Security Regulations: Chaos in a Three-Ring Binder
Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?
By Sarah D. Scalet
July 01, 2003 — CSO — Bob Hayes is tackling chaos.
Chaos, in this case, resides in a set of three-ring binders that the former security director of Georgia-Pacific and former security operations manager for 3M has lugged around for months, and which he now plunks down on a table in a standard-issue conference room north of Atlanta. Inside the binders are hundreds of pages from dozens of legislative bodies, regulatory agencies and industry consortia around the world, all of which dictate what, since 9/11, companies should be doing to protect themselves against terrorism
The papers are neatly punched, indexed and occasionally underlined with red pen. They are never dog-eared or crumpled. Hayes is far too fastidious for that.
Nevertheless, it's a futile attempt at organization. In fact, as I sit with Hayes at one of the Fortune 500 companies where he's been consulting since leaving Georgia-Pacific during a restructuring this past January, I get the sense that in his quest to conquer those reams of paper, he is losing.
"There's no way that you could be up on all this," says Hayes, 52, who has the sturdy but trim build of the Montana Army National Guard enlistee he once was and the Rolex watch and black sports jacket of the Southern businessman he now is. His neatly trimmed hair seems brown or gray depending on the light, just as his demeanor seems to oscillate between that of a confident scholar and that of a confused student, depending on the moment. He's a scholar in that he's spent months studying a wave of 9/11-inspired rules and guidelines that suggest, when pieced together, that security is well on its way to becoming a fully regulated industry. (This despite what the Bush administration would like you to believe: that market forces, more or less unaided, will compel right behavior.) He's a confused student in that the pages in his binders are teeming with legalese and potential contradictions that are far beyond the grasp of any one person. (After all, one mega law firm has put more than 50 attorneys from 17 disciplines in charge of trying to sort out what the new security rules mean for clients.)
"When you start putting this whole picture together of how complex and huge this security issue has become," Hayes says, winding himself up even as he tries not to rise off the seat of his chair, "it's not just computer security; it's not just physical security. It includes how you hire people, how you build your warehouses. That's the story we're trying to tell: the magnitude of what's coming down the road."
Bob Hayes
- Risk-driven Compliance and Security Management
- Simplifying Risk Management: Is Your Company Measuring Up?
- Smart Techniques for Application Security
- The Business Case for Data Protection
- Survival Guide: Overcoming the Obstacles to Effective Risk Management
- Utility Mandate: Software Security for the Smart Grid
- Take the Cost, Complexity and Frustration Out of Two-factor Authorization
- Security Protection via the Cloud
- Pillars of Enterprise Protection: Protecting the Infrastructure
- Midmarket Insights from the Global CEO Study
- The New Voice of the CIO - Implications for IT Managers
- Five Critical Success Factors in Overcoming Workforce Disruptions
