Photo Credit: The Lowry, Salford via Compfight cc
The Great British Bake Off has become a surprise hit on BBC television, bringing together amateur bakers to compete against each other under the critical gaze of the expert judges.
Each week, one of the contestants is eliminated and the result is supposed to be that we end up with the amateur baker of the year. But I am not always convinced this is the only purpose. Along the way we get to meet the most weird and wonderful people who seem to have difficulty assimilating with each other in a large tent. Last year we had the famous Alaska-gate where one baker was nobbled and ended up throwing his Baked Alaska in the bin out of frustration. This year we have already had betting suspended as the result has been leaked (rather like Dorret’s mousse in the latest series).
What has this to do with InfoSec? Let’s begin with complacency and covering up the truth. The expression WYSIWYG, what you see is what you get, is much used in IT. However, it can cover a multitude of sins, rather like icing. Many of the bakers create cakes where the underlying structure is not particularly good and the texture is wrong, but when they present them to the “Gingham Altar” they are covered in icing or cream and you cannot see the cracks underneath. It is only when judges Paul Hollywood or Mary Berry cut into the cake that we can see the faults. Your security infrastructure can be rather like this. Your management information may give you a wonderful warm feeling, but as soon as a capable hacker comes along, the underlying cracks can very easily be shown up. On the TV show, the result is merely a red face and some acerbic comments from Paul and Mary. In the real world the outcome can be more serious.
There is another aspect of GBBO I think we can learn lessons from too. In the technical challenge, the bakers are given a classic recipe from either Paul or Mary but some of the information is missing or vague. It is then their job to implement the recipe to get the correct outcome. Doesn’t this sound awfully like implementing a security policy? If everyone involved in implementing the policy does not have all the information, then the outcome will be unpredictable. Even worse, if the end users find the policy (or recipe) so complex that they cannot understand it, they may think they are compliant without fully realising they are not. The recipe for your users should be clear and in language that they can understand.
A final point about this and other cooking shows is one of intellectual property. Probably the biggest single fiction genre on the market currently is cookery books. Anyone who gets to the final of Masterchef or GBBO will almost certainly have the opportunity to write a cookbook. The only issue with this is that if you are making your best recipes on the show, you are effectively giving your ideas away for free. This is akin to publicly giving away your intellectual property in business without sufficiently protecting your interests. If what you are making public is what differentiates your company, try not to let other companies see how you do it.
The Great British Bake Off is about as British as it gets. We have dry wit, tears, high camp and the inevitable patting on the back as the losers are shipped out each week trying to keep a stiff upper lip. But as a model for InfoSec awareness, there are some points I think we could all learn from.