After hearing a presentation by Alexandra Landegger, Collins Aerospace’s chief information security officer (CISO) at our Aerospace IT event last month, I was more interested in cybersecurity than I’ve ever been.
Instead of just scaring the audience with what goes on behind the scenes to protect companies, she provided practical information that all aviation companies should heed; her multi-disciplinary approach was more engaging than the annual security class I take.
Her job as CISO is to protect Collins’ whole business ecosystem—across products, services, factories and IT—over the whole lifecycle: design, source, build, sell and maintain. If that doesn’t sound daunting enough, consider the various businesses within Collins, and then roll those up into parent company Raytheon. After that, consider all of the connected, digital elements. Then couple that with the fact the company’s services and people are located around the world, and it manages a vast supplier network.
How on earth do you create an environment that protects all of that—an environment which also has a Rosetta Stone of customer requirements and regulations?
Here are a few tips she shared:
- Know what the “good guys”—the regulators, customers and suppliers—are asking for. “There is a reason for a compliance checklist,” she says. Coupled with this, know your requirements and regulations.
- Know the “bad guys”—the hacktivists, criminals, nation states and insider threats—and their methods (such as credential harvesting, malware, vulnerability exploits).
- The threats are increasing and will continue to expand. “We’re seeing expansion of commoditized attacks, state actors that are outsourcing more to instantly grow their capacity, and with COVID, our remote workforce creates new opportunities for our adversaries,” says Landegger.
- Focus on basic security hygiene, including backups.
- “You must infuse security across the culture,” she says. It should become part of your company’s DNA. Every person should believe in and adhere to this company-wide security culture.
- Start a cross-functional cyber council if you don’t already have one. “Cyber can’t operate in a silo,” says Landegger.
- Companies need to build security into processes and production early on! Do not let it be an afterthought.
- No longer grant 100% access to everything to all. Risk-based segmentation limits the blast radius if a security problem occurs. Keep things in bubbles, she suggests.
- Forty-five percent of A&D industry attacks begin with compromised credentials.
- Since 2020, 22% of all security incidents in the A&D industry are linked to insiders.
Cyber is constantly evolving. Be smarter than the criminals and don’t be the weak link.
As she says, cybersecurity is a team sport—and each team member needs to play their part.