learning and machine intelligence to the mountains of data available from the ever-increasing quantities of sensors in our environment has become more common. Communications and logistical technologies have come onstream that let us do things at arm’s length and in remote locations that we wouldn’t have been able to a decade ago, and these capabilities will be seen as invaluable when we take the fight against risk into the new-world dimensions we’re about to face.

But as an industry – and as a legislature that will increasingly rely upon the private security sector to support national interests and policing in this new era – we need to step up. 

Of course, the shoplifter in the supermarket and the petty burglar on the housing estate remain, as do the organised crime gang operating drugs and people trafficking networks and the terrorist groups pushing hatred and radicalisation around the world via the internet; but for those who’re working in the protection of international borders and the physical interfaces between people through which our nation-states might be exposed to the rule-ignoring and potentially disastrous threat of biohazard as well as everything else, we need to rise to this new set of challenges in a far more uncompromising fashion. What point will there be in having stringent security measures at the airside/landside boundary if an illegal clinging to the underside of a freight car in the channel tunnel can still occasionally find their way through, or if the occupants of an inflatable boat in the channel will be routinely plucked up and brought ashore as soon as they report themselves in territorial waters?

And this is not protectionist xenophobia looking to drag the Brexit drum out of the cupboard for another quick batter before we all forget about it, this is more about the lip-service that’s often been paid to security in the past, where budgets and inconvenience often result in end users choosing to adopt the most rudimentary levels of compliance rather than taking steps to actually plug the gaping holes where we all know they actually exist.

The threat of repeated lock-downs and the associated potential for years worth of disruption and economic stagnation mean we cannot continue to take the lackadaisical “these things happen once in a blue moon” approach that’s been the way of our collective past.

We don’t live in that dimension anymore.

By moving into a risk-driven frame of mind, adopting a new range of uncompromising approaches to maintaining separation between the threats we’ve suddenly had our eyes opened to and the critical assets we now need to stop taking for granted, we can significantly raise the bar on all forms of risk. 

We’re never going to eliminate risk and there will always be an unexpected element we didn’t see coming, but just think about it – the security industry is on the front line here. We’re the ones defining how we’re going to defend ourselves and our infrastructure in the future. The law of diminishing returns is all we’re ever going to have to work with, but if we stop accommodating the inadequacies of a comfortable status-quo and take away the compromises we are so often forced to make, we can break out into that new dimension 

Most of the tools we need are there already. This is not a root-and-branch, tear it up and start again moment, but it is a paradigm shift nonetheless. Look at how the people on the front line are being placed at risk, but also how necessary people are in the equation. Look at how the flow of information and disinformation has characterized much of the landscape, and how international differences have demonstrated that a “one-size-fits-all” approach isn’t as easy to define as we’d perhaps like it to be. Every government has said they’re listening to the scientists, but everyone is doing something a little differently, so flexibility and fluidity are as important as rigidity and rigor. Finding the balance and building the right kind of response both at a strategic as well as a tactical level is where the art is, and we need properly skilled and informed people with the right kinds of tools at their disposal, and structures that allow information to get to and from the right places at the right times.

The response has been amazing already, but we’re a long way from getting through this, and even further from building the resilience and continuity measures into governments and organisations to be able to recover from this first of a kind event and prepare for future re-runs of the same thing. 

I just hope that traditionalism and conservative thinking won’t stop us looking much more seriously and consistently out into these extra dimensions of the security universe from now on.