Cool as McCumber

We were winding down our tour of Italy last month. My wife had always wanted to see the sights there, so we decided to make that our 30th anniversary gift to each other. We had already been to Rome, Florence, Venice, Siena and Pisa. Now we planned to relax for the last two days back in Rome to savor the food and views before our return flight to the United States. We had one last excursion planned - a Rome-by-Night tour scheduled through an online agency we had used for most of the rest of the trip. All our tours had been excellent: we had knowledgeable guides and breathtaking venues. We just wanted a final cruise through the streets of Rome to see the illuminated statues, fountains and ruins.

This last tour was the only one we shouldn't have taken. We were driven around back streets in a van picking up other tourists at hotels and then off to the booking office where we had to sit and wait in a hot (non-air conditioned) bus as the tour operator conducted business. After two hours, we finally saw our first illuminated marvel - the Trevi Fountain. We saw it only after leaving the bus and hiking several blocks. Our tour guide was tiredly reading from a boring script in four languages while we stood cheek-to-jowl with tourists and gawkers representing the entire United Nations. On the long hike back to the bus, we conspired to make an escape - refund or not. Near the waiting bus, we spied a taxi queue, and pushed through the tour group, sprinting toward the first taxi in line. The tour guide spotted us and was shouting something in Italian as we shut the door to the cab. The only words I heard in English were "no refunds."

When we got back, we were able to give some very nice feedback online to all the great tour operators, restaurants and hotels so future travelers could make more informed decisions. We were also able to warn others of Green Lines Tours, which had arranged our annoying schlep around Rome at night. After seeing many other similar horror stories about this outfit, we realized we should have spent some more time seeking out the feedback loop before booking a tour with them. We will not make that mistake again.

Other feedback programs are not so easy or so accurate. Our house cleaners started leaving a little card with a unique log-in number after each cleaning asking for feedback. After doing it twice, I stopped. I figured if I stopped using their service, that would be the feedback they would receive to determine they weren't doing so well. The survey itself was tedious to fill out because they expected me to rate items of minutiae such as the dusting of baseboards and toilet cleanliness. It took me longer to fill out the survey than to clean the toilets myself.

The team leader for our cleaning crew approached me a couple of weeks later, begging me to do it every time. I asked why, as she has been with us for 10 years. When there's a problem, I simply let her know, and it's always fixed - it has worked for a decade. Why do I need to complete a lengthy homework assignment about each weekly service I pay someone else to perform?

She said her managers wanted weekly feedback, and were posting results on the wall at their office. She complained that if she wasn't getting all 5's (on a 1 to 5 scale), she would get "counseled." I chuckled as I recalled the old US Air Force rating system where the same type of "firewall" performance appraisal (all top grades on fifteen factors) was considered the baseline of minimally accepted performance. A "firewall APR" didn't really mean you were outstanding. It meant you hadn't assaulted the base commander's spouse recently and you hadn't been arrested for anything else. Every couple of years, the Pentagon demanded more realistic bell-curve results, and the troops would all get dinged that year. However, within one rating cycle, it was always back to the "firewall" as the standard. Now I have to rate my poor housecleaner on the same inflated scale.

A feedback loop is also a vital component of your security management program. You'll not likely have online survey tools or a security blog, but you do have feedback loops that need to be maintained. Sometimes that feedback comes disguised as compliance metrics. These are the checkboxes and numbers passed up the chain of command to demonstrate your compliance with regulations, laws, policies and guidelines. Most security professionals have compliance standards they need to meet; however, they aren't the real story.

Our security programs cannot be defined and managed simply by compliance with statutes. A great security program is one where those in charge understand how well they inculcate a security culture within their organization. The efficacy of such a program focuses on the human element. In other words, it depends on gaining and weighing feedback on how the program is perceived and supported by non-security personnel. Do they feel they have a stake in protecting the organization's major assets - people, property and information? You need to establish and maintain a feedback loop on that critical element from those you support.

But if you just want a restaurant referral in Italy, call my wife. I'm too busy checking for dust on my baseboards.

John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: