by Dr. Chris Veltsos, CISSP
(ISC)² Security Congress wrapped up four weeks ago. The event sported world-class keynotes and also had many great sessions. This article shares some reflections on Captain Sully’s keynote, and his message to all of us information security professionals.
A Perfect Fit for Cybersecurity
The opening keynote speaker at the 2019 (ISC)² Security Congress could easily be mistaken for a larger-than-life figure. Captain Sully’s story is one of calm in the face of chaos, with the result being that everyone on board that fateful flight was able to get out alive. As some of the exchanges between the pilots and the control tower resonated through the speakers, the mood was tense, as if all of us in the room suddenly found ourselves in the cockpit. However, Captain Sully’s message wasn’t focused on the failure of the technical equipment — as most engines would fail when hit by a flock of Canada geese — and instead focused on the importance of education and training, keeping cool and communicating well during a crisis, and the value of debriefings. More on this in a bit.
This cybersecurity conference keynote wasn’t about technology per se, yet it was such a perfect fit for what information security professionals are facing today. We have complex, interdependent systems and controls, and yes, it is highly likely that these systems or controls are going to fail, with potentially disastrous consequences. As I write these words, the news reports that a large cloud service provider had a major disruption, ransomware has once again shut down operations at several large and small organizations, and another spate of organizations suffered data breaches.
Judging by the standing ovation and clapping levels, Captain Sully’s keynote resonated very well with attendees. So what were some of the notable take-aways?
The Importance of Education, Training, and Debriefing
At several points, Captain Sully made clear connections between the positive outcome of US Airways Flight 1549 and the education and training that he received — or rather that he engaged in — throughout his career. Why engaged in instead of received? Because education and training require that the person actively participates in those activities rather than being a passive recipient of information. In retrospect, Captain Sully highlighted several points in his career where education and training helped steer the outcome of Flight 1549 to what we know today. He credited his love of reading and learning for having not only saved his life, but that of more than 150 people. And at the pace that things are changing today, Captain Sully reminded us to nurture a mindset of continuous learning, in ourselves and in the people who look up to us.
But education and training can only get us so far in terms of preparation. Without practice — and regular debriefings, even when the practice was a success — we are unable to internalize the lessons that must be learned, lessons that can one day make the difference between a crash where everyone survives, and one where lives are lost. And these drills can’t just be limited to the technologists; they have to involve business leaders and decision makers across many levels of organizational leadership, to draw out lessons to be learned and playbooks to be updated.
Another key theme in Captain Sully’s keynote was that of the shared responsibility that we are faced with. As security professionals know, information security is not a technology issue, it is a whole-of-business issue. That means, as Captain Sully said, “it’s not about me, it’s about us.” This requires a shift in mindset, both from security professionals and from business leaders, to ensure that we focus on what brings us together instead of the organizational silos that have in the past kept us apart. Digital disruption is taking the world of business by storm, and as you’ve noticed, there are a lot of bumps in the road so far. “We must adapt.” Yes, we as security professionals must adapt, and yet we must also help our organizations adapt.
This sense of shared responsibility helps us keep the big picture in mind. It’s not about being right about a specific control or waiting for the inevitable “I told you this would happen” moment. It’s about ensuring that our organizations are resilient in the face of ever-changing operating and environmental conditions. Together we are better able to handle the crisis at hand. In Captain Sully’s case, he is quick to praise the teamwork that helped bring about the positive outcome. He couldn’t have done it without the help of his co-pilot, and he described a sort of dance that took place in the cockpit while maneuvering to bring a jetliner to gently crash in the Hudson River. But the crisis wasn’t over once the plane came to a rest in the water; Captain Sully praised the work of the flight attendants for helping get everyone out of the sinking plane.
Shared responsibility means that we must continue to stretch and reinvent ourselves as the realities of running a business today continue to stretch our capabilities. But there was one more key theme in Captain Sully’s keynote: communication.
Communication is Key
Unlike most crises or near-crises, the case of Flight 1549 is a fairly open book in that investigators were able to go over the two black boxes, the cockpit voice recorder and the flight data recorder, and comb over every instant of the flight, including every decision by the pilot and co-pilot. Another unique aspect of this crisis was that of the communications between the cockpit and the control tower. Clarity, focus, determination, trust. The now famous pilot shared with the audience how, to this day, he still remembers choosing his words very carefully, to ensure they represented the situation or the orders he wanted executed as best he could. In his communications with the tower, you can hear the very clear language used to list and negotiate nearest-airport options. Then once it became clear the plane couldn’t even reach the nearest airport, the focus — and communications in the cockpit — shifted to the preparations for a water landing.
Captain Sully also described how, even though they had not flown together until that day, he and co-pilot Skiles could collaborate almost wordlessly, stemming in part from the many trainings and debriefs they had each taken part in, and the sense of shared responsibility. The pilot and co-pilot must be able to quickly and honestly share relevant pieces of information with one another, and trust that the other party would be able to articulate concerns over an incorrect reading or action. Getting to that point, when two people can communicate with one another like a well-choreographed dance, requires keen attention to and investment in developing our ability to communicate, both when times are good and during a crisis.
We as cybersecurity professionals have our work cut out for us. Not only do we need to continue to develop our ability to understand and master the many technical domains that are part of our cybersecurity responsibilities, we must also invest in growing our ability to communicate with a wide variety of audiences, including top leadership and other decision makers, as we’re all in this together.
Captain Sully’s words inspire us to continue our own professional development so we can be better prepared to respond to the next cybersecurity challenge.