The fifth in a series of “Seven Management Imperatives” for government leaders, based on the insights provided by some 300 senior government officials and more than 300 research reports, courtesy of IBM Center of The Business of Government.

Government leaders and managers have a fundamental responsibility to protect citizens from security threats. The weapons and tactics employed in many of today’s security threats do not require the traditional armies of the past. Malicious groups of people, down to a hostile individual operating within the homeland, can acquire and employ commercially available technology to inflict major destruction.

This puts most government leaders in the difficult position of coming to terms with a major new responsibility in the midst of a threat environment that can sometimes feel as if threats are poised to strike around every corner. How does one make sense of the problem and begin to craft practical and affordable security strategies?

Understanding the Problem

The ratio of size to impact is asymmetrical. Leaders now confront an operating environment where a single person can achieve tremendous destruction. Small groups can achieve exponentially greater effects, as seen in the 2008 Mumbai attacks, and small groups can form into a globally destructive network, witness al-Qaeda. Leaders and managers must be aware that security threats begin with the individual actor.

The threats are hidden in plain sight. There was a time when security threats were found by monitoring the behavior of large missiles, bombers, and tanks. While these threats are still relevant, many of today’s security threats are armed with the tools of peaceful civilian work–-chemicals, nuclear material, the Internet, commercial aircraft, cell phones, and other commercial technologies.

Since size is no longer required to achieve substantial effect, an individual or a small group can be a nationally significant threat. These threats are just as likely to achieve their desired effects by striking targets outside the traditional national security domain. This puts every government leader in a position of responsibility for countering security threats.

Countering these threats requires fundamentally different response strategies than those of the past century. There are five core elements to an effective and affordable response strategy.

Developing an Effective Response

First, focus on vulnerabilities, not just threats. Security threats are persistent and ubiquitous. In confronting this dizzying array, leaders and managers must focus their energies on analyzing their enterprise’s vulnerabilities. Not every enterprise will have the same vulnerability to every threat. It would exhaust an organization to defend uniformly against every possible threat. Investments should be focused on mitigating the specific vulnerabilities of the organization’s particular operating environment.

Second, a response strategy must have proactive as well as defensive measures. It is essentially impossible to detect and defend against 100 percent of the attacks posed by individuals and small groups. Leaders and managers must ensure that their strategy combines proactive and defensive measures. Proactive measures include an informed and engaged workforce and citizenry, equipped and motivated to contribute in areas including sensing, identifying, and reporting threats.

Third, prepare to recover after an attack. Leaders and managers must assess their enterprise’s resiliency to various forms of attack. How will the organization recover operations if one or more key leaders cannot function? How will the organization ensure continuity of operations in the midst of a disaster? The probability and consequences of a major attack or natural disaster on the enterprise are such that the organization must include recovery planning as part of its strategy for dealing with threats.

Fourth, plan and conduct interagency operations as the norm. As former Secretary of Defense Robert Gates has said, today’s threats require response strategies that incorporate the “whole of government.” Government leaders and managers must become adept at not only working horizontally in their own departments or agencies, but across multiple departments, agencies, and other levels of government. Effectively preventing, responding to, and recovering from major attacks will require the capabilities and resources of many different organizations.

Fifth, continuously create knowledge-the basis of all security operations. Government leaders and managers must understand a more complex and nuanced picture of the situation that includes physical, virtual, social, and cultural dimensions. Doing so requires that leaders and managers learn to create knowledge from the massive data available to them.

Fortunately, analytic capabilities are improving at a rapid pace. Leaders and managers must gain an understanding of today’s mature analytic capabilities, and leverage those capabilities to inform security strategy, plans, and operations.

Looking Ahead

An organization’s knowledge system depends on networks, which carry the data and information that feed analytics. But networks require connectivity and connectivity creates vulnerabilities. The price of interconnectivity is the continuing trade off between opportunity and vulnerability. Government organizations need to ensure that policies are in place for protecting networks and networked information.

Previous Imperative | Next Imperative