Tuesday, July 1, 2008

Insecurity and the Need for Heroes

I was in Lower Manhattan on 9/11 when the planes hit. And as the horrible events of that day unfolded, I, like many other New Yorkers, tried to help.

I went first to St Vincents in Greenwich Village to donate blood, watching as thousands of dust-covered refugees from the City streamed north, past white-coated doctors and nurses waited in vain beside a line of empty gurneys.

Then, once it became clear that blood wasn't what was needed, I headed with a group of other guys over to the docks to volunteer to help dig people out - only to be turned away because they wanted people "with tools and experience" - as in, experience in digging and cutting through steel and concrete.

So I went back to the neighborhood - just as the National Guard arrived and started locking everything down, from 14th St south to Battery Park.

As it turned out, the only heroic act that I managed to perform during 9/11 was the procuring of emergency supplies and the refilling of Kristen Johnson's water cooler (it's a long story). Hardly the stuff of legend. I went to bed - late - deeply unsatisfied with my contributions.

Meanwhile, the real heroes became more heroic to us New Yorkers by the day.

That afternoon, and for all the next day, and days after that, we would cheer them on from the east side of West St, as the firefighters and cops and construction workers kept digging, looking for "the people in the pictures" as we came to call the missing in the weeks after the tragedy.

The experience was unprecedented for me. I'd never felt such insecurity - or been in the middle of a disaster scene before. I had never ever before seen real life heroes up close, working to save lives - except for doctors and nurses and mothers. This form of heroics - the disaster response - I had no ability to comprehend it beyond the obvious sacrifice happening right in front of me.

Which brings me to the subject of this blog.

In his book "The Black Swan", Nassim Taleb postulates that a forward-thinking, highly-placed politician could have prevented the tragedy of 9/11 - by forcing the adoption of laws mandating additional security in the form of terror-proof, secure cockpit doors on aircraft.

He then explains that had this additional security been put in place, 9/11 would probably not have occurred, and New York, and the WTC, would have continued much as before.

But as Taleb explains, every action has a cost. Imagine the life of our politician as he faces re-election one year after his successful legislation. His success in forward-thinking has, unexpectedly, created a large personal problem: His overwhelming success has resulted in the complete destruction of a whole class of threats.

What remains, once the threat of an attack has been removed? The cost. And only the cost. Ask George W. Bush and Dick Cheney.

And so it ends with our hero. Taleb's story concludes with our lawmaker - the politician who "prevented" the attack - being turfed out of office for imposing such a ridiculously costly and unnecessary "security burden" on the airline industry, perhaps after the running of an ad campaign explaining how "all that money" could have been "better spent".

Taleb's story (originally told to explain the theory of Black Swans, like 9/11) goes a long way to explain why CSO's and their hard-working IT security staff often feel unappreciated.

It explains why boards and governments almost never sign up for large-scale security spending. It explains why "adequate amounts of security" and "heroics" will forever be incompatible. It explains why firefighters get depressed and sometimes light fires.

It also explains a lot about the security software industry. Analysts and engineers working in antivirus facilities like Authentium's Virus Lab sometimes get frustrated when criminals and hackers get lionized by the press - especially after an all-nighter spent securing the world from the threats they've created.

Taleb's story illustrates why when insecurity is rife, as it was on 9/11, heroes are needed. But it also explains why, with few exceptions, the names of the most successful folks in the threat prevention business are seldom heard outside of the industry.

Because, by improving security, they have killed off the likelihood of threats, and the need for heroes. They have made the terrible event go away, before it could occur, and become invisible as a result.

No comments: