Why Modern IT Security Is Like Aviation—100 Years Ago

In every new industry, there is a period of learning where best practices are established and future success is assured. In that respect, there are many parallels between the best practices for safety and security that the aviation industry has learned over the years and ones that could serve to benefit the modern IT security landscape.

By Sean Michael Kerner

In a keynote address at the SecTor security conference in Toronto on Oct. 21, well-known security expert Trey Ford (pictured), who currently works as a global security strategist at Rapid7, detailed the parallels between lessons learned in aviation and IT security.

Related: Security Consulting Firms Find Niche in Breach Detection Platforms

"I think information security is a very nascent space and is very similar to what aviation was like 100 years ago," said Ford, former Black Hat general manager who is also a pilot.

In the early days of aviation, there were no rules, and for the most part, the same is true for IT security today, Ford noted.

"We're making this up as we go," he said.

Ford noted that 100 years ago, pilots didn't have a body of knowledge to look back on. Looking at IT security, Ford said that companies want their security people to be professional and have a wealth of experience, but that experience doesn't always exist. He added that most humans are afraid of the unknown and for most people computer security is still an unknown quantity.

In Ford's view, it was a long journey that flight took to become part of modern society that required a number of fundamental events to occur. First was transparency. When a plane crashed, the aviation industry worked to document failures to help with safety.

"In aviation, they do a full failure analysis. Do we as a profession today run every incident into the ground and identify the root cause of what's happening?" Ford asked. "I don't know that we do, but they [aviation industry] did."

Understanding and documenting failure is a core tenet of the aviation industry's modern success, Ford believes, and the same would likely hold true for IT security.

"In aviation, if we have an issue with a wheel or any other piece, we want to know where it came from, is the issue isolated, will it affect me or anyone else, and then we want to distribute all that information," he said.

Related: Which Security Metrics Matter Most?

For the earliest pilots 100 years ago, the licensing process was very simple, Ford said. All that was required was to be able to take off, fly a "figure eight" in the sky and then land the airplane. That's the equivalent of a driving test in which the driver just drives the car in a parking lot in a circle and then parks the car anywhere he or she wants.

The modern process of getting a pilot's license is a complex and rigorous one that has the benefit of decades of best practices.

"Part of what makes the [aviation] profession safe is having explored and documented boundaries, learned lessons and communicating the information back," Ford said. One key historical lesson that Ford recounted was that of the Boeing Model 229 bomber, which was the precursor to the B-17 Flying Fortress. During its test flight on Oct. 30, 1935, the Model 229 crashed, killing three of the five people on board.

"This story [of the Model 229] is important to me and every other pilot for one specific reason," Ford said. "This was the birth of the checklist."

The investigation into the Model 229 crash revealed that the pilot had left the parking brake control lock on. As a result, the checklist for take-off was introduced, protecting future generations of fliers.

Related: Bring Your Own Encryption to Secure the Cloud

"I'm standing on the shoulders of giants that gave their lives so we have a checklist, whose mistakes have been paid for in blood, so that I can be a professional pilot," Ford said.

With regard to IT security, data should be shared to help the greater whole, according to Ford. Even for organizations that can't share data today about attacks, Ford wants them to be able to organize the data so it can be understood by data scientists to find patterns and future best practices.