Movie plot planning
Bruce Schneier has written a great essay in Wired on what he calls “movie plot security”. He points out, as the folks at What the Hack did, that too often security efforts focus on treating the perception instead of actually increasing security.
The essay explains the finger-pointing that’s going on over how the Katrina disaster was handled: organizations responsible for planning must spend limited resources looking forward, but end up being judged in hindsight. Security and disaster planning are about managing risks, which means priorities are set and resources allocated. Periodically a one-chance-in-200 event will occur that makes the decisions appear wrong. We must accept that it is impossible to plan for every scenario, or to always have the resources in the right place at the right time to address every possibility. Laying blame is easy; the harder, and more important, task is to learn from current events to improve plans for the future. As someone said on another thread: “Learning how to deal with emergency response ALWAYS builds lessons on the backs of the dead.”