Security Reminders Inspired By Van Halen's Brown M&M Test

Blog Post created by B-C-METOYX Employee on Dec 12, 2014

It's a popular bit of Rock & Roll lore: the band Van Halen ran a test to make sure its tour contracts were actually being read, slipping in a clause that said there were to be no brown M&Ms backstage. Not surprisingly, the band found a couple of browns and trashed its dressing room in response.

The real story is a lot less dramatic. It wasn't about the band playing games with people. It was about making sure EVERYTHING in those contracts was being read. Frontman David Lee Roth describes it this way in his autobiography, "Crazy from the Heat":

Van Halen was the first band to take huge productions into tertiary, third-level markets. We'd pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors -- whether it was the girders couldn't support the weight, or the flooring would sink in, or the doors weren't big enough to move the gear through. The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say "Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . ." This kind of thing. And article number 126, in the middle of nowhere, was: "There will be no brown M&M's in the backstage area, upon pain of forfeiture of the show, with full compensation."

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you're going to arrive at a technical error. They didn't read the contract. Guaranteed you'd run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

For those in security, there's a valuable lesson here. Large enterprises constantly circulate thick stacks of to-do and not-to-do lists, directions on how to proceed, and so on. The smartest and most dedicated people are still human, prone to skimming a line here or a page there. But a skipped line can compromise an organization's physical and online security.

Akamai's InfoSec department has its own little Brown M&M tests, which we use to keep ourselves in check and make sure we don't let serious mistakes slip through.

My favorite example:

One of our security procedures mandates that employees lock their laptops any time they walk away from their desks. It's an easy rule to forget, especially if you have to run to the bathroom, or you spot someone in the office you've been looking for and rush over to catch a moment of their time. If we get caught forgetting that rule and leave a machine unlocked with the screen open for passers-by to read, we have to buy a round of coffee for everyone.

Akamai InfoSec Senior Program Manager Dan Abraham tells the story: "I got caught on my second day on the job. My boss found my machine unlocked and sent me the 'coffee' message. I was mortified, but she gave me the best wake-up call to how seriously we take this rule. I set up two shortcuts to quickly set the machine in locked mode."

When we get caught forgetting about our own rules and get penalized, you can bet we're a lot less likely to forget the next time.

It's all in good fun. No one's room gets trashed, and I get free coffee -- unless I'm the guy who gets caught with an unlocked screen.