I was travelling recently, and was struck by how mandated rules were sometimes so perplexing
Example 1:
I bought some small 100ml containers to keep my shampoo and conditioner in (see above). When I went through security at the airport, they pulled my bag.
They then proceeded to unpack my entire bag to see what the concerning item was. There was scant regard for my privacy. It wasn’t great having all these random people seeing the contents of my bag. It happened to another gentleman too, who seemed as uncomfortable as I was.
Eventually I realised that the problem must be the little containers. I said – these containers are within the allowed limit. He agreed but said they had to be in a plastic bag. I am still puzzled about what makes this bag so magic that once these containers were in the bag, all was well. I also wonder about the plastic wastage caused by this use of plastic bags across all the UK’s airports.
Example 2:
Once through security, I looked for somewhere to have lunch. There was a mexican restaurant something like Chipotle in the USA, but NOT this name in the UK. I asked if I could have only salad and guacamole. She said I HAD to have meat and rice as well as salad. Even if I paid for the meat and rice, I still couldn’t have only the salad.
Sigh
I am deliberately not naming the airport because these employees are not at fault. They are clearly following orders. Yet, from my perspective, these rules seemed nonsensical and left me feeling frustrated (and hungry!).
It is entirely possible that there are very good reasons for the use of these plastic bags, and for requiring set menus. Not knowing the rationale added to the perplexing nature of these events.
Do we have similar problems in cybersecurity? Are some of our rules and mandated processes mere security theatre and not really improving security? Or are we mandating particular actions for very good reasons but not explaining why and what they achieve?
It is certainly worth thinking about.