From Boarding Gates To Firewalls: Airport-Inspired Cybersecurity Tips

#New Content #Webinars

Jan 14, 2025

The following is a transcript of the livestream conversation “From Boarding Gates to Firewalls: Airport-Inspired Cybersecurity Tips” - it has been edited for clarity.

We took cybersecurity to new heights in our recent livestream with Rishma Khimji, Chief Information Technology Officer at Harry Reid International Airport. Rishma shared fascinating insights and hard-earned lessons from protecting one of the busiest and most high-stakes environments in the world. Dive into the recap to discover actionable tips to strengthen your own cybersecurity program!

Getting Started

Gabriel Friedlander: The reason I love this topic so much is that I’m a student pilot, almost ready to get my private pilot’s license. I’ve been flying in and out of airports weekly, so this is very close to my heart.

For me, an airport has always been something unique. We just touched on this a moment ago—a small airport might have a 3,000-foot runway and feel very different from what we’re discussing today. Today, we’re talking about major airports, and I always get excited when I visit them.

Rishma, I’d love for you to start by introducing yourself. Then, could you describe the scope of what an airport really is? People often have different ideas about what an airport entails—some think of airplanes flying, terminals, or runways—but there’s so much more going on. Let’s start with that!

Rishma Khimji: Sure. I’m so excited to be here! Thank you for this opportunity to talk about our airport and highlight all the great things we’re doing.

What’s Unique About The Harry Reid Airport

Rishma Khimji: Our system consists of five airports. Harry Reid is our flagship commercial airport, but we also operate general aviation airports for non-commercial flights—private jets, flight schools, and similar activities. Additionally, we have two sports-centric airports for recreational flying, skydiving, and lessons. Being a system of five airports truly makes us unique.

Harry Reid International Airport is particularly special. Like most airport professionals, I could talk for hours about how unique our airport is, but there are two key points that set us apart. First, we’re located right in the middle of the city—just minutes from the Las Vegas Strip. Second, we’re a destination airport. Unlike many other hubs, the majority of our passengers are coming to Las Vegas as their final destination, rather than transferring to another flight. That makes us both the first and last impression of the city for many of our guests, and we take pride in ensuring their experience is exceptional.

We see ourselves as the gateway to the Las Vegas experience. Whether visitors are here for a convention, a vacation, or both, we want their time with us to set the tone for an amazing trip. The airport is always buzzing with activity, thanks to the variety of events and people passing through. It’s a vibrant and exciting place to work.

The Challenges of Cybersecurity In An Extensive Tech Ecosystem

Rishma Khimji: I’ve been here a little over two and a half years. My background is in public safety and municipal technology, so airports were a new challenge for me. While technology fundamentals are the same everywhere, understanding the unique operational needs of an airport has been a fascinating learning experience. Just when I think I’ve got it all figured out, something new comes across my desk, which keeps things exciting.

An airport is so much more than terminals, runways, and planes. It’s essentially a city within a city. We manage not just the guest experience—checking in, going through security, and boarding a plane—but also the infrastructure: water systems, energy systems, building maintenance, and more. This operational complexity is why I say airports function like small cities.

What makes Harry Reid International Airport even more unique is that we’re a 100% common-use airport. This means no single airline owns or has exclusive control over any part of the terminals. Instead, airlines lease space and rely on the services and technology we provide. For example, when passengers use a kiosk to check in, they may see the branding of their airline, but the technology and middleware supporting that system are owned and managed by us. This level of integration ensures a seamless experience for passengers and efficient operations for airlines.

Managing this extensive technology ecosystem is both challenging and rewarding. Our goal is always to ensure guests move effortlessly through the airport, from drop-off to boarding. Once they’re on the plane, they become the airline’s responsibility, but until then, we strive to deliver an exceptional experience.

Gabriel Friedlander: So, a few key takeaways I’m hearing here. First, you’re a destination airport, which creates unique challenges. There’s a lot of pressure on passengers because of the constant flow of people coming in and out. Unlike airports where planes might land at one gate and passengers simply transfer to another, you have large crowds moving through TSA, and there’s a constant demand for taxis and rideshares. That creates its own set of risks.

Second, it’s fascinating to hear how you approach all of this. Most people talk about protecting "the cloud" in a metaphorical sense, but you’re literally protecting the clouds. What you’ve described really highlights how security on the ground is foundational to ensuring safe flights. Protecting the cloud starts at the ground, and everything you manage is aimed at making sure those flights are safe. It’s a massive amount of work.

Let’s talk about the infrastructure. What keeps you up at night? What are the biggest risks you face? I know there’s always something to address, but are there specific threats or major disruptors that require the most attention when it comes to running an airport?

Leveraging Relationships and Shared Responsibility

Rishma Khimji: The thing about the airport is that, while we have ownership of the airport itself, our services are deeply integrated with those of other organizations—especially the federal agencies with those familiar three-letter acronyms. Within our campus, we work closely with TSA, Customs and Border Protection (CBP), and the FAA. These large institutions play critical roles in managing air travel, so our partnerships rely heavily on strong communication and finding common ground to ensure passenger safety.

When we talk about moving a passenger or guest through the airport, it’s not just about what happens within our operations. There’s a constant “handoff” and “handback” between the airport and these partners. For instance, at the TSA checkpoint, we hand the guest over to TSA, where they manage the security screening process. While it’s our land, it’s TSA’s operation. After passengers clear security and enter the secure side of the airport, they’re back under our responsibility, engaging with airport services like shopping, dining, or finding a spot to connect to Wi-Fi and relax before their flight.

This integrated movement requires careful coordination, and while nothing keeps me up at night because I have an incredible team that consistently exceeds expectations, my focus—and that of my directors—is on maintaining strong relationships with all our stakeholders. These include internal teams like facilities, public affairs, and the director’s office, as well as external partners like TSA, CBP, and the FAA. Without these relationships, there’s a risk of breakdowns in operations, which can lead to inefficiencies and disrupt the seamless experience we strive to provide for passengers.

Strong Relationships Lead To Innovation

Rishma Khimji: One example of this collaboration is our unique partnership with TSA. Here at Harry Reid International Airport, we have an innovation checkpoint in Terminal 3 that is one of a kind. It’s fully operational for passengers and serves as a testing ground for TSA’s newest technologies. These include advanced x-ray machines, automated systems for placing items in bins, and self-service checkpoints where passengers don’t need to hand over IDs or interact with TSA agents—just walk through the machine, and it does the rest. It’s almost like something out of Total Recall!

For innovations like this to succeed, TSA and our airport operations, including IT, must work together to determine the necessary infrastructure—whether it’s physical, network, or security-related—and identify technologies that can enhance the passenger journey. Our strong relationship with TSA allows us to test and refine these solutions here in Las Vegas before they’re implemented at other airports nationwide.

Ultimately, these partnerships are essential. If we want to ensure passenger safety and provide a smooth travel experience, we need to maintain and strengthen our relationships with all our partners. It’s this collaboration that makes everything possible.

Gabriel Friedlander: I’ll tell you what I love—I love how often you’ve emphasized relationships. I think you mentioned it at least 10 times! I hope the people listening are really hearing that message because it’s so important. Security is a shared responsibility, and many organizations don’t fully embrace that mindset.

Too often, employees think, Oh, that’s the security team’s job, or department heads assume, I’m doing my own thing—that’s for security to handle. But here you are, talking about how relationships are at the core of what you do, and that’s a powerful message.

What I find especially interesting is how you’ve linked relationships to innovation. When you have strong relationships, you can collaborate and try new things together. That’s such a contrast to the way security is often perceived—as an inhibitor or something that slows things down. What you’re describing is the exact opposite.

I think a lot of that comes down to relationships. When you have good relationships and strong collaboration, you can accomplish so much more. You can test new ideas, refine them, and even share those successes with others to show how it’s done. To me, all of this ties into what I’d call “security culture.”

So, my question is: how do you achieve that? You’ve been talking about building strong relationships—internally and externally—but why isn’t every organization like this? Why is it so hard for many security teams to establish those connections and foster that kind of culture?

How To Achieve Strong Relationships For Strong Security Culture

Rishma Khimji: I think the biggest factor is buy-in—it’s all about the "why." Why do we need to do this? Since 9/11, we’ve all understood the importance of keeping airports safe. Air travel connects the world, allowing people to move seamlessly from one city to another. It has made the world more accessible than ever.

If we want travelers to feel safe and secure—which is a basic human need—then safety becomes a foundational element, enabling people to pursue their ultimate goal of exploring the world. Safety is like a utility; it’s essential and often taken for granted once it’s in place.

The challenge for many organizations is that they may not have a clear story to tell about their “why.” But that’s crucial. You have to find your story, define your “why,” and repeat it consistently until everyone buys into it. For airports, that story has evolved over time, shaped by events and a shared understanding of the importance of safety in air travel.

When travelers arrive at the airport, safety often feels secondary to them. As long as the airport is clean, well-maintained, and staffed with visible safety professionals like TSA agents, passengers feel physically secure. That sense of physical security naturally extends to their digital safety, too. If travelers feel the airport is taking care of them physically, they’ll trust that they’re being protected digitally as well.

That’s why our relationships across departments and divisions are so vital. We have an excellent security team here that ensures passengers are physically safe, and we extend that same care to their digital experience. For example, we offer free Wi-Fi that we manage and monitor carefully. It’s our infrastructure, and we’ve implemented strict protocols to actively monitor for scams, port scanners, and other threats.

We also collaborate closely with other divisions, like facilities, to maintain security. For instance, our facilities team does regular walkthroughs. If they spot something unusual—like a USB device plugged into one of our charging ports with no one around—they’ll remove it and test the area to ensure no malicious devices are present.

This level of coordination and attention to detail is how we ensure passenger safety, both physically and digitally. It’s also why we’re successful in fostering a culture of safety for our employees. Everyone understands that this is not just about the passengers but also about protecting the livelihoods of those who work here.

Clarifying The ‘Why’ For A Better Security Culture

Gabriel Friedlander: This is such a great message because it resonates with how businesses operate—you need a vision and a clear “why.” Why are you doing what you’re doing?

We talk about this a lot: finding the “why.” People understand the concept, but often, they don’t invest enough time and effort into truly uncovering it. Instead, they come up with something superficial and assume everyone will just follow along.

In your case, the “why” is clear: personal safety. It’s tangible and deeply relatable. People already have anxiety about flying, and your focus on safety helps address that. This makes it easier to communicate and “sell” the why—ensuring everyone gets to their destination safely. That foundation fuels your security culture.

Security culture starts with understanding the “why,” and it’s a critical exercise that every organization should undertake. It’s not just about security for its own sake—it needs to align with the organization’s broader goals.

For example, if you’re a healthcare company, your “why” might be ensuring patient safety. You don’t want MRIs or other critical medical systems to be hacked because you’re saving lives. Digital safety, in this case, directly supports the mission.

It’s essential to communicate this effectively. Saying, “We don’t want to be hacked” or “We need to protect the company so it can make money” isn’t enough. You need a deeper reason that aligns with your mission and inspires people.

ROI Goes Beyond Dollars

Rishma Khimji: If you think about it, money comes when safety is embedded—it becomes part of your reputation.

One thing we often discuss is that ROI isn’t just about physical dollars. It’s not just the monetary investment and the profit from that investment. It’s also about reputation. If I can build a high level of trust, my reputation will benefit significantly. That reputation, in turn, drives better buy-in and long-term success.

When we think about ROI, we need to also consider the reputational cost and return. What is the return on my reputation (ROR)? This perspective reinforces the importance of a secure culture. Building trust and protecting reputation are integral to the “why” behind security.

Gabriel Friedlander: This is great because it aligns so perfectly with the many times we discuss how security needs to be in sync with business objectives. And here’s a perfect example of that in action. You have the vision, you understand the "why," and it trickles down through the organization, which you also mentioned earlier. I’d like to touch on that again—how you also prioritize the personal safety of people walking around the terminal.

For example, you have employees monitoring the terminals, checking for suspicious USB devices, pulling them out and inspecting them. You also ensure secure Wi-Fi for passengers. I have two questions:

Could you elaborate on that? I’d love to hear more about how you handle this.
For regular passengers like me walking through the terminal—what can we do to help keep ourselves safe? It’s a shared environment, right? I’m connecting to public Wi-Fi, I might plug in my device. Should I be concerned? What precautions should I take when I’m at the airport?

Personal Safety and Digital Hygiene At The Airport

Rishma Khimji: I want to say, "No, you don’t need to do anything differently. Just treat it like your home network," but that’s not always the case. There’s always some risk, no matter where you connect. So, digital hygiene is very important. Be aware of what connection you’re using. If you need to do secure, confidential business, make sure to use a VPN.

