Could you describe your average day as CISO at Virgin Australia? Do you have a particular routine for the start and end of day?
An average day includes a variety of meetings, project reviews, steering committees, strategy sessions, presentations and briefings. Each day is different, but I try to kick them off in the same way - spending the first 30 minutes going through emails, catching up on global infosec developments over the last 12 hours, logging into monitoring consoles and going through the list of notable events identified by our various security systems. I try to reserve the late afternoon and evening for tool development, coding and other technical work.
Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Information security is a hot topic, and increasingly an item on the agenda at company board meetings. Computer-based threats are experienced across all sectors, and businesses are looking to build a stronger leadership capability by creating a senior security role at the top level of the business. While the ability to procure modern security technology is quite easy, obtaining experienced information security leaders remains a challenge here in Australia.
At Virgin Australia the CISO role reports directly to the Group CEO, John Borghetti. The positioning of this role in the organisational structure reflects both its importance to the business and the acknowledgement that information security is not an IT challenge – it’s a business challenge.
On a scale 1-5, do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
Further investment is planned, and the key driver is the change in investment strategy that a modern approach to information security requires. We call it the Stop:Response Ratio - the level of investment put into stopping attacks before they breach the network versus that put into detection, response and recovery after a successful attack.
While baseline investment in solutions to stop attackers at the gate remains essential, successful penetration of networks by attackers is inevitable. Companies must place more focus, and investment, on early detection, response and recovery.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
Like most prioritisation challenges, a risk-based approach is key. Flexibility is also important, as is a good understanding of the pipeline of projects and initiatives that the business has planned - across all business functions, not just information technology.
I’m interested in understanding the degree of engagement that you have with the business folks in Virgin Australia? How is cyber security viewed from their perspective?
One of the first points I make to new staff is that security is a support service - we're here to help the business achieve its strategic aims by contributing in the area of information security. Engagement with all parts of the business is crucial, and we've put increased focus on growing our enterprise security awareness to ensure it covers all areas of Virgin Australia.
Like most businesses, we have a diverse workforce when it comes to security awareness and experience. Building a strong information security culture is one of the harder challenges, but approaching awareness training from a personal angle rather than a business perspective helps make it "real" for staff.
There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
There are a lot of new players on the market, which is not surprising given the explosive growth being experienced in the sector. We use a small number of specialised providers to support us when it comes to security services – the relationship we have with these companies is very important as we take a no-holds-barred approach to penetration testing and attack simulation.
I’ve found in the past that some of the larger security service providers experience challenges in keeping quality consistently high during periods of fast growth. At the end of the day it depends on what you, as an organisation, want to get out of your security services. We’re not just after a compliance tick – we want to know how all parts of our security supply-chain are performing.
What do you regard as the crown jewels within Virgin Australia that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches??
For us, keeping our planes flying safely and protecting customer data are our top priorities. As an airline, we have always had a strong focus on business resilience, and our information security incident simulations are now run as part of the business resilience team’s annual program.
More and more we are hearing about Airlines adding WiFi to their offering. What’s your view of this and how this changes the risk profile of an air service – is this positive or negative?
Read more: Security leadership and the role of AI
In-flight internet services have been around for many years, as have discussions around any associated risks. While it's a headline-grabbing concept, there's not yet any evidence that remote control access of an aircrafts' avionics system via an in-flight WiFi network is possible. Aerospace companies make use of one-way network interfaces for sending selected flight data to in-flight entertainment systems, along with a host of other controls to maintain the integrity of the on-board avionics control system.
Virgin Australia takes all potential information security threats seriously, and the risk in this regard is extremely low. I believe in-flight internet access in Australia will be a great connectivity option for travellers when it does eventually arrive.
Within the Virgin Australia environment, are you more concerned about the internal technology vulnerabilities or of rogue insiders?
Like most security teams, we're concerned about a range of threats to the business, which also include emerging vulnerabilities and malicious insiders. At some point, you will have to provide high-level access to individuals in order for them to perform their role - ensuring you have the right spread of both preventative and detective controls in place increases your chances of catching malicious behaviour early.
Internal vulnerabilities will always present a challenge, particularly when exploit code is made widely available before vendors have released security patches. A flexible approach to vulnerability management coupled with the ability to move quickly means that even if the temporary solution isn't clean, it will tide you over until an official security patch becomes available.
When you think about adding new talent into your team. What key attributes that you look for when selecting a new staff member? Also I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Passion for all things security is critical. We also look for people with great customer service skills, an eye for detail and a flexible approach to problem solving.
Part of the onboarding process for all new infosec team members at Virgin Australia (including the CISO) is the requirement to gain certification as an Offensive Security Certified Professional. Knowing how to attack improves your understanding of how to defend, and the training provided by Offensive Security also arms staff with the foundational skills to meaningfully contribute to internal penetration tests. Because we expect a lot from our staff, we choose them pretty carefully.
Acquiring senior talent is probably the most difficult task - it took almost 12 months to find one of our recent hires.
How do you keep up to date with developments in Digital innovation and Cyber Security, this is clearly a dynamic area and it must be challenging?
It can be. Being an active member of the local information security community definitely gives you an advantage in this space - building strong connections with likeminded security folk across all sectors helps keep you in tune with the local and regional threat landscape.
I'm lucky enough to be part of a fantastic community team that participates in various “Capture The Flag” competitions a few times a year, which is a great way to keep the technical part of the brain moving. There are some great local, regional and international conferences such as Def Con in Las Vegas and RuxCon in Melbourne but at the end of the day, keeping up to date means committing hours outside of work.
Finally, what keeps you awake at night?
A combination of my two-month-old baby and knowing that no organisation can completely mitigate the risk of successful attack, but having a great team who work tirelessly to protect our digital assets does help me get some shut-eye.