A few weeks ago I had a quick 48-hour trip into Rome. Never having been there, I was keen to take in the sights. In short order I found myself on a tour of the Vatican and later a tour of the Colosseum. At the end of the day I was sitting in an outdoor cafe having a glass of wine. I was thinking back over the events of the day in an effort to drown out the complaints of my feet.
Something struck me. The stark realization of just how many tourists I had seen drifting about the city with their fanny packs and rucksacks. Most were wearing t-shirts with some location from the US emblazoned on them. Others had similar giveaways as to their point of origin. It was something else to behold.
As I sat in the cafe I noticed a couple with their map, backpacks and fanny packs trying to puzzle out which direction they should be going. The male unit noticed me and wandered over. “Excuse me, do you speak English?” I nodded and smiled. “Which way to the Trevi fountain?” I gave them the directions, but I let them know it wasn’t open just yet as the refurbishment had not yet been completed. They were crestfallen. I said, “There is no shortage of places to see here before you head back to Chicago.” They both nodded. Then she asked, “How did you know we were from Chicago?” I smiled, “Lucky guess?”
To paint the scene, the male was wearing a Cubs shirt and the female of this duo was wearing a Blackhawks jersey. Not much of a stretch to guess where they were from. I noticed that one of their backpacks was open and I let them know. They were thankful that I let them know and wished me well and were on their way. These two had been wandering around with their pack open for an indeterminate amount of time. I could clearly see a wallet. They were screaming “rob me”.
This scenario made me think of so many organizations that I’ve encountered in the past like this. We would have pentests done and vulnerabilities would be discovered. The necessary platitudes would be delivered and the perfunctory handshakes and head nods would be issued. Only to see the same vulnerabilities show up on a report the following year. “Why is this hard?” I would wonder out loud to no one in particular. Why would this pattern of behaviour continue?
That couple from Chicago really sent me into a spiral after they had left. Many organizations have their stated mission. They have their functions, but there isn’t always an appetite to concentrate on items that are not in their core competency. They have their map and know where they want to go, but are seemingly unaware as to the pitfalls that await them.
Security situational awareness is something that needs to be better developed in organizations in general. We can’t just let them fumble along in the hopes that they will get to their destination. There needs to be a concerted effort so that they don’t get pickpocketed along the way.
I slumped back into my chair and beckoned the waiter to come to the table. I was going to require more wine.