ABC News reported yesterday that TSA airport screeners at dozens of U.S. airports failed to detect banned weapons, mock explosives and bomb vests, in 67 out of 70 tests. The top TSA official in charge has been replaced. Details will soon be available from the DHS OIG. Homeland Security News Wire covers the story.
Experienced security managers remind me constantly that “what you don’t measure, you can’t improve”, and its corollary, “if you never test your performance, you’re failing and you don’t even know it.” Shockingly, even the most security-conscious US agencies often fail to apply these simple lessons until their own security incidents make the headlines.
This incident should remind security managers that:
- Your weakest link is usually human complacency, especially amongst your lowest paid employees, therefore you must put in place a process that self-corrects and self-improves, through regular testing, checks-and-balances, redundancy, incentives (financial and otherwise).
- Reserve enough budget to conduct security penetration tests, held by external security consultants experienced in your industry. Resist pressure to go for the cheapest provider – your organization’s reputation is at stake and your job may be on the line. You don’t want to make the headlines… at least, not until you can demonstrate a quantified improvement in performance and justify your next pay raise!
- You need advance warning when problems are about to arise, e.g. response time is degrading for a specific facility, person. You must collect enough of the right metrics to pinpoint outstanding performance (e.g. to reward employees that work well or discovered new ways to improve productivity) and to correct bad performance (e.g. train or replace some employees or managers). Automation is key here. You must assume that any manual step will eventually be forgotten or done incorrectly, unless you constantly verify compliance.A good security management software can help streamline performance measurement and automatically verify that no member of your team drops the ball.
The media and general public will complain loudly about these new TSA failures, and rightly so. But the TSA has taken the first step to make things right. They are confronting reality. They finally performed these tests and that are going to share some of the results publicly. Many other agencies don’t provide sufficient security transparency or have ineffective security regulations that don’t test performance, or worse, test vanity metrics.
I’m an optimist, so I bet that 2 years from now we’ll start to hear positive stories. The best airports will proudly announce their near-perfect screening score. The DHS, TSA and other aviation authorities/regulators should take this opportunity to quantify the gains achieved through their security funding, to reward airports that spent our taxpayers’ money wisely, and to pressure airports that perform poorly to replace incompetent employees and force them to improve procedures.