Left to the unaided devices of the regulation makers, chaos and arbitrariness will take hold. The world will, ironically, be made less secure.

Last month I complained about carrots. This month I’m complaining about sticks. Apparently, there’s just no pleasing me.

The gentleman on our cover is Bob Hayes. We posed him in some woods near his office, in Atlanta, to make the metaphorical point that a bunch of dense, confusing and potentially contradictory regulations are being promulgated now by various federal, state and local governments, as well as by industry consortiums within the private-sector wing of the so-called critical infrastructure. Hayes, the former security director of Georgia-Pacific, has made a thorough study of the changing regulatory climate (see Sarah D. Scalet’s cover story, “Chaos in a Three-Ring Binder,” Page 28). He predicts that security will soon become one of the most highly regulated areas of endeavor in U.S. business, and he is apprehensive about the implications of that.

CSOs in affected industries will face a mighty challenge. As business has long asserted, regulation imposes added costs and management burdens, requiring oversight, compliance reporting and, frequently, some extent of process remediation. While the goals of regulation are often worthy, the particular mechanisms can be cumbersome and even foolish. It is probably too much to ask that the clever munchkins toiling away in this or that agency coordinate with one another while formulating regulatory provisions; or that people with deep expertise within the affected industries make sure that the measures reflect real-world practicalities; or that someone owning sufficient clout, within the Department of Homeland Security or some other megabureaucracy, be empowered to reconcile the discontinuities among clashing regulations. (As Scalet observes in her story, complying with one regulation might require that another either be ignored or willfully flouted.)
Come what may, it will fall significantly to CSOs to sort out the mess.

What worries Hayes the most is the element of surprise. He believes that CSOs, by and large, don’t have the slightest clue that an onslaught of regulatory load is about to crash over them, plunging their organizations into waves of red tape. Perhaps they believe what the Bush administration has energetically insisted throughout its tenure: that carrots are so much more effective than sticks. But carrots, as I wrote last month, are not sufficient to guarantee a consistently high level of security. Unless the force of compulsion is brought to bear on private enterprises in reasonable ways, there is no certainty that our critical infrastructure will be well protected.

Bob Hayes’s call to action is roughly as follows: If CSOs don’t get in front of this process—if they simply let it happen without becoming aggressively, constructively involved—then they will surely suffer the consequences of Murphy’s Law. Left to the unaided devices of the regulation makers, chaos and arbitrariness will take hold. The world will, ironically, be made less secure. And, in addition, way more stupid.