Doing the: the myth of security prioritisation by Philip Baum

In terms of regulation, few other industries can compete with aviation. Whether designed to address safety or security concerns, there are multitude of entities – some global, some regional and others national – making demands of airports and airlines. It’s often challenging to know which acronym one should comply with: ICAO? TSA? ECAC? EASA? NASP? OTS? DfT? CAA?

Industry associations then publish their own guidance notes and position papers, develop bespoke courses and promulgate what they believe to be best practice. All very worthy, but often confusing for the entity being regulated. I suppose the positive takeaway is that it’s actually illustrative of the severity of the threat; each party wishing to proscribe measures to prevent the next atrocity. After all, whilst we have recently witnessed terrorist attacks against entertainment centres, music festivals, beaches, mosques, hotels and numerous other locations where people gather en masse, no industry has been impacted by terrorism more than aviation; in all likelihood it will be targeted again.

Every regulator wants to put in place performance standards that its airports and airlines can be measured against. Equally very few states wish to take on the responsibility of performing screening functions. Customs, immigration, and quarantine services are almost never sub-contracted to service providers, yet airport security screening is often performed by contract security companies. And even when it is a governmental agency, such as the Transportation Security Administration (TSA) in the United States, performing such tasks, employees’ salaries usually fall considerably short of their counterparts in other governmental security services. As an example, starting salaries within the TSA are around $25,000, whereas Customs and Border Protection (CBP) staff start at $35,000.

Despite the ever-present threat, when it comes to security, no industry seems to try to reduce training time to the absolute minimum more than aviation. There’s always an excuse. Time. Budget. “We don’t face that kind of threat”. Operational demands. Seasonal employees. You name it, we’ve got the excuses at the ready. It begs the question whether regulation is actually a positive influence or a negative one? If regulations drive people to ‘adhere’ or ‘meet’ rather than to ‘exceed’ standards, then we have built in an inherent rein on innovation. It also creates a far more predictable security operation, thereby making it easier to plot around.

At conference after conference, and in meeting after meeting, airport and airline management echo one and other as they proclaim that safety and security are their number one priorities. I do not feel qualified to opine as to whether such declarations are true in respect of safety, albeit I get the strong sense that most of the major players are reluctant to cut corners in that area. Yet, whatever their public utterings, security is clearly not most CEOs priority. It is a necessary evil. It is a set of standards which must be complied with. But it is not a service to invest in, unless, in doing so, it improves passenger facilitation and the customer experience. It may well be that CEOs believe that their security departments are indeed going above and beyond the call of duty, but as businessmen and women do they truly wish to identify vulnerabilities and shortcomings in the system? Do they actually ask what more can be done?

“…whatever their public utterings, security is clearly not most CEOs priority…”

Airlines are guiltier than airports of this dereliction of duty. After all, most of the visible security measures are not their responsibility, however much IATA heralds the worthy Smart Security initiative. But even airports have been reluctant to promote professionalism, again illustrated by the general preference to outsource security to contract screening companies. Companies who pay their staff how much?

On the surface, it’s hard to persuade the bean counters to invest in security. It’s all outlay. Given the paucity of attacks against any one carrier, arguing the case for brand protection is an uphill struggle. Furthermore, there is a fundamental resentment felt by airline and airport management that they should even be responsible for funding security in the first place; they argue that it should be paid for by central government. Terrorism is not their fault. Nor can they do anything to prevent their carrier or airport being selected as a target. Perhaps this is why they are so keen to promulgate the view that aviation security is all about counterterrorism. The reality is, however, somewhat different. The vast majority of criminal acts which take place on board the world’s airlines or in its airports have nothing to do with terrorism.

Airline CEOs are held personally liable for any safety-related failing, yet the same rules do not apply in respect of security. I would imagine that there would be considerably greater investment in security if they could be held culpable for security failings.

At the Behavioural Analysis 2018 conference held in Cardiff on 14 and 15 March, perhaps one of the most striking statements was made by Ashly Helser, Security Specialist Operations Captain at the Mall of America. In the relatively unregulated space of shopping and entertainment precincts, and with local law enforcement on hand to assist in the event of an unlawful incident, the Mall of America has chosen to directly employ a team of 170 security officers. In itself, the decision to take on the responsibility of protecting its own guests and assets is laudable, but perhaps even more impressive is the commitment to training those employees. All undergo four weeks of initial training, covering a range of different security disciplines, before being deployed. That is a phenomenal investment. There is no requirement for Mall of America to do so, no attempt to delegate responsibility and it’s all done despite the possibility that a staff member, once trained, may elect to go and seek employment elsewhere. The difference is that, from the top down, everybody acknowledges that security is indeed a priority.

Our expectation is that our employees should be capable of not only responding to the traditional threat posed by hijackers and saboteurs, but also be able to respond to a host of new security challenges. Key to addressing the insider threat is ensuring that all employees are able to identify indicators of the threat within the organisation. Industry employees are increasingly being encouraged to play an active role in combatting the scourge of human trafficking by identifying potential vulnerable individuals and the traffickers themselves. Airside crime and inflight theft are on the increase and our best defence is the alertness of our employees and their familiarity with the signs of such criminality. Reducing cybercriminal acts against the industry requires all staff to learn new security skills and follow innovative protocols. Unruly passengers seem to be becoming more unruly than ever with violent outbursts occurring on an all-too-frequent basis in airport lounges and, more frighteningly, in aircraft cabins; communication tactics and restraint techniques cannot be effectively taught if an airline elects to squeeze its training into a couple of hours. It’s the height of irresponsibility.

And then there is terrorism. As we know the best lesson the past has taught is that next time it will be different. So it’s about time that we started to continually drill into our security staff the need to think outside the box and to organise scenarios, exercises and full-scale drills that help them do so.

We need to empower our screeners to use their initiative and apply common sense. Watching an agent desperately trying to rearrange liquids, aerosols and gels inside a passenger’s plastic bag to see if they can close it, and thereby permit it through the checkpoint, is a waste of time and offers zero security benefit; confiscating a necklace because it has a gun-shaped pendant hanging from it simply because any item resembling a firearm cannot be taken into the aircraft cabin (see Air Watch) demonstrates that we’ve lost the security sense and become completely checklist focused; and evacuating an aircraft and commencing a full search simply because a clearly disgruntled passenger uses the word ‘bomb’ (as if any real terrorist would do so!) shows that our risk management skills are seriously wanting. These and a multitude of other examples of ‘silly security’ exemplify the need for more in depth training to prevent screening becoming excessively process driven.

“…when it comes to security, no industry seems to try to reduce training time to the absolute minimum more than aviation…”

This is something senior management should be demanding instead of arguing against. In our compliance culture, we must meet regulatory demands yet we can still fight against complacency and strive to excel.

Philip Baum
Philip Baum