Finding The Hidden InfoSec Story

Turning Right At The Doors – The Importance of Access Control

Photo Credit: b-e-m via Compfight cc

Who doesn’t love the frisson of getting an upgrade, especially when you’re facing the prospect of a long business flight? The transport industry’s pricing strategy is based on the fact that people will pay (or at least get their companies to pay) for lounge access or a seat on the ‘posh side’ of a flimsy curtain on a short-haul flight, as they perceive value in the difference from the standard service. The pricing differential is even more acute on a long-haul flight, where airlines have a near monopoly (it’s not like the customer will hop on another flight if refused an upgrade, after all) and they know that those to whom they decline entry have little choice but to come back.

Airlines use access control to create a feeling of exclusivity and to charge a premium price. Potential new customers for the elite service are occasionally upgraded, so that they know what they are missing and will be motivated to push their employer to upgrade them in future. There is no value in protecting the information that a free massage is available in ‘Upper’ Class, and if an airline upgrades someone to an empty seat, it costs them nothing.

In other businesses, decisions concerning access control are far more difficult. In the Cyber Security world, I can’t use this trial-by-error method. I need to know what information I own and where it is stored. I also need to know what information the users can access through their job role, management level, partner status, etc.

So how do you make decisions about what is important if you don’t know what data you have and where it is? How do you decide who should see that information? Even more importantly, how do you make sure that you don’t offend your partners and customers by refusing them access or, worse still, giving them such unlimited access that having access becomes devalued, so that they think anyone can get in and they stop trusting you? Do you want them to feel cheap by implication, a sort of Groucho Marx “I never wanted to be a member of any club that would let me in”?

If you can take the time to give your data identity, you can make more informed decisions about who is given access to it, delivering the access needed to keep your business moving, without the risks associated with a blanket ‘Access All Areas’ pass.


Author: Martin Sugden
