Opinion

FUD Watch | Security Theater At Its Worst

CSO Senior Editor Bill Brenner goes to New York and finds the perfect example of what Bruce Schneier calls "security theater."

By Bill Brenner, Senior Editor

September 18, 2008 | CSO

Security luminary Bruce Schneier has described security theater as a series of countermeasures designed to provide the feeling of improved security while doing little or nothing to actually make us safer.

I found the perfect example of that last week during a trip to New York for CSO's forum on PCI security.

During some downtime I decided to take a walk around Midtown and wound up at the Empire State Building. I decided to go up to the observation deck, figuring it would be a quick side trip.

Inside, I went through a screening line that resembles a TSA airport security checkpoint or the security line one wades through when entering a court building. Fine, I thought. This is just the way it is in the post-9/11 world. This is arguably the best-known building in Manhattan and it's a tempting target for terrorists.

From there, however, people are sent through a ridiculous maze on the way to the first elevator. It's partly designed to guide people to the right places, though it seemed to sow more confusion instead. It also appears designed to slow down anyone who might be looking to cause trouble.

Along the way, peddlers stake out parts of the maze and try to sell you things: a hand-held device that tells you where to find certain landmarks below, a fancy map that does the same, etc.

This brought two things to mind: First, the security layout may well be a sham designed to slow people down so peddlers can sell them stuff. Second, if it's genuinely designed for security, it's all theater and no substance.

If anything, the maze creates more of a security risk by throwing obstacles in the way of people who might have to evacuate in an emergency.

This space is usually devoted to vendors and PR flaks who try to use FUD to drum up publicity for security products. But the government and owners of places like the Empire State Building also use FUD as a device in their own brand of security theater.

By setting up loud security barriers like this, they are doing their part to create an atmosphere of fear, when they are really out to make people feel safe.

All I know is this: If a skyscraper is on fire and I need to get out in a hurry, the last thing I want is a big obstacle course in my way on the ground floor.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.
