In our business and private life we are firstly supposed to consistently comply with rules, regulations and procedures, and secondly, we are supposed to make NO mistakes. Neither is possible. - J. Nance
The world of IT Compliance and IT Security has a lot to learn from the airline industry. At the last PCI Community Meeting in Nice, John Nance, aviation expert, analyst, author and consultant, shared his experience on airline safety and compliance. For your eyes only, I jotted down the key points of his talk.
Compliance and safety: which comes first?
Both compliance and safety are important, but putting compliance before safety leads to disasters, as we in aviation learned, and learned the hard way. Pilots who focus on compliance act as system operators, not as pilots.
Adapting the norms
The major airplane disasters are due to:
- Deviations from established norms. We need to understand what causes these deviations from the norms.
- Failure to change the norms whenever needed. The most dangerous phrase we have encountered in the past hundred years of industrialisation is "This is the way we have always done it", a very dangerous sentence for anyone dealing with the evolution of things. We must review the norms whenever required and not just live with them as we have always done in the past.
The evolution of safety in the airline industry comes down to two things: understand how we failed, and adapt the norms and technologies whenever required.
Importance of teamwork in risk mitigation
We tend to be on auto-pilot half of the time, and sometimes do not even seem to care, because we do not believe that we can make errors. Even if we as human beings can be perfect at a specific moment in our lives, no one can honestly guarantee that we will keep that level of perfection continuously over time. We are prone to errors. The risks associated with these ups and downs in individual performance can be mitigated through a chain of individuals: a collegial and interactive team.
Most of the time there are only two people in the cockpit, the captain and the first officer (copilot). But it is not just them: there are the flight attendants in the back and the maintenance team on the ground. A lot of people support that flight, and once you get away from the idea that the captain is God and everybody follows, you get to the point of understanding that none of us as individuals can provide the guarantees for our passengers, our patients, our clients until we get together, ask what the common goal is, and form a collegial and interactive team. One of the most important aspects of a team is the absence of communication barriers. No one must be afraid to speak up, regardless of differences in role, function and education.
Compliance is not just a matter of tactics
When you try to convince people to do what is necessary for the sake of safety or security, you cannot limit yourself to communicating the rules and asking them to tick the boxes. Expecting people to comply with the rules just because they know the rules is complete nonsense. There is nothing more useless than rules that are not understood. People have to understand the philosophy behind them, not just the tactics (how to tick the boxes). When you understand the philosophy or strategy behind a rule, you do not just follow it, you own it.
The three pillars of failure
- Perception. We as human beings fail first of all by perception. We do not see things as they really are. We think we do, but we do not.
- Assumption. We make assumptions all the time. A wrong assumption can lead to a disaster.
- Communication. We are terrible at communication. 12.5% of the time, people speaking the same language and sharing the same level of education do not understand what they are saying to each other. When you are dealing with people who think they are communicating clearly, your best bet is that they probably are not.
Don't be surprised when something goes wrong
We are normally surprised when something goes wrong, but we should be surprised when something does NOT go wrong.
Mistakes are going to occur and things are going to go wrong, no matter how much education we have and how hard we try to mitigate the risk.
But nothing will get past your security team when you combine their mentalities, their capabilities and their recognition of a common goal (keep the data safe, keep the bad guys away from our sensitive data). Furthermore, when we are not surprised, we are ready.
Don't stop at the first symptom
When you find a hole in your system, it is not just a matter of fixing it; you have to look at everything that contributed to it, to make sure it never happens again. We want to know everything that happened, in sequence. Something that goes wrong in security works exactly the same way as an aircraft accident: there are many different links in the chain. If you go after just one of those links, repair it and ignore all the others, you have not done a sufficient investigation, and one day or another you will be dealing with one of the remaining links. This is tough, because as humans we are tempted to stop at the very first symptom.