Cool as McCumber

Dec. 10, 2010
Of security people and their technology

I travel by air for my day job, and I do so a whole heck of a lot. I have become what is euphemistically known as a "frequent flyer." I have since noted that as much attention as frequent flyers get from the airline industry and media outlets, we are still a small minority of the American citizenry.

I assume we are such a small minority from my interpretation of two admittedly minor sources of anecdotal evidence. The first was the release of the movie "Up in the Air" starring George Clooney. Everyone I meet who finds out how much I travel by air tells me I absolutely must see this movie. I have never seen the movie - not even on an airplane that can feature a dozen first-run movies on the entertainment system. It's not that I don't want to see it - it's simply that I have never seen it available anywhere. Sure, I could seek it out and rent it through one of those online services or red kiosks, but that's too much trouble for me. I'm a passive movie watcher. If a big A-list actor like Clooney can't interest movie buffs in a story about a frequent flyer, it must be that most Americans could care less.

The other anecdotal evidence I considered was learning from federal government sources that four out of five Americans preferred the new, enhanced screening procedures being implemented by the Transportation Security Administration. I must assume this ratio is the number of Americans who are not frequent air travelers as opposed to those who are. If you travel by air frequently, you can bet you have concerns over passenger screening.

By now, you have seen dozens of stories about the new backscatter radiation body scanners, and the enhanced pat-down procedures for those travelers who would prefer not to get the radiation exposure and provide images of Picasso Porn for the amusement of government employees. This new technology comes with risks of its own. Now frequent flyers have to weigh the likelihood of increased cancer risks associated with exposure to this new radiation source. These risks then must be weighed against the risks associated with the enhanced "pat-down" procedures for those opting out of the radiation. These could include germs passed from other travelers when those performing the pat-downs don't change their gloves between examinations.

Providing a passenger screening process for millions of travelers daily is no doubt a burdensome endeavor. However, grounding your primary security measures on a specific technology creates problems many fail to consider. The first is cost. I have tried searching for a couple of days to determine exactly how much the U.S. taxpayer had to cough up for these scanners, to no avail. I am assuming, from my experience with similarly scaled government technology purchases, that the number is in the high hundreds of millions at a minimum. With any security technology, however, acquisition costs are only the tip of the iceberg.

After these behemoths are built and shipped to their destinations at American airports, they have to be installed, tested and ultimately maintained for their entire lifecycle. Policies must be developed for their application, and manuals and training materials developed. Thousands of agents and technicians have to be trained in their use. Spare parts and the logistical infrastructure to service the scanners must be developed and deployed. All of this investment must be made before one person is scanned.

What happens, then, when the people being protected by the security technology don't accept the security experts' risk analysis at face value? What if you failed to ensure your technology would be embraced as a necessary security function by those on whose support your job rests? What if your charges decide the cost of the cure finally exceeds the cost of living with the disease?

After you have accomplished all the Herculean tasks of performing a risk analysis, developing the technical specifications, choosing a developer, building and fielding the technology, and investing in all the infrastructure, it's a very bad day when you find out you forgot to ensure the people being protected are on board with your program. How you, as a security expert, respond next will be critical.

You can demand that your constituents bow to your superior knowledge and foresight. You can demand submissive compliance with the new technology because of the huge sunk costs. You can criticize and defame those who disagree with your risk analyses. But by undertaking any or all of these responses, you are abdicating your role as a security expert.

Security experts practice their trade through the good offices of those they protect. If you damage that trust relationship, no technology can fix it. Determining which technology solutions to invoke is always the least important of our many security decisions. The human factor, on the other hand, is always paramount.

John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].