John McCumber, author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," discusses how companies should make their policies logically flow in the November issue of Security Technology Executive.
I absolutely detested Kim Verstraete all through the latter years of grade school. She had arrived in town with the rest of her large Belgian family when I was in fifth grade. They seated her next to me in Sister Bernice’s class. We soon became dedicated enemies — at least as we understood the concept as ten-year-olds.
The conflict had nothing to do with our different family heritage. My mother’s sister married into one of the prominent Belgian families in the area, so we always had ties into the community on the west side of 12th Street — the unofficial demarcation between the Irish and the Belgians. In spite of my cross-cultural street cred, I ended up as her favorite target for abuse. As a boisterous child in my own right, I sought to pay back each insult and prank twice over.
I will always claim she started it. Not me. She would show me up in class and would ridicule me to her side of the class when I worked at my role as class clown. I would work to force at least five guys to laugh out loud during the singing of hymns and patriotic songs. Kim understood intimately that the ultimate goal of every class clown was to ensure others were punished for his or her own antics, and she would connive to get me fingered as the instigator so I would be the one punished.
One of the few upgrades we had as Catholic school students was the molded plastic chairs with attached fiber board desks complete with flip-open tops that revealed a cavernous storage area for books, pens, pencils, erasers and the other tools of elementary education. Additionally, most guys my age ensured we built and maintained both an offensive and defensive arsenal of weaponry to torture perceived enemies and protect yourself and your gang. Of course, a gang of the period was usually the five or six other male fifth graders that resided on your block and shared the walk to and from the school and church. In addition to the standard rubber bands, paper clips, broken rulers and purloined silverware, I kept a special stash to use against Kim.
One of my less creative responses to these subtle attacks was to get to class early with a water cup in order to fill the molded plastic seat of her desk with as much water as it could hold. She would enter the classroom and sit down while staying focused on her bundle of books. Hilarity ensued as she had to spend the next two hours with a sopping wet uniform skirt. She would shoot me the evil eye, and I would simply shift my gaze to the ceiling where I suddenly took a great interest in the fluorescent lighting. When she finally withdrew her ink cartridge pen (ball points were forbidden) for writing, she would find it inoperable. She would only later discover someone had wedged the end of a toothpick into the nib so it wouldn’t draw ink.
As a self-appointed class clown and early victim of the yet-undiscovered childhood malady of ADD, I would make it my daily mission to see how much actual class time I could avoid. I would volunteer to be excused from class to help wheel down the school piano for Sister Margareta’s choir practice. My hand shot up when they needed students to sing in the huge church choir loft for a daytime funeral of a recently-deceased parishioner. I knew of every possible opportunity to leave the classroom and see something interesting — even if it was a flower-festooned casket in the sanctuary.
Kim soon figured out a singular approach to inflict her burning revenge on me. That was the semester she was appointed afternoon hall monitor. Suddenly, she was able to adopt the mantle of authority over regular students like me. In addition to dealing with the missing answers from the back of my textbook and the pens I found glued into my pencil well, now I had to find a way to both leave the classroom and avoid the long arm of the law in the form of a fifth grade girl with a badge.
Kim was merciless. She had a pad of violation slips she laid on me like tar and feathers: unauthorized trips to the restroom, lying to the substitute, hiding in the storage room during catechism, going to confession three times a day so I could chat with Monsignor Blecke. In addition to the legitimate raps, she also established policies of her own that applied only to me. That year, I ended up with an intimate knowledge of both the detention room and my father’s belt as word of my “violations” filtered home from nuns, priests and parents.
For security professionals, it’s important to ensure those policies on behalf of your leadership flow logically from the goals and objectives of the organization. Developing and implementing consistent security standards and guidelines will allow you to manage your enforcement and compliance activities with ease. When policies appear to be random or ill-considered, employees and partners look for workarounds and even try to ignore your controls. Consistent and logical policy enforcement will go a long way toward improving your security posture.
At least we’re too old for the belt.
John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.