The Purses and Flagpoles of Security Policies

Published on 23rd June 2022 Author: Rob Black

Jamie Smed, CC BY 2.0, via Wikimedia Commons

I never knew what a danger soccer moms’ purses were.

That is, until I attended my very first professional soccer game at Gillette Stadium.

A friend of ours invited a few families to join them to watch the game. Until a few hours before arrival I could not have confidently named the home team.

It’s the Revolution – clever pun. I can’t remember who the visitors were.

I do not know much about non-American “football.”

I had to ask our hosts how many players are on a professional team. What are the rules for substitutions? What’s that round thing that they are kicking? (Okay, I know that one, but there’s a reason I coach basketball and not soccer.)

As a big fan of the New England Patriots, I have been to Gillette many times before.

Since I was always with the guys I never paid attention to the “bag policy.”

It turns out that there are a lot of rules governing the type of bag you can bring into the stadium.

That meant that all of the ladies (soccer moms) with us had to head back to the car to drop off their pocket books.

We proceeded through the security system, which is way, way better than when I last attended. The devices scan for weapons. The machines are looking for guns and explosives, but they aren’t metal detectors. You don’t have to take anything out of your pockets.

You can just walk through at a normal pace. You don’t have to slow down, and don’t get the uncomfortable moment of the guy patting you down.

After passing through security, we get into the stadium.

I didn’t realize it but a lot of people take soccer very seriously.

There were giant flags on huge metal poles.

Wait, what?

Gillette Stadium’s Threat Model

Let’s review the Gillette Stadium threat model.

Top threat: Soccer moms with purses.

Also a threat: Traditional guns and explosives.

Not a threat: Guys drinking lots of beer while swinging gigantic metal poles.

Or so that’s what this security guy deems by Gillette Stadium’s policies.

That brings me to your security policies.

Security Policies

Every company has a few idiosyncratic policies.

Some let employees do whatever they want on their computer and network.
Some give vendors broad leeway because they have a “legacy” contract, even though they don’t comply with current company requirements.
Some allow acquired software groups to follow their own rules instead of the corporate Software Development Lifecycle.
Some allow drunk fans to wave giant metal poles in the middle of a crowd.

Sometimes, these idiosyncrasies are intentional policy. Other times, no one has gotten around to correcting it.

If it’s unintentional, what should you do about it? Here are some concrete suggestions:

1. Actually read your policies.

Read through your existing policies. If you haven’t taken a look in a while, you will likely be shocked to find:

Stuff that’s been there for years and no longer applies.
Stuff that’s in there that never applied because you copied it from the original policy template.
Stuff that you intended to do but never got around to it.

2. Amend your policies.

Your policies should describe what your employees are actually doing, not an ideal state. Never put aspirational items in your policies.

Imagine if you were in court answering the opposing attorney’s questions after a cybersecurity incident resulting in significant loss. “It says here that ALL systems MUST have Multi-Factor Authentication (MFA) on them. Why didn’t you follow your policy for System XYZ?”

You want workable policies that your organization can live with.

First, amend your practices. There may be some things in those policies that you want to follow. Start doing them.

Ask the engineering lead for the group that is not on the corporate SDLC to start following it, or make suggestions for how his/her group recommends changes to the policy.

After your practices are updated, codify them as new (or updated) policies. Senior management should read the policies, and be confident they are being followed. Senior management must sign off on them and stand behind them with the whole organization.

Speaking of which, don’t forget to roll out the updated policies to the whole organization!

Conclusion

Gillette Stadium likely has their own reasons for disallowing purses while allowing flagpoles. The types of hardcore fans who want to bring in flags may have a better experience and come back to their games more often, which the stadium considers worth the risk of an injury caused by a fan with a flagpole. They may believe purses are an easier way to conceal something such as a weapon or sneaky snacks that threaten their concession sales.

The point is, they have decided what is and is not appropriate based on their risk tolerance and organizational needs.

A few idiosyncratic policies like this are okay – as long as they are intentional, specific to your organization’s risk profile, and compliant with whatever standards you need to be compliant with.

Having policies that are out-of-step with your organization’s practices because you haven’t updated them in a few years is not okay.

I’ve gotta run – I’m going to get a giant Patriot’s flag for my next visit to Gillette Stadium!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).