The world of IT compliance and IT security has a lot to learn from the airline industry. At the last PCI Community Meeting in Nice, John Nance, aviation expert, analyst, author and consultant, shared his experience on airline safety and compliance.
For your eyes only, I jotted down the key points of his talk.
Compliance and Safety: what to put first?
Adapting the norms
- Deviations from established norms. We need to understand what causes these deviations from the norms.
- Failure to change the norms whenever needed. The most dangerous phrase we have encountered in the past hundred years of industrialisation is "This is the way we have always done it", a very dangerous sentence for anyone dealing with the evolution of things. We must review the norms whenever required and not just live with them as we have always done in the past.
The evolution of safety in the airline industry comes down to two things: understand how we failed, and adapt the norms and technologies whenever required.
Importance of teamwork in risk mitigation
Most of the time there are only two people in the cockpit, the captain and the first officer/copilot. But it is not just them: there are the flight attendants in the back and the maintenance team on the ground. There are a lot of people supporting that flight, and when you get away from the idea that the captain is God and everybody follows, you get to the point of understanding that none of us as individuals can provide the guarantees for our passengers, our patients, our clients until we get together, ask what the common goal is, and form a collegial and interactive team. One of the most important aspects of a team is the absence of communication barriers. No one must be afraid to speak up, regardless of differences in role, function and education.
Compliance is not just a matter of tactics
The three pillars of failure
Perception - As human beings, we fail first by perception. We don't see things as they really are. We think we do, but we don't.
Assumption - We make assumptions all the time. A wrong assumption can lead to disaster.
Communication - We are terrible at communication. 12.5% of the time, people speaking the same language and sharing the same level of education do not understand what they are saying to each other. When you are dealing with people who think they are communicating clearly, your best bet is that they probably are not.
Don't be surprised when something goes wrong
Mistakes are going to occur and things are going to go wrong, no matter how much education we have or how much we try to mitigate the risk.
But nothing will get past your security team when you combine their mentalities, their capabilities and their recognition of a common goal (keep data safe, keep the bad guys away from our sensitive data). Furthermore, when we are not surprised, we are ready.