Just in case you missed it, the Transportation Security Administration (TSA) is missing a hard drive containing some 100,000 current and former employee payroll records. The missing data contains names, Social Security numbers, payroll information, bank account, and routing information.

The hard drive was discovered missing last Thursday (May 3, 2007) from a TSA controlled security area. By Friday, the agency began notifying affected employees. The missing data covers TSA personnel employed by the agency from January 2002 through August of 2005.

Obviously, this has caused a stir among TSA employees, Homeland Defense, and of course, Congress and the White House. I’m still shaking my head about this one.

The reason I am so perplexed is that I have always preached that security is a culture and that it is not something you “do,” but a lifestyle, so to speak. Organizations that have cultivated a security culture have ingrained it in their employees that you think about security in everything you do. Furthermore, there are serious consequences to those that slip up and violate security policy.

Having said that, one would think that the TSA — an arm of Homeland Security — would have this culture of security. Yet kapow! A doozy of a breach like this pops up. What gives?

My guess is that — contrary to what many might think (or maybe not) — the TSA lacks this culture of security, and here are my reasons for saying so:

  • The TSA is a young organization; it is not quite six years old. It was created on paper on November 19, 2001 in the wake of 9/11.
  • It was initially an arm of the Department of Transportation and was tasked by Congress to “recruit, assess, hire, train, and deploy Security Officers for 450 commercial airports from Guam to Alaska in the span of 12 months.”
  • The organization moved from Transportation to Homeland Security in March 2003. Homeland Security is only four years old and on its second director.

Given the above factors — a hurried creation, a massive and rushed hiring effort, four significant changes in leadership, and a workforce that, for the most part, is “tolerated” by travelers; and you have to wonder if the organization has a culture at all!

Please do not take this as a diatribe against the hard-working employees at the TSA, because it is not. It is just recognition that given the circumstances under which it was created, the organizational changes it has undergone, and the enormity of its responsibilities, it’s not surprising that this has happened after all.

Additionally, the fact that the position of Cyber Security Chief has been held by four different individuals since Homeland Security was created and you realize that the TSA is bound to have more than its share of IT security challenges; I’m sure we just haven’t heard about them all.

It’s tough in any organization that has had this much change to create a culture that does much of anything correctly. Add in the fact that TSA is an outward facing organization (unlike the CIA which is constantly examining its belly button) and is more focused on catching the bad guy out there rather than wondering if there is one in their midst, and the fact that IT security is often talked about but rarely acted upon and we begin to see the challenges TSA faces every day.

Given all this information, should one excuse this massive breach in security? Of course not! We just now have a little more context in which to understand how something like this can happen and the knowledge to know that it is going to take some serious effort to remedy the situation. This effort has to be implemented from the top down and be more than lip service if the TSA is going to prevent something like this from happening again.

On the bright side (if there is one), in order for large bureaucracies to learn anything, it often takes something catastrophic to make them change. Perhaps this will be the jolt that sends TSA and its management in the right direction concerning IT security. This is small comfort for TSA employees today — and selfish on my part — but I would prefer the lesson be learned now rather than after a breach of confidential data from the millions of records it must hold regarding passengers. That scenario is just plain scary!