Also, be cautious when accessing financial institutions over free Wi-Fi. Even though we take steps to keep it as secure as possible, you just don’t know what else is around you. Maintaining good digital hygiene and being digitally savvy is crucial no matter where you are. I really want people to adopt these practices.

As for ensuring safety, we have systems in place to actively monitor and protect passengers. The last thing I want is for someone to visit our airport, use their digital device, and face an issue that impacts them personally. That would harm our reputation and could also have financial consequences.

But beyond that, we think of our guests like family. How would I feel if something happened to me or my mom at the airport? I would want to know exactly when and where it happened so I could prevent it in the future. I don’t want that to happen to anyone else either.

We are the first and last impression of Las Vegas. If you have a great experience here, you’ll come back again and again. But if you have a bad experience with the airport, that could leave a lasting negative impression. I want to make sure your experience is positive, because when you return, that’s not just good for you, it’s good for the economy, too—it supports our paychecks.

So, the ROI of safety is not just about numbers—it’s also about reputation. And while the return on reputation (ROR) is subjective, we can still gauge it by looking at how well we’re doing in keeping people safe.

Empathy Is Critical In Cybersecurity

Gabriel Friedlander: Empathy is key, right? The way you talk—like how you say, "I don’t want my mom or anyone else to get scammed at the airport"—resonates with people. That’s the kind of communication that builds relationships and encourages others to join the effort in making the environment more secure. Empathy is a huge factor in cybersecurity.

I have a story to share. A friend of mine, who works in fraud prevention, told me something that happened to her. She was almost scammed at the airport. She was flying home from Canada, and her flight got delayed. The airline only offered a flight two days later, which added stress. She was traveling with her family, including her kids, so it was a tough situation. She didn't feel much empathy at the gate, and understandably, the staff were probably stressed too, trying to manage the situation.

She ended up posting about it on Facebook, and a scammer saw her post. They reached out, pretending to be the airline, offering help. In her stressed state, she didn’t think too much about it and just wanted a solution. They tried to install something on her computer to "help," and that’s when she realized it was a scam. She said, “I was so close to falling for it.” It wasn’t that she wasn’t aware of scams, but at that moment, she was just trying to solve her problem.

Check out Wizer’s dramatized re-telling of this scam in our Wizer Real Life Story here.

Airports can be really stressful when things go wrong—delayed flights, missing staff, issues with travel. It’s a high-pressure environment, and unfortunately, that creates an opportunity for scammers. That’s something we need to talk about more, to raise awareness. People should be cautious, even when they’re venting their frustrations.

One idea that could help: maybe put up signs at gates or other airport areas warning about scams—like "Beware of scams, the airport will never contact you on social media." Just small reminders to help people stay aware, especially when they’re under stress.

Remember, anywhere there is stress, there is more opportunity for scams. That’s the main point I want to get across.

Importance Of Digital Hygiene In Personal Safety At The Airport

Rishma Khimji: It all comes back to digital hygiene, right? We need to be careful about what we're posting, where we post it, and how we handle replies. For example, if someone contacts you and says, "Call me at this number," don’t use that number. Instead, call the airline directly to get the legitimate help you need. It's all about awareness.

Relying on your instincts is important too. At the airport, our staff can be stressed because, as you know, things can escalate quickly. Passengers can be greatly affected by unexpected issues. But don't feel afraid to ask for help as a passenger or guest. If the agent at your gate is overwhelmed by other passengers, don't be afraid to call the airline directly, or go to another podium and ask for assistance. We have staff throughout the airport who are trained to help.

Our airport employees always wear badges, and many of us wear uniforms so we can be easily identified. If you're unsure of something, feel free to ask us. We might not always have the exact answer, but we will guide you to someone who does. Our staff is trained to know the airport and how to direct you to the right resources.

Please, use the resources available at the airport and remember to practice good digital hygiene. I know we all vent on social media, but before posting, consider waiting until after the situation is resolved. This way, you won’t risk sharing sensitive information in real time.

Incident Response

Gabriel Friedlander: That’s a great point. Let’s talk a bit about incident response, because as you mentioned, chaos can unfold in an instant. There were a few incidents last year, so how do you prepare for such events? What are some things you wish other organizations would do, at the very least, to prepare for an incident? I imagine preparing for incidents is a major focus for you, given everything you handle—passengers, crews, airlines, vendors—there’s so much potential for incidents to occur. How do you prepare for that?

