Cool as McCumber: Signs, Signs, Everywhere a Sign...

They are blocking out the scenery, breaking my mind. Do this, don’t do that; can’t you read the sign?

OK kids, those lyrics were only covered by Tesla in the 1980s. I was in high school for the original 1971 hit from Canada’s Five Man Electrical Band. When I was 16, it was such a cool song. Turn up your transistor radio (not even boom boxes back then) and get your sisters to yell at you to turn it down…those were the days. I was just starting to grow my hair out, so I too could look like Duane Allman when I played my guitar. Too bad I never learned to play like him.

It’s funny how your perspective changes as you age. Sentiments expressed in the sign song speak to Utopian dreams of communal property and peaceful co-existence. These days, I am much more prone to a Clint Eastwood-in-Gran Torino get-off-my-lawn mindset while I’m tweeting from #OccupyMyPorchSwing. I suppose that now officially qualifies me as a geezer with a technology fetish.

I find it odd that old song popped into my head just this week as I was getting settled in another hotel room. Along with the normal signs displaying the exits and the statutory rack rate on the back of the door, I found a hang tag in the bathroom extolling the virtues that would be visited upon the world around me if I chose to keep my used towels. It provided instructions on how the housekeeping staff would determine if I was “participating” in the hotel chain’s “green” initiative.

As I dropped my suitcase on the bed, I noticed two hang tags on the pillows. I knew one would be the expected breakfast room service menu that requires me to hang out my preferences before 2 a.m. The other was a hang tag that promised me 500 hotel customer loyalty points if they could avoid changing my linens during my stay — in order to “save the planet.” One could easily surmise the hotel’s answer to global environmental issues is a return to medieval sanitation standards.

The kicker was the sign stuck on the shower wall just over the handle. It was titled “Refresh Yourself: Restore our World.” It pictorially showed how they had installed a “heavenly” dual shower head so I could refresh myself, but wanted me to be aware that they turned one side off to conserve a precious natural resource…water. I was welcome to press the little button to enjoy a luxurious shower, but lo unto those who would do so and so destroy the world. Was I supposed to refresh myself, or restore the world? Phooey on the hotel for confronting me with a Hobson’s choice just to take a lousy shower after traveling all day. I grew up being taught clean linens, freshly-washed towels and a clean body were good for the individual and the world.

Those of us in the security business love our signs as well. We often use this medium to threaten, scold, promise, cajole, promote, inform, demand, beg, plead and extol to get across our security dogma. The form many of these signs take on has also changed from the heady counter-culture days of the 1970s. Sure, I still see security warnings, posters, signs, tags, notices and newsletters — but it is just as likely to be a warning on a webpage, an e-mail, text, tweet or pop-up window sent from a corporate server.

Signs, in all their variety, are a vital conduit to convey key issues of risk management to your constituents; however, security professionals need to ensure their signs don’t become a self-mocking exercise in frustration and non-compliance. The most important first step is to minimize those knee-jerk responses to isolated incidents. These responses are usually prompted by keester-covering, barn door-slamming legal advisors after the event has occurred. Consider McDonald’s “HOT LIQUID” warnings on coffee cups.

There are important requirements, issues, and concerns that we are required to bring before those we protect. It is critical we take the time to reflect how best to convey our message. I once worked for a company where the IT department issued dozens of e-mails a week regarding upcoming IT outages. Of course, every employee would like to be notified of such an eventuality…that is, unless the IT department sends out several company-wide e-mails per day about any and all outages — even for a small accounting application used only by three employees in Hong Kong. After a week of slogging through the lengthy caveats and exclusions, everyone in my group simply added the IT warnings to their spam list.

If a system was going to be off-line, it was easier to find out when you couldn’t gain access on Sunday afternoon. You just waited until Monday. Being surprised by the exception was simply easier than attempting to be forewarned.

Your signs say a lot about you. Ensure you are projecting the proper image of your security responsibilities, and your organizational risk management program. Use them sparingly and wisely, and be careful to avoid hyperbole. People just might find out you are turning on both showerheads and demanding clean towels during your hotel stays, and then you will be accused of trying to poison the planet.


John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail