Mark Ferguson, CISO of Bombardier, discusses the benefits for CISOs of building a strong network of connections and communicating with security leaders to create security strategies that will stand up to increasingly organised and sophisticated cyberthreats.
One of the defining traits of the cybersecurity sector is its rapid pace and ceaseless changes. Having worked in this sector for more than 15 years and having had the privilege to spend much of that in senior leadership positions, I have witnessed first-hand the way that security teams must constantly strive to keep up with the evolving technology and tactics of cybercriminals. Threat actors have become increasingly organised in recent years, working in gangs, sharing tools and tactics, and even selling ready-made access to compromised networks.
I began my journey towards security leadership in 2004 when I was working for a controls business that was acquired by Honeywell, the multinational conglomerate best known for its engineering and aerospace businesses. After earning my CISSP, I developed through several different roles at Honeywell including acquisitions, security architecture and risk assessment, before moving to the management side of cybersecurity within the corporate global security team. My time with the risk assessment team gave me the opportunity to work closely with security leaders and other executives, enabling me to build relationships and establish trust and credibility. I eventually took the role of Director of Risk Assessment in 2010 and then progressed to the CISO role in 2015.
In late 2019, I eventually left Honeywell to become CISO at Bombardier. As CISO at Bombardier, I have taken on a wider remit, looking at risks beyond the scope of cybersecurity and adding compliance and product security to the role.
Transitioning from being CISO of one large multinational to another has provided some powerful insights into the common threats that face all organisations today. While the two organisations share similarities, they have very different business models and internal cultures, and face a similar yet different array of opportunities and challenges around cybersecurity as a result. However, it is also notable that the two companies are being assailed by many of the same threats – as are most others around the world.
Despite these shared challenges, organisations still tend to fight their security battles in isolation, with the particulars of threats and counter strategies being closely guarded secrets. With cybercriminals becoming increasingly organised, security leaders must also begin to lower these barriers and work together more closely.
Addressing the biggest cyberthreats
As a large high-profile organisation working in transportation and aviation, Bombardier presents a number of different cybersecurity challenges that I’ve had to get to grips with as CISO – the person ultimately in charge of risk, compliance and cybersecurity for the organisation.
Understanding the business and the types of threat actors that are interested in it, their motivations and types of attacks they would employ is a high priority for CISOs. Transport and infrastructure are potential targets for terrorists and hostile nation states, and so securing that infrastructure against cyberattacks is paramount. The loss of trust that would result from failing to protect the public and customers from a cyberattack would have a significant reputational impact.
Securing products and data has also become even more important as companies branch into more digital offerings such as connected aircraft. One of my biggest priorities is to balance the opportunities of new technology against the potential risks it introduces.
While these kinds of unique advanced threats loom large, our day-to-day security operations are generally focused on more common security issues. A high priority for me is to reduce reliance on humans when it comes to cybersecurity. Email is easily the most common vector for attack and we spend a lot of time dealing with phishing, spoofing and business email compromise (BEC) attacks targeting our executives, admin staff and accounts payable team. These attacks usually impersonate a trusted contact such as another executive or a supplier, attempting to trick our employees into sharing sensitive data or authorising funds. When our staff come to work, they need to be able to trust, open and click everything they see in their mailbox, so keeping email secure is essential.
These types of attack were also one of the most prevalent issues in my previous roles and are a serious issue for businesses of all shapes and sizes. Indeed, the Internet Crime Complaint Center (IC3) found that there were over 20,000 BEC victims around the world in 2018, with total losses exceeding US$1.3 billion. Because attackers rarely use malicious attachments anymore, countering the deceptive emails used in these attacks requires investment into advanced email security tools that can spot more subtle signs of identity impersonation.
In a previous role at a large international organisation, we were able to deliver the highest efficacy rates when we implemented Microsoft Office 365 layered with Agari’s email security technology to protect against inbound email phishing and outbound brand spoofing.
Communicating with the board
A CISO needs to not only understand the cyberthreats facing their business, but effectively relate them to the board of directors. Establishing a strong relationship with senior leaders is essential for ensuring that the security team has the resources and strategic freedom necessary to defend the organisation.
One of the most important factors for success with the board is keeping the reporting business-focused and taking a risk-based approach. The technical specifics of any security issues are largely irrelevant – instead you need to concentrate on the business impact of a potential attack, whether that might be financial, operational or reputational. I have found it most helpful to explain cybersecurity to senior leadership in terms of maturity of the programme – how mature is the programme, where are the gaps, what must we be doing to close the gaps and improve maturity.
Whenever possible, it’s also good to be armed with metrics that can put a potential figure on the costs involved, as this makes it easier to think about cyber-risks in terms of ROI. I’ve found success in using a three-tiered approach, split into everyday operational metrics, a tactical layer for the functional leadership, and a strategic layer for the senior leadership and the board.
Building a strong cyber culture
Alongside securing buy-in from the top, a CISO also plays an important role in shaping their organisation’s cybersecurity culture. Cybercriminals see the human element as the chink in the armour and common strategies such as deceptive emails are designed to exploit this perceived weakness. Even one employee falling for a phishing email can facilitate a major breach, so the entire workforce needs to be aware of the importance of good cyber behaviours.
While it is both unfair and unwise to place the burden of spotting phishing emails and other threats on the shoulders of employees, fostering a high level of awareness can make all the difference. All staff should be aware of common signs of malicious emails and other suspicious activity and have a clear idea of how to report concerns to their management or IT and security teams.
I have had tremendous success in using an ambassador programme to help provide this awareness and develop a strong security culture. Employees who have the right interest and aptitude in security were brought on board and trained to teach the benefits on our behalf. I have found that people generally respond better to security advice when it comes from a peer or fellow employee in their department, rather than being handed down by the corporate security team.
The need for a unified approach
Being a CISO is a high-pressure role that requires providing leadership for a wide variety of areas around risk and cybersecurity, technology in general, as well as other concerns including legal, privacy and product issues. While this hectic schedule often leaves little time for looking outside of the company walls, I believe it is increasingly important for CISOs to take the opportunity to communicate with their counterparts at other organisations and begin to work together.
Cybercriminals have become increasingly well organised, with even a lone-wolf opportunist being able to easily purchase tools and information from others on the Dark Web. We have also seen a greater threat from organised groups that function in a similar manner to a legitimate business. Using the same kinds of tools as real marketing and sales teams, they can collate data for thousands of potential targets and send out huge automated phishing attacks. In most cases, these attacks are completely industry-agnostic, or else will be targeting many companies within the same sector.
Meeting other security leaders and sharing information about these attacks, as well as other cyberthreats such as new malware tools, can provide extremely useful intelligence that may make the difference in thwarting an attack.
Attending security events, open forums or closed-door ones, has been one of the most useful approaches I have encountered for forging these connections and sharing intelligence. Many industries such as aviation and banking have their own sector-specific events which can be useful for discussing more targeted threats such as security issues around connected products.
At the same time, invaluable intelligence can be gleaned from CISOs from other industries. As discussed, some of the most pressing threats we face transcend sector and meeting other security leaders can be a real eye-opener. The annual Agari Trust conference is one example of an effective sector-agnostic meetup I attend annually with representatives from a huge variety of businesses.
Events that provide the opportunity for security leaders to meet behind closed doors are particularly valuable. While speeches and demonstrations are extremely useful, CISOs will be able to discuss their security challenges more freely in private.
By building a strong network of connections and regularly communicating with security leaders in other sectors and geographical locations, CISOs can further improve their ability to create security strategies that will stand up to increasingly organised and sophisticated cyberthreats.