What TSA Shows Us About Data Security Policy

Sue Marquette Poremba

This Thanksgiving holiday, we had company at our house, so that meant my view of the TSA airport security drama came from my couch and what I saw on TV or read online. I heard the term "security theater" thrown out a lot over the past week, as well as a lot of commentary questioning whether or not we can do this better.


I couldn't help but think that TSA's security problems run parallel with security issues and policy in so many different venues, including information and network security. The need is there. The good intentions are there. But the execution of the policy has a lot of room for improvement.


As it turns out, this very same notion was also on the mind of Robert Lemos at InfoWorld. Lemos thinks that TSA's poor handling of the enhanced security through full-body scanners and thorough pat-downs could be an example to CSOs and CISOs and others in information security. He wrote:

Now, most companies do not have to deal with the public in the same way that the Transportation Security Administration does. Yet, as information security measures become increasingly intrusive, creating strict policies and educating security staff on those policies become important.

In addition, companies need to make sure that their policies make security sense and are not "security theater," where procedures are more a performance to make people feel safe than a precaution to actually enhance security. Despite massive changes in screening processes, many experts doubt that Americans are much safer. In a recent speech, Adam Savage of "Mythbusters" poked fun at the TSA for scrutinizing his naked body but missing the 12-inch razor blades that he accidentally left in his carry-on baggage.

Another area to include is the importance of a security policy that covers everyone and everything. One of the defensive comments about TSA's new security is that only a very small minority are asked to go through the new scanners, and then the pat-downs are for those who opt out. So, the vast majority of us will continue to use the old method. But how does that make for better security, if only one in ten gets extra focus? Data security often has similar holes: There is policy in place for computers on the internal network, but none for people accessing the network on smartphones or on personal devices, for example.


Bottom line: The biggest takeaway from the TSA situation is that good policy and good intentions are fine, but they don't mean much without the right execution and enforcement.

Nov 30, 2010 4:33 AM Fred says:

Not only are the X-ray scanners questionable in their safety, but the way they are used is flawed.

Follow this:

The X-ray scanners were implemented primarily because of the undies bomber who was apparently using plastic.

Yet, you'll be required to go through the X-ray scanner if you set off the metal detector.

So, with that in mind, someone wearing plastic won't have to be scanned?

That doesn't make sense.

I'm 100% for airport safety, but I hope they'll come up with and implement intelligent solutions soon.

Dec 1, 2010 11:06 AM Ann All says:

I believe the main reason we are seeing X-ray scanners and other 'high tech' security measures is not to catch terrorists (the scanners are an ineffective method of doing so, at best) but to reassure the traveling hordes that we are doing 'something' about terrorism. In that sense, it is theater.

