A recent event over the holidays, the failed terrorist attack on flight 253 from Amsterdam, has predictably resulted in a flurry of activity by politicians and pundits to foist new “security measures” unto the public to assuage our fears of the boogey man boarding airliners. As most people know, these measures accomplish nothing to actually increase security but rather they are an attempt to make us feel that someone is actually doing something. It is strictly public relations.

The other morning I read a terrific piece by one-man security think-tank Bruce Schneier written for CNN. It serves as a terrific introduction to what is known as security theater. From its Wikipedia entry:

Security theater has been defined as ostensible security measures which have little real influence on security whilst being publicly visible and designed to demonstrate to the lesser-informed that countermeasures have been considered. Security theater has been related to and has some similarities with superstition.

Now, let’s transpose this to Information Technology.

Recently I had the opportunity to consult for a start-up company in a very nascent and competitive sector in the virtualization marketplace. Their product is a virtual desktop solution based off of a completely proprietary protocol stack and driver suite. It’s very cool stuff, and very complex. This provided their senior management team with a number of challenges wherein we can draw parallels to security theater.

Since no metrics yet exist to quantify the entirely subjective nature of a user experience or satisfaction index (the first company to reliably demonstrate a workable metric will dominate more than just the virtual desktop market), senior management drew some downright bizarre conclusions about root causes of unhappy users experiencing application crashes, iTunes running sluggishly, Excel scrolling too slowly, etc. Their analysis resulted in a firm commitment to a belief that the software being developed by the engineering team was infallible, Apple and Microsoft products are bug-free, and that the undeniable cause of all issues was that IT personnel did not participate in this illusion.

The problem this created was an entire department, IT, left trying to consider how to inform overly-experienced management (there is such a thing) that managing expectations is entirely different from managing perceptions. Feigning concern for non-existent problems in order to assuage worries about product performance does a disservice not only to employees, but ultimately to the shareholders. However, it does fall right in line with the meme that perception is reality. Once you buy into the meme, it’s not such a leap to start to believe that creating perceptions creates reality; a concept which is very popular, but not even consciously realized, in larger companies.

Perception: The IT department is terrible.
Reality: Brand new, highly complex software still under active development has the potential to crash and create problems.

Perception: Taking my shoes off at airport security makes me safe.
Reality: Terrorists also wear underpants.

The unfortunate nature of this resulted in directives more fitting for mature, large companies than those just scratching the surface of their growth stage. It’s incredibly cynical to say, but it’s also incredibly accurate: Forgo actually solving problems, but make sure you create the impression that you are. If everyone does this, then everybody is covered, and everybody’s jobs are safe. Create the perception, create the reality. This is management theater.

The longer this behavior is allowed to linger (especially in senior management), the more and more institutionalized it becomes. It can be very challenging to dig a company out of its effect.

As a business leader (and let’s never forget that you are part of the team, not the team itself) if you suspect you have a problem, you need to step back and interface with people outside of management. Get a feel for what issues can be addressed proactively before they become severe. Do you have a member of the management team who is blaming rather than addressing? Cut them loose before it’s too late for yourself and your shareholders.