Trey Ford talks about what today’s CISOs can learn from yesterday’s pilots
Trey Ford learned to fly to get to know his dad better. The security pro and SecTor keynote speaker started learning in a Cessna 172 in 2008, following in the footsteps of his father, who had been an avid flyer before Ford was born.
When Ford took his test – with just three flying hours above the legal minimum – there was a strong crosswind, which meant that when he landed, he was being blown sideways.
“We don’t have to do this,” said his tester before they took off, offering the chance to postpone to a more hospitable day. But Ford took the plane up anyway. He wanted to demonstrate not only that he could follow the basic legal requirement to fly, but that he could go beyond that and operate the aircraft in far less ideal conditions.
That’s an attitude that information security professionals can learn a lot from. Just as in aviation, good cybersecurity practitioners will expand beyond mere compliance by focusing on true performance to address real-world challenges. It’s just one of the similarities that Ford sees between his life as a pilot and as global security strategist at Rapid7.
Ford, who for a while also ran the Black Hat security conference globally, spoke to SecTor before his keynote speech about the similarities between modern cybersecurity and aviation’s history. We’re going through the same early stages as early pilots did, he explained, and making mistakes along the way.
Earning your wings
Certification is one example of how cybersecurity is trailing aviation. Back in the early days of flight, it was a lot easier to become a pilot. In his keynote at SecTor, Ford explained that pilots just had to take off, fly a figure-eight loop and land. The modern aviation industry has far more stringent and well-defined certification procedures.
In today’s cybersecurity world, a lot of people are new and winging it, just like pilots did all those years ago, because the standards to benchmark professionals are still developing.
Many of the CISOs Ford meets have said that it’s their first time in the role. In many cases their companies haven’t had a CISO before. This means these individuals aren’t just learning the job as they go along; they’re making it up for themselves. So clearly, we’re a long way from stringent professional certification in this field.
Transparent, concise communication
Another area of similarity is information sharing. This is something that the aviation industry has become adept at, communicating necessary messages and data with precision and intent.
From checklists that remind pilots of key tasks through to Notices to Airmen (NOTAM) messages that communicate potential hazards in flight, the industry is highly regimented. When accidents happen, the procedure for investigating them is painstaking and thorough, with well-documented steps. All participants get to know what happened, and can use the information to improve their processes and avoid similar disasters in the future.
Conversely, companies struggle to share information effectively in modern cybersecurity. Information on incidents is often not shared at all. Any sharing that does happen is often incomplete and erratic.
From a technical perspective, the tools for cybersecurity information sharing are already there. Ford points to VERIS – the Vocabulary for Event Recording and Incident Sharing – as a useful framework to explore along the way. It is a common set of metrics and terms for describing security incidents which brings some much-needed structure to the process.
There are other barriers, though. Companies face legal risks and shareholder wrath when considering what information to release. How can they alert people to problems without making themselves financially and legally vulnerable?
A safe environment
Even having these conversations requires a safe environment, which is exactly what’s missing, said Ford. We need safe places to have these discussions so that companies open up and begin talking about incidents in a constructive, useful way.
The aviation industry has created safe environments via mechanisms such as anonymous reporting, Ford said, explaining that pilots have a mechanism to anonymously self-report mistakes. Imagine if security professionals were given the same thing. Instead of hiding the causes of a breach, they could disclose them in a safe environment, so that everyone could benefit.
That’s going to take a dramatic shift in corporate thinking, but for many executives, already conditioned to protect themselves and their companies by refusing to discuss security issues, maturing in this way will be a gradual process. Aside from the cultural shift in thinking necessary to be more transparent, they will need the technical capabilities to produce that shared information – and to use the data that they receive in return.
“Even if we’re not ready to share information today,” he concluded, “we should prepare for it.”