When security doesn't work
A few days back, a hater named Umar Farouk Abdulmutallab tried to explode an airplane and kill 289 people aboard and maybe more on the ground. He was stopped by another passenger, Jasper Schuringa, a Dutch movie maker.
The US Department of Homeland Security and its Transportation Security Administration quickly issued statements. They introduced new security measures. The TSA doesn't really say what those measures are, but various reports and airline Web sites mention stuff like this:
Air Canada said in a
statement that new rules imposed by the Transportation Security
Administration limit on-board activities by passengers and crew in U.S.
airspace. The airline said that during the final hour of flight
passengers must remain seated. They won't be allowed access to carryon
baggage or to have any items on their laps.
attendants on some domestic flights are informing passengers of similar
rules. Passengers on a flight from New York to Tampa Saturday morning
were also told they must remain in their seats and couldn't have items
in their laps, including laptops and pillows.
Note this: if the rules were already in place and the passengers strictly followed those, Mr. Schuringa wouldn't be able to subdue the terrorist: he had to leap over few seat rows to do that. Apparently, it's no longer allowed. It doesn't matter that explosives and flammable liquids were not allowed on the plane in the first place, and the TSA failed to enforce them. They issue a new ruling that doesn't make sense (last hour, huh?) and is almost impossible to enforce. Reminds me of the TSA requirement not to congregate on a plane headed for the United States.
This is not security, this is damage control. Happens too often in the government, and in the corporate world as well.
Doing your job is hard but not impossible: analyse why security measures failed, and correct the problem. If the measures are wrong, try something new. Like, in case of transportation security, sedating all passengers.
It is okay to acknowledge your errors. But it is a definition of waste not to, and keep doing same. Take information security. Firewalls don't work? Implement more firewalls. Intrusion detection systems don't detect intrusions? Rename them intrusion prevention systems, and spend some more. Sounds familiar?