The anniversary of September 11 has just passed — time for columnists everywhere to write hand-wringing pieces about the erosion of civil liberties, the American government’s failure to improve security and the misunderestimation (to borrow a word from the nation’s fearless leader) of the threat of “cyberterrorism.” We all need a break from that. Instead, let me tell you about my summer vacation — more specifically, about what I learned from working as a volunteer security guard.
This summer I spent several days at a music festival making sure no one got in without a wristband, and several afternoons at the food co-op making sure members paid for all their food. Both venues had crowds as honest and wholesome as you’ll find anywhere in the state of New York. And both seem to illustrate the simplest problems and solutions for not just the physical world but the cyber world as well.
That’s appropriate, since lately there’s been talk about the benefits of blending physical and IT security. The unspoken subtext is often that information security is the brains and physical security is the brawn. Certainly there’s very little brawn involved with information security, unless you count pounding policy manuals over your users’ heads (which I don’t recommend). But the fact is there’s a lot that the computer geeks among us could learn from the work done by legions of security guards who check our bags, control access to buildings and just generally keep an eye on what’s happening. Here’s what I learned, anyway.
1. Assume people will make mistakes. At the food co-op, moms and dads who need a few items for dinner load up the bottom of the stroller, take everything out of the stroller to be scanned, and then put it all back in the stroller to roll home — all while caring for their squirmy, hungry kids. I don’t assume they’re trying to smuggle anything out, but I do assume they might inadvertently forget something in the stroller. As they say, the most important job is just keeping the honest people honest.
2. Tell them why security is good for them. One day at the co-op, I got the typical grumbling from someone who didn’t want me to check his backpack for food as he was loading up his grocery bags. Feeling especially diplomatic — and powerless — I pointed out that if I just peeked inside, it would be easier for him to get past the last security check at the door, because I would have already accounted for all his bags. The approach seemed to work. The four-step process to buying groceries may seem needlessly complicated, but it’s kept the co-op running for almost 30 years. And when people understand how policies help things run more smoothly, they’re more likely to cooperate.
3. Help people. At the folk festival, nearly all of the people who came to the gate without wristbands were just confused. They needed to be pointed to the information desk or the ticket booth, or they needed someone to explain which parts of the festival grounds were open to which attendees. Being able to help people is good PR for the security team.
4. Don’t be intimidated by the bossy so-and-so. Here’s where security broke down. One woman helping run the folk festival refused to wear a plastic wristband. When I tried to stop her, she spat that she’d been driving in and out all weekend without a wristband, and then drove right past me in her pick-up. Afterwards — too late, I’m afraid — I realized that I shouldn’t have let her make me feel stupid for not recognizing her, and I should have felt comfortable calling security headquarters to confirm her identity. The people at the gates need constant reinforcement that they should report suspicious activity, even if they’re afraid of being wrong.
5. The goal is to have nothing to do. Sure, I knew that more serious things could happen. I was warned that groups of local teenagers sometimes don flimsy paper copies of the plastic wristbands given to ticket holders, non-members try to finagle their way past the front desk and get their paws on our organic produce, and shoppers try to sneak those little bottles of gelatine-free vitamins into their backpacks. These are the script kiddies, social engineers and hackers of the banjo and tofu set. To the best of my knowledge, I never encountered any of them. Most of the job isn’t nearly that exciting. So get used to it.
In fact, the biggest thing I learned is how easy it is to feel useless working security at a place where security is working. And that’s where good management comes in. The people in charge have to understand that the job is important, and tell you. And maybe, at the end of a long shift during which “nothing” happened, they might even say thanks.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.