Friday, January 28, 2011

This has absolutely nothing to do with security...

 ...and yet, it does.  I could also have titled this post missing the forest for the trees.  I had an interesting experience recently (two, actually), that I thought really drove home a point we in the information security field, and in fact in any field that makes rules, often forget.  We forget the reason for rules, or we do not adequately express the reasons to those that must follow the rules.  The result can be quite frustrating to those required to comply.

I recently spent a week in Costa Rica - a beautiful country, I might add, but also my first experience outside the United States and its immediate neighbors, so there were a few cultural and communication challenges to overcome.  One evening, after signing out and calling for a taxi to take me to my hotel, I decided to check my personal email while waiting in the lobby.  I had a half hour to wait, and didn't want to sit there bored for a half hour.  

The security guard approached me and politely but firmly said I could not use my computer in the lobby.  I asked for an explanation, and after overcoming a slight language barrier, I understood that "it was policy."  OK ... I can think of a few reasons for such a policy - perhaps this city has had a problem with crime or corporate espionage and wants to treat the lobby as the unsecured space that it is (though I had no intention of viewing anything confidential in a semi-public space).  So, being the somewhat persistent (stubborn?) person that I am, I pushed for the reason for the policy. 

The security guard called her supervisor, who called her supervisor, and eventually the answer came back "ergonomía" - ergonomics.  I could not use the computer in the lobby, because I did not have a mouse attached!  This office is making a very strong push to eliminate repetitive strain injuries by prohibiting laptop use without an external mouse.  So I pulled my mouse out of my bag, attached it, and everyone was happy.  Now that could be the end of the story, but if I stop there, I ignore my point.  Had I simply complied with the policy the security guard was instructed to enforce - had I gone back inside the building and waited in a conference room instead, sans mouse, I would have satisfied the guard while completely ignoring the problem the policy was intended to prevent.  I would have continued to risk wrist injury by using the onboard eraser nub.

How many other policies do we have like this?  How many times have we inadequately trained our "enforcers," as well as the rest of the employees, to follow rules instead of explaining the goal?  Rules and policies are necessary - but they invariably have a purpose.  If we merely enforce the rules, without explaining the purpose, we often end up defeating the very reason for those policies.  Now if only I could understand why the security guard told me tonight I could not sit on the steps outside the lobby, and instead must stand on those steps...