A Teaching Moment

It may seem like ancient history when you read this column, but it makes academic sense to focus on the attempted terrorist attack on Christmas Day 2009 on Northwest Airlines Flight 253. A Nigerian man named Umar Farouk Abdul Mutallab attempted to detonate an explosive device on the Airbus 330 carrying 278 passengers and a crew of 11.

Thus, the holidays turned from a traditionally slow news time period focused on football bowl scores to one of high energy debates on the weaknesses of current TSA policies, the ridiculous delay of Erroll Southers’ confirmation to head of the TSA (and a member of Security magazine’s 2009 Class of The Most Influential) and some competency questions about DHS Secretary Napolitano’s capabilities for her job. There was no shortage of experts that shared their opinions, discussed new technologies and pointed fingers.

For the non-security professional, this thwarted terror attack became a teaching moment. And maybe it did in your organization too, as the discussions and debates centered on some core issues that may affect your enterprise.

How can you use the information? One way is to present this as a case study to your CEO and your Board: show them how difficult your job is, because if government agencies and experts don’t know what they are doing, how can they expect so much from you? But I don’t advise that course of action.

Rather, this is an opportunity to expand the “security culture” within your organization by:

• Reintroducing the importance and reasoning for security policies and the value of compliance to reduce risk.

• Demonstrating and/or applying new technologies and their use in securing people as well as your business to overcome privacy concerns by focusing on benefits.

• Hammering the value of communication to expand security’s scope and ability to identify risk and prevent events by breaking down silos, information gaps and focusing on prevention.

• Clarifying the advised actions of your stakeholders in an emergency situation so that liabilities are reduced and expectations clear.

Risk Mitigation: The attempted attack on Christmas Day renewed the debate between prevention and event response, with a focus from “stopping terror” to simply “tightening security.”

Which led to a debate about privacy and profiling. As a result, your employees and other stakeholders may be more aware of these issues and are perhaps divided on whether you are invading their privacy, increasing their safety or both.

This is a good opportunity to place the benefits of safety and security policy front and center. As one passenger reflected about airport security: “What good is my privacy if I’m dead?” In fact, a recent Harris Poll shows 96 percent of Americans support uses of video surveillance to counteract terrorism. While your situation is (hopefully) not so dire, a similar statement linking policy to personal safety is valuable.

Technology, as a valuable tool, not Big Brother: Since 9/11 there has been an unrelenting supply of new security solutions (80 pages of them follow this column) and many have been designed specifically for the air travel sector. While the air travel security program is clearly less than perfect, it has limited the size and scope of weapons that can bypass security. And while a weapon made its way onto Flight 253, there was sufficient time for an effective response.

Security technology is a two-edged sword that creates a high-tech détente. Access controls provide a balance: they prevent a person from going where they should not, but also protect someone from being in harm’s way. We give something up and we gain something, too. This is your opportunity to show security technology’s value.

Communications: Since 9/11, DHS has been created with the promise of a united approach to security and a focus on information sharing. But the silos and poor communications seem to persist in government today, according to former DHS Secretary Chertoff (see Jeffrey Rosen’s comments in the December 2009 issue of The New Republic). While many security leaders pledge to break down silos and collaborate across their organizations, they sometimes fail.

This is a powerful time to reach out and identify appropriate communications programs that will help your organization. Is the information that you provide across your organization clear and sufficient? Is the information you are receiving adequate for securing your internal customer?

Appropriate Response: The passengers acted immediately to extinguish the device and subdue Mutallab on Flight 253. Being aware, prepared and taking ownership for one’s own safety and security; being ready, willing and able to communicate concerns and err on the side of false alarms are known as key elements of a successful risk mitigation program by you and your peers, but it was eye opening to the general public on Christmas Day. It is being suggested by experts and pundits that John Q. Public take action into their own hands in times of threat. Is your company recommending to its employees that they become action heroes?

Do you want your employees to evacuate the building when the fire alarm sounds or fight the fire? There is no clear playbook here, but when events unfold, there is a difference between an individual not following policy and not having a policy.

We have not heard the last of this incident and its impact on how we travel. But if the recent mass-market exposure can be steered toward actionable change at your organization, thereby increasing both the economic and perceived value of your security program, then it has been a teaching moment.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.