Risk Management in Aviation and Cyber Security
I have been an IT and security professional for almost my entire adult life. I started off my career as a network engineer and fell into being a security engineer fairly quickly. It started by adding a firewall certification, then I added intrusion detection and prevention. The areas of security continued to grow; adding forensics investigations, eDiscovery, project consulting, and so much more. In the project consulting, we focused on ensuring the risk level of a project was within acceptable levels for the organization. I have been the top of the cyber security organization in my last three roles; but I’ve wanted to be a pilot for as long as I can remember.
In 2018, I became a certificated pilot and in 2019 an advanced and instrument ground school instructor. I recently finished teaching a formal ground school class to about 15 students of differing skill levels, ages, and goals for their piloting careers.
One of my recent students is about the same age as myself, has dreamt of flying all of his life and just wants to do it for fun, while another student is 16 years old with a desire to fly for the airlines, and yet another young student has the desire to be a pilot for the United States Air Force.
While there are different driving factors and levels of investment for each of these learners, there are some key fundamentals of the profession that they need to understand and embrace.
As I write this article, I look over at my bookshelf full of aviation training materials, technical and security books. Pulling the Federal Aviation Regulations (FAR) and Airmen Information Manual (AIM) you’ll find it contains 540 pages of the rules and regulations contained under Title 14 Code of Federal Regulations which governs pilots, aircraft, flying and related items. The version of the book I have was written for pilots and thus doesn’t contain any of the myriad of rules and regulations governing the aviation industry as a whole.
“Aviation, in itself, is not inherently dangerous. But to an even greater degree than the sea, it is terribly unforgiving of any carelessness, incapacity or neglect.” — Captain A. G. Lamplugh, British Aviation Insurance Group, London. 1930’s
Thinking back to teaching my first day of ground school class, covering the history of flight and the Federal Aviation Administration (FAA), and the history of flight in general going back 117 years, none of those regulations or rules existed. Over time, as the aviation industry grew and as pilots, passengers and civilians lost their lives, these laws, unfortunately, written in blood, were created to prevent the further loss of life.
And when I think of all current security regulations and requirements in the Cyber world, such as HIPAA, SOX, or more recently with regards to privacy with GDPR, CCPA, and other privacy regulations these too are written in lives. While these laws may not have been written because someone lost their life, some have lost their livelihood, identity, or savings.
Most of the regulations in the FARs are prescriptive, this is what you must do. There are some rules and guidelines in Cyber Security that are hard and fast, which must be followed. Most other areas are more suggestive and open to interpretation, such as the questions of “Should I?” or “What can I do to reduce the chances of that happening?”.
This is where risk management and discretion come into play. Flying is a greatly rewarding activity and there are steps that are taken to reduce risk. When teaching, I like to take the approach of getting the student to think about what risk management techniques they would use to ensure the positive outcome should something not go as planned. The same applies in Cyber: What steps are you are you going to use to ensure the successful outcome of a project and reduce the likelihood of something going wrong, and how are you going to address those risks if and when it does go wrong anyway so that you can minimize the impact of the the thing that went wrong. (Risk Management and Incident Response).
I intend to publish a short series of articles comparing and contrasting Aviation Risk Management with Cyber Security Risk Management. I would love to collaborate with other Cyber Security professionals who are also pilots on the similarities and differences in future articles. In the next article, I will touch on Checklists, what they are and what are not, and how to use them in a risk-based approach. Next I will focus on the differences in training and mentality between Aviation and Cyber. After that, I will discuss drilling the procedure, how you practice dealing with things that go bad such as engine out procedures and how you should be regularly testing your cyber security processes and procedures such as backups, patching, incident response, etc.