John McCumber is a security and risk professional, and author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.
Usually, the fall weather in and around Washington, DC is the best time of year. Yesterday’s fall weather, however, was that first cold slap of reality announcing winter is on the way. Like many days in my job, this one was starting with a meeting over breakfast in the suburbs. I left my condo and ran face first into a strong, gusty wind, overcast skies, slashing rain, and a raw thirty-eight degrees. I turned right around and went back inside to grab a scarf and a pair of gloves to augment my overcoat.
Fortunately for me, my colleague had recommended a popular spot that had a large, free parking lot adjoining the café. As I pulled into the parking area, I heard that always-annoying fall refrain of a gas-powered leaf blower. The operator was wearing a winter coat with a rain-proof slicker pulled over it, and had a mask to protect his mouth and nose from the swirling veil of leaves, dirt, and debris he was kicking up with the infernal noise-maker. As I watched, his clouds of detritus would move away from the building only to be picked up by the gusting winds and deposited directly behind him, with a large quantity of grime attaching to rain drops and making the siding and windows a dirty mess.
As I shed my coat and scarf, I pointed the leaf blower out to my breakfast companion. He laughed and said one word, “Checklist.” It took me a moment to realize the wisdom and insight in that singular word. That was it. The maintenance company had a requirement to blow leaves and debris, and this guy was completing that checklist item so he would be paid.
Check and done. It didn’t matter that the result was the opposite of the intended goal of a clean area around the building. The building owner should have paid him to NOT use the blower.
For security practitioners, the checklist can become a way of life. Everything from a daily building security check to a complex security review of an industrial control system is usually centered on a checklist. The National Institute of Standards and Technology (NIST) has produced dozens of checklists for information security practitioners, and the cyber-security "framework" for critical infrastructure called for by a recent executive order is well on its way to becoming the next security checklist. The checklist is a valuable tool for all of us, but a checked box only records that a control was applied; it says nothing about whether the risk the control was meant to reduce is actually lower. Ultimately, we need to ensure we know both when and why we must deviate from the list. The leaf blower guy was checking the box, and making a dirty mess in the process.