Sunday, February 10, 2008

A Few Thoughts on Consistency and Where We're Kip Hawley

Thanks for participating in the Evolution of Security blog. In the coming weeks we will ask for your opinions about some issues we now have under discussion. Two examples are balancing intrusions into personal space (pat-downs, imaging) with better detection, and devoting dedicated lanes to 'speedster' frequent flyers and how to manage who goes to that lane. We will also continue to go where you take us with the issues you raise. I would like to address one of those issues now: 'why do I get different results at different airports?'

There are two main issues: a) process consistency, where we want to have the same result everywhere; and, b) purposeful variation so as not to offer a static target.

Let me say up front that we have sometimes confused the issue ourselves, seemingly excusing unwanted results with 'well we do it differently on purpose' answers. While I understand the frustration of not having a completely identical process every time, I cannot say that you will ever be able to go through completely on autopilot. Here's my perspective...

Let's take process consistency first. Imagine we were a manufacturing business and that we wanted to crank out identical, high quality widgets. That's hard to do even when you use precision equipment and consistent materials. If TSA were a manufacturer, we would be processing over 700 million unique transactions a year, using over 40,000 different people, at over 400 locations. And, rather than combating maintenance woes (although we do) and the standard banes of manufacturing quality, our enemy is active, intelligent, malicious, patient, and adaptive.

Because TSA started from scratch, we used very defined 'standard operating procedures' in order to get the new organization up and running. Over time, that detailed process control started to work against us. It had the effect of making the job checklist-oriented. ('If I follow the SOP, then I am doing my job.') The tighter we squeezed to demand tighter adherence to the SOP, the more we squeezed individual initiative and thinking out of it.

While we had great people as TSOs, we were putting them in situations where they had to do things 'because it's SOP' whether or not it made sense. It was not helpful for public credibility or for keeping our people sharp.

Since nobody would care that we followed the SOP precisely if there was a successful attack, and since our enemy can observe our SOP and plan ways to beat it, we needed something more.

This is the purposeful variation part. The idea is to have a menu of different security measures that TSOs add randomly to the standard process.

Everybody goes through the magnetometer and puts carry-ons through the x-ray, and if there is an alarm, it is resolved. However, given the limits of technology and simple human fallibility, vulnerabilities inevitably exist. We are covering those vulnerabilities by adding, truly at random, additional measures. For example, in the last couple of months, I have had two versions of a quick pat-down. My computer was swabbed for an explosives check, as were my shoes even though I didn't alarm going through (yes, I go through security just like everyone else). We also have new handheld liquid and solid explosives detection devices deployed as well as a variety of other measures. You may, and should, see what I mean in an upcoming trip.

I should also add that we have recently added other layers of security to address the same vulnerabilities that I have been discussing -- behavior detection, document checking, K-9 teams, undercover air marshals, etc.

So, our theory of how to achieve process consistency from a quality control perspective is to train well and set outcome goals that encourage individual initiative and judgment. We think that for a distributed workforce that sees endless variety in passenger situations and faces an adaptive enemy, that is the way to go. This means that, yes, you will see some differences trip to trip on some judgment things that are not on purpose. That is the price for a thinking, switched-on front-line -- if you want people thinking, then you have to let them make decisions based on their training and experience.

You will also see some different measures applied trip to trip that are purposeful, put there to prevent someone from exploiting a vulnerability.

Thanks for working with us,

Kip