A series of IT outages, software supply chain attacks and breaches in recent months continues to expose the fragility of our digital ecosystem and the need for strong cybersecurity strategies. While not always adversarial in nature, these events have teased a future of even more crippling incidents, and they’ve reinforced the need for round-the-clock vigilance.
These events – like the Snowflake data breach, the Change Healthcare incident, the CrowdStrike outage, and the massive AT&T data leak, among others – got me thinking about the parallels between my professional role as a cybersecurity CEO and my personal hobby as a pilot.
Here’s what I mean.
Systems, Processes & Prep
When it comes to both cybersecurity and flying a plane, there’s an acute need for systems, processes, and preparation. Atop that list is a pretty universal concept that I’ll refer to by its technology term, “red teaming,” or preemptively testing for weaknesses.
With flying, for instance, flight instructors put pilots through rigorous situational tests – including gear or engine failure. Meanwhile, insurance requirements also mandate that pilots respond to a range of mechanical failures in flight simulators.
In addition, on the day of a flight, we’re doing an incredible amount of prep work: verifying fuel levels, confirming our flight plan, doing a walk-around inspection of the plane, even testing navigation, communication, avionics and other flight controls before getting off the ground.
Monitoring the day’s weather is equally important, with the goal of avoiding unexpected turbulence or other hazards. Pre-, mid-, and post-flight, we’re also communicating regularly with air traffic control – as we depend on the service for critical guidance and real-time data.
Aviation is meticulous and truly rooted in safety and control.
Transferable Knowledge
This mindset carries over to my day job as a cybersecurity leader. In fact, I approach every aspect as if it’s part of that pre-flight checklist, and it’s something I believe all cyber defenders can benefit from.
For example, we’re constantly and intensely scrutinizing product updates pre-launch for bugs or vulnerabilities. It means analyzing the codebase to detect flaws, running pen-tests to simulate attacks, and using effective scanning tools to detect known vulnerabilities, among other steps. We need to ensure that no weakness is overlooked.
The same way flight teams depend on ground crews and mechanics, technologists also rely on those in the trenches – from software engineers to security analysts and executives. Resilient software depends on this level of precision.
Also, sometimes adequate preparation means intentionally hurling the occasional “hand-grenade” into the development process. It’s a drill I’ll even oversee myself to ensure our engineers are quick to respond, like a pilot might if they’re seeing any red flags come across their cockpit dials.
Even pushing the product to customers is, like aviation, a meticulous process, involving a multi-step, phased (or “ring”) deployment with critical feedback loops at every step.
This forces us to adhere to our own pre-flight checklist – in this case opening the product to internal test groups, a small set of external users, then gradually to other user bases. It enables developers to identify and resolve issues right away. We also need an effective rollback function that reverts the product to a previous – and safe – version in the case of a crisis.
I’d argue that all this rivals the many checks we run on an aircraft before the wheels leave the ground.
More Than Autopilot
In a fast-moving, high-stakes industry like cybersecurity, perfection is hard to come by, if not utterly impossible. As with pilots, it’s important to equip defenders with the resources they need to succeed, across any number of doomsday scenarios – which might mean fighting “zero-days,” or previously unknown loopholes exploited by hackers.
Vigilance requires more than autopilot, or the “set-it-and-forget-it” mentality attached to some legacy technologies. Like aviation, cybersecurity depends on a series of dynamic, interchangeable parts and processes. And, as with pilots, its practitioners must display a certain command of these systems to keep the lights on, or let’s say keep the vessel airborne.
Again, it’s also essential to reiterate the importance of partners. I learned from the best and continue to practice with experts to keep my flying skills in line with the current landscape. Cybersecurity is the same. We all need to have partners we can lean on for training, to get a second opinion or to provide guidance on the best path forward.
A Safety Question
In aviation, we ensure the integrity of countless components before takeoff. The same applies to technology – which must be pressure-tested. That’s true of every life-cycle stage – from its development and release to upgrades and long-term maintenance. This builds muscle memory, and ultimately resilience.
Fortunately, I’m seeing a real tailwind across our industry with security executives and technology providers leaning into this measured approach. By exercising incredible caution, we can reduce risk and get ahead of the threats.
Both flying a plane and leading a cybersecurity company require equal parts focus, anticipation, and mental acuity. The safety of people and systems depends on it.