It was dark, rainy and cold. I was driving a rental car from the airport to the hotel. My meetings were to begin first thing in the morning; however, before I could contemplate my wake-up call, I had to find the hotel. This rental car had no GPS locator, and the map and directions I had received from the rental car agency proved sadly inadequate. Given the demanding driving conditions, I opted to use my headset to call the hotel for a quick update. Here’s how the conversation went:
Hotel: May I help you?
Me: Yes. I am on Interstate 95 on the way to your hotel from the airport. Which exit should I take?
Hotel: Sorry, I’m the operator. Let me put you through to the front desk. Bzzzzztt, click…Hello, front desk, this is Sally.
Me: Hello, Sally. I have a room reservation with you tonight. I am driving in from the airport on I-95. How do I find your hotel?
Sally: We are just two blocks from the Municipal Auditorium, sir.
Me: The what?
Sally: The Municipal Auditorium, sir. If you see a sign for that, we are just two blocks away.
Me: I don’t know where the Municipal Auditorium is located in your city. It’s probably because I don’t live here. The fact I don’t live here is actually what prompted me to make a reservation at your hotel. If I knew where the Municipal Auditorium was located, I would probably just drive back to my house. Since I am not from here, could you please give me some quick directions?
Sally: I’ll have to get someone else to help you, sir. I’m not from here and don’t know the way. Bzzzzt, click….Hello, bell stand. May I help you?
Me: Repeats request while musing over how an out-of-town hotel employee stays employed.
Bellman: We are just two blocks from the Municipal Auditorium, sir….
Bellman: …, but, the easiest way to get here from the airport is to take Exit 122 off I-95, turn left at the light, and go three blocks.
Me: *big sigh* Thank you.
This real-life conversation popped into my head just this week as I got a call from my wife. She was driving for several hours to visit one of her client sites, and she called me from her car. It invoked this conversation:
Wife: Hey, would you mind looking on your computer for some directions for me?
Me: Actually, I am standing in line at the grocery store and I am not in front of my laptop. Can I help from here? Hey, wait a minute! Didn’t we just get you a portable GPS navigator for your birthday?
Wife: Yes, and I’m using it. But I also printed out directions from the Web site I used to rely on for directions. I printed out those directions to the client site yesterday, and the route is different from the way my GPS navigator is telling me to go.
Me: Which one do you trust?
Wife: Actually, the Web site. I used it for years before getting the GPS unit. Now I am not sure I want to trust this GPS witch who keeps telling me where to go.
Me: Then it sounds like you should stick to the printed directions.
Wife: Yes, but then the GPS voice nags you for miles with that “recalculating” nonsense.
Me: Maybe you could turn her off.
Wife: I don’t want to get lost.
Me: Do you have a map?
Wife: Who uses maps, anymore?
These reminiscences remind me of the story of the man who had one watch and always knew the exact time. When he could afford a new clock, he was never truly sure of the time again. When making important security decisions, getting the right data from a trusted source is critical.
Our profession is based on trust. Organizational decision-makers need to trust the advice of security professionals, and in turn, we need to ensure we can get the necessary data regarding threats and vulnerabilities from trusted sources. Gut instinct is no longer adequate in this landscape of rapidly evolving risk.
When you are asked to justify your requirements for new policies and safeguards, it is always best to be able to back them up with empirical data from reliable sources. Specifically, threat and vulnerability data are the primary categories for all security professionals. Anecdotal stories and lessons learned can be illuminating, but they fall far short of the requirements necessary for investing significant organizational resources such as money, time and effort. Backing up your best instincts with sound data is always the best approach — unless you know exactly where the Municipal Auditorium is located.
John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.