The Qantas Rules For Effective IT Security

Qantas group security head Steve Jackson has some simple rules for dealing with IT security: Don’t panic, don’t overstate the risk, and don’t give the wannabe criminals the free oxygen of publicity.

Speaking at the Australian Security Information Association (ASIAL) conference in Melbourne this week, Jackson began by urging a more balanced approach to security coverage, rather than treating every potential vulnerability as earth-shattering.

“We’re making this subject just a little bit too sexy for what it is,” he said. “We’re giving people out there who wish to have oxygen visibility . . . . It’s a load of codswallop. We have to take a responsible position as security professionals to balance the argument and not to drink from the firehouse.”

Jackson’s full title is group head of security, facilitation and business resilience at Qantas. These are the principles he outlined during his presentation — principles that can be adapted to other businesses.

Think in terms of risk, not security

“I’m not a cyber-expert. I’m not a technical expert, I’m a person who manages security risk,” Jackson said. Adopting that view also makes it easier to plan your budget.

“Organisations have limited resources to devote to questions like cyber-security, but efforts can be maximised to manage cyber-risk. The risk is there and you cannot eradicate it. Our journey has been very much based on taking a holistic yet targeted approach to try and strike the right balance. There’s nothing too much in the rocket science category. We start from basic principles and research.”

Security is broader than just IT

“Cyber-security can no longer be seen as something the IT guys do,” Jackson said. “This is not the domain of the CIO alone Employees are frequently the first to detect suspicious activity. We can’t ignore the importance of education and training”

“The most important piece of technology we have isn’t what’s on sale there — it’s what you’re born with, your brain. People need to use it.”

Identify non-IT measures for your performance

“In the Qantas context we carry 40 million people every year,” Jackson said. “My key performance indicator to the Qantas board is to ensure the safety of those passengers.”

“When you look at how you mitigate your risk — not to eliminate risk because that’s not your job — through a proper balanced lens, we find at Qantas we’re sitting OK. Once you look at it, you can immediately take the oxygen away from those who seek five minutes of fame and cause professionals five months of pain.”

Talk to other security experts

“In 36 years as a security professional, every security problem I’ve encountered has already been dealt with by someone else,” Jackson said. “We just don’t do enough talking.”

Recognise the primary motivation

A core part of identifying risks is working out why an attack might happen. Jackson argues that in most cases, this comes down to greed.

“The primary goal of people engaged in cyber-attacks on any organisation is to steal something,” he said. It’s not to bring down the house of cards. I’m not dismissing that possibility, but the reality we face in the Western first world is that people want to steal something. There’s nothing sexy in this — people have just become a little smarter in how to deal with it.”

Set clear security policies and communicate them

“We try to adjust culture and encourage people to be the best asset we can,” Jackson said. “Sometimes you do need to bring a black stick, but you must not think you can wield that black stick without telling people where the line in the sand is. Give them a policy.”

Integrate security into IT from the start

“Build your security by design. Take the opportunity to integrate your security measures. Don’t retrofit them afterwards. Engage and collaborate and have a stakeholder map.”

Plan thoroughly then have confidence in your strategy

“We developed in a very simple way an enterprise-wide cyber-resilience strategy,” Jackson said. “In the IT security world, when things happen — whether they’re a pimply-faced teenager or a member of Anonymous or a serious part of organised crime — people want to steal things from you. We needed to understand the size of that threat and the effectiveness if our existing controls. The effective of our existing controls is exceptional. We have many attacks, but the fact is we all have a control framework in place — we just need to understand that the control framework is in place.

“I will not dismiss out of hand the potential for a catastrophic cyber-attack — I can’t, no one can. But what I can say to the public is: have confidence in your airlines that we will never compromise your safety and security, and we will always take our security problems seriously.”