As a global traveler, I tend to be subject to more than anyone’s fair share of security checks. This means that I am ready for them, and also tend to find patterns in things. For example, if you are in a domestic US airport (where security is TSA, not private), you don’t have to take your liquids out. I have been putting them in the top pocket of my roll aboard for years now and have only been stopped in Bozeman, MT (private security), where all the bad guys go. But try that same trick through London Heathrow, and you are guaranteed a 15-45 minute delay.


Chris & I at Trevi Fountain.

I visited the Vatican on Saturday, and thought the security was peculiar. For example, getting through the Vatican Museum (the only way commoners can go to see the Sistine Chapel) requires a basic security check, but I only had to put my camera down on the belt and the metal detector didn’t go off with my phone in my pocket. After going through there, we went to see St Peter’s Basilica and were forced to wait in yet another security line. This one was pretty amusing as EVERY third person or so set off the metal detector, but the guard just waved everyone through without even looking at why we set off the alarm. I guess it pays to tour when there are crowds.

Security controls really have two major characteristics that make them enforceable and respected. They must be relevant to the user (I would expect to have a complex password or be checked for guns when entering St Peter’s), and consistently enforced (if there is a complexity requirement in policy, machines better enforce it when I test it). The human element may bring some challenges here where people try to test parts of the control (if I think passwords are stupid, I just write them down somewhere), or find creative ways to subvert it. Compliance initiatives sometimes hurt us here because users don’t see the relevance, and systems don’t properly enforce the controls… just like what I saw at St. Peter’s.

The most accurate representation I have seen thus far was in Florence at one of the MANY museums. My phone set off the metal detector and the guard asked to see what was in my pockets. I showed him, and he let me through. That seemed to be a much more appropriate use and enforcement of controls. So as you design your controls, think about the user experience (and be sure you are subject to the same control!).

This post originally appeared on BrandenWilliams.com.