To improve security, consider how the aviation world stopped blaming pilots

To improve security, the cybersecurity industry needs to follow the aviation industry’s shift from a blame culture to a “just” culture, according to ISACA director Serge Christiaans.

Speaking at Singapore’s Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop.

According to one analysis [PDF] the rate of fatal accidents fell from nine per 10 million flights in the 1980s to six per 10 million in the 1990s. Between 1995 and 2001, that figure was three per 10 million.

“There was a big game changer,” Christiaans told the summit. “Millions of people a day now fly in commercial aviation, and nothing happens.”

While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a “just culture” that accepts people will make mistakes and by doing so makes it more likely errors will be reported.

There are, of course, exceptions like negligence where you will be punished by law

In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.

“We’re not trying to blame, we’re not trying to point fingers, we’re trying to find the reasons behind the mistake,” said Christiaans.

“There are, of course, exceptions like negligence where of course you will be punished by law. But otherwise, if you speak up freely, you will not be punished.”

He then drew parallels to cybersecurity, claiming it can learn from aviation to look for the reasons behind the human error and determine if the mistake is perhaps systemic.

Christiaans said he is yet to come across a company that had implemented open reporting without punishment in cybersecurity.

He attributed this to the industry working from the top down. The people at the top worked hard to get to leadership roles and become resistant to change. Shifting culture therefore needs to start with new recruits.

“It’s going to take a generation,” said Christiaans. “We start with the youngest and educate them. And then in eight years, they become captains and when they go into management they already understand.”

What the pilot-turned-CISO did not address is how those at the bottom can become empowered while controlled by leadership beholden to different KPIs.

Furthermore, not all of the aviation industry has been a beacon of transparent culture. For example, whistleblowers have alleged that culture at Boeing emphasized profit over safety, ultimately leading to engineering decisions that caused the crash of two 737 MAX airplanes.

“Boeing is not in a business where safety can be treated as a secondary concern,” wrote engineer Curtis Ewbank in a formal complaint. “But the current culture of expediency of design-to-market and cost cutting does not permit any other treatment by the work force tasked with making executive management’s fever dreams a reality.”

The problem goes beyond Boeing. The US Office of the Special Counsel (OSC) alleged that the US Federal Aviation Administration (FAA) misled investigators checking whether FAA personnel were fully qualified to sign off Boeing 737 Max training standards.

And then, as Christiaan mentioned, there are the outright negligent pilots and suicidal murderous ones, who have or should shoulder blame. Some accidents are down to unexpected human incompetence or worse.

That said, Christiaan’s analysis may be true at least when it comes to most pilots and airlines, especially when culture is changed with small steps.

“You plant the seeds, some airlines adapt, some don’t,” said Christiaans. “The ones who adapt, succeed.” ®

Bootnote

ISACA is the IT industry body formerly known as the Information Systems Audit and Control Association.

READ MORE HERE