What TSA Shows Us About Data Security Policy


This Thanksgiving holiday, we had company at our house, so that meant my view of the TSA airport security drama came from my couch and what I saw on TV or read online. I heard the term "security theater" thrown out a lot over the past week, as well as a lot of commentary questioning whether or not we can do this better.


I couldn't help but think that TSA's security problems run parallel to security issues and policy in so many different venues, including information and network security. The need is there. The good intentions are there. But the execution of the policy has a lot of room for improvement.


As it turns out, this very same notion was also on the mind of Robert Lemos at InfoWorld. Lemos thinks that TSA's poor handling of the enhanced security through full-body scanners and thorough pat-downs could be an example to CSOs and CISOs and others in information security. He wrote:

Now, most companies do not have to deal with the public in the same way that the Transportation Security Administration does. Yet, as information security measures become increasingly intrusive, creating strict policies and educating security staff on those policies become important.

In addition, companies need to make sure that their policies make security sense and are not "security theater," where procedures are more a performance to make people feel safe than a precaution to actually enhance security. Despite massive changes in screening processes, many experts doubt that Americans are much safer. In a recent speech, Adam Savage of "Mythbusters" poked fun at the TSA for scrutinizing his naked body but missing the 12-inch razor blades that he accidentally left in his carry-on baggage.

Another lesson is the importance of a security policy that covers everyone and everything. One of the defensive comments about TSA's new security is that only a very small minority are asked to go through the new scanners, and the pat-downs are for those who opt out. So the vast majority of us will continue to use the old method. But how does that make for better security if only one in ten gets extra focus? Data security often has similar holes: there is a policy in place for computers on the internal network, but none for people accessing the network on smartphones or personal devices, for example.


Bottom line: The biggest takeaway from the TSA situation is that good policy and good intentions are fine, but they don't mean much without the right execution and enforcement.