Have a Coke and a (Security) Smile
Sometimes, security just sucks.
It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.
When it’s not done well, well…
I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.
Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.
The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.
Getting credit for the hotel stays was another story.
What I thought would be a quick call to the provider, started out bad and turned worse.
“Thank you for calling [hotel provider], can I help you?”
I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.
I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.
Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.
This is why people shudder when IT or their company’s Information Security team start talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (which we almost never experience), but let’s remember that your security implementation should match your risk.
Even the Secret Service lets the President kiss a few babies.
I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.
But I might still ask for that Coke recipe.