One of the biggest challenges that organisations face when applying cybersecurity measures effectively is ensuring that senior board members understand the real-world risks that are present. In many cases, there is a large disconnect between the IT & cyber security teams and non-technical board members. This is often due to a lack of technical knowledge among board members about the potential risks their organisations face and the resulting operational and financial impacts if a cyber security breach were to occur.
We are in an era where cyber threats are becoming increasingly sophisticated and far more regular across all industry sectors. In the aviation industry, so much of the infrastructure is open and potentially susceptible to attacks; therefore ensuring all organisational levels are working towards strengthening cyber resilience is critical – from safeguarding passenger data to ensuring the security of flight operations, right down to the fuelling of the aircraft.
Last week, Adam Battams represented SecureTeam at the IATA World Data Symposium in Dublin, Ireland, moderating a panel of industry leaders in aviation cyber security. Covering the topic of “Building Cyber Awareness at Board Level” in the aviation industry, Adam shared the stage with Thiébaut Meyer (Director Office of the CISO) from Google Cloud, Mark Orosz (CISO) from SITA and Nuno Baptista (Group Director of Cybersecurity) at TAP Air Portugal, who all offered key insights into how they have tackled the topic of board-level engagement within their own organisations, while providing key takeaways on how other organisations could repeat their success.
Cyber Awareness at Board Level
Cybersecurity is a business-wide concern, and it is essential to have strategic oversight from the board in every organisation. In order to achieve this, board members in the aviation industry must be equipped with a fundamental understanding of cyber risks and their potential impact on operations, reputation, and financial performance.
Cybersecurity awareness training for board members plays a pivotal role in bridging the knowledge gap between the IT teams and senior leadership. The aviation industry is a high-value target for cybercriminals, state-sponsored hackers, and insider threats; therefore, awareness training provides insights into the types of threats faced by airlines, airports, and aviation service providers, so that board members can take a risk-based approach.
Awareness training also ensures that board members recognise regulatory and compliance requirements – aviation cybersecurity is subject to stringent regulations such as ICAO’s Aviation Cybersecurity Strategy, and the European Union’s NIS2 Directive. Board members must be aware of these requirements to fully understand how their organisations can remain compliant.
An overarching priority in any organisation with regards to cybersecurity strategy is to effectively evaluate cybersecurity investments. With continued training, board members can make informed decisions about cybersecurity investments, ensuring that financial resources are allocated to high-priority areas.
Taking a Risk-Driven Approach to Spending
Traditionally, organisations have treated cyber security with the same budgetary constraints as any other capital expenditure. This can be one of the biggest mistakes an organisation can make in addressing cybersecurity, as the financial spend is dictated by budget constraints rather than risk assessments. In the aviation industry, where cyber attacks can have catastrophic consequences, cybersecurity investments must be proportionate to the risks faced.
There are many reasons that adopting a risk-driven approach to cyber security spending is crucial to effective cyber resilience. Risk assessments help identify the systems that present the most critical risk to the organisation, such as flight control systems, passenger databases, and operational technology, ensuring that resources are allocated where they are needed most and therefore prioritising risk reduction in the most critical assets.
Cyber incidents can result in regulatory fines, reputational damage, and operational disruptions – investing based on risk minimises the likelihood of such costly breaches. A risk-based approach will also ensure that cybersecurity measures align with industry regulations – reducing the risk of non-compliance penalties.
Taking a risk-based approach to cyber security spending allows organisations to remain agile against the latest threats – adjusting cybersecurity investments based on evolving threats rather than relying on static budgets.
Developing Cyber Committees
An additional solution to bridging the gap between the IT departments and the board members, outlined by the panel during our discussion, is the use of Cyber Committees.
Cyber Committees consist of a mixture of IT team members and C-Suite members, and are tasked with understanding all of the business risks, critical assets, and cybersecurity investments. Through cyber committees, it is possible to collectively define the organisation’s specific, ongoing cybersecurity strategy, allowing the board to allocate budget appropriately and effectively.
Conclusion
Building cyber awareness at board level in the aviation industry is crucial for fostering a culture of cybersecurity resilience. Through targeted cybersecurity awareness training, board members can bridge the gap between IT departments and executive leadership – ensuring that cybersecurity is prioritised as a business-critical function.
When it comes to financial spending, cybersecurity investments must be risk-driven rather than budget-driven – allowing aviation organisations to allocate resources effectively and protect against the ever-evolving threat landscape.
By embedding cybersecurity as standard into the corporate hierarchy, the aviation industry can enhance its resilience and safeguard its operations in an increasingly digital world.