At Dulles, a security awareness success story
Credit to Author: Ira Winkler | Date: Wed, 08 Feb 2017 03:00:00 -0800
When Kjell Magne Bondevik, the former prime minister of Norway, was temporarily detained upon arriving at Dulles International Airport on Jan. 31, international controversy ensued.
The controversy was purely political, and while I do not support the executive order stopping people from seven countries from entering the U.S., Bondevik’s detention had nothing to do with that issue. Instead, he was detained for additional questioning under a 2015 law that requires people who visited any of the seven countries in question to obtain a visa prior to entering the U.S., even if they are from a country that does not normally require a visa for entrance to the U.S. The law was put in place in the aftermath of the Paris attacks. Whether or not the law is just is not relevant to this discussion.
Bondevik was detained because he had Iranian visas and stamps in his passport. To those who say that as a former world leader, he should have been waved through, I respectfully disagree. Such deference is a breakdown of security protocols, and we see the ugly consequences of that every day in the enterprise.
There are many examples of users or security officers bypassing procedures because they are intimidated by people pretending to be dignitaries. People claiming to be the CEO contact HR and ask for employee data to be sent outside the company or money to be wired outside of the company. The company’s security practitioners preach that users should be skeptical of all such claims, but people quite often want to be helpful, especially when the person asking for help is thought to be someone deserving of deference.
I have written about the importance of well-defined governance, which establishes how employees should behave in various circumstances. While governance should cover how to elevate a situation, good governance does not give first-line workers the authority to bypass security procedures.
When Bondevik presented his diplomatic passport to an immigration officer upon his arrival, the officer adhered to policy once he noticed the Iranian stamps in the passport. He did this despite the fact that the passport also indicated that Bondevik was a dignitary. He did exactly what he was supposed to do. I give him credit for not bypassing procedures, and I give his superiors credit for not taking action against him.
Norway reportedly sent over an electronic waiver, which should have allowed Bondevik to go through without the initial detention, but that was not available to the immigration officer. This is an issue that should be looked into and addressed. But it does not change the fact that the immigration officer adhered to all governance in his actions.
If the average user would demonstrate the same level of adherence to governance, many incidents would be prevented. Security professionals have strived to achieve this level of adherence, and it’s important that we make sure that a public example is not criticized.