American View: What do airport disasters have in common with cybersecurity controls?
I’ve applied to eighty job adverts in the three months since my team was made redundant. I’ve gotten interviews with two organisations so far, neither of which have panned out.
I’ve applied to eighty job adverts in the three months since my team was made redundant. I’ve gotten interviews with two organisations so far, neither of which have panned out. That’s one interview per 40 applications and no offers. Looking at my trackers for previous layoff periods, my 2013-2014 ratio was also one interview for every 40 applications. That’s why I’m not particularly depressed over being sidelined, as this is how job hunting always seems to go in the U.S. Job hunting is an endurance challenge, not an audition, and perseverance consistently beats “pizzazz” for scoring interviews. Just soldier on patiently and lean on your contacts. Something will pan out eventually because of what we do.
I believe accurate framing of problems is imperative, and not just good for my mental and emotional health. Understanding the correct nature of a problem allows you to attack it effectively, whereas approaching a problem ideologically or doctrinally is likely to fail, as you’re attacking what you want the challenge to be rather than what it really is.
As a practical (if odd) example of this principle, consider last Friday’s runway incursion in Denver, Colorado: Frontier Airlines Flight 4345, an Airbus 321 commercial passenger jet, was taking off when it ran into a person walking on the active runway. The as-yet unidentified intruder was killed. The jet was able to safely abort its takeoff. The entire incident could’ve been so much worse; had the meandering “foreign object” severely damaged the impacted engine, the aircraft could’ve crashed killing everyone aboard. As it was, the passengers reported a chaotic and frightening evacuation on the runway while the affected engine caught fire … but no deaths.
This peculiar incident sparked the usual choir of “armchair authorities” on social media. Since we know nothing about the intruder (at time of writing), speculation turned to the intrusion itself. People who’ve never worked at an airport were swift to condemn Denver for only putting up fencing to keep nutters and wildlife out. As opposed to, say, an alligator-infested moat. Post after post on Twitter griped “Why wasn’t the airport secure?” The chorus of well-meaning but shortsighted suggestions gave me a headache.
Amreen Ahmad, writing for the Sunday Guardian, tried to put the challenge into perspective: “Denver International Airport spans nearly 53 square miles, making it the largest airport by land area in North America and maintaining complete surveillance across such a massive facility remains a significant operational challenge. Although officials said the fence showed no structural damage, the fact that someone reached an active runway within minutes has raised uncomfortable questions about monitoring technology and patrol effectiveness.” [1]
Good on Amreen for taking on the braying crowds. I doubt his completely level-headed explanation will hush the clout-chasing posters, but his attempt was definitely appreciated.
Denver Airport’s security challenge is instantly recognisable to every squaddie that ever marched. “Secure” is an objective, not a status. Whether you’re trying to secure 53 square miles of land or a single house in a built-up environment, you must assess, plan for, and prepare for all realistic threats that might be directed against your position during the time you’ll be holding it. You’ll never be completely secure because there are always limiting factors. For example, your average infantryman might be able to stop one enemy tank with a mine or a man-portable rocket launcher, but can’t possibly secure their position if the rude and unhelpful enemy brings along a second tank. Relative security is a game of prioritising probabilities in the harsh light of budget, logistical, and operational constraints.
People don’t like hearing that, though. Politicians, pundits, and publishers prefer to placate the public with promises of perfect protection. [2] No such thing exists in our reality. A determined adversary will get through your defensive countermeasures … eventually. In the Denver incursion, the intruder is believed to have scaled a fence … a fence that cost-effectively kept out an unknown number of other would-be intruders for quite some time. Maybe it kept out a thousand people; maybe only one. Until this week, it seemed to have been fit-for-purpose.
