Finding The Hidden InfoSec Story

Backstage Rider


In the 1980s, rock bands were known for excess off the stage much more than on it.

While Spinal Tap had ridiculed that excess on the stage to the point of absurdity, off it the classic scene with the “small bread” showed that it is best to get your facts right when making a request of someone you don’t know. However, what I want to establish with this analogy is how the concept of the backstage rider can be related to IT policy.

Our subject is American rock legends Van Halen. On one of their tours, their rider demanded a bucket/bowl (depending on who you believe or read) of M&Ms, famously “with the brown ones taken out”. This was later, and historically, put down to rock star excess and ego.

On the contrary, though, this was put in not because of “Diamond” David Lee Roth’s egotistical behaviour or a repulsion towards the brown-shelled delicacy. Instead, it was to ensure that the event staff had actually read the rider in advance of Van Halen arriving. If there are no brown M&Ms present, then there is the proof that the staff have read and obeyed the request.

Spinning this into an information security angle, IT management prepare a company IT policy that staff receive on day one of joining the company and sign without reading (I’m talking from personal experience here from a previous position).

Often these are spread over several pages, rarely updated and hard to consume for a current member of staff, let alone someone starting on day one who is expected to understand the company compliance standpoint.

Van Halen made a simple demand that ensured that the venue staff would read the rider, and that the band and management would know it had been followed. With IT policy, simple steps to know that it has been read are not hard to implement either.

Consider spot tests of the policy, company challenges and outreach efforts to ensure that the policy is being followed. If it is not, evaluate whether the problem is with your staff or your policy, and act from there. The simpler your IT policy is to follow, the fewer mistakes should be made.

Author: Dan Raywood
