Why you really shouldn’t hate the TSA

2018-09-06 By SecureSteve

Oh, the good ol’ Transportation Security Administration. The federal body everyone loves to hate. They make you take your shoes and your belt off. They take ‘funny funny’ pictures of your body with a special scanner. There are also countless stories of ‘items’ the TSA has missed. However, they won’t let you take that bottle of water through…

Oh, how we love to hate

Everyone has stories about the TSA. Not everyone has an extremely negative story, but clearly frustrations with this organization are widely known. It is easy to hate, though! Think for a moment about all of the inconvenient things the TSA makes you do, just in the name of “security”. So, I have to go through all this hassle, and all this effort, just to guard against something that isn’t likely to happen anyway. Plus, is my Gatorade bottle really a security risk?

So, what gives?

For one, when is the last time you’ve been on a plane where an ‘incident’ occurred?

A corollary into the world of CyberSecurity

For those who are in or supporting the world of CyberSecurity, do you also hate the TSA? Have you had ‘bad’ experiences? If you take a couple of steps back, can you see any correlation between their struggle and the struggle of your day-to-day job? Some obvious examples from the larger user base we’re trying to keep safe:

  • Look at all of this hassle I have to go through (Two-factor auth, VPN tunnels, password changes, sanctioned apps, blocked websites, etc.)
  • Look at all of the things I can’t do (install whatever I want, access any websites I want to, keep my machine unlocked, etc.)
  • When was the last time you did something (Assuming cybersecurity works perfectly, nothing happens and no one knows it is there).

Why should the average public care?

A quick question to the casual reader – If you knew that one in ten flights crashed or had a bomb on it, would you board that plane?  Probably not.  What if that number was one in ten-thousand?  Maybe you’d risk it.  However, according to the FAA, there are 42,000 daily flights supported by their own Air Traffic Organization.  So, if four planes (traversing the US) daily had an incident, would you still get on a plane?

The point here is that the rate of incidents on aircraft is not one in ten, or even one in ten-thousand.  In fact, per person, the average rate of an incident is less than one in 2.5 million (as there are an average of 2.54 million fliers just in the US, daily).  (I guarantee that no one reading this post has been on a commercial plane that has crash landed, or worse.)

A call to action for security professionals 

First, security professionals must support our colleagues and peers in their efforts to keep people safe.  We all know it is a thankless job!  Again, the ‘best’ thing that can happen is that nothing happens and no one knows about it.  That’s a tough thing to swallow.  We must support those that are in the industries of safety, and enable them to do their jobs.  We are all in this together.

Secondly, use some examples of the TSA to help evangelize the benefits of a good security team and solution:

  • Making things easier
    The TSA has introduced or supported concepts such as TSA PreCheck, GlobalEntry, and ClearPass to make traversal a breeze.  Your security organization has enabled self-help portals, multi-factor auth from your smartphone, and proper apps that can be used to perform the basic functions needed for your job.
  • Soliciting feedback
    The TSA is very active on Twitter.  If you tweet at them, you’ll receive a response in very short order.  The handle @AskTSA responded to my question within minutes.  Most security organizations care about user feedback.  If something isn’t working properly, organizations make efforts to remediate those types of issues.  They also provide channels for feedback and user interaction.
  • Effectiveness
    It is easy to point out when things do not succeed (some missed item by the TSA, or a phishing email that caused a ransomware outbreak, etc.)  However, we must regularly reinforce the positive things the TSA provides, as well as our own security posture.  Helping to evangelize that not all positive things are well known will be a huge step in gaining the wider user base’s buy-in.

Just Remember…

As a security professional:  Some of what we do is NOT wrong!!

#StayVigilant

#StaySafe

#LookoutForEachOther

#SupportSecurityProfessionals

#SecProsInTheWild