In Depth

Security Regulations: Chaos in a Three-Ring Binder

Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?

By Sarah D. Scalet

Page 7

"We started to see individual questions coming up that all had this underlying theme of security related to 9/11," says Teresa A. Gleason, a partner in the firm's international trade group, who is coordinating the new practice. "The intent is to recognize that there is a common theme cutting across all disciplines of the law: security and antiterrorism-related issues."

Gleason envisions two kinds of clients: those who have one or two questions about a particular issue that cuts across industries and areas of the law, and those (ka-ching!) who want to figure out what everything combined means for their companies.

"It could be a lawyer in the company. It could be a security officer, like the people who read your magazine," she tells me from her office in Washington, D.C. "We're still a new group, and most companies are still dealing with [the new laws] when a particular issue arises rather than looking at it from a more comprehensive viewpoint, but I think that will change. I think there's a movement toward looking at it in a more comprehensive way."

It's one thing for someone like Bob Hayes to take this on as a pet study, even if it has consumed 15 percent or 20 percent of his time in the past year. It's another thing entirely for a law firm like Baker & McKenzie to bet so many resources on the premise that many of you, surrounded by paperwork in conference rooms across the country, will first pull out what's left of your hair, and then give up and call an expert.

Hayes, for one, has ideas for how CSOs could handle all this, ideas that he hopes to implement at whatever company offers him his next CSO gig. Maybe, he wonders, the answer is a RACI matrix with all the regulations down one side, and columns CSOs can fill in clarifying which part of the business is "responsible," "accountable," "consulting" or "implementing" for a particular area of the law. (For a downloadable RACI worksheet that you can use in your own organization, go to www.csoonline.com/printlinks.) But that's just an idea. For now, he thinks, it's enough for him to start compiling the list of everything that's out there to make sure his peers know about it.

"It wasn't that I started out one day and said, There's all this stuff. I think I'll research it and put it together," Hayes says. "In the past few months, it's become evident that everybody in the world is now weighing in on security. You've got more regulation or direction in security in the past three years than probably in the previous 50 years. Clearly, the magnitude of what's happening has surprised me." He offers me a soda and some pretzels, the only way he can think to stave off the migraine he knows he's spreading. "You're going to give a bunch of people a headache when you publish this article," he says. "Do I make my case? The landscape has changed."
