You can't secure what you don't acknowledge.SM

Monday, January 7, 2008

Holiday shopping insight: Security for security's sake?

Over the Christmas holidays I noticed an interesting retailer procedure that strikes home with us in information security. It's manager overrides... You know, when you buy something special or need to return something that requires manager approval... The cashier has to call over a manager to override what s/he is trying to do. I certainly understand the need for an override. Maybe the purchase is over $500 or there's no receipt for a returned item. Makes decent business sense: just have a policy and associated procedure where a manager has to "approve" certain transactions.

Well, I think we've all seen what happens during this so-called approval stage. Does the manager come to the register and talk to you, talk to the cashier, review the item in question? Absolutely not! At least in my experience. Instead, they walk over, multi-tasking, 10 things going on at once, and punch in their secret code (that everyone can see, mind you). Hardly a single word, much less a peek into what the override is actually for.

This is EXACTLY the problem that many organizations have with information security policy enforcement and procedure execution. There's no real oversight. Someone with the manager designation says "YES", whatever was requested gets approved, and nothing has really been accomplished other than showing that employees can all work together to go through the motions in order to make the auditors happy.

Why not allow the cashier to just do the override...? It'd save everyone - including customers - a ton of time added up day in and day out. Why even have the policy or procedure anyway if nothing beneficial is coming out of it? Formal processes only get in the way of doing business, right?

Perfect example of security for the sake of security...nothing more and nothing less.
