Security Lessons from Southwest’s Terrible, Horrible, No-Good Very Bad Holiday Season
By Neil H. Simon
The Southwest Airlines travel debacle of 2022 quickly became the gift that keeps on giving into 2023 for late-night comics, armchair business strategists, and travel and logistics aficionados. While the airline begins the slow climb out if its public relations hole, its winter fiasco and the January FAA system outage are filled with lessons for those on the frontlines of security in any industry.
Days later travelers again found themselves stranded in the airport as the Federal Aviation Administration (FAA) delayed over 10,000 domestic flights and canceled over 1,350 on Wednesday, January 11. The FAA system used to send safety alerts to pilots, NOTAM, suffered an outage that lasted nearly two hours, resulting in a trickling effect of travel issues and leaving angry customers to fend for themselves in airports across the nation once again.
Here are three key lessons from the Southwest – and FAA – mess for any security team to prevent, detect and respond to a crisis in a way that can keep your employees engaged, customers loyal, and operations protected in 2023.
1. Do the Update
How many times have you said, “We’ll run that security patch next month?” Or “We’ll sunset that legacy software system next quarter, because we’re just too busy right now.” There may never be a perfect time for a systemwide migration, but you know what’s worse? Delaying that update to the point of creating your own crisis.
With about 16,000 Southwest flights cancelled in four days at an estimated $600 million financial cost to the company, Southwest’s decision to delay software upgrades in the face of numerous internal recommendations, could hardly have been a larger mistake in retrospect. Crisis prevention, like leadership in general, calls for decisiveness and a bias toward action.
Security teams who hem and haw too long at a certain point are not being deliberative. They are debilitating. Indecision is a decision itself. It’s a decision to not act, to say that the present concern bear too low of a risk probability to warrant a new course.
In Southwest’s case, they had waited nearly 30 years longer than their competitors to update reservations systems. So, how do we know about these issues: the company’s own employees. (This former pilot’s cataloging of the 2010s decline of Southwest has been shared more than 104,000 times.) Which brings us to a second lesson from the Southwest case.
2. Own the narrative – starting with your employees.
When angry customers are tweeting at you and #SouthwestStoleChristmas is trending, you’ve lost control of your narrative. On day one of the crisis, I’m not suggesting there is anything Southwest could have done from a PR standpoint to reverse that trend right then, but there a few moves any security team can take to take back that message control in the earliest hours of a crisis, and it starts with your public-facing employees knowing a precise message to share.
Your frontline employees ought to know three simple things and be authorized to share them everywhere.
For Southwest, their passengers wanted one thing: to board a plane and get to their destination. Actions always speak the loudest. But in their Christmas case, it seems gate agents knew next to nothing.
The less customer-facing employees know, the less able they are to help shift the narrative with irate customers. Current status. In the shortest, clearest terms, what is the status? Are systems down? Say that. Be clear and specific.
- Tell the truth. Do not share information you think your customers want to hear. On day one of their crisis Southwest posted a note online blaming the weather. Public concerns shifted to doubts about the company as a whole days later as other airlines’ schedules were largely back to normal. Learn from this: Don’t publicly post piecemeal information that attempts to hide a larger systems issue.
- Expect unknowns. Amid a crisis, there are always going to be more unknowns in the early hours and days. Buy yourself time and goodwill with honesty. Say you’re looking into causes and solutions and then deliver with follow-up communications.
- Keep in touch. Telling people the next time they can expect an update reminds them you are thinking of them and their hunger for information. Even if your next update has minimal (or no) new information, the fact you are telling people, “I’ll update you again in 2 hours” makes them feel connected to the broader team and less likely to create some alternative storyline they make up on their own.
These steps, and old-fashioned phone calls can go a long way to preserving staff trust, and even delighting customers in distress, something Southwest will be spending the better part of 2023 doing.
3. Test your backup systems.
A client recently asked me who to include in crisis tabletop exercises. They had a core security team in place, and their default was to include only that team, but we quickly agreed we should add alternative players into that circle. Afterall, if the only people testing a security plan are your top tier, then you’re probably not as well-protected when new players come in “off the bench.”
Back-up staff is one thing, but more important is having backup and redundant systems. Southwest’s “Sky Solver” software to schedule crews clearly failed in December. And backup plans with crews manually calling in to report to work for so many grounded flights seemed to do no better. An untested backup system is essentially not a system. Security experts recommend staffing software with messaging integrations to help communicate to staff en masse during a crisis.
In short, no nefarious outside actor caused Southwest’s holiday season mess. It was the ultimate ‘own-goal’ and revealed a weakness that threat actors are now imminently aware of. And this brings us to the reminder that even non-security hygiene practices are ultimately security hygiene.
Updating internal flight scheduling systems may seem like it’s simply a labor and operations tool, but as Southwest showed us in December, in the end these systems are security systems on which business continuity depends. So, practice good hygiene this year. Update your software. Own your narrative. And test your systems, and then rest easier knowing you are that much better prepared for the next storm.
Neil H. Simon is executive vice president at Resolute Strategic Services, where he advises clients on crisis communications and emergency preparedness. He previously served as the head of communications for the Organization for Security and Cooperation in Europe Parliamentary Assembly and led cybersecurity leadership training at Gartner. He can be reached at firstname.lastname@example.org.