• United States



Think Like a Perp

Jan 09, 20033 mins
IT Leadership

Listening to Dennis Treece, the newly installed CSO of the Massachusetts Port Authority, go on at some length about the wide assortment of threats a port can face, it occurs to me that there are certain likenesses between novel writing (my off-hours hobby, as it happens) and security (my area of professional interest). We’re having lunch in a hotel restaurant overlooking Boston harbor on a snowy December midday. Treece (about whom we’ll offer more in a future issue) is discussing the temperature at which liquefied natural gas becomes volatile and, hence, apocalyptically threatening to a densely populated harborside city like Boston. “We wouldn’t let a tanker come in to port if the temperature were out of whack. But otherwise, it’s really not all that dangerous.” As if on cue, a big LNG tanker, surrounded by an escort of tugs, Coast Guard and police and fire department boats, enters the harbor, filling the vista beyond our table.

For Treecewho oversees security for three airports, including Logan International, and the seaport infrastructure, roads and bridgesthe work domain is one which he populates with imagined potential menaces that we so-called normal people almost never have to contemplate. The drift of our conversation suggests to me that one little-noted characteristic of the ideal CSO might be a fertile, vivid and twisted imagination (which Treece seems to possess in useful quantities). For a profession whose job description is basically to try to break Murphy’s Law, the goal would be to outdo Murphy in contemplating what could go wrong.

When I point this out to Treece, he laughs. “I wish my imagination were more twisted than it is.”

Developing this gift does not come naturally or easily to most people. It requires learning to think like a perp. (I suspect this helps explain why some security practitioners are tempted to consider hiring “reformed” hackers, on the theory that it takes one to stop one.) One reason so many security people have law enforcement or military backgrounds (Treece is former military intelligence) is that they have long since mastered the techniques of perp-think. People in business, though, are not so accustomed to doing this. Bruce Bonsall, CISO of MassMutual, is quoted in this month’s cover story on fraud prevention (see “The Fraud Squad,” Page 34) lamenting how challenging it is for employees “to stop thinking like good honest people and start [thinking like] the bad guys.”

But businesses always tend to cultivate atmospheres of high-flying optimism and positivity. As valuable as it might have been to the CEOs of some now-floundering enterprises, the ability to imagine disaster falls outside of the approved spec for business thinking. Even when businesses are only talking to themselves, the sky is always unrealistically sunny. Inevitably, it falls, by default, to a chosen few to take that penetrating, sobering look at the dark side. And you’re it. So you’ll need to continuously cultivate that twisted imagination of yours. You can practice by working on that crime novel you’ve been meaning to write.