In Depth
Security Regulations: Chaos in a Three-Ring Binder
Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?
By Sarah D. Scalet
"It's scary having this degree of oversight with this many untrained cooks in the kitchen," Hayes says, in a typical turn of phrase, sitting back in his chair and taking off the thin metal eyeglasses that he likes to use as a pointer. "Here's the problem with the associations," he says, bobbing the eyeglasses up and down. "It's a matter of who does it, what's their experience, and is it relevant? But it goes beyond that. You can't have one standard or guideline that fits everybody. So you have a problem, from the beginning, of how do you write something for a tiny little chemical plant [that also applies to] DuPont?"
Case in point: The building that houses Georgia-Pacific's headquarters is managed by Taylor & Mathis, one of the largest property management companies in the South. Georgia-Pacific is the largest tenant and a part-owner of the building, but there are 10 to 20 other tenant companies and hundreds of other tenant employees. Taylor & Mathis is likely to follow whatever security guidelines the Building Owners and Managers Association (BOMA) releases. But what if BOMA decides that buildings must be evacuated whenever there's a bomb threat? From Hayes's perspective, that just wouldn't make sense. "For me to push 3,000 people out of that building is a two-hour exercise, and bombers never give you two hours of notice," he says, noting that something like 99 percent of bombs involve no threats and 99 percent of threats involve no bombs. "The property managers had never even timed it to know what their throughput was. They had no idea what it would take to empty that building. Now, you're in conflict with your own landlord."
Even more vexing than the underlying wisdom of any one set of guidelines, however, is the fact that large companies don't necessarily fall neatly into a single industry. Georgia-Pacific, for instance, is known for its paper goods. But it's also a chemical company, a transportation company, a distribution company, and even
"You don't just pick one industry," Hayes says. "And if you're not going to use [a set of industry guidelines that might apply], you'd better have some pretty good reasons why."
A New Gold Rush?
If you haven't guessed by now, this particular CSO headache is likely to become someone else's bonanza. The American Institute of Chemical Engineers is charging $2,995 a head for a training course on how to implement its security guidelines. Vendors everywhere are touting software that will help companies comply with new regulations, from big Patriot Act packages down to payment-processing modules that block funding to individuals and organizations on the ever-growing list associated with Executive Order 13224. But perhaps the biggest pan in the stream belongs to Baker & McKenzie, one of the world's largest law firms, which a few months ago announced a U.S. Homeland Security Practice that brings together those aforementioned 50 attorneys from 17 disciplines.




