In a scathing and far-reaching US Congressional report released recently, the Transportation Security Administration (TSA) was characterized in these unflattering terms: “Since its inception, TSA has lost its focus on transportation security. Instead, it has grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power, and acting reactively instead of proactively.”
Speaking of acting proactively, we were recently asked about what cybersecurity challenges companies can expect in 2012, and how to plan now to be proactive in their security stance. Lessons learned from this report on the TSA may help you improve your strategy for next year’s planning.
The big lesson? Spending big money does not guarantee positive results without a clear vision and leadership to get there. According to the report, “Over the past ten years, TSA has spent nearly $57 billion to secure the U.S. transportation network, and TSA’s classified performance results do not reflect a good return on this taxpayer investment.” Continuing, “…lack of steady leadership, combined with long periods of time between Administrator appointments, has often left the agency rudderless and floundering.” Not a positive outlook. What has the result been for the organization? The report opined, “the status and mission of TSA have gradually eroded to make the agency a tangential and inert unit within DHS’s massive structure.”
Certainly, that must not have been the original goal for the initiative. In your organization, it may seem like more budget is the only way to get where you’re headed, from a cybersecurity perspective. There are lots of shiny brochures touting the “advantages” of spending tons of money buying server racks full of the latest security appliances “guaranteed to make you secure.” Don’t bet on it. While updating your infrastructure technology is important to keep pace with threats, without clear leadership in place and clearly defined goals, you may not end up with the results you expect. The TSA report highlighted security expenditures gone awry, saying, “TSA wasted $39 million to procure 207 Explosive Trace Detection Portals, but deployed only 101 because the machines could not consistently detect explosives in an operational environment. After lengthy and costly storage, TSA recently paid the Department of Defense $600 per unit to dispose of the useless machines.” Not good news.
We recently wrote about securing your organization in 2012 without breaking the budget. Among the pieces of advice were things like reviewing your network architecture to ensure it is properly segmented by function to avoid “toxic spill” scenarios where problems in one business unit rapidly spread to others. This is the kind of solid network best practice that may cost very little. Another way to find out where your organization might need shoring up is to run a security audit. Whether you do it internally with your staff or hire outside experts, you may be surprised by what you find. Often, the areas you suspected were weak aren’t necessarily the ones the audit turns up. And with the findings, you can narrow down your purchase wish-list significantly.
Once you’ve covered the basics, then you may find you wish to beef up your equipment to the latest/greatest inline realtime security appliances as budget allows. But spending alone is no substitute for a plan, leadership, clearly defined goals and experts you can trust. Without those pieces in place, you might wind up spending a lot and still not meeting your organization’s goals. Let’s hope not.
Author Cameron Camp, ESET