Toilets, auto emissions, Hunter S. Thompson, all that 201 CMR 17.00 stuff, and now bathrobes. I know, but hear (read?) me out on this one.
I tend to be cheap about travel; all I usually want in a hotel room is a halfway decent bed, a functional shower, and relative cleanliness. Occasionally, however, I stay someplace without a complimentary "Hookers and Truckers" floor show in the parking lot. Sometimes, I end up staying in nicer places, and on rare occasions I stay in very nice places (this generally involves someone else's money, or a complimentary upgrade due to a colossal screw-up by the hotel). How do you know when you are in a "luxury" hotel (or at least a luxury suite)? It isn't just the big things (big rooms, big TVs, big bathtubs, etc.) but the smaller things like mints on the pillow and the sure sign: the fluffy bathrobes.
So what's the point? You (or someone) have shelled out a lot of money, and the hotel wants you to feel like you are really getting your money's worth, because they know if you don't, you will not do it again. It is only fitting: if you spend a lot of money, you should know where it went and feel good about it.
Thankfully, the people who control security budgets don't expect to see where all that money has gone, nor do they expect to feel good about it... oh, wait. But we already do a great job at keeping people informed and... um, strike two.
It's different, you say: they *have* to spend money on security. No, they do not. There may be a wide variety of factors which compel them to spend the money, but especially in this economic climate (hey, there's an area where some Global Warming is needed), financial pressures force some hard decisions. No matter what the regulations say, if the choice is between making payroll (and thus existing into next week) and anything else, "anything else" better be pretty darn compelling. Assuming your situation is not that dire, you should still think about the visibility of your security efforts, and whether the organization gets a good feeling from it. I am not advocating that your IT and security team(s) start offering a bedtime turn-down service to the boss (actually, I strongly advise against that), but think about what visible benefits your organization gets from their IT and security budget. If the answer is "not much", start thinking about how to change that. Don't bore people with too much detail or too frequent updates, but find a way to make your work visible (in a good way, not just as the jerks who always say no).