Security Regulations: Chaos in a Three-Ring Binder

Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?

Bob Hayes is tackling chaos.

Chaos, in this case, resides in a set of three-ring binders that the former security director of Georgia-Pacific and former security operations manager for 3M has lugged around for months, and which he now plunks down on a table in a standard-issue conference room north of Atlanta. Inside the binders are hundreds of pages from dozens of legislative bodies, regulatory agencies and industry consortia around the world, all of which dictate what, since 9/11, companies should be doing to protect themselves against terrorism: from monitoring factory ventilation systems to hardening computer networks to screening the staff who drive delivery trucks.

The papers are neatly punched, indexed and occasionally underlined with red pen. They are never dog-eared or crumpled. Hayes is far too fastidious for that.

Nevertheless, it's a futile attempt at organization. In fact, as I sit with Hayes at one of the Fortune 500 companies where he's been consulting since leaving Georgia-Pacific during a restructuring this past January, I get the sense that in his quest to conquer those reams of paper, he is losing.

"There's no way that you could be up on all this," says Hayes, 52, who has the sturdy but trim build of the Montana Army National Guard enlistee he once was and the Rolex watch and black sports jacket of the Southern businessman he now is. His neatly trimmed hair seems brown or gray depending on the light, just as his demeanor seems to oscillate between that of a confident scholar and that of a confused student, depending on the moment. He's a scholar in that he's spent months studying a wave of 9/11-inspired rules and guidelines that suggest, when pieced together, that security is well on its way to becoming a fully regulated industry. (This despite what the Bush administration would like you to believe: that market forces, more or less unaided, will compel right behavior.) He's a confused student in that the pages in his binders are teeming with legalese and potential contradictions that are far beyond the grasp of any one person. (After all, one mega law firm has put more than 50 attorneys from 17 disciplines in charge of trying to sort out what the new security rules mean for clients.)

"When you start putting this whole picture together of how complex and huge this security issue has become," Hayes says, winding himself up even as he tries not to rise off the seat of his chair, "it's not just computer security; it's not just physical security. It includes how you hire people, how you build your warehouses. That's the story we're trying to tell: the magnitude of what's coming down the road."

Anyone tempted to disagree should consider Hayes's track record. In 1972, he was part of a team that did some of the earliest research into what causes or prevents crowd violence, as police in Florida tried to prevent the Republican and Democratic National Conventions from ending in the police riots that marked the Democratic National Convention of 1968. Then, 15 years later, when he was the head of security for 3M, Hayes became one of the first practitioners to do anything about workplace violence, years before the phrase "workplace violence" was part of the lexicon.

"By anybody's standards, he was one of the pioneers in workplace violence prevention for large corporations," says Park Dietz, the renowned criminal psychologist (think the Jeffrey Dahmer case) who is himself the most well-known pioneer in that industry. "If you could do a fair survey of the heads of security of the Fortune 100, Bob's reputation would rank extremely high. I do think he is a forward thinker, and if he sees a pattern there, he's right."

For CSOs, the easy way out of the pattern emerging from Hayes's binders is to let someone else deal with the problem. But the way Hayes sees it, this is a make-or-break opportunity for the profession. "You have a choice: you can either be part of this and influence it, or sit back and ignore it and let people who have no expertise in security handle it," he says. "That's not a real smart move because then somebody says, 'Why do we need a security guy?'"

This is why. Hayes shuffles through his stack of binders, finds one labeled Regulatory Trends, flips it open and starts talking.

The R Word

"This," Hayes says, popping open the binder rings and taking out a stack of papers, "is a list I got from somewhere of all the laws that have been passed [or revisited] since 9/11. I'm really bummed I can't figure out where I got this. It was a long time before I really stopped and looked at it." He pauses, thumbing through the document, which is about 15 pages long, a gray blur of laws and proposals about espionage and funding of terrorists, transportation safety and the insurance industry and, of course, the ubiquitous USA Patriot Act, all legislative efforts with the underlying goal of improving national security.

"I started flipping through here and said, There's a lot of stuff going on: in the United States; in the United Kingdom. Then I saw this," he says, landing on a page halfway through the document, flashing a Grinch of a grin that makes him look 10 years younger and showing me an alphabetical list of countries also offering security-focused legislation. "Albania, Bosnia, Canada, China. You get the idea? And I say, 'Uh-oh, we're not the only ones.' This was one of the turning points."

Hayes snaps the document back into the binder and starts turning more pages, from one law or regulatory body to the next. It's not just the dreaded R word, regulations, that he's talking about, although there are plenty of those on the state, national and international level. Take the section on the U.S. Customs Service, for instance. Customs, which touches every company that imports or exports supplies or goods to or from the United States, used to be primarily concerned with keeping drugs, illegal aliens and counterfeit products out of the country. But since 9/11, the Customs Service has changed more than its name (it's now called Customs and Border Protection) and its position within the U.S. bureaucracy (it's now part of the Department of Homeland Security).

