Image from Pixabay
"Beyond Customs I bought a watch," said Merlijn Kaiser in the novel Magnus by Arjen Lubach. The book is highly recommended, but this sentence deserves some attention.
Merlijn was at Amsterdam Airport Schiphol and took a flight to Stockholm. On such a
flight you encounter only one authority that performs a check: security. Apologies for the
vague term, but that’s what the airport itself calls it. It’s the inspection of
your hand luggage and yourself, checking whether you’re carrying anything that
could endanger the flight. Like scissors or explosives, just to name a few.
On flights outside the Schengen area (roughly outside Europe), you also
encounter the Royal Netherlands Marechaussee (military police), who check your
passport. But that’s not Customs. You almost never encounter Customs when
departing the Netherlands; they’re only interested in goods traffic. So, dear
Merlijn, there is no "beyond Customs" when you leave the Netherlands.
You only encounter Customs when returning from abroad. You know, after you’ve
picked up your luggage, just before the sliding doors where people are waiting
to pick you up.
It’s not uncommon for responsibilities to be confused. In the past, many
organizations thought that information security was something the IT department
was responsible for. And the IT department, in turn, thought the security team
should handle it all. Strangely enough, that was also the time when backups
weren’t made for certain systems because the client ("the business")
hadn’t asked for it. One side assumed everything would be taken care of, while
the other side strictly followed the assignment—and nothing more.
Now it’s the opposite. The business largely realizes that they are responsible
for securing their own environment, and that they may and must set
requirements. At the same time, many standard measures have been introduced.
When you buy a car, you don’t need to demand that it comes with brakes, seat
belts, and airbags; the law has already arranged that for you. The same applies
to information security: there are laws and regulations that describe the
minimum requirements a system must meet. Of course, an organization or internal
client can set higher requirements – if a risk analysis shows it’s necessary.
Because you never take measures just for the sake of it.
That doesn’t mean ad hoc measures can’t be taken. This can happen, for example,
when security professionals encounter a dangerous situation. While we’re not
responsible for "handling everything," we are responsible for
ensuring the organization is safe. In doing so, we sometimes apply professional
judgment. A nice term that essentially means: this must be done now because I,
in my role, judge it to be necessary. And you can trust that this judgment is
based on expertise.
Back to Merlijn Kaiser. Where did he actually buy that watch? Schiphol Airport has
two major shopping areas: one where you enter the airport buildings, and one
beyond security. That’s where he bought the watch. Without seeing a single
customs officer. But still, it’s a great book.
In the big bad world ...
- ChatGPT sometimes performs passport checks.
- It’s really time to say goodbye to Windows 10. [DUTCH]
- You should be able to decide how news reaches you. [DUTCH]
- There was a major vulnerability in Entra ID.
- Students pose a threat to their schools.
- Authentication mechanisms must resist phishing.
- Columnists are now also picking up on the need for European data sovereignty. [DUTCH]
- LinkedIn will soon train AI models with your data. [DUTCH]
- The Finns are seeing a sharp increase in hacked M365 accounts.
- A worm is crawling through npm packages. [DUTCH]