Jiri’s Notepad

When government security practitioners first come to private sector, they are generally apalled about the security (or lack of). Swift call to action to improve the abysmal situation comes next, followed by its failure. The reasons are quite simple and they well explained by the following snippet from a paper on civil service reform, which is about management controls in general, but which is quite applicable to security: “All organisations trade off corruption and efficiency. A typical global company could spend a hefty proportion of its revenue on audit and still not eliminate fraud. In practice, a very small proportion is spent on audit, just enough to prevent most fraud. The vast majority ofmanagement attention is on efficiency, the customer, innovation and so on, ie doing the business. In the civil service the proportions are not quite inverted, but an inordinate amount of bureaucracy is given to the prevention of fraud.”

So yes, from risk-averse government security point of view, security in commercial enterprises is not great, but this is intent rather than ommition. Seeming lack of controls gives commercial organisations flexibility and efficiency to pursue their main business objectives they may not be capable of achieving otherwise.