Could the fence have been made unscalable? Not realistically, no. Sure, it could be upgraded with razor wire or electrified or supplemented by the above-mentioned ’gator moat. Those features might have deterred or thwarted Friday’s would-be ninja … But at a ridiculous installation cost (to say nothing of ongoing maintenance and liability expenses). Besides, razor wire can be defeated quite handily with wire cutters, torches, shovels, and/or motor vehicles. Such extreme measures sound dandy, but they’re often too expensive and impractical to justify. [3]
Some Twitter posters opined that Denver Airport needed 100% surveillance of their ridiculously large perimeter, with a Rapid-Reaction Force saddled up 24/7 to launch an interception action the moment anything bigger that a chipmunk touched the fencing. Sure, bud. Sounds great. Hell, might as well ask for the Colorado Army National Guard to ring the entire airport with checkpoints, ground patrols, ISR sensors, and artillery (for those hard-to-reach breaching points). Enormous effort, staggering cost, with only a tiny chance of ever being worth the extra effort. That’s the American Way™!
I admit, I’m having some fun at the Twitter trolls’ expense. So far, no one important has taken these silly suggestions seriously. Sure, some ideas might have some practical value if applied pragmatically. But they’re not – and never will be – cure-alls. Denver International is simply too big to fully “secure.”
I suggested to one pal that he might want to compare the “secure airport” conundrum to our previous king of long-haul passenger service: the humble train. We’re had railway transport here in the U.S. for 199 years, and people are still throwing themselves and others in front of trains. It’s a well-known risk with lethal consequences when it manifests … but you sure as hell don’t see every inch of train tracks in America surrounded by fencing, sensors, and armed moat ’gators.[4] The scale of the problem is just too danged big.
Trying to get people to understand the impact of scale in a problem is a difficult framing challenge. It’s one thing to look at a section of fence and think up good ways to improve it, but it’s nearly impossible for most folks to imagine the entirety of a massive complex’s perimeter fencing. There’s too much to visualise. That’s the way it is with security issues … and, if you’ll pardon the abrupt gear change, I submit that it’s the same with trying to comprehend the scale and complexity of cybersecurity issues as well.
Think about it: your enterprise network is vast, complicated, inefficient, and entangled with legions of external service providers’ platforms, connections, dependencies, and vulnerabilities. Your IT folks grok and appreciate this mess, but most of your users can’t. From their vantage point, there’s a display with all the “stuff” they require to meet their boss’s taskings. Everything is “in” the “computer” even if they’re running VMs on a zero client. It’s their job to use the kit to execute tasks; it ain’t their job to map the plumbing that makes it all work.
That’s why your users aren’t “stupid” for taking “unnecessary” risks and ignoring “mandatory” security controls. They’re making reasonable risk decisions based on the tiny fraction of the network that they can perceive and comprehend. It’s not that different from an armchair expert imagining a segment of chain-link airport perimeter fencing and expounding that a concertina topper would make it impregnable. Given the narrow, isolated view they have of the problem, their position seems reasonable.
That’s why, I contend, every business requires security human risk people (like me!). We’re storytellers first and foremost. Our training products, classes, publications, events, and social media activities are all vehicles for sharing stories that will resonate with our organisation’s users. Our primary function is to change how our co-workers comprehend the scale of the cybersecurity challenges we face, so they’re better positioned to comprehend why certain processes or activities are mandatory or forbidden. Essentially, we’re the pre-emptive defensive function that averts harmful acts, so that the company isn’t forced to implement ridiculously complicated and expensive “hardening” defensive measures to “human proof” vulnerable-but-necessary components.
That framing is why I haven’t given up on the current miserable American jobs market yet: our specialty is necessary. We’re not only cost-effective security countermeasures, but we also help raise team morale, build workers’ skills, improve incident reporting, and positively evolve our organisation’s culture. We’re a huge “plus factor” for the greater security team. Some CSO somewhere is going to snap up my former parter and me … Hopefully soon. We just have to keep applying until someone, somewhere is ready to listen to our unbeatable value proposition.
[1] Emphasis added.
[2] I might have taken too much cough syrup before typing this bit. Sorry.
[3] Unless you equip your elite moat ’gators with NVGs and assault rifles.
[4] Although that would be awesome.
Keil Hubert
Most Viewed
Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF
23-29 Hendon Lane, London, N3 1RT
020 8349 4363
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543