Don't pull a TSA on security policies

The Transportation Security Administration once again teaches us the wrong way to educate workers on security policy

If you're traveling today, bring a good book to read in the security lines. Travelers fed up with the security measures mandated by the Transportation Security Administration have declared the day before Thanksgiving to be National Opt Out Day. The wait could be long.

IT security folks should look at this as a learning experience and take note of the backlash against the TSA -- with its rallying cry, "Don't touch my junk!" -- as an example of the problems that poorly thought-out security policies can create. While the underwhelming choice between backscatter scanners and the "enhanced pat-down" has captured the public's attention, other recent incidents highlight the important role that training and education of employees in corporate security policy can play.

Take cameras, for example. The TSA has officially stated that it allows taking pictures of the security area, but it points out that airports and local officials could disallow it. In two recent cases, however, TSA agents have detained the photographer and declared that photographs are not allowed, even illegal.

On Tuesday, security professional Robert Graham took photographs of the screening area on his iPhone. The agents detained him and told him that picture taking is not allowed. At one point, when Graham stated that government agencies are accountable to the public, he was told that many are not, especially the TSA. Eventually, he agreed to delete one photo that almost showed someone being scanned, but plans to recover it later.

Last week, Steven Frischling had a similar experience. The security folks, however, seemed hostile, even claiming that Frischling had tried to hide his photo taking even though he was holding "a foot-long lens up to your eye that is wrapped in 2-inch wide flamingo pink tape." He was also told that photographing a security checkpoint is a federal offense. Frischling had the number of the TSA's Office of Strategic Communications and used it to clear up the situation.

In his blog post, he stressed that education about policies is important.

"If the TSA wants to chat about ideas for helping further the education of front line security, both TSA agents and the airport-based police departments they work with, I'd welcome that opportunity," he writes.

Now, most companies do not have to deal with the public in the same way that the Transportation Security Administration does. Yet, as information security measures become increasingly intrusive, creating strict policies and educating security staff on those policies become important.

One area that will push the envelope will be mobile devices. Increasingly, workers are bringing their own devices into the corporate network. Companies have every right to monitor those devices, but extensive monitoring -- scanning email, SMS messages, and phone calls -- has to be done in a way that protects employee privacy and with the full informed consent of the employee.

In addition, companies need to make sure that their policies make security sense and are not "security theater," where procedures are more a performance to make people feel safe than a precaution to actually enhance security. Despite massive changes in screening processes, many experts doubt that Americans are much safer. In a recent speech, Adam Savage of "Mythbusters" poked fun at the TSA for scrutinizing his naked body but missing the 12-inch razor blades that he accidentally left in his carry-on baggage.

Focusing on reasonable security policies that actually work can help companies avoid a variant of Savage's barb aimed at the TSA: "You look at my junk, but somehow miss this?"

This article, "Don't pull a TSA on security policies," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.