The government's cry for homeland defense has given Customs vastly expanded powers, the most controversial of which is the authority to declare what's known as the 24-hour manifest rule. Before, a ship crossing the Atlantic was required to submit a list of its cargo before entering a U.S. port. As of last December, carriers headed for the United States must submit a list of cargo 24 hours before it's loaded on board. "Compliance with the 24-hour rule is a matter of National Security," warns a stern statement at the Customs website, threatening to fine offenders and keep them from loading their vessels. But complying with this rule is no small task for a carrier's customers, who may not know until the last minute exactly what they need to ship.

If that's the stick, then this is the carrot: Customs Trade Partnership Against Terrorism, or C-TPAT. This voluntary program uses the same concept as the "trusted traveler" program for airlines. Carriers who choose to participate go through a security "validation" (Customs is careful not to use the word audit) to prove they have covered every aspect of supply chain security, from sealing containers to installing adequate lighting at loading docks to giving employees incentives for paying attention to security. Companies that obtain the validation move through Customs more quickly, leaving agents free to focus on vessels that are more likely to pose security risks.

Hayes says that the security director of the company on whose leafy grounds we're meeting has gone through the C-TPAT validation process. (As a condition of the interview, he asked me not to name the company because he's there as a consultant, not an employee, and because, I sense, he wants to make it clear that this is his project, not theirs.) "It took him about six months," Hayes says. "It was a major effort, and it's one of hundreds [of such efforts]."

Somebody Said to Do Something

Outside in the company parking lot, windblown trees shake a fine yellow dusting of pollen over asphalt and cars. A few stragglers return from lunch, and the April afternoon clouds are too threatening to tempt anyone to sneak out for an early tee time. Inside, Hayes is just getting warmed up. He takes a drink of water and opens a binder with a whole other set of guidelines, these with a much murkier reach: presidential directives and executive orders, which the president uses to manage the executive branch, government agencies and, by extension, any company with government contracts.

Like most people, Hayes had never paid much attention to those kinds of orders. But one day, a few weeks after 9/11, while he was still with Georgia-Pacific, he got a call from one of his colleagues in the International Security Management Association (ISMA) who wanted to know what Hayes was doing about Executive Order 13224.

"I said, 'What's that?'" Hayes recalls. "And he said, 'It's about not doing business with terrorists. We have lots of government contracts and thousands and thousands of customers. How are you going to check your list?'"

At the time, Hayes had no idea what "list" his peer was talking about. Now, he thumbs through the binder looking for the right group of documents. "This is the first one that came out," he finally says, showing me a list of names of suspected terrorists. Osama bin Laden is number 12 or so. "It started as a list of 75 people at These were groups [the government was] finding links to very early on."

Hayes started looking for the names and organizations on the list in various databases at Georgia-Pacific, both to comply with the order and to ascertain, for security reasons, that no one identified as a terrorist was working at Georgia-Pacific's more than 600 locations. Hayes made sure the government's list got checked against payroll. And against the visitor logs. And against the files for Georgia-Pacific's temporary agency, for its vendors, for its contractors, for everyone.

Then the list changed.

"Every day the list would just be bigger," he remembers. Eventually, it grew to thousands of names. "It would come out with a new date on the bottom, but you'd have no idea who they'd added to it." That meant that every name on the list, not just the new ones, had to be checked. (The government has since streamlined the process of adding names to the ever-growing list.)

And Executive Order 13224 was only the beginning.

President Bush fired off more orders in rapid succession: Executive Order 13231 on critical infrastructure protection. Executive Order 13234 creating a presidential task force on citizen preparedness. Presidential Directive 2 on combating terrorism through immigration policies.

All of them, in one way or another, involve security. Some laid the groundwork for more far-reaching rules. In May, for instance, the U.S. Treasury Department finalized the Patriot Act regulations that, among other things, require financial institutions to make sure that new customers don't appear on the suspected terrorist watch list. What became of some of the other provisions is, well, anyone's guess.

When I got back from meeting with Hayes in Atlanta, I called the White House to ask about the report that was allegedly created by the presidential task force on citizen preparedness. The White House press office didn't know; someone there referred me to the Department of Homeland Security, which referred me to the Federal Emergency Management Agency, which referred me back to the White House. Later, when I told Hayes this, he wasn't surprised. He said that was exactly his point.

"I have a headache every time I get into this. It's so complex, and there are so many people working on it, and obviously nobody is talking to anybody else," he says. The job of making sense of the mess would, it seems, fall squarely on the shoulders of the CSO. But, like most CSOs, Hayes doesn't have a law degree. He has no background in picking apart executive orders and figuring out what they mean for whom. He doesn't know the first thing about following the complex process of how a bill becomes a law becomes a set of regulations and, in time, becomes a fine for noncompliance. He is trying to chart the dimensions of a dense forest at a time when, he fears, everyone else is looking only at the trees.

"All the functions in a company (shipping, distribution, product safety, environmental, food service, everyone) are going to get some notice of individual things happening," Hayes says. Someone needs to coordinate this vision and oversee the whole onerous load of compliance. It could be the legal department. But the chief security officer, theoretically, is the one person in the organization who best understands how to actually improve security in a holistic way.
