• What do truckers in the inside lanes, the Georgia State Patrol, and infosec policies have in common?

    19 Jul 2025

    Security policies are garbage unless someone actually enforces them. They exist to tick boxes, impress auditors, and give leadership a warm-and-fuzzy about “doing security.” But when nobody lives by them, they’re nothing but paperwork liabilities. Certainly not the safeguards many assume them to be. They’re certainly not worth the paper on which they’re printed, or the storage space they’re occupying on the network.

    Security policies can be bad for business when a policy exists but isn’t followed. I think it’s worse than no policy at all because it creates a false sense of security and a giant liability when something goes wrong.

    As I drove through Atlanta for a business meeting recently I was reminded how, on Georgia’s interstates, 18-wheelers camp in the left lane by the dozen even when they’re not supposed to. Why? Because there are zero consequences. They apparently hand out commercial driver’s licenses to anyone they can, yet assume compliance will happen? Not with the newer generations of truckers, apparently. This has gotten so bad in recent years. I’ve made several cross-country road trips in the past few years and it’s a problem everywhere but certainly seems to be worse here in Georgia. 

    Check out this one example out of a half-dozen truckers on my drive with zero interest in following the rules of the road. Note the sign he’s driving under. 😁

    semi incorrect lane usage

    These 🤡s are everywhere. It’s odd because I don’t recall seeing these problems with older generations of truckers back in the 1980s through the 2010s. It has gotten bad just recently…since that virus thingy.

    You know what’s even more interesting is how these truckers get away with it. Zero consequences, it seems, except for the poor automobile drivers they end up tangling with.

    This leads me to the Georgia State Patrol (GSP)…Georgia’s “finest”. I may be wrong (I often am!) – it sure seems that the GSP guys are so busy flexing their shiny Mustang and Camaro muscle threatening to pull over speeders on holiday weekends that they don’t have enough resources to pull any trucks out of the inside lanes as they blow through metro Atlanta. Sure seems like wasted (600+) horsepower…and, of course, taxpayer dollars. And, by the way, speeders are NOT the problem…they are simply low-hanging fruit that these government agents can pick on to make it look like work is getting done. Here are just a couple of pictures of what I’m referring to:

    GSP Camaro

     GSP mustang

    Cool cars, GSP. I’m sure your officers love speeding in them. It’s a shame you’re not using them to fix real problems.

    On my drive last week, I couldn’t help but wonder past the GSP and ask myself where Metro Atlanta’s Cobb County PD and Marietta PD were as well. They certainly weren’t on I-75 enforcing our state’s truck laws. I suppose they were occupied with grander pursuits as well.

    It’s the same theater in the corporate world…Executives quote, if not wave, their password policies, zero-trust memos, and strict “cybersecurity” standards while ignoring employees who prop doors open or stash data on unencrypted USB drives. Or, they’ll complain about necessary security controls because they’re inconvenienced. Over the decades, I’ve written about the irony behind laws and policies and how useless they are because they’re not enforced. Here are a couple of pieces that are still published.

    “Security policy oversights we keep making”…note the date of this article. The same things are still happening.

    “People are violating your security policies and here’s why”…literally, because they can.

    You may have a policy or even 20 of them, but when policies are not enforced, it doesn’t matter…Defensibility isn’t about having the right words in your policy…it’s about demonstrating you act on them when it counts.

    So here’s the million-dollar question: What is it going to take? A fatal wreck caused by a left-lane semi? A mega-breach because someone ignores the password policy… again? A public exposure of agencies that refuse to do their job?

    I’m not pushing for AI traffic cops or surveillance cameras. We definitely don’t need more government. And most companies don’t need more security policies. I just want honest rules: if a law or policy is worth having, enforce it. Otherwise, scrap it. At least then expectations are set and no one pretends.