Rishma Khimji: One of the key things we emphasize is building muscle memory, and that comes through repetition. Repetition means running tabletop exercises. Given the number of partnerships the airport has, it's crucial we don't conduct these exercises in silos. For example, in October, as part of Cybersecurity Awareness Month, we hosted a tabletop that included representatives from the airlines and other airport divisions. This way, when we simulate an event, we can assess its impact across the entire airport organization.

Through these exercises, we can determine roles and responsibilities, establish clear communication channels, and identify the single source of truth. It's important to know how we’ll communicate the situation to the masses as well.

We also run internal tabletops specifically for IT to ensure we understand our role in diagnosing and resolving issues. But the most valuable exercises include colleagues and stakeholders from other areas, so we can all understand together how we’ll work together to address an event.

These exercises are key to breaking down silos. Often, solving a problem requires collaboration with vendors and other stakeholders. Doing these tabletop exercises repeatedly builds muscle memory, reinforcing the order of operations, and helps establish communication channels. Ultimately, it ensures that everyone knows their responsibilities and how they contribute to the organization's readiness.

Gabriel Friedlander: It also helps people understand the bigger picture. When they're in the tabletop exercises, they get a sense of what's required from other teams, and that helps them realize the gravity of what it takes. It makes them feel important because their contribution is essential to the overall success. This, in turn, strengthens the security culture we talked about. To build a strong security culture, we need the "why," we need to build relationships, and part of building those relationships are those tabletop exercises.

These exercises get all the parties involved, helping them see the bigger picture. When tasks are done in silos, it's easy to underestimate the magnitude of a cyber event. Tabletops provide a much-needed perspective on the full scope of what’s involved.

Key Takeaways

To summarize the key takeaways for organizations: do tabletop exercises. Many companies simply hire a service, create a PDF plan, and store it on a computer—often one that's vulnerable to being hacked. Without regular practice, that plan is essentially useless.

Invest in things like EDR, SIEM, and security awareness training, but make sure you're also investing time in tabletop exercises. Get people from different departments involved in simulating an incident and understand what’s truly at stake. Not only will this strengthen your incident response, but it also helps build a security culture and reinforce muscle memory.

There were a lot of great insights shared today. I’ve learned a lot myself. We’re running out of time, but do you have any final thoughts or anything you'd like to add? I have a ton of questions, but we’re out of time!

Rishma’s Final Thoughts

It takes a lot of systems to get a guest from the curb to the plane and then from the plane to their destination. There are many systems at the airport working to ensure a smooth experience.

One thing I’ll say is to arrive on time. Some airports can get very busy, and if you're not there two hours early, you risk cutting it too close and possibly missing your flight. So, come prepared and allow extra time for the unexpected. Chaos can happen at any time, but we’re here to help, guide, and support you.

The airport professionals, including all my colleagues at airports everywhere, are truly smart and dedicated people. We're doing everything we can to protect our guests both digitally and physically. However, it's also important for individuals to understand that they play a role in their own safety as well. If things don’t go as planned, take a deep breath, trust that we’re doing our best, and seek guidance from someone at the airport.

Airports are fun places to people-watch! They are hubs of transportation where you’ll meet people from all over the world and experience different cultures. I'm truly blessed to be in such a fabulous position at the Las Vegas airport.

So, with that, I encourage you to be prepared and have fun!

Gabriel Friedlander: Cool, thank you so much. One last question, just for my personal benefit. I want to bring my small plane, a Cessna 172, into the airport. You mentioned different terminals—do you have a separate runway for general aviation, or would I need to land on one of the larger runways?

Rishma Khimji: Las Vegas airport does have a general aviation area, so we can accommodate small, non-commercial planes. There's a dedicated runway for that. However, you'll likely be directed to Henderson or North Las Vegas airports. Fun fact: North Las Vegas is the second busiest operational airport in the state, with more flights than Reno Airport. While Reno is a fantastic airport and undergoing great changes, Southern Nevada is extremely busy. You have options—you can land at North Las Vegas, Henderson, or our airport.

Gabriel Friedlander: Cool, thank you so much! It was a pleasure having you, and I really appreciate everything you shared with us. Until next time!

Rishma Khimji: Thank you, goodbye!