TESTING TESTING

Years ago, when I left my career as a landscape designer/contractor to become an IT geek, I summed up my experiences by writing a book on home landscaping. Now that I have parachuted out of IT, I have been looking back at the three-legged stool—security, risk, and compliance—that consumed my attention for years. And guess what—I see similarities between information technology and education.

Way too many similarities.

In both cases, we teach (or code) to the test. We are obliged by governmental authorities to meet certain criteria--HIPAA, Social Security, PCI, Sarbanes-Oxley, and more. And that's just in the U.S. We measure, we poke and prod, and we pass along our data, which gets mulled over by bureaucrats near and far. But make it too mechanical, do it too often without thinking about the cost and benefit, and even if we ace every test thrown at us, we flunk. Because we have to design good tests, and this is far harder than it looks. For now, let’s look at one area of security and see where it takes us:

PHYSICAL SECURITY: My colleague Hans and I took a high-level inspection tour of a server farm (yes, a cloud) in a European city. The place was not easy to find. Its location was not listed in the phone book or findable via a Google search. But we had an address. We crossed streetcar tracks and wove our way through a light-industrial area to an unmarked and initially unremarkable building. We examined shrubbery, walkways, physical means of access. We looked for areas where people might hide–either to attack employees or to gain unwanted entry into the building. In this case, there was nothing green anywhere. Lines of sight were clear. The chain-link fencing was two-layered, fringed with accordion wire. We checked the security lighting—stanchions festooned with lights, high and low.

The gate – Was it a simple rising/falling gatebar that someone can walk around? No. It was an actual screened gate, with a guard to examine passes. There were physical car barriers guiding us in a Pac-man-like maze around a parking lot. Seriously—we zigged and zagged. Why? So a series of cameras could check us out from every angle as we approached. There was parking or access within a certain number of yards (ok, meters) of any entrances. We took a walk up a stairway into a gantry. We went through another ID check before the door to the gantry would open, then walked across the gantry to the actual entrance and signed in with a guard behind security glass. He inspected IDs, including passports (I had no local ID at that site in that country). We then turned things around and asked to inspect the guestbook, to verify that other visitors had been properly vetted before being granted entry. We were asked to leave all electronic equipment at the guard station—no cellphones, no cameras, no laptops, no nothing. We shed our second selves.

The rules say that we must be accompanied during our visit; we were. We walked down a concrete corridor to another guard, who escorted us to the room where our company’s servers were running.

We were not allowed to touch any hardware. We were not allowed to see any section reserved for another company’s servers. We checked the Halon system and inspection records, made sure it was up to snuff (that’s a serious pun). (Note to self: If Halon is released nearby, get out before you pass out. Huffing Halon is an early exit ticket.) We checked the HVAC and related documents (servicing schedule, sign-offs, dates). We checked the building structure for visible problems. (Note to self: Don’t build a server farm on fault lines or near fracking regions.) We checked for regular fire inspections. We checked the emergency generators, which looked big enough to power a sizable town.

All of these items we examined were on our tick-list, which contained more items than what I’ve run through here. Call it the curriculum guide of everything we were supposed to check for. And did all this prove the site was physically secure? No. It equated to a reasonable semblance of security. It means we more or less trust that all the sign-offs, all the lower-level inspections, were done thoroughly and responsibly. But there’s a long chain of people involved, and people are always the weak link.

So did we run through our tick-list and walk away with satisfied nods, thinking we’d checked out every possible avenue into the data center? No! Our mandate was not only to score the items on our test, but to be creative—to figure out what else should be checked, using what measurements, on what schedule. Because somebody, some company, some country out there is always trying to find novel ways to get inside.

I don’t want to stretch the testing analogy too far. But whether you’re talking kids or clouds, who will test the testers, to make sure they’re still relevant?
