3:00 PM -- Almost five years ago, a group of rather poorly trained terrorists took over four planes and successfully completed three missions. Looking back, it's clear that the United States and many corporations have overreacted since then.
Massive amounts of money have been spent on increasing security and mounting various wars. But at the end of the process, many would argue we are actually less secure now than we were before the attacks.
The process for any security project, governmental or corporate, is to analyze first, then develop and execute a plan that adequately addresses the threat. Before 9/11, the policy was to go along with the demands of hijackers. That policy was almost instantly changed. And while planes could still be hijacked, it was unlikely that attackers could do anything more than crash the plane (or be shot down).
Let this sink in. If we had done nothing other than simply reinforce a policy of non-compliance with hijackers, the new risk would have been mitigated and hijacking in general would have become much less likely. Instead we spent billions, put several airlines into bankruptcy, and arguably did ourselves more damage than the attackers did because we felt the need to act before we fully understood what we needed to do.
While conspiracy theorists think this was orchestrated to give the U.S. government more power, it is hard to see that kind of capability in the current U.S. administration, suggesting this was simply foolish overreaction.
Recalling Sun Microsystems
Shortly after 9/11, I had lunch with one of my Sun friends and he said the incident so scared the Sun executive staff that they moved their offices to a more secure location and hardened the upper floor they occupied so it could withstand a tank round.
This was hardly inexpensive, but they felt they needed to do something. While the odds of being attacked in this way were astronomically small, all an attacker would have had to do was shoot at the lower, exposed part of the building for it to collapse. I remember suggesting the employees on lower floors put arrows in their windows pointing up saying something like, "The idiots are up there."
While I'm sure it did wonderful things for morale at Sun to see executives building a top-floor fortress at headquarters, it was also a colossal waste of money and resources at a time when Sun clearly didn't have them to burn.
However, the executives were frightened and operations had to do something to make them feel safe. Evidently, the more cost effective path of pointing out they weren't targets in the first place either didn't work or was ignored. (It is kind of fun to build forts after all.)
The clear lesson through all of this is to stop and think through an exposure and do a risk assessment before spending your money. You will often find that the event that triggered the concern is no more likely, and maybe even less likely, after the event has occurred, and you may only need to point this out to executive management. On the other hand, you may find you have been ignoring an exposure that should have been addressed. But if you don't take into account the entire ecosystem, your fix will probably either cost too much or be largely ineffective (or both, which, from what I've seen, is very common).
As a security practitioner your job is not to make the executive staff feel safe; it is to protect the assets -- physical, human, and virtual -- cost effectively. In a strange way, simply making people feel safe may actually increase the exposure, because they are less likely to be prepared to act if they see a threat.
With security, as with most things, it is better to aim and then fire, rather than simply pull the trigger until you are out of ammo.