Alexandra Landegger, Collins Aerospace’s chief information security officer, discusses cybersecurity with Lee Ann Shay.
You have a bachelor’s degree in foreign service and a master’s in communication, culture and technology. What drew you to cybersecurity?
I studied international relations in school, with geopolitics as the concentration. I got into consulting focusing on risk analytics for a couple of different U.S. government agencies. From there, I lined up the next consulting job with a master’s program that looked at tech transfer across borders. My next gig focused on technology forecasting: What will body armor of the future look like for the Army warfighter? When you take geopolitics, risk and technology—that leads you directly into cyber. I didn’t know it at the time, but I was destined for this job. One of the great things about cybersecurity is it can be home for everyone. I’ve got people on my team who were preschool teachers, zoologists, philosophers and police officers—there are so many different skills that you need in this space.
Your team mitigates cyberthreats, addresses global cybercompliance risks and fosters a security culture throughout Collins. How do you weigh the different threats so you can prioritize resources?
We look at the ecosystem that we’re protecting—our IT; our operational technology, like our factories and labs; our products that are increasingly digital; our supply chain; and our joint ventures. With the understanding of the universe that we’re trying to protect, we have two mission statements: Fight the bad guys and meet the needs of the good guys. Look at the different threats that we face, whether it’s criminal or hacktivist or nation-state actor on the bad side or meeting global regulations, commercial contract requirements and internal policies on the good side. Then map what you need to protect and what you’re protecting against. Then you start to understand the intersection between what the good guys are asking for and what the bad guys are targeting. We dig into the areas of our business that would face the greatest impact if we saw a cyberthreat or potentially a compliance risk. Taking that full ecosystem-wide view of risk, the good and the bad, I found to be the most effective way of prioritizing.
You advocate for a companywide security culture. What best practices can you share?
There are a few ways to really drive security into the DNA of how your whole organization operates. Start with the right cybersecurity training. Basic awareness for everyone is really important, so everyone understands the cyberrisks and what role they have to play in it. The second big thing I recommend is building a cybercouncil. This is the forum where you bring together parts of your organization that have a stake in your cybermission—legal, HR, communications, IT, product engineering, safety, quality—and have this cross-functional group really aware of what’s going on, informing cyberdecisions, building that accountability across your executive leadership team. Third, build an ambassador network. Pick people across the organization who represent different geographies, different levels, different functions. Equip them with enough cyberinformation that they can champion your mission beyond your own cyberteam.
For companies just forming cybercouncils, what other tips do you have?
An important step many companies miss is building a charter. What is its mission? Is this a decision-making body or just an awareness group? Within Collins’ cybercouncil, we’ve also chartered working groups for things like supply chain security, factory security and areas that sit at the intersection of different disciplines. Build working groups that have the authority, funding and ability to execute those missions.
With ever-evolving threats, how do you ensure Collins’ supply chain ecosystem is secure?
Supply chain security is probably one of the most complicated topics. One way to manage it is to look through the compliance lens. Know what requirements you need to meet. Then document it and build it into your supplier contracts. Unfortunately, compliance activities are often seen as a checklist activity: “Check, check, check. I did all the things, and they were fine.” In cybersecurity, we’re not just engineering the solution to a problem with a finite number of variables; we are engineering solutions against an ever-changing adversary. We’re playing a game of whack-a-mole. So work very closely with your legal department to understand how you continue to update and evolve these requirements through the life cycle of a contract. Focusing on outcomes more than methods is crucial. In addition, run exercises with suppliers and test different scenarios.
MROs are moving toward paperless operations so technicians can use tablets or mobile devices for maintenance tasks, parts ordering and more. How can they ensure cybersecurity?
There’s so much value to be gained by connecting things. To access all these things, secure them the right way. Double down on basic security hygiene. Make sure vulnerability management, antivirus capabilities, multifactor authentication and the right logging is in place. Manage end-of-life risks. Make sure that technology is up to date. As part of the security culture, empower your people with the right skill set for their jobs. Security training for a factory floor worker will look different than for someone in an office or on a